Enabling Secure Business Operations

Virtualization – Are The Masses Ready?

April 30th, 2009

Let’s face it. Virtualization is everywhere in businesses today. There probably isn’t an IT admin out there who doesn’t swear by it, given the sheer number of benefits it brings to IT departments: reduced resource requirements, better energy savings, easier administration, and so on. It’s also nothing new. It’s been around for quite some time, but it has usually been limited to IT departments, developers, system testers, and other elite geeks. It hasn’t really been a product for mass consumption – until now, or very soon.

Anyone who hasn’t been hiding under a rock for the past few weeks has probably heard about Microsoft’s new OS, Windows 7, and how it incorporates built-in Windows XP virtualization. It will use Microsoft’s Virtual PC technology to host a built-in copy of Windows XP for legacy use. The technology seems pretty sweet on paper so far; there are still a few days before we get to try it out as a whole.

Even though virtualization has been in use for some time now, it has almost always been in the hands of trained professionals (or at least those with a higher geek score than the average user). So, is the everyday user ready to take on the responsibility of having the equivalent of two machines running all the time?

One area of concern is that the virtual XP (VXP) still needs to be handled as if it were its own machine, just like any other server platform running in a virtual environment. The VXP still needs to run its own local copy of anti-virus and firewall software and keep to its own regular patch schedule. This also helps explain Microsoft’s extension of the XP support line.

So, not only are IT admins now responsible for maintaining a regular update and policy environment for all the standard user machines, but they also need to take into consideration what could be running in “XP Mode.” I’m sure that in larger companies software is controlled and policies restrict its usage, but there are plenty of medium and smaller companies that don’t keep as tight a rein on their systems.

Windows 7 seems to be a great step forward, even in security-related aspects, but does this widen the attack surface even further? Could an attacker bypass Windows 7’s security entirely and use the VXP as the attacking source? There are plenty of questions still to be asked, but it doesn’t look like any of them are stopping the product. It isn’t a default either; XP Mode is opt-in, so if there is no need for legacy support, you don’t have to take it.

I’ll be getting a copy of the next beta release as soon as it’s available and will let you know more of the details as the product is explored more thoroughly. So, what are your ideas/concerns about the new “feature?” Let us know in the comments.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

How to detect phishing e-mails

April 28th, 2009

This post is by no means complete. It’s only a guide to determining whether an e-mail you received is phishing or not. There is a game we discussed before – Anti-Phishing Phil – that can help test your skills.

I got the following e-mail in my junk mail folder.

Phishing E-mail

The e-mail looks official, and the link even goes to where it says it goes. So, how do I know this is a phishing e-mail?

  1. This is supposed to be from the US Federal Reserve System. Most Americans do not use phrasing like “hitherto and therefore”; listen to your British/Australian/Indian counterparts and you’ll hear that type of language, though.
  2. Bad grammar – “banks and credit unions is”.
  3. The link leads to a site called secureserver-27; the Fed’s web page is http://www.federalreserve.gov.
  4. The e-mail is *not* from federalreserve.gov. If they were sending out official e-mail, do you think they’d allow an employee to send it from a personal e-mail account?

Above and beyond these items, if you look at the headers of the e-mail, you can see that SpamAssassin flagged it as including blacklisted URLs.

SpamAssassin headers

SpamAssassin gave this a score of 9.2. At 4, my server marks the message and dumps it into the spam folder; at 10, it outright rejects the SMTP connection. This e-mail is pushing pretty close to that.

In summary, watch for strange language, bad grammar, misspellings, strange links, and any e-mail where the link text doesn’t match where the link actually goes. If in doubt, assume it’s spam. If it’s from a company you normally do business with (like your bank), call their main number and ask about it – don’t use any phone numbers or e-mail addresses given in the suspect e-mail. Always use the phone number on the back of your credit/bank card or from one of your statements.
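Three of the checks above (sender domain versus the claimed organisation, link text versus link destination, and the filter’s own score with the 4/10 thresholds from this post) are mechanical enough to automate. The following is an added example, not code from the original post: the message is constructed to mirror the one described, with an unrelated sender address, a federalreserve.gov URL as link text, a placeholder host (secureserver-27.example) in the real href, and an X-Spam-Score header. The wording checks (“hitherto and therefore”, “credit unions is”) are left to the human reader.

```python
"""Heuristic phishing checks over a raw e-mail (added example, not from the post)."""
import email
import email.policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the message described in the post.
SAMPLE = """\
From: "Federal Reserve System" <j.doe@example.net>
To: you@example.com
Subject: Important notice to all account holders
X-Spam-Score: 9.2
X-Spam-Status: Yes, score=9.2 tests=URIBL_BLACK,HTML_MESSAGE
Content-Type: text/html

<html><body>
<p>Hitherto and therefore, all banks and credit unions is required to confirm details.</p>
<p>Proceed to <a href="http://secureserver-27.example/verify">http://www.federalreserve.gov</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (assumption: no public-suffix list needed here)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def host_of(text):
    """Hostname from a URL or bare domain in text; None if the text is not URL-like."""
    if "://" not in text:
        text = "http://" + text
    host = urlsplit(text).hostname
    return host if host and "." in host else None


def analyse(raw, claimed_domain, mark_at=4.0, reject_at=10.0):
    """Return (code, detail) findings for the post's three automatable heuristics."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []

    # 1. The sending domain should belong to the organisation the mail claims to be from.
    sender = msg["From"].addresses[0]
    if registrable(sender.domain) != registrable(claimed_domain):
        findings.append(("sender-domain", f"{sender.addr_spec} is not @{claimed_domain}"))

    # 2. Link text that looks like a URL must lead to the same site as the href.
    part = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(part.get_content() if part else "")
    for href, text in extractor.links:
        shown, real = host_of(text), host_of(href or "")
        if shown and real and registrable(shown) != registrable(real):
            findings.append(("link-mismatch", f"text says {shown}, link goes to {real}"))

    # 3. Honour the filter's verdict: the post's server marks at 4 and rejects at 10.
    score = msg.get("X-Spam-Score")
    if score is not None:
        score = float(score)
        if score >= reject_at:
            findings.append(("spam-score", f"{score} would be rejected outright"))
        elif score >= mark_at:
            findings.append(("spam-score", f"{score} exceeds the marking threshold {mark_at}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE, "federalreserve.gov"):
        print(f"{code}: {detail}")
```

The domain comparison is deliberately crude (last two labels); a production filter would use a public-suffix list so that, for example, two different customers of a shared hosting domain are not treated as the same site.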

Web Debugging Proxy

April 23rd, 2009

If you’ve ever wanted to see exactly what your web browser was sending and receiving, there are plenty of programs out there that can help you. The reasons you might want that kind of information vary: maybe you’re debugging an in-browser Flash app, perhaps you want to see what HTTP headers a web server responds with, or maybe you want to try some fuzzing to test the security of a web app. In any case, the ability to pull back the curtain and see what your browser is doing behind the scenes can be useful.

One particular program that does this well is Fiddler. It acts as a local proxy – simply point your browser’s proxy setting at Fiddler’s local listening port and it becomes the chatty middleman, telling you everything the browser is doing. With plenty of options and filters to play with, Fiddler can be configured to intercept only certain user-defined connections or to capture them all. But perhaps the most useful feature is the ability to edit data on the fly before it gets sent (hence the name Fiddler… you can “fiddle” with stuff). This goes a step beyond Firefox’s TamperData add-on. Fiddler will let you edit everything from headers to POST and GET variables. It will even let you edit the binary data of a MIME-encoded form submission… in hex.

Fiddler is thorough.

Fiddler
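To make concrete what a local debugging proxy does, here is a minimal Python version of the idea as an added example (this is not Fiddler’s code or anything from the post): a loopback proxy that logs every request, applies a rewrite hook before forwarding (the “fiddle” step; here it injects a header), and relays the upstream response. The echo server, the X-Demo header and the /login?user=alice URL are constructed for the demo. It handles plain HTTP only and does not implement CONNECT, so HTTPS traffic is out of scope.

```python
"""Minimal logging and rewriting HTTP proxy in the spirit of a web debugging proxy.

Added example, not Fiddler's code. Plain HTTP only: no CONNECT/TLS handling.
"""
import http.client
import http.server
import threading
from urllib.parse import urlsplit

# Hop-by-hop headers belong to a single connection and must not be forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "transfer-encoding",
              "te", "trailer", "upgrade", "proxy-authorization", "proxy-authenticate"}


class DebugProxy(http.server.ThreadingHTTPServer):
    """Proxy that records (method, url, status) and applies an optional rewrite hook."""

    def __init__(self, addr, rewrite=None):
        super().__init__(addr, ProxyHandler)
        self.log = []
        self.rewrite = rewrite  # callable(method, url, headers, body) -> (headers, body)


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    """One browser-side request: parse, optionally edit, forward, relay the reply."""

    def do_GET(self):
        self._forward()

    def do_POST(self):
        self._forward()

    def _forward(self):
        # A browser configured to use a proxy puts the absolute URL in the request line.
        parts = urlsplit(self.path)
        if parts.scheme != "http" or not parts.hostname:
            self.send_error(400, "absolute http:// URL required")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        if self.server.rewrite:  # the "fiddle" step: edit before anything leaves
            headers, body = self.server.rewrite(self.command, self.path, headers, body)
        if body:
            headers["Content-Length"] = str(len(body))
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
        conn.request(self.command, target, body=body or None, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        self.server.log.append((self.command, self.path, resp.status))
        # Relay the reply; the body is buffered, so set Content-Length ourselves.
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # self.server.log is the record; keep stderr quiet
        pass


class EchoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed upstream server for the demo: echoes the path and one request header."""

    def do_GET(self):
        body = f"{self.path}|X-Demo={self.headers.get('X-Demo', '')}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def run_demo():
    """Start echo server and proxy on loopback; send one browser-style request via the proxy."""
    upstream = http.server.HTTPServer(("127.0.0.1", 0), EchoHandler)

    def add_marker(method, url, headers, body):
        headers["X-Demo"] = "edited-by-proxy"  # constructed header proving the edit reached upstream
        return headers, body

    proxy = DebugProxy(("127.0.0.1", 0), rewrite=add_marker)
    for srv in (upstream, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        # Like a browser pointed at the proxy port: http.client sends the absolute URL
        # in the request line when given one, and derives Host from it.
        target = f"http://127.0.0.1:{upstream.server_address[1]}/login?user=alice"
        client = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
        client.request("GET", target)
        text = client.getresponse().read().decode()
        client.close()
        return text, list(proxy.log)
    finally:
        for srv in (proxy, upstream):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Everything a real tool adds (TLS interception via CONNECT with a locally trusted CA, filters, a UI for pausing and hand-editing a request) builds on this same position in the path: the browser trusts the proxy to forward for it, so the proxy sees and may change every byte.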

RSA Conference 2009 Trends-Day 2

April 23rd, 2009

On Wednesday, while the virtualization and cloud computing topics continued to see a lot of coverage, I began to focus my attendance on some different areas. The first Wednesday keynote included a brief discussion of the 60-day cybersecurity review by Melissa Hathaway, Acting Senior Director for Cyberspace for the Obama administration. While she did not tip her hand regarding what would be in the final report, she spent a lot of time discussing the importance of the report and the work that will come out of it. You can read her speech by following the Word document link in this article in The Atlantic.

Also on Wednesday was a panel discussion on the increasing prominence of legal and audit concerns in security, featuring two federal judges and two lawyers. The presence of two federal judges at the RSA conference should be viewed as good news, as it clearly demonstrates that the legal system is taking note of and participating in a dialog with the security industry as a whole. There was also an individual talk in the same vein in the Governance-Legal track, “eDiscovery Cooperation Workshop for Attorneys and Technologists”. Meaningful information-security-related laws and regulations can only be developed and enforced by a team that includes both the legal system and security practitioners.

Other heavily attended and well-regarded sessions were individual talks for which there is not yet a link to video or audio. These include “Is Google Evil?” by Ira Winkler, and “The Danger that Lurks in the Internet’s Core Protocols” by a panel including Jeff Moss, Dan Kaminsky and Anton Kapela.

RSA Conference 2009 Trends-Day 1

April 22nd, 2009

I can easily sum up what nearly every talk, every keynote, and every booth vendor is discussing here at RSA. I just need four words: “Cloud computing and virtualization”. Virtualization is important because of the desire to make things cheaper and easier to maintain, and it presents a powerful argument for power savings, especially the week of Earth Day. The security concerns in virtualization are generally no different from those with any current system, except for attack vectors between the host and guest operating systems. Virtualizing security services may be helpful for long-term cost savings, but it introduces additional risks which must be considered and then mitigated or accepted.

During the Cryptographers’ Panel, opposing views on cloud computing were presented. Whit Diffie said he was excited, while Ron Rivest expressed concern. Bruce Schneier said the current move toward cloud computing is like the computing industry coming full circle. Back in the 70s and 80s, we had underpowered terminals accessing shared computing power, storage, and services on a mainframe. Now, replace “mainframe” with “cloud” and “underpowered terminal” with “netbook” or “mobile phone” and you’ll see where we are.

Personally, I don’t think we did a great job of information security in the 70s and 80s, so coming full circle is not a good thing. Cloud computing must be an area of continued vigilance, concern, and research for the coming years.

What are your thoughts? Tell us in the comments!

How ATM Skimmers Work

April 21st, 2009

Much like most virtual hacks, a few clever people create a very sophisticated tool and a bunch of amateurs (or crime syndicates) use it to commit fraud. Hardware hacks, like this ATM skimmer, are generally more difficult to obtain, more expensive, and can’t be copied and shared as easily as a computer program.

ATM skimmers like those shown in the video require a camera set up to see your PIN as you enter it. Aside from the obvious advice of not using any ATM with loose wires or protruding panels, they recommend shielding the number pad as you enter your PIN. I’d add going inside the bank to withdraw cash whenever possible, but nowadays most debit cards double as credit cards and your PIN is pretty useless as protection: the crooks can simply take the card number read from the magnetic stripe to go shopping online, or sell it to someone else.

Maybe Forgetting All Of Your Passwords Isn’t Such A Bad Thing

April 20th, 2009

All of us are terrible at remembering passwords, which drives us to find convenient ways to make logging on to Twitter, the bank, and other online accounts a bit easier and much less secure. Users combat password fatigue by using the same password for all of their accounts, picking short and weak passwords, or creating weak passwords that merely satisfy complexity rules.

There is a simple way to make the passwords you don’t use often or care about too much a bit more secure than “PoisonRocks1” – like the hair bands of the 80s, just forget about them. Don’t memorize those passwords; reset them each time you need to log in to the account. Before you get alarmed at what I’m proposing, think about it. Most websites will send users a 6-character, randomly generated password upon reset – which is better than 99% of the passwords that users pick.

You can even write all of these reset passwords down on a Post-it note, carry it in your wallet, and just reset the passwords each week or whenever you feel like it. You’ll have a decent password that is constantly changing and not connected to any of your other accounts. (Business managers, you’ll be insulated from outside passwords being stolen and reused on your corporate network, although this tactic won’t work in most business environments unless you want your help desk to handle even more password resets.)

Some websites will only send you a link to reset your own password, or will send the reset password in clear text in an e-mail. In both situations it’s better to create a randomly generated password using an online generator or OpenSSL, and to test its overall strength. Passwords sent in the clear really shouldn’t be trusted, since e-mails are the digital equivalent of postcards, and constantly setting your own password will just cause more password burnout.
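To put numbers on the comparison between a 6-character random reset password and a user-chosen one like “PoisonRocks1”, here is an added example (not the author’s code). It generates a reset-style password with Python’s secrets module instead of the OpenSSL command mentioned above, and estimates strength two ways: the exact entropy of a uniformly random string, and a toy pattern-based estimate for human-chosen passwords. The 20,000-word vocabulary and the per-token costs are assumptions, chosen to resemble how pattern-based strength meters reason rather than taken from any published tool.

```python
"""Strength of a 6-character random reset password vs. a human-chosen one.

Added example. Uses the secrets module (CSPRNG) rather than the OpenSSL command
the post mentions; the pattern-based estimate is a toy model with assumed costs.
"""
import math
import re
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols


def generate(length=6, alphabet=ALPHANUMERIC):
    """Uniformly random password from a CSPRNG, as a good reset routine would issue."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length, alphabet_size):
    """Exact entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def pattern_strength_bits(password, vocab_size=20000):
    """Toy estimate for a human-chosen password (assumption: 20k-word vocabulary).

    Tokenise into words, digit runs and symbol runs. A word costs log2(vocab)
    plus one bit if capitalised; each digit log2(10); each symbol log2(32).
    This is the guessing-order view: 'PoisonRocks1' is two words and a digit,
    not twelve independent random characters.
    """
    tokens = re.findall(r"[A-Z]?[a-z]+|[A-Z]+|\d+|[^A-Za-z\d]+", password)
    bits = 0.0
    for tok in tokens:
        if tok.isdigit():
            bits += len(tok) * math.log2(10)
        elif tok.isalpha():
            bits += math.log2(vocab_size) + (1 if tok[0].isupper() else 0)
        else:
            bits += len(tok) * math.log2(len(string.punctuation))
    return bits


def compare(human_password, reset_length=6):
    """Return (human_bits, reset_bits) for a side-by-side comparison."""
    return (pattern_strength_bits(human_password),
            random_entropy_bits(reset_length, len(ALPHANUMERIC)))


if __name__ == "__main__":
    human, reset = compare("PoisonRocks1")
    print(f"PoisonRocks1 (pattern estimate): {human:.1f} bits")
    print(f"6-char random alphanumeric:      {reset:.1f} bits, e.g. {generate()}")
```

Under this model the twelve-character “PoisonRocks1” comes out below the six-character random string, which is the point of the post: length that comes from dictionary words and a trailing digit buys far less than length that comes from a random generator. The caveat from the post still applies: a random password mailed in clear text is only as private as the mailbox it lands in.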

For proper security you need real two-factor authentication, so that you’re not relying solely on a password (something you know) but on something you have as well (like a smart card). Of course, it won’t help you much if you keep losing your token. For your other accounts, try resetting the passwords and see how the online service handles them. Do they have you click a link in an e-mail to retrieve a new, random, complex password?

Password resets generally rely on e-mail accounts, so you’re only as secure as your e-mail password. I don’t recommend forgetting your passwords and constantly resetting logins for sensitive accounts, just for the ones you don’t care too much about. Besides, if someone does end up stealing your password to some forum or other non-essential account, you’ll be resetting your password anyway.

picture: KaCey97007

Live from the 2009 RSA Conference

April 17th, 2009

I’ll be attending the 2009 RSA Conference next week. I will likely write one or more blog posts while there, so stay tuned. I also plan to use Twitter to post interesting things I come across while there. The following link will let you see all posts by @geminisecurity and/or @pmhesse with the RSA conference hashtag: http://bit.ly/p5BTh

I look forward to connecting with some of you out west. Drop me a line if you have got a few minutes to chat.

Sniffing Networks Part 4: Dsniff and Cain & Abel

April 16th, 2009

This post concludes our Sniffing Networks series (see parts 1, 2 and 3). This part is a little less technical, but I still recommend that you be familiar with the first three parts.

In part 3 of our series, I showed you how to use Wireshark to sniff traffic and hopefully gather some passwords. It’s a lot of digging through a haystack to find a needle. It works, and if you know some of the protocols, you can search for keywords to help you. But if you’re just lazy, there are two excellent tools dedicated to passwords: dsniff on Unix, and Cain & Abel on Windows.

Both tools do a little more than sniffing and support things like ARP spoofing and man-in-the-middle attacks. dsniff is old and not updated much anymore, but it picks up cleartext passwords quite well. Cain & Abel is kept fairly up to date. However, both only deal with protocol-specific passwords (FTP, POP, and the like), so they won’t pick up passwords submitted through web forms. You’ll still have to look for those manually.

Cain & Abel is a whole lot more than just a sniffer; I suggest you play with it. However, what we’re concerned with here is the sniffing capability. If you select the Sniffer tab at the top and the Passwords tab at the bottom, then click the “Start Sniffer” button near the top, you will see any protocol passwords it can capture. For the screenshot, I had to force a cleartext password across the wire, as almost everything on our network is encrypted: I logged into an FTP server anonymously, and Cain & Abel picked that up.

Cain & Abel

As you can see down the left side, there are a few types of passwords that can be picked up.

Dsniff is entirely command-line and doesn’t pick up as many protocols, but it works for most of them. In the screenshot I used the -d option, but it isn’t necessary.

Dsniff

You can see that it can be pretty easy to sniff cleartext passwords, so don’t use them!

285 Million Compromised Records

April 15th, 2009

Verizon Business has released their 2009 Data Breach Investigations Report [pdf] and an accompanying blog post.

2008 was a crazy year in the world of data breaches… The percentage of breaches in our caseload involving financial service organizations, targeted attacks, and customized malware all doubled in 2008. It’s sure to win me the “Captain Obvious Award” from the Securitymetrics list, but organized crime activity increased and was responsible for over 90% of the 285 million records compromised.

The report is sure to be a good read. We linked last year’s report, and this year’s has some improvements: it is based on more data, collected more often, and goes into a lot more detail than the previous report. 285 million is a lot of compromised records. I wonder if mine was one of them.