Month: October 2006

Earlier today, I blogged about an exploit that has been getting some attention, that I felt really wasn’t worth getting too worried about.

As part of the piece, I questioned turning off ICS, because I felt it would disable the Windows firewall. 

However, Corey Nachreiner at WatchGuard made the following point to me:

…I too think this very low risk vulnerability has been over hyped in the media’s headlines. However, …as far as I can see, properly disabling ICS does not kill or disable the Windows XP firewall.

If you have a multi-homed XP machine, just go into the advanced properties of any network adapter and you can clearly see that you can uncheck the ICS component ( the “Allow other network users to connect through this computer’s network connection” box) while still keeping the XP firewall enabled.

So I don’t see why …disabling ICS kills the XP firewall. On the other hand, disabling ICS does obviously prevent any other client computers that were using ICS before from reaching the Internet. But it doesn’t kill the Firewall.
 
I understand that ICS relies on some of the Firewall’s functionality to work. Because of this, if ICS dies improperly it will take the Firewall with it. However, I don’t know of the Firewall relying on ICS to work (as far as I can tell). So you can disable ICS without disabling the Firewall.

I think that Corey may be right here, but will continue to research this.  At any rate, the real point of my blog post stands — a potential vulnerability in ICS is just not that big of a deal. 

Alex Eckelberry

UPDATE:   nCircle has lots more posted to clarify the whole “disable ICS” issue.  You do not have to disable the ICS/Firewall service to mitigate this exploit, thus shutting down your Windows firewall.  More here.

A bit of flurry about an exploit available in Internet Connection Sharing (ICS).  Basically, this exploit allows an attacker to shut down the Windows Firewall.

While any exploit is something to be concerned about, this one is not a big deal and is not worthy of mass panic.  George Ou writes on this issue here, worth reading.  

To distill the problem, first ask yourself:  Do you even use Internet Connection Sharing?  

If you’re like most people, you don’t.  In fact, Internet Connection Sharing is something most people don’t even know about — it’s a little-used feature that Microsoft has been shipping since Windows 98 that allows one computer’s internet connection to be shared by others.

Maybe it’s used in third world countries, where one dial up connection is shared by others (while some poor fellow gets the job of having to bicycle to keep the generator going). But ICS is just not part of any current network topology.  And for those who share a DSL or cable modem through ICS — let me give you a word of advice.  If you can afford the $50 per month for your service, then pay even half that amount for a cheap firewall/router.  Really.

Second, if you do use Internet Connection Sharing, realize that this exploit only affects you from the inside of your LAN.  Yes, folks, this is not something where you have to go to a website and get hacked.  It is exploited from within. 

Reguly at nCircle, the fellow who is chatty about this particular exploit, has recommended a solution that might not be the best course of action — disabling ICS (which will kill the Windows firewall, not the approach I would be the most sanguine about) and blocking port 53.  [Update — I have to correct myself — it’s true that if you kill the Firewall/ICS service, you kill your Windows firewall.  But as the nCircle folks point out, you can simply disable ICS and keep the firewall going, mitigating this exploit. More here.]

You want the solution?  Follow Secunia’s advice: “Use another way of sharing the Internet connection”.  Yup, like a cheap router/firewall (unless you’re still stuck on the bicycle generator).

Alex Eckelberry
(Hat tip to George Ou.)

UPDATE:  More here at nCircle on disabling ICS.

Part of our dev team is under intense pressure to get a new product out.  Walking down the hallway today, I saw this sign on the office door of one of our developers and couldn’t help laughing (TestTrack is the program we use to track bugs, and it assigns a number to each defect).

 

Now that’s focus!

Alex Eckelberry

Chad Loeven joins us as VP International and Business Development.

Before joining Sunbelt, Loeven served as vice president of business development for Montreal-based email security vendor Vircom, where he held international channel and business development responsibility, signing the largest OEM deal for Vircom during his tenure. Prior to Vircom, Loeven held various executive management positions at The Messaging Architects, overseeing the daily operations and international channel networks, and IndustryHub where he was responsible for technology direction, product strategy, and sales and marketing.

Corporate propoganda here.

Alex

Analyst says disclaimers are bad becuase:

Any standardized, boilerplate text is a godsend for a malicious network sniffer who’s hell-bent on stealing your secrets. Imagine you are trying to commit corporate espionage by tapping into an ISP’s network and watching all the network packets go by. It would be like drinking from a fire hose: very difficult to select the packets containing email text from the organization you’re targeting. However, if you knew that organization used a standard disclaimer, you could have your packet sniffer search for packets containing that text. It’s likely it would pick up a very large proportion of the messages you’re interested in.

Link here.

I disagree and admit to being somewhat baffled by this article.  A bad guy can just as easily sniff for source IP, the From address, domain, etc.

And even if the message is encrypted,  that data won’t be because it needs to be cleartext in order to be sent — then you would get some of the details regardless of what is done to the message.    

Alex Eckelberry

SecurityFocus writes about the situation. We helped a small bit on this article.

Estimates of the magnitude of the increase in junk e-mail vary, but experts agree that an uncommon surge in spam is occurring. On the low side, Symantec, the owner of SecurityFocus, has found that average spam volume has increased almost 30 percent for its 35,000 clients in the last two months. Others have seen much more significant jumps: Spam black list maintainer Total Quality Management Cubed has seen a 450 percent increase in spam in two months, and the amount of spam filtered out every week by security software maker Sunbelt Software has more than tripled compared to six months ago.

Link here.

Alex Eckelberry

Google spells out their security philosophy and recognizes people and companies in the security industry.  

Google Thanks You
People and organizations with an interest in security issues have made a tremendous contribution to the quality of the online experience.  We are grateful for the responsible disclosure of security vulnerabilities in our software. On behalf of our millions of users, would like to thank the following individuals and organizations for going out of their way to improve the Google experience for everyone:

• Alex Shipp, Messagelabs
• Bryan Jeffries
• Castlecops
• H D Moore
• Jeremiah Grossman
• Johannes Fahrenkrug
• Martin Straka
• Team Cymru
• Yahoo! Paranoids
• Wayne Porter & Chris Boyd, FaceTime Communications
• Alex Eckelberry, Sunbelt Software
• Richard Forand

Seeing my company on this list is a rather pleasant surprise.  I must also recognize all the people in my company who help me in my efforts.  You know who you are, and I thank you.

And my hearty congratulations to my good friends CastleCops (Paul and Robin Laudanski), Wayne Porter, Chris Boyd (aka PaperGhost) and all the rest on Google’s list.   You rock.

Alex Eckelberry
DoTheGoogle

 

Tyler Reguly tries out the Sandbox.

Lately, I’ve been more and more interested in malware analysis… I’ve been gathering viruses I receive and watching how they operate inside VMs. Due to this interest I’ve added more blogs to my seemingly never-ending list of RSS Feeds… Today a very interesting one came across the wire. Sunbelt Software had a blog posting announcing the official launch of CWSandbox. I must say, the software looks pretty damn cool.

Blog link here.

Alex Eckelberry

I’ve seen a number of posts on a couple of different groups speculating that there has been a big increase in spam.

The answer is yes, there has been a dramatic increase.

You can see this chart yourself at TQMcubed.

Just as a general side note, we were doing some analysis the other day, and found that about 95% of the email that Sunbelt receives is spam.  That’s a lot of junk.

Alex Eckelberry
(Thanks Jeff)

Re our PatchaGuard argument.

Authentium (incidentally, a partner of ours), bypasses PatchGuard.

Security software maker Authentium says that it has created a new version of its flagship product that circumvents the PatchGuard kernel protection technology being added to Microsoft’s next-generation Vista operating system.

Link here.

Alex Eckelberry
(With a hat tip to Ferg)

The Maginot Line in 1944

“If you entrench yourself behind strong fortifications, you compel the enemy to seek a solution elsewhere.” — von Clausewitz

“Fixed fortifications are monuments to the stupidity of man.” — Patton

Before I start on one of my typical diatribes, I think it’s worthy to note that one of the problems facing the security industry is entrenched user resentment.

I see this all the time: When I write about the larger security vendors, there is almost an angry mob mentality about how they deserve it because “antivirus companies have been soaking us for years”, etc. Ok, so there may be validity to some of that entrenched resentment, but the PatchGuard issue affects all security vendors.

Yesterday, Sophos tapped into that angry mob user resentment in a brilliant PR move — after having drunk the Microsoft KoolAid from a fire hydrant, they openly embraced PatchGuard. In one fell swoop, they positionoing themselves as Microsoft-friendly, happy-dancing, API-loving people. At the same time, they positioned the rest of the industry as a bunch of moronic crybabies. Beautiful.

Now, the Sophos folks are very smart both PR-wise and technically, and so one must give pause to consider their statements. However, I suggest we dig a little deeper.

It is an evolved theory of both security and warfare that one cannot create one defense that is all-encompassing. A infamous object lesson in this thinking is the French, with their Maginot Line: Created to stop a German invasion by land, the German’s merely flew over it — quite a wake-up call for the Frenchies. Now, military planners rely on flexibility as the ultimate defense.

The security industry has had several such lessons, the Code Red Worm being one of them. A network-based worm that utilized a vulnerability in Microsoft’s IIS, it never hit the disk. Instead, it ran solely in memory. A system based on file-based protection would not have been able to stop it.

The lesson? We cannot predict how malware authors will work in the future, and that is one reason why PatchGuard is such a potentially dangerous technology.

PatchGuard creates a barrier to the kernel, against which security vendors (the major defensive bulwark for Microsoft) can’t get in to to help the operating system against an attack, at least without permission through APIs.

Mikhail Penkovsky at Agnitum also points out that the API model itself opens up the kernel to attack anyway.

Why is it so risky to use KPP [PatchGuard] to provide kernel security for computers running Vista x64 rather than a third-party security solution?

Here’s an analogy. Today, every house has a different lock on its front door; in the same way, you can use any security product you want to protect your computer. Now imagine if every house in your city were required to use the exact same lock on its front door. As soon as a burglar figures out how to crack that lock, he can freely enter and steal from any house. This is what 64-bit Windows security will look like with PatchGuard.

His point is valid, because PatchGuard will get hacked in a number of ways: a) through good old-fashioned hacking (like we saw at BlackHat recently), b) or even possibly bundling themselves with a component of a product that does have access to the APIs.

But there’s another key issue: The ability of security companies to fully support the 64–bit Windows platform itself, a fact that Gartner’s Neil McDonald recently highlighted in his warning that if enterprises use HIPS technology, they should postpone deployment of Vista. After all, the APIs won’t even be available until 2008!

And it’s interesting that Neil used HIPS as an example.

HIPS (which stands for Host Intrusion Prevention System), uses methods at the kernel to prevent certain types of attacks. HIPS is part of our Kerio line and it’s also part of other products out in the market. For example, our HIPS functionality helps protect against buffer overflow attacks, by watching for system functions being called from memory locations where they shouldn’t be called. As another example, our Kerio Server Firewall uses HIPS to provide application lockdown.

Sophos and Kaspersky have gone on the record that they don’t really care much about PatchGuard, but that is ostensibly because a) they don’t have HIPS or b) they are not using the kernel in such a way that PatchGuard poses a problem for them. Is this just whistling past the graveyard?

McAfee, Symantec and other companies, like Sunbelt, need this access. For Symantec, it’s around a number of technologies they’ve implemented at the kernel, including Tamper Protection, which prevents hackers from attacking Symantec products themselves. For us, it’s around HIPS, but it could also affect other technologies that we are developing.

Could we use the existing APIs to do what we need to do? Yes, and Microsoft has publicly stated that they will release APIs to PatchGuard to security developers, but a) these will not be for some time (2008) and b) if we need a new API or some enhancement to an existing API, we have to ask for it. It puts security providers in a tenuous position, waiting for possibly up to a year to get the legal APIs to fix a threat that may be in the wild. And waiting for the PatchGuard APIs will delay our ability to ship a 64–bit version of our Kerio firewall and possibly other technologies.

Getting back to the Maginot Line example, however, if some type of new threat comes out that requires a security vendor to access the kernel to protect against it, we’ll all be in trouble, and so will the customer. Because we’ll have to ask Microsoft for an API to the kernel and hope they provide it, instead of just quickly adding some extra functionality to our products by directly accessing the kernel.

Alex Eckelberry

How to change the picture on the Start menu
Note: this doesn’t apply to XP computers that belong to a Windows domain. On non-domain systems, XP displays a photo on the Start menu that’s associated with the logged on user account. You can set this photo through the User Accounts applet in Control Panel, but there’s also another, faster way:

1. Click Start to open the Start menu.
2. Click on the picture itself. This opens the User Account settings option.
3. Choose a new picture from the ones displayed, or click Browse to use a picture located anywhere on your computer.
4. After you’ve changed the picture, close the User Accounts dialog box.

How to Start the Shared Folder Wizard
The XP Shared Folder Wizard lets you create one or multiple shared folders. The quickest way to start it is to click Start | Run and type shrpubw.exe.

Vista: Using check boxes to select items
It’s a small thing, but it can make a big difference to users who have to type with one hand. Now instead of holding down the CTRL key to select multiple items, you have the option of enabling checkboxes.

By default, files in Explorer don’t have the checkboxes, but it’s easy to enable it: just click Tools | Folder Options and click the View tab. Scroll down in the Advanced Settings list to “Use check boxes to select items” and select it. Now in Explorer you can just check the boxes to select multiple items without holding down CTRL.

What happened to the option to make pictures smaller?
QUESTION: Once upon a time, when I would attach a picture to email in Outlook Express, a dialog box would pop up, offering to make them smaller. I almost always said “no” – but somewhere along the way I stopped getting asked and recently I did have some photos taken at very high resolution that I wanted to make smaller before sending. Do you know how I can get this option back? – Judy D.

ANSWER: The lack of the “make pictures smaller” dialog box usually means a DLL has become corrupted or unregistered. To fix the problem, try registering the DDL. Here’s how:

1. Click Start | Run
2. Type regsvr32 shimgvw.dll

Let us know if this doesn’t work.

Current folder settings are not applied to other open folders
You can set all the folders in Windows Explorer to display in the same View (List, Details, Thumbnails, etc.) as the one you have currently selected. However, if you have other folders open when you apply the setting, those folders may not get the new setting applied. For the solution, see KB article 307116.

Access Denied error message
If you try to open a folder and receive a message that says “ is not accessible. Access is denied,” it may be because the folder was created prior to upgrading to Windows XP, on an NTFS partition. Upgrading to XP changed the security ID (SID) for your user account, so that it doesn’t match the one on the folder. Luckily, if you can log on with an administrative account, you can take ownership of the folder so you can access it. For instructions on how to do so, see KB article 810881.

System Restore is suspended
If you try to start System Restore, you might get an error message that says “System Restore is suspended because there is not enough disk space available on the system drive.” This can happen even when you do have plenty of available disk space on that drive. There are two workarounds for this problem; to find out how to fix it, see KB article 299904.

TechTool: The psTools list of sysinternals command line tools are very handy in some occasions. Here is an overview of all these gems.

TechTool #2:  ShortKeys is a utility that allows you to set up replacement text or paragraphs for any given number of user defined keystrokes. A free version is available.

Deb Shinder, MVP

Most of us have had the experience, when we saw someone do something stupid or that we thought was wrong, of shaking our heads and lamenting that “there ought to be a law.” Unfortunately, our legislators have taken our wish literally – more and more laws are being passed criminalizing every “bad” behavior, and I’m afraid that soon it’s going to be as impossible for most people to go through life without committing a crime as it is to drive a car without ever committing a traffic violation.

This came to mind yesterday when I was filling out a form on the web. You know, the ones that you have to complete in order to access some sites? I never give my correct address and phone number in those forms; who knows who’ll have access to that information? In many cases, the lists are sold to spammers – er, sorry: to advertisers. Another piece of info I don’t give out casually is my date of birth, since that’s prime information for identity thieves.

But as I typed in my fake info, I wondered whether someday in the near future it will be illegal to lie on web forms. Sound silly? I’m not so sure. Lying is becoming a crime in more and more circumstances, in more and more jurisdictions. It used to be that the only time you could go to jail for telling untruths was when you committed perjury (lying under oath) or engaged in a blatant con game. Now we have laws making it illegal to lie in all sorts of situations, from applying for a loan to applying for a job. Some states have outlawed claiming to have a diploma or degree you don’t have. Does that mean the office manager who pretends to be a doctor when he’s coming on to some lady in a bar can go to jail for it? Maybe, depending on how the law is written.

Now I’m not advocating dishonesty. Telling a lie usually results in way more trouble than it’s worth and in most cases it’s ethically wrong (although in some cases, brutal honesty can be ethically questionable, too). But this trend toward making it a criminal offense worries me. Not everything that’s unethical or immoral should result in jail time. If you lie on your resume, your employer should be able to fire you. If you lie to your spouse too many times, he/she might (and probably should) leave you. If you lie on your credit card application, you ought to get the card yanked and your credit record affected. Heck, all of the above wronged parties should be able to sue you for compensation if they want. But should you be imprisoned for it?

As a former cop, I don’t really think most police officers want to be in the business of rounding up all the folks who fudged a little about their former job titles or salaries or education. With serial killers, terrorists and child predators out there on the loose, I don’t think government resources are best spent tracking down liars.

And it’s not just the possibility of being taken downtown for giving a false phone number on a Web form that I’m worried about. This propensity to make everything illegal goes way beyond the bans on lying. We are increasingly turning to the criminal laws to punish every undesirable behavior. Smoking is illegal in more and more places; it’s only a matter of time before it’s banned outright and mere possession is made a crime. I hate cigarettes and don’t allow them in my house or car – but I also hate the thought of the government putting nicotine addicts in jail. We’ve seen how well that works with those addicted to “harder” substances.

Having done a miserable job of waging the war on drugs, health advocates are now ramping up to declare war on “bad” food. They point to obesity statistics as justification and are already seeking to make fast food illegal. What’s the next step? Raiding grandma’s kitchen if she dares whip up a batch of evil fried hushpuppies for the grandkids?

What does all this have to do with technology? Computers and the Internet are prime fodder for our over-zealous lawmakers, and it’s probably just a matter of time before this micro-management of our lives spreads further into the electronic frontier. Just last week, reports came out that FBI director Robert Mueller wants ISPs, social networks and search engines to log and store records of users’ IP addresses for up to two years, and another proposal would require providers to record the identities of email correspondents, IM users and addresses of web pages visited. Of course, you can still use web browsers that encrypt the addresses of users and online sites – but will legislators soon make it illegal to use such technologies based on the theory that they can be used by terrorists and child predators? Given the trends in modern lawmaking, I’d say it’s not just possible but probable.

What do you think? Is our society becoming over legislated to the point where the government will make criminals of us all? Should the government stay out of issues like lying to private parties (such as an employer) and let it be handled administratively or civilly?

Are you in favor of laws protecting people from themselves (such as bans on smoking in your own home or eating food that’s not healthy) or do you think it’s justified on the basis of health care costs for which society often must pick up the tab? Twenty years from now, will we still be able to surf the ‘net freely, or will we be required to get a license and register every site we visit with the government? What other changes to the laws (for good or bad) do you foresee in the near future?

Tell us your opinions.

Deb Shinder, MVP 

Our new sandbox technology was officially announced this morning at the Infosec conference in New York.

Sunbelt Software today announced the availability of Sunbelt CWSandbox, a powerful tool for the automatic analysis of malware samples. The technology was originally developed by noted security expert Carsten Willems while at the University of Mannheim and is under exclusive license to Sunbelt Software.

CWSandbox provides technology providers and corporations the ability to rapidly analyze malware for a number of different purposes — security research, creation of new signatures, forensic/criminal analysis and improved threat protection. Malware samples submitted to the sandbox are executed in a controlled environment, with a comprehensive analysis provided of the malware’s execution in XML, HTML or text format.

How CWSandbox Works
Using a comprehensive automated system, CWSandbox uses unique technology to execute malware in a controlled environment for behavior analysis. The application provides fast analysis of large volumes of malware samples in a short period of time, capable of automatic collection of malware from different inputs including Nepenthes (a tool for automated collection of autonomous spreading malware), a web server/interface, or a directory.

The CWSandbox is an awesome tool for malware analysis.   Submit a piece of malware, and you’ll get a detailed report back as to what the malware is actually doing.  In addition, the sandbox will also run the malware through several different AV engines to give you a feel as to what the in-the-wild detection is.

Link here.

Try the sandbox out youself — go to www.sunbeltsandbox.com and submit a malware sample. 

Our business model for the sandbox is simple: Anyone can freely use our public sandbox for malware analysis.  If commercial entities want to bring the power of the sandbox in-house, they can purchase a reasonably priced license.  Entities involved in pure research (e.g. no commercial intent) can license the sandbox at no-charge.  More information can be had by contacting a specialist.

Alex Eckelberry

Microsoft uses the trademark Spyweeper in promoting OneCare. 

This shows that Microsoft is not looking for new customers who don’t have security software, as they’ve said in the past.  They are directly targeting an incumbent player here.

Alex
(Thanks Suzi!) 

 

 

File under shameless self promotion.

FutureSoft®, Inc., the Houston-based Endpoint Security solution provider, today announced the release of their latest and most powerful version of DynaComm i:scan®. Version 6.5 of DynaComm i:scan addresses such critical endpoint security issues as distributed anti-spyware protection, USB security management, and application and desktop lockdown.

This new release builds on the centrally managed solution by incorporating new anti-spyware day-zero protection to secure critical operating systems resources that are typically targeted during the first hours of a new spyware infection. In addition to the enhanced day-zero protection, this newest release includes an anti-spyware scanning and cleaning engine licensed from award-winning security developer Sunbelt Software.

Link here.

Alex Eckelberry

Aberdeen Group’s Information Security practice recently published a new research report “The 2006 Messaging Security Benchmark Report: Strategies for Securing Corporate Communications.” Sunbelt Software co-sponsored this research, which is now available to you at no cost.

Feel free to to take a moment and download this report. It focuses on messaging security trends in today’s IT market, and finds that while 80% of companies are aware of the threat of loss of confidential data by insiders, only 43% have implemented messaging security solutions that will stop that outbound threat. Link here.

We’re going to be in Barcelona, Spain – November 14-17. Look for the QBS booth and check out Ninja and CounterSpy Enterprise! Here is the link to the Microsoft site.

I’m a competitor so my opinion is worthless.  But this article has some people quite curious.  What is up? I don’t know — anyone want to leave a comment explaining more?

Alex

n3td3v (leetspeak for “net-dev”) is a person or persons who has had a history of posting some fairly obnoxious stuff on Full Disclosure.

Dr. Neal Krawetz of Hacker Factor decided to figure out who this person(s) was, and has written an extensive analysis of his effort.  It’s fun sleuthing, and the result is he believes that n3td3v is likely the same person(s) behind Gobbles Security, who had posted similarly obnoxious (but quite interesting exploits) messages on technical forums.

In three minutes, writing samples from n3td3v were collected. Two minutes later, it was determined that n3td3v was not a “he” but a “they”: at least three distinct individuals, two males (one European) and a female. Another researcher (Jim McCown) mentioned that the trolling1 reminded him of the postings made by Gobbles Security. Dr. Krawetz had met the primary members of Gobbles Security many years ago and knew that they consisted of three people: two males (one is Eastern European) and a female. This document shows techniques used to identify writing characteristics and concludes that the core people behind Gobbles Security are strong contenders for being the people behind n3td3v.

Link here.

Alex Eckelberry

Update: SecurityFocus has more on this here, which sheds some doubt on Krawetz’s findings, but it’s all part of the sleuthing fun.