Achyra Security Bulletin #005 – Domain Name System Trojan

There is a very nasty little Trojan (technical terminology for a type of malicious software) doing the rounds at the moment, that goes by the imaginative name of “DNS Changer Trojan”. It originated from Estonia, and although the creators have been arrested the malware has seen extensive infection across the globe. One security firm’s report (by Internet Identity) found that half of all Fortune 500 firms and 27 out of 55 major US government entities were affected by this problem. If it can wreak this much havoc on these highly secure, cash rich organisations I suspect that there is every chance your PC or server(s) could be at risk.

To check your machine follow this link http://www.dns-ok.us/ for an immediate diagnosis. There is also information on how to remove the malware should your machine be infected.
More information:

Q) What is DNS?

A) DNS stands for Domain Name System. In a nutshell it acts very much like a telephone directory for computers on the internet. A web address (or URL) is actually linked to an IP address which computers use to identify servers they are requested to connect to by the user, however but an IP address is a series of numbers which us humans find difficult to remember so we masked the numbers with a more user friendly URL (http://www.google.co.uk for example)

Q) What does this Trojan do?

A) DNSChanger changes an infected system’s domain name system (DNS) resolution settings to point towards rogue servers that redirected legitimate searches and URLs to malicious websites, earning “cybercrooks” kickbacks from click-fraud scams and “scareware” distribution rackets in the process.

Q) What happens if I don’t get rid of it?

A) Your machine will continue you to send you to “dodgy” websites when you are trying to visit a legitimate site. This could end up costing you money or infect your machine with further malware, could also disable your anti virus software and prevent your machine from downloading system updates.

Advertisements

Achyra Security Bulletin #004 – Passwords

How secure is your online identity? Thousands of Internet service accounts are being attacked and successfully hacked every day. The actual numbers are unknown but according to JUST Facebook out of a billion log in attempts over a 24 hour period typically 600,000 of these will be imposters attempting to access someone else’s profile. This problem is exacerbated by many people choosing to use weak passwords. How do you measure up in the password department? Read on for more info…

With more and more of our business being conducted over the Internet these days, most of us have some kind of password protected service we log on to over the Internet, and the majority of these will have a plethora of log in accounts. By this I mean webmail, office based mail systems, social networking sites, bank accounts, shopping accounts. The list is long and for each user is likely to get longer with time. “So what” I hear you say. Well the point of this bulletin is to remind you all not to use weak passwords and also ideally change them on a regular basis. This article http://www.telegraph.co.uk/technology/news/8898482/25-worst-web-passwords.html from the Telegraph lists the 25 most common (and therefore worst in terms of security) passwords according to a list compiled by an American password management application (Splashdata).

If you use any of these passwords from this “rogues gallery” I would recommend changing them as soon as possible. If an unscrupulous person was trying to gain unauthorised access to one of your accounts, you can be sure they would most likely try these passwords first. It’s also not a very good idea to use whole English words or names either as these can be overcome by “dictionary attack” applications. See here for more information http://en.wikipedia.org/wiki/Dictionary_attack.

So what are the best passwords to use? Well generally the longer the better but obviously we need them to be usable as well, so a good guideline would be 8-14 alphanumeric characters. For additional strength a mixture of caps and lowercase is a good idea, and for the strongest passwords you should include one or more symbol characters (?, ! or # for example). See this link for Microsoft’s password advice http://www.microsoft.com/en-gb/security/online-privacy/passwords-create.aspx. If you already have a password that you want to you use you can check its strength here: https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx.

Is it a good idea to use one password for all your accounts? Well no, in a word. This will make all of your systems easy to use on the basis of only needing to remember one password but if your password gets comprised you have lost privacy to all of your accounts instead of just one. Check out this article from the NY Times for some good advice on how to manage all your passwords. http://gadgetwise.blogs.nytimes.com/2009/06/24/how-to-securely-manage-all-your-passwords/

If you would like more information on this topic please feel free to contact me on this email address or by phone on 07810 543910.

Please feel free to circulate this email to your family, friends and colleagues.

Phish or spam?

It seems that “phishing” has replaced “spam” (or spamming) as the preferred method of tricking the unsuspecting public into parting with their hard earned cash, according to a survey carried out by PC security company Symantec. See the full article here http://www.symantec.com/connect/blogs/phish-tastes-better-spam

So what’s the difference? Well both of these techniques involve sending out large numbers of emails to either pre-compiled or sometimes just randomly generated email lists. The difference lies in the content of the emails. A typical spam mail might contain a link to a sales website and will try to get the recipient to buy a product (typical examples include watches, medication and qualifications). The recipient would then enter their bank details and the amount of the product they were trying to buy would be taken from their account. Another classic example of spam email was the infamous Nigerian Advance-fee fraud scam.

Phishing though might be considered to be an evolution of spam and is perhaps more devious. A typical example of a phishing email would look almost identical, and appear to come from a reputable high street bank or other well known financial organisation. It would try and get the recipient to part with (typically) online banking information, or other private information pertaining to the apparent organisation. Falling foul to this kind of hack is potentially extremely costly as, instead of losing just a set amount of money, a potential attacker could have access to the entire funds in the hacked account.

What can you do to help to protect yourself? There are numerous things you can do – some of them are technical and some of them are common sense practises.

Technically you should always keep your operating system up to date with OS vendor updates. For Windows users go to the start menu, (all)programs, and select “Windows Updates”, follow on screen instructions. For Mac OS X users go to the Apple menu and select “Software Update…”, then follow on screen instructions. You should always run some kind of antivirus program, and most importantly keep that up to date. There are decent free programs currently available for both Windows and Mac, for example Microsoft Security Essentials for Windows and ClamXav for Mac. Finally if your OS has a built in firewall you should make sure that is enabled for your network connection. For Windows this can be enabled in the control panel  (Windows Firewall) and for Mac OS X 10.6 and later go to system preferences, Security, Firewall (toggle on/off from here). Following these steps will reduce the likelihood you will accidentally run malicious content on your computer and reduce the number of malware applications able to run on your computer.

Common sense practises are quite simple. Firstly never follow any links from an email if you have any doubt whatsoever that the email is fishy (phishy). If you appear to have been sent an email from an organisation you have no affiliation with (for example if you bank with LloydsTSB and you have been sent an email from HSBC saying there is a problem with your account) then you can be sure that this a phishing attempt. If you are in any doubt, DO NOT follow any links in the email then phone the organisation. Finally, and most important of all, a legitimate organisation will NEVER ask you for your passwords, either on an email, website or over the phone, therefore you should NEVER divulge this information to anyone. Period.

For further reading follow these links.

Morto – Remote Desktop Protocol (RDP) Worm Alert

A new computer worm called “Morto” is infecting Windows computer systems via the Remote Desktop Protocol (RDP) and exploiting weak system passwords.

Does this affect you?
If you use Remote Desktop Protocol to connect to any remote network or server then potentially yes, it does.

How can you reduce the risk of being affected by this?
Using strong passwords (I.E. passwords that are typically over 8 characters long and contain a mix of alphanumeric characters, caps/lower case and symbols) will reduce the chance of your password being guessed by an intruder or malware.
Minimising the number of accounts that have RDP permission will give intruders fewer accounts to hack.

A good way to remove the need to have an Internet facing RDP accessible account altogether is to implement a VPN (Virtual Private Network) system to securely connect to your network from remote locations.

What happens if I get compromised?
Aside from adding the compromised machine to a botnet (see here http://en.wikipedia.org/wiki/Botnet for a description) an attacker could potentially have total control over the target machine, access to other network devices and data stores.

Further information:
To be vulnerable the target system needs to have the RDP service enabled and the Windows administrator account configured to use a weak password such as “123”, “letmein” or “password”. The SANS Internet Storm Centre has noticed a large spike in the amount of RDP scan traffic. Microsoft has released details about the worm with a severity level rated as severe, its highest alert level.

World IPv6 Day (via WordPress.com News)

We’ll be seeing pure IPv6 subnets by the end of the year in widespread use by European ISPs.

Get ready!

World IPv6 Day To show our support for IPv6, and as part of our IPv6 migration plan, we have enabled dual stack connectivity on our blog on this occasion of World IPv6 Day. If you view this site over IPv6, you will see a visual indicator confirming access from IPv6: What’s IPv6? For those of you who don’t know, IPv6 is the next-generation Internet protocol, which offers a large number of IP addresses, 296 (= 79228162514264337593543950336) times of what IPv4 has … Read More

via WordPress.com News