Most folks will not understand (or even care about) the details of the recently reported DNS rebind vulnerability. But this problem affects many of the low-end cable and DSL routers that are used in homes and small businesses.

Even more alarming is that a tool to exploit this vulnerability is to be released at Black Hat 2010 in just a few days.

What can you do to protect yourself from this exploit?

1. Change the administrative passwords on your routers. All of your routers come with a well-known default administrative password. You should connect to the router and make sure that you are not using the default. You should also use a complex password.
2. Disallow remote administration of the device. Many routers allow administrative access from the Internet. This should be allowed only in rare and well-defined situations. Although this is not directly related to the DNS rebind problems, you should still verify this setting.
3. Upgrade the firmware to the latest version available from the manufacturer. Most manufacturers put out updates to the firmware that is running on their routers. If you are not running the latest version of the firmware for the router, go get it from the manufacturer’s website and do the upgrade. This will protect you from other attacks.
4. If you are using wireless, be sure to use WPA2 to protect your wireless connections. I hope you are not using WEP. Using WPA2 is much better. (A technical explanation is beyond the scope of this post.)

These steps will minimize the attack surface on your devices.

Good luck!

- Dan

Fred Langa with Windows Secrets has written about his experiences with Microsoft Security Essentials (MSE) running on Windows 7.

http://windowssecrets.com/2010/05/06/01-The-120-day-Microsoft-security-suite-test-drive

Important points…

• Use firewall, filters (in browsers & email), and anti-malware.
• Products from Microsoft are finally easy-to-use for normal users.
• MSE can be configured to be very unobtrusive.
• MSE will frustrate advanced users, or those who need more complex customization.

Personally, I’ve had MSE running on a virtual machine that I use every day, and have been pleased. It is lightweight in it’s use of system resources.

It seems that for most home users who are running Windows 7, there is no need to purchase a security suite.

- Dan

For most folks, FREE is a word that they makes their ears perk up.

Microsoft Security Essentials is a FREE anti-virus and anti-spyware offering from Microsoft. They bill it as a light-weight product that has a smaller footprint than commercial products. It is intended for the home user. It can be found at www.microsoft.com/security_essentials/

Obviously, it runs on the Windows platform. You’ve no doubt noticed the Mac bias from other posts. My interest comes from supporting the XP Pro notebook my wife uses and the Vista Home Premium notebook that one of my son’s uses. Other extended family members also use Windows.

The installation was amazingly simple. But, before the install, you should uninstall any other AV products you may be running. Go to the Security Essentials site and download the installer. Double-click on the downloaded installer program and follow the prompts. When the install is done, Security Essentials does an update of the signatures, and then you are encouraged to do a complete system scan. That takes a while.

The scan produces a report of any threats that are detected on your computer.

The Security Essentials console is arranged in a reasonable fashion. There is the Home tab which gives a quick overview of the state of AV protection on your computer. The Update tab allows you to force an update of signatures. The History tab let you see what threats have been found and the action that was taken. Finally, the Settings tab allows for modification of behavior of Security Essentials. The defaults are reasonable.

Following installation, I noticed that there are two new processes using memory. On my test XP Pro test machine, msseces.exe uses 11,820K and MsMpEng.exe uses 70,052K.

Very few CPU cycles are used when doing real-time protection. But, you will notice a performance impact when a full scan is running. This is similar to what you would experience with other products.

In summary, Microsoft Security Essentials was very easy to download and install. I found it simpler to use than competing free products like AVG Free. Several independent labs tested the efficacy of the product during the beta period. They all report sufficient detection and remediation of threats.

So, if you have a Windows XP, Vista or 7 computer at home and don’t want to spring for a commercial product, it looks like Microsoft Security Essentials is a winner!

- Dan

Sorry to bring this up, but your computer is not perfect. Neither were the programmers who wrote the programs. Neither were the dude’s who designed the hardware. And of course the user is not perfect!

Patches and Updates are used to correct programming errors and fix vulnerabilities in the software.

It is difficult to keep up with the vulnerabilities that are found for Windows, OS X and all the programs that are running on them.

So, today’s tip is to use the automated facilities of Windows and OS X to automatically update the operating system and applications.

To enable this in Windows, go to the Control Panel and look for Automated Updates.

For OS X, go to the System Preferences application and open Software Update.

Both Windows and OS X allow for the computer to download the updates on a set schedule. When you are notified of updates, you should let them install.

It’s convenient to just turn on your computer, go get a cup of coffee and have the desktop waiting for you when you come back. Right?

But do you realize that you are putting your sensitive data at risk when you do that?

What if you lose your computer? One barrier to the Bad Guys accessing your files is removed. I can think of countless scenarios similar to this.

If you are running Mac OS X, here are the steps to turn off automatic login…

1. Open System Preferences and then open the Security pane.



2. Put a check mark beside “Require password to wake this computer from sleep or screen saver”, and also put a check mark beside “Disable automatic login” for all accounts on this computer.

What about Windows XP or Vista? First off, you need Local Administrator rights to make this change. Second, if you are joined to a Domain, then by default your auto-login is turned off and this is managed by the Domain Administrator.

Here are the steps to turn off automatic login in a Windows XP and Vista environment…

1. Go to Start… Run… and then type control userpasswords2 in the Run… box and hit enter.



2. Put a check mark in the box beside Users must enter a user name and password to use this computer. Click Apply, then OK.

That’s all there is to it! Pretty simple, and greatly increases the security of your files in the event you lose your computer, or someone without permission turns your computer on.

- Dan

We’ve all let things slide. You have. I have.

Like the auto mechanic with bad brakes on his car. Or the home remodeler who never quite finishes the woodwork. Or the InfoSec pro who occasionally doesn’t follow his own advice!

Here is a list of some of the things I have advised others to do that I have occasionally not done – and that have caused me grief!

Clicking on unexpected pop-up windows – Yep, I’ve fallen for this one a couple of times. One time it resulted in a virus infestation that was a bugger to clean. Another time I clicked on a pop-up and suddenly my screen began filling with other pop-ups containing images of things that I’d rather not discuss here!

My remedy is two-fold. First, I turn the pop-up blocker on for each browser that I use. Second, if for some reason a window pops up, I generally just close it without clicking any of the buttons. Funny thing is that I use a Mac and most pop-ups are made to look like a Windows dialog box. It’s pretty easy to tell if it is legitimate, or not.

Assuming people know what I’m talking about – I have had many people ask my opinion or help with computer security issues. I used to give a very complete, and often highly technical, answer. The result of this generally is that eyes roll or glaze over and they say something like, “ok, yeah, Uh-huh”, but they really got lost about 10 seconds into my speech.

So, now I try to give answers that are simplified with one or two steps that can be taken immediately. Sometimes I even pull out a business card and write the steps down for them.

Outdated anti-virus – In another post, I made reference to a time when I had a worm that compromised my personal banking information. That was a result of outdated anti-virus on my computer.

I now ensure that the anti-virus software is current with both the application and the virus signatures. In addition, I make sure that anti-spyware software is also running as it should. At some point in the future, these two malware solutions will probably merge, but until then, they must both be kept updated.

Not patching the OS – This is kind of like polishing your shoes. You can see that it needs done, but it is hard to make the time to get it done. But, these patches are important. I used to think that I could manage this on my own and that I needed to let every patch have some time before I put it on my personal computers. But not any more. Too much malware is easily spread when the patches are not applied.

Now I have Automatic Updates turned on for each of my Windows computers. It is set to download the updates, and then install at night. This also covers my Microsoft applications that are installed. On my Mac computers I make sure that Software Updates are enabled and that each application is set to check for updates automatically.

No backups – This one hit me hard a few years ago. I had just converted to a digital camera and had all the new photos stored on a computer at home. It was a new computer and I kept thinking that I would get around to setting up a backup system. I never to this done before the drive crashed and I lost nearly a years worth of family photographs.I learned my lesson.

Now I use Time Machine backups on my Mac, and Shadow Copy on my Windows boxes. With both of these I really don’t have to think too much about backups, just periodically check to see if they are still running. No only are they good if there is a drive crash on the computer, but I can go to my Time Machine backup to recover a file that might have been accidentally deleted.

So, as you can see, I have made my share of mistakes. Learn from them. As Edmund Burke said, “Those who don’t know history are destined to repeat it.”

Don’t repeat the history of my mistakes!

- Dan

So, by now you’ve realized that you really should provide some content filtering of your Internet connection. A reasonable first-step is to configure your connection so that you are using OpenDNS as your DNS service. It is very simple to start using OpenDNS…

If you are serving DCHP to your internal network from a router, you should simply change the DNS entries from what is supplied by your ISP to the OpenDNS addresses – 208.67.222.222 and 208.67.220.220. This simple configuration change is all that is required for most home, and many small business networks.

If your network is configured for split-DNS, then you should configure the internal DNS server so that it forwards to the OpenDNS addresses for external resolution.

To gain the greatest advantage from using OpenDNS, you need to create an account that is linked to the IP address of your network. Most often this is the IP address of the external interface of the router. OpenDNS is located at www.opendns.com. Select Start using it now… and you are allowed to create your account and specify your IP address to OpenDNS.

Once the account is created, go to the Settings tab. You will see the screen where you have the option to select the filtering level. The filtering levels are defined as:

• High – Protects against all adult-relates sites, illegal activity, social networking sites, and general time-wasters.
• Moderate – Protects against all adult-related sites and illegal activity.
• Low – Protects against pornography and phishing.
• Minimal – Protects against phishing attacks.
• None – Nothing blocked.
• Custom – Choose the categories you want to block.

Apply the settings and your network will be using OpenDNS for Internet content filtering.

Customization of the filtering level is allowed. You can whitelist certain domains so that they are never blocked. Likewise, you can blacklist certain domains so that they are always blocked.

Obviously, your network may be more complex than what is presented above. If you don’t have someone available who knows how to properly configure DNS, the OpenDNS folks have several help documents ready for you to read.

That’s about all that is required. I hope that it works well for your organization.

- Dan

Last time we discussed the need and benefits of implementing Internet content filtering. Now, we will look at some of the options available for a business or home to implement filtering and which options are best suited. Please keep in mind that this is not designed as a purchasing guide or product evaluation. It is more designed to give an idea of the possibilities.

Option 1 – Dedicated appliance

This option uses a dedicated appliance to do the filtering. A common configuration is for the filtering appliance to be installed in-line on the segment between the firewall and the protected network. This forces all traffic to pass through the device. Content inspection takes place as packets pass. The following are two examples of dedicated content filtering appliances.

• St.Bernard iPrism
• Barracuda Web Filter

Dedicated appliances may be considered reasonable for small organizations who do not have the manpower to manage a dedicated server. An advantage of this option is that it is independent of the OS used on the client machine. No software is installed on the client.

Option 2 – Dedicated server

Dedicated servers is the option chosen by organizations needing a high-level of control over the filtering. They consist of software that is installed on either a Linux or Windows server. Often they use software that “proxies” the connection from the workstation to the web site. Here are some examples of software that requires a dedicated server for content filtering.

• Dan’s Guardian
• SafeSquid
• WebSense Web Security Gateway

The dedicated server option requires an administrator that is knowledgeable of hardening the underlying operating system and can manage the software installation. This option also is independent of the OS used on the client machine. No software is installed on the client.

Option 3 – Host-level software

This option is a common personal solution. Software is installed on the client computer. It requires a separate password to make changes to the filtering level. The following are well-known examples.

• NetNanny
• CyberPatrol
• bSafeOnline
• SurfWatch

This option is best suited for the home or individual. It is dependent on the operating system of the computer.

Option 4 – Filtering services

This is fairly recent option. These services require a change to your network settings so that your requests for web pages are routed through their service. They seem to work pretty well.

• Google Apps Security Service
• OpenDNS.org

The advantage of using filtering services is that someone else is configuring and running the servers. Also, no software has to be installed on the client computer. The primary disadvantage is that this filtering solution can be straightforward to bypass if a user has complete local admin rights to their computer, and they know basic tcp/ip.

I hope this discussion helps clarify the options.

- Dan