There are a number of components to this malware that are interesting.  The malware includes rootkit drivers that were digitally signed using valid certificates from Taiwanese chip manufacturing companies, RealTek and JMicron.  It is currently believed that these certificates were stolen and the certificates have since been revoked.  The kernel mode rootkit includes functionality to hide the files used in the attack on the system and to load a dynamic library file (DLL) that contains a number of other files and functionalities.  Complete analysis of the inner workings of all of the files is on-going.

This is a serious threat to all Windows users, the malware checks the infected system to see if it is running Siemens Simatic WinCC or PCS7 products.  If the infected system is running either of these products, the malware automatically uses a default password that is hard-coded into the software.  Once the malware has access to the control system software, it issues SQL queries against the Microsoft SQL database to gain access to the industrial designs the system is responsible for.  Siemens has information on their support site3 about the impact to their software.  In other words, it appears that the primary function of the malware is to gain access to and steal industrial and control system designs.  The perpetrators behind the malware are not currently (publicly) known.  However, over 90% of the impacted systems have been isolated to three countries: India, Indonesia, and Iran4 .  It is possible that these countries were specifically targeted by the malware. After careful data mining it is my observation that Automatic Updates should be turned off on XPSP3-Vista- and Windows 7. Email me here for the monthly newsletter, or check out the RSS Feed here. This site is mobile phone compatible.

Show me a a design error and I'll show you a hole.

-RF

In most organizations, the only method of authentication by which users identify themselves to computer systems is the password. The concept of passwords has been around for decades and, while not perfect, it’s cheap to establish and easy to support.

To gain maximum security you need a company-wide password strategy. In practice this will be a mix of management, education and technology. Management and education techniques can be used to stress the importance of having a sensible password policy, and technology can be used to enforce it. Windows 2000 and XP, for example, have a Local Password Policy setting, which allows you to specify how often a user must change their password, the minimum length for the password, whether the password must be forced to meet complexity requirements, and how many previous passwords the system will remember to prevent users recycling them from a list rather than thinking of new ones each time. More details are in Chapter 9. If you select the option that requires passwords to meet complexity requirements, this causes Windows to ensure that a password selected by a user:

1. Is at least six characters long.

2. Contains characters from at least three of the following categories:

   • English uppercase characters A–Z

   • English lowercase characters (a–z)

   • Digits 0–9

   • Non-alphanumeric characters such as $, #, or %

   • Unicode characters

3. Does not contain three or more consecutive characters from the user’s account name.

Whether to enforce complexity, and how often you should force users to change their passwords, is a complex decision. While frequent changes and complex passwords would at first glance appear to be more secure than passwords which rarely change and are easier to remember, human nature means that reality is quite different from the theory. The biggest problem with passwords is that users forget them. This causes difficulties for companies that rely on them, because technical support staff spend most of their time resetting forgotten passwords rather than helping people with real problems or doing long-term work to improve the system. The more complex a password, and the more often it changes, the more often it will be forgotten, and the more often it will be written down by users who are frightened of forgetting them. Beware, therefore, of making your password policy so complicated that you actually weaken security, because a password that’s written down isn’t really providing you with any security at all.

If you don’t currently have a policy for dealing with people who claim to have forgotten their password, then this should be defined as part of your password policy. A common technique used by hackers, especially those well-versed in the art of social engineering (which we’ll cover in Chapter 34), is to pass themselves off as a member of your staff who claims to have forgotten their password. So, your policy needs to ensure that:

1. Only a handful of duly authorized people are able to reset passwords.

2. A user is only ever advised of a reset password in writing to the address that you have on file, or in person. Never over the telephone.

3. A user who is given a new password in person must produce some form of identification if they are not known to the person who is handing out the password.

4. Someone who forgets their password is not criticized or penalized, or they’ll start writing it down so as to prevent it happening again.

5. Administrator passwords should only ever be used when their additional functionality is required. At all other times, administrators should use their standard user-level passwords. This helps to avoid data loss caused by mistakes that would otherwise have been prevented, and reduces the amount of time available to a hacker who might be trying to intercept or otherwise discover the administrator’s password.

6. Employees must never be allowed to use each others’ passwords, even if both employees are afforded the same access privileges, because it is imperative that your log files can be relied upon to provide an accurate record of which actions have been taken by which person.

7. Ensure that passwords are not duplicated across systems. It’s common for administrators to set themselves up with the same password on every machine they look after – this should be discouraged.

8. Change administrator passwords frequently. If an administrator leaves the company, all of the passwords to which he or she had access must be changed within an hour.

9. There must be no exceptions to these rules, ever.

A talented and certified security oficial understands that there is no such thing as the typical cracker. Sure, most of them operate via the internet at weird hours of the night and don’t have the social skills to inveigle their way into buildings. But not all crackers fit the typical mould. While the curious student might not wish to attempt to enter your building, someone who’s carrying out some industrial espionage on behalf of your competitors just might. And modern technology means that the unwelcome visitor needs just a couple of minutes alone in an unmonitored part of your building to do what he has to do.

Unauthorized Actions
Once the intruder has entered your building, he has a number of options at his disposal. If he can find his way into an empty meeting room and find a spare network socket, he might plug a wireless access point into it. He can then continue to probe and attack your network at his leisure from anywhere within a few hundred feet. If he manages to gain access to an employee’s PC, he might install a keystroke logger that he can then interrogate remotely via email in order to read private correspondence or steal passwords.

If he has a USB flash drive, he might use some social engineering skills to copy information from a PC onto the drive. Such as posing as an IT technician who needs to install an updated network driver on the PC to cope with a forthcoming system upgrade, and he just happens to have a copy of the driver on his flash drive.

Remember that all MP3 music players, Externals, Cameras, IPODS, Network Printers can also be used as portable disk drives, to which can be copied any type of data file. A visitor who asks permission to plug his mobile phone into the USB port of one of your PCs in order to charge a flat battery might actually be running a program that silently copies documents to the phone’s memory. Programs to do this are widely available on the internet, including one for the iPod called ‘Slurp’. Install the software on your iPod music player, plug it into any handy PC, and no one is aware that you are not listening to music but that you are simply watching the device grab copies of all the files on the computer.

If the cracker can’t find a handy PC or network socket, all is not lost. The paperless office was first mooted many decades ago but has failed to materialize, so hackers can be fairly confident that they will find a plethora of printouts lying around, some of which might be of particular interest. Most mobile phones and PDAs nowadays include megapixel cameras that are quite capable of producing a readable image of a printed sheet of paper. Waste bins are a particularly good source of interesting printouts, and sheets that have been torn in half are always bound to contain particularly interesting data (go on, admit it, you do that too).

On the face of it, penetration testing is a fairly simple process. You employ a firm of security consultants to hack into your network using whatever means they wish. This is done on the understanding that the testers don’t damage anything, don’t divulge what they discover to any third parties, and they produce a report for you that identifies the holes in your security and explains how to plug them. A contract is always required for this test.

Almost all large organizations in both the private and public sector undergo penetration tests on a regular basis (typically once every year or two). The event offers an unparalleled opportunity for the organization to find out the true state of its IT security. But the whole exercise is not without its problems, most notably regarding cost and trust.

Employing a penetration testing company (sometimes known as a Razor Slice) is not cheap. Even the smallest company, expect to pay a few thousand dollars. But it’s always money well spent because it results either in reassurance and peace of mind, or huge relief that the main loopholes in your security have been discovered by good guys, and that you can fix them before it’s too late.

Finding a reputable penetration testing company is difficult. Some companies specialize in the practice, or at least are specialist security consultants. Others are more general management consultancies or even accountants, who have realized that there’s money in IT security and have recruited some techies. Of those who actually carry out the testing, many are ex-hackers who learned their skills on the job, while some are much more academic and have honed their talents by reading textbooks and practicing on their own test networks in computer labs. All of which leads to a dilemma. Do you choose ex-hackers, who will do a good job but might not be trustworthy? Or do you choose accountants, who are probably trustworthy but possibly not as skilled?

I suggest that you choose the specialist security consultancies rather than the opportunist accountants. Don’t worry about them using ex-hackers, so long as they are well-managed. Most importantly, get personal recommendations from colleagues and counterparts. Next time you’re invited to a sales seminar by a security company, take the opportunity to go along, even if you’re not particularly interested in the products being marketed. Such events are a great way to meet fellow delegates who have similar problems to yours, and an informal chat with such people over lunch or coffee will yield more useful information than reading a thousand white papers and brochures on the Web.

Providing potential crackers with clear evidence of your security systems makes good sense and is a useful deterrent. But there’s also another option, known as Security Through Obscurity (STO), which takes a completely different approach. In STO, the mere existence of the protected system is the secret and so there is no need to provide any additional security.

A good example of STO is that of leaving a spare door key under the mat or inside a flower pot. There’s no need to protect the key any further, because no one except the owner (and anyone who has been told of its existence by the owner) will know that it’s there. Another example that appears regularly in fiction is the secret doorway disguised as a bookcase. Pull on a particular ‘book’ in a certain way and the shelves magically revolve to reveal a hidden passage. The door is never locked. It doesn’t need to be, because no one knows it exists.

Security Through Obscurity is often used to protect information systems. For example, a company’s Web site that provides information for the public might also contain some private pages for employees only. Yet instead of adding password protection to the staff-only pages, they are simply hidden behind an obscure URL. I even know of Web sites that use similar techniques to hide not just private information, but also the editing facilities – anyone who knows the secret URL can change the content of the site.

Security Through Obscurity is a much-used technique because it’s quick and easy. Implementing this form of security means not having to implement any security at all, and simply hoping that the crackers won’t discover your secret. The fundamental problem with this approach is twofold: first, there’s a chance that the crackers will discover your secret. Secondly, and much more important, you won’t realize that your secret is out until it’s too late. Until the content of your Web site changes, or someone breaks into your house, or someone finds your secret passage.

There are plenty of tools available to help crackers defeat STO security, the best-known of which is the humble search engine. By entering the correct incantation into Google, for example, the hacker can find URLs that include a folder called admin. He then surfs to that directory in the hope of being presented with an admin menu and not being asked for a password.

One further example of STO is the Caesar Cipher, a primitive form of encryption dating from 2000 years ago in which each letter of the plaintext is substituted with a letter that is three positions later in the alphabet. A becomes D, B becomes E and so on, and thus computer becomes frpsxwhu. At first glance, the code appears uncrackable, but a little investigation and experimentation will uncover the secret and then open up all the information that has ever been protected using this method.

Compare this with a conventional modern-day encryption algorithm which depends on highly complex mathematical formulas which would take many years for even the most powerful computer to solve. Everyone knows the secret but they simply don’t have the resources to solve it. Back in the real world, this is like leaving your spare key under the mat of a house a couple of miles away. Anyone who finds it will know what it is, but trying to discover which house it fits is simply not practical.

Two printed copies of the policy should be given to every staff member as soon as possible after they join the organization (ideally on day one). The staff member should be asked to sign one copy, which should be safely filed by the company, and keep the other for their records. No one should be allowed to use the company’s computer systems until they have signed the policy in acceptance of its terms.

A written policy, and a requirement that all staff sign it, may at first appear rather draconian, which is probably why many small and medium companies tend not to have one. But such a document really is a central component of any successful campaign to increase medical office security.

Without a written policy, staff will be unaware of the rules. How can you discipline someone for inappropriate use of the Web unless everyone is in agreement as to what constitutes inappropriate use? Equally, staff need to be made aware that activities such as sharing passwords are dangerous and that they face disciplinary action if they do it. By putting their name to a written document, the rules are clear and unambiguous to all.

If you don’t currently have a policy, you should draft one as a matter of urgency. If you have one but it’s not been revised for some time, now might be a good time to retrieve it and ensure that it is up to date. For example, does it cover the use of technology such as USB flash drives or copying MP3 files from company computers to personal players?

It is not normally necessary for staff to sign a new copy of the policy each time a minor amendment is made. The policy should contain a clause that ensures that staff are aware that there may be a more recent version of the document on the internal Web site and that this will take priority. You may also wish to send out a bulk email to all staff each time the document is updated, which highlights the amendments.

Persistent cookies solved this problem. They allowed a site to recognize a surfer permanently by transferring a text file with a unique ID tag to the visitor's hard drive, matching a file on the server. On subsequent visits, the browser automatically handed this cookie over, allowing the site to pull up their matching cookie. Now cookies could persist for years.Both temporary and permanent computer cookies can be used for many helpful purposes. Automatic registration logon, preserving website preferences, and saving items to a shopping cart are all examples of cookies put to good use. But permanent cookies also resulted in unanticipated uses, such as Web profiling.Websites began keeping track of the surfing habits of its visitors, using computer cookies to log when an individual visited, what pages were viewed, and how long the visitor stayed. If he or she returned at a later date, the visitor’s cookie triggered opens the log of previous visits and was amended to include the new visit. If personal information was offered on any of these visits, name, address and other information was associated with the "anonymous" ID tag, and consequently, the entire profile.Marketers developed an even greater advantage for cookie profiling. Having advertising rights on several hundred and even many thousands of the most popular websites, marketers could pass third-party cookies to surfers and subsequently recognize individuals as they traveled across the Web, from site to site, logging comprehensive profiles of people's surfing habits over a period of months and even years. Sophisticated profiling programs quickly sort information provided by computer cookies, categorizing targets in several different areas based on statistical data. Gender, race, age, income level, political leanings, religious affiliation, physical location, marital status, children, pets and even sexual orientation can all be determined with varying degrees of accuracy through cookie profiling. Much depends on how much a person surfs, and where he or she chooses to go online.

As a result of public outcry in response to surreptitious profiling, cookie controls were placed in post 3.x browsers to allow users to turn cookies off — options that were not available in 1995 when permanent cookie technology was first embedded into browsers without public awareness or knowledge of how they could be used. Cookie controls also allow user-created lists for exceptions, so that one can turn cookies off, for example, but exempt sites where computer cookies are put to a useful purpose. Third-party cookies often have their own controls, as they are normally tracking cookies placed by marketers. Cookie contents are encrypted and are only readable by the site that placed them.

1. Step 1-> On the right hand side of the browser look for the word "Tools." Click on the arrow on the right hand side of "Tools."

2. Step 2-> Scrolls down to "Toolbars" and verify that "Menu Bar" has a check mark. If not, simple click on "Menu Bar."

3. Step 3-> You will now see the menu bar right on the upper left hand side. Click on "File" and scroll down to "Import and Export."

4. Step 4-> Select "Export to a file" and hit next. Select "Favorites" and then hit next.

5. Step 5-> You will see that "Favorites" is now highlight. Double click on "Favorites" so the everything below "Favorites" collapses into the "Favorites" folder and hit next.

6. Step 6-> You will see that the file name is called "bookmark.htm" and the file location will be "My Documents." Click Export and then finish.

7. Step 7->Copy the file "bookmark.htm" to an external hard drive or flash drive. (You can also upload them to your gmail account)

1. Boot the machine into safe mode

2. Take the extra.dat file mcafee is providing and load it into c:\program files\common files\mcafee\engine

3. Copy svchost.exe from c:\windows\servicepackfiles\i386\svchost.exe to c:\windows\system32\svchost.exe and c:\windows\system32\dllcache\svchost.exe

4. Reboot

This should remove the faulty signature and replace the damaged svchost from the the servicepack files. This test has been tested and work!