I grew up listening to the Royals on the radio almost every night. Those were the days when the Royals were almost always in contention for the top spot in their division, led by players with names like Otis, Rojas, White, Brett, Mayberry, Busby, and many others. That does not seem to be the case now…

I keep wondering how this can happen? Last night it came down to pitching and hitting. The Twins kept hitting everything that the Royals threw, and the Royals didn’t. Someone on the Twins roster hit his very first major league home run – and it was a grand slam! (not good) The inability of the Royals over the past 20 years to regain their former status comes down to execution by players and management.

Now, let’s take a leap over to the information security things that I normally write about.

Last night’s loss illustrates an important point that we all should remember. Unless we are diligent, it is easy to allow gaps to appear in what we are doing to protect our networks and important information.

Just as there was a huge gap last night between what the Royals didn’t do and what the Twin did do, so there is often a big gap in our protection measures. We get busy doing stuff, and allow little holes to appear.

This easily happens regardless of industry. There are federal regulations and industry guidelines to help us do the right thing. But if we don’t regularly evaluate what we are practicing, then gaps appear.

• How long has it been since you have reviewed your firewall configuration?
• How about reviewing your logs for suspicious activity?
• When was the last time that your policies were reviewed? Do they still fit your organization?
• Is your patch management plan being followed?
• Are you doing vulnerability assessment? How about pen testing?
• How do you ensure that your software developers are baking good security practices into their code?

Thought should be given to these, and many more, questions about your security practices. The Bad Guys are constantly looking for gaps in your coverage.

Don’t let yourself develop gaps that are too big and costly to overcome. Don’t have a game like the Royals did last night.

- Dan

Even more alarming is that a tool to exploit this vulnerability is to be released at Black Hat 2010 in just a few days.

What can you do to protect yourself from this exploit?

1. Change the administrative passwords on your routers. All of your routers come with a well-known default administrative password. You should connect to the router and make sure that you are not using the default. You should also use a complex password.
2. Disallow remote administration of the device. Many routers allow administrative access from the Internet. This should be allowed only in rare and well-defined situations. Although this is not directly related to the DNS rebind problems, you should still verify this setting.
3. Upgrade the firmware to the latest version available from the manufacturer. Most manufacturers put out updates to the firmware that is running on their routers. If you are not running the latest version of the firmware for the router, go get it from the manufacturer’s website and do the upgrade. This will protect you from other attacks.
4. If you are using wireless, be sure to use WPA2 to protect your wireless connections. I hope you are not using WEP. Using WPA2 is much better. (A technical explanation is beyond the scope of this post.)

These steps will minimize the attack surface on your devices.

Good luck!

- Dan

I have used the Big Names in the past – Norton/Symantec, McAfee, Webroot – and they have provided the necessary protection. I have also used the Free ones – AVG, Avast, MS Security Essentials – and they also have worked.

So, why did I decide to use a relative newcomer?

1. It is lightweight. This doesn’t mean that it cannot handle the big problems, but rather that it uses a small amount of memory and processing cycles to do the job. Some of the Big Names just suck up more of the computing power than I like.
2. Sunbelt offers a home site license. For $49/yr, I can use it on as many Windows computers as I have at home. Right now that is 4 physical machines and another three virtual machines – all for $49/yr.
3. Tech support and help with virus removal is included in the cost of the product. For many non-technical home users, the removal of a virus is extremely difficult. Sunbelt includes tech support to help with this.
4. A robust firewall is included with the product. I know that every version of Windows since XP sp2 has included a firewall. But I have found that the firewall included with VIPRE offers flexibility greater than the normal Windows firewall.
5. In addition to the home product, Sunbelt has an enterprise version of VIPRE. I’ve not worked with it yet, but this is a Good Thing.

Get yourself the 30-day, fully functional trial of VIPRE. I think you will be pleased with the cost (both $$$ and cpu cycles), as well as the protection.

- Dan

7 Reasons Websites Are No Longer Safe – Network World

And so that you don’t have to read the long version, here is the short version…

1. Polluted ads
2. SQL Injection attacks
3. User-provided content
4. Stolen site credentials
5. Compromised hosting service
6. Local malware
7. Hacker-engineered fakes

Information technology professionals should take the time to understand each of these attack vectors. Users should look at this as an opportunity to increase their awareness.

- Dan

While this was limited to sites that, admittedly, have little measurable business value, what if it was a business-critical site that was knocked off-line?

Now, stay with me while we take a bit of a leap…

Many small businesses and individuals are moving to “cloud computing”. Working documents are in the “cloud”. Software as a Service (SaaS) is finally starting to take off.

Now, if the “cloud” and SaaS provider that you are using are being hit with a DDoS, what plans do you have for your business?

Lessons for the small business…

1. Know the risks associated with your technological model – in this case “cloud” vs local.
2. Make your DRP/BCP include plans in the event your providers are unavailable.
3. Finally, know what response you will have if your providers never return.

Here’s hoping you have a weekend full of availability!

- Dan

UPDATE: The reports now are that many more sites were affected as a result of targeting ONE user (from cnet.com) !

This came across Twitter this morning. If you have any interest in cyberwarfare and the implications, you should read this. According to the article, this was scrapped, but yet many aspects are still classified.

The plan was to use a cyberattack to freeze financial assets of Saddam Hussein.

Take a look at this…

“We knew we could pull it off — we had the tools,” said one senior official who worked at the Pentagon when the highly classified plan was developed.

The U.S. Government had the technology and abilities. Later it is revealed that the attack was not authorized because of fears over worldwide financial fallout.

It seems like the prudent course of action was taken here. Just because you can do something doesn’t mean that you should.

- Dan

“Dripping with irony” is how Network World magazine describes this situation.

The lesson for the small business is that regardless of how advanced, or secure, your organization is, there needs to be constant vigilance.

You don’t want to be the next company that has a major breach with a loss of customer information or intellectual property.

- Dan

I’ve never really thought USA Today was a bastion of InfoSec news, but they have a report here that gives a basic understanding of what is going on.

It is evident that the information is not complete. Unnamed sources that are “not authorized” to speak are providing sanitized information.

I would expect there to be more information coming out a little at a time.

UPDATE: Information is starting to come out http://www.google.com/hostednews/ap/article/ALeqM5icTKBW9_fm-oKDzns75BI-ykokSwD999UN580.

My plan is to use this as an opportunity and reminder to revisit our plans and procedures in the event any of our computers are a part of a botnet, or in the event our organization becomes a target.

Steps I plan to take specifically for this threat:

• Work with ISP to make sure that they are filtering DDoS at their routers for traffic that is headed our way.
• Verify that all of our computers have current antivirus running and that signatures are current.
• Force an AV scan on all workstations.
• Force an AV scan on all servers using a secondary AV engine.
• Monitor in-bound traffic closely and pay attention to alerts.
• Notify Management of the situation if anything begins to develop.

Sleep tight, y’all.

- Dan

Taking over the Torpig botnet

This botnet is used for the normal activities of harvesting sensitive information from computers that are controlled. Using Domain Flux, the botnet generates lists of servers for drive-by spreading by using information from Twitter trends. Pretty clever.

If you are interested in the details, be sure to download The Report.

Thanks to my bro, Steve for pointing this project out to me.

- Dan

Yep, they will fire up Google and do a search.

It is good practice to periodically search for yourself on Google. Be sure to include any variations on your name.

Here’s what I would use…

• “Dan Strom”
• “Daniel Strom”
• “Daniel L Strom”

There are some other variations, but I never go by those, so I would not check them.

This might be a particularly wise thing for college students to do, especially if they are looking for a job.

So what do you do if the search returns some pages with inaccurate, or not-so-nice information about you?

• You can contact Google to have the search information purged from their indices.
• You can also contact the authors of the pages to request that they remove the information.
• In the event of serious libel, an attorney specializing in Internet issues might need to be found.
• If nothing else, at least you now know what is out there and you can be ready to address the issue if it ever arises.

So, here’s the warning. Information put on the Internet is available even after it is removed. The Wayback Machine has historical views of many pages on the Internet.

The final bit of advice is that you need to be careful about the information you choose to put on the Internet about yourself. But, you also need to be diligent in checking what others have put out about you.

What else can you think of to protect yourself?

- Dan