When I started at UMW, as Director of IT Security in 2007, I had planned to remove computer administrative rights from staff, because they are more likely to access sensitive data, but continue with faculty having full control of their computers. My viewpoint aligned with VITA’s policy as well. Since that time both VITA and I have changed our minds. VITA explicitly removed the faculty exemption in June of 2008. At first I didn’t agree with their decision to limit a professor’s computer access, but now I do.

The Conficker/Downadup worm did a number on UMW, and it is probably still doing damage. Infections spread through departments across sections of  the network. There were over 100 known infections and it took DoIT, myself included, over 3,000 staff hours from mid November 2008 through April 2009 to attempt to clean some of these machines. I used to be very confident in my ability to remove viruses, but this worm is very insidious and it installs various other pieces of malware. Part of Conficker’s business model is to get a fee for each instance of malware it installs for clients. Machines of which I was certain were clean would then be reported by REN-ISAC as still containing malicious code.

Viruses have become more sophisticated. In fact, there is malware that can infect the BIOS which means wiping the drive has no effect. What is the best defense against such an attack? Don’t give it the ability to install in the first place. Anti-virus software alone is not enough because the code writers will just tweak the software until the latest definitions can be bypassed. Not surfing the ‘net or reading e-mail with administrative rights is the best protection, and if only everyone would color within the lines of that limitation.

That being said, I completely agree with UMW’s mission and I do not want to stifle academic freedom, especially being an adjunct for three semesters. I worked on several ways to attempt an alignment between security and convenience. You may have seen this page which allows the Help Desk to remotely do administrative tasks, avoiding the need for someone to make a trip to, or from, George Washington Hall.

Another option that I recommended was virtualization. One could have a virtual machine to use as a sandbox and have complete admin rights to it. An argument against that was “Couldn’t that still allow an infected machine on the network?”, and the answer is “Yes”. However, a virtual machine would not be a ‘member’ of the network and should not have the same access to sensitive resources, such as Banner, as a domain machine, and passwords on the VM should not match production passwords. VMs don’t usually run all the time and are often shut down reducing the spread of infection. Infected VMs are easier to replace than infected hardware and the non-physical BIOS can easily be cleaned.

Virtual machine snapshots allow one to return the VM to a known state. I use this technique when research, as a certified ethical hacker, is likely to take me to malicious sites. When done I revert to the previous point and all changes in the VM, including malware, are completely removed. If teaching a class, and encountering an obstacle requiring admin rights, a professor could install the needed application into a virtual machine, that is if assistance from DoIT was not readily available. Faculty at CGPS do not have local admin rights on any of the lab/classroom machines and virtualzation is used often by both students and professors.

The ‘admin rights for faculty compromise’ that DoIT came up with was to create local admin accounts for those requesting such access and demonstrating a need for this capability. This compromise is still a violation of VITA policy, but an exception could be made.  However, my experience has seen little understanding from that organization. Anyway, a local admin account could be used with RunAs to launch programs in the context of a computer administrator. A technique I used for years at the State Dept. was to run a CMD prompt as an admin and programs launched from that window would inherit the needed privileges. I was able to work around every perceived need to ‘log in’ as that account and only used the credentials within the context of my ‘regular user’ login. Web browsers can be launched temporarily solely for the purposes of installing plugins and extensions, for example.

Members of the UMW community have had personal credit card numbers stolen by ‘web browser hijackers’ and fraudulent purchases have been made, even as far away as Mexico. If UMW continues to follow the pre-2008 local admin policy then it is only a matter of time before significant quantities of personal information are compromised.

The decision to remove local admin rights is not a ‘control’ issue, it is a safety precaution.  There was once a time when many of us didn’t have anti-lock brakes, air bags, or even seat belts in our cars, but now we want them, expect them, for our safety and the protection of those riding in our vehicles.  Not using a computer as a local administrator helps protect not only our own computer and data, but also those using the network along with us.

John W. Thompson (Chairman of the Board and CEO, Symantec Corporation) speaking at the RSA 2008 security conference said that, based on data gathered from Symantec’s products, there is more malicious software now that users are encountering than good.

These statistics are good reasons to use Secunia PSI to check for files that need patching. In addition to other things to keep our computers safe such as patching, anti-virus, etc.

Secunia has both commercial tools and free tools that search for software that needs updating on a computer. One of the free versions, for personal use, is called PSI (Personal Software Inspector). PSI doesn’t just look for files that need patching, it is also nice enough to let you know that there is a newer version of installed software and even if software has been EOL’ed (end of life). Of course, the utility has to have information about installed software to keep customers up to date. The application has a “Missing software?” feature so that data about programs can be uploaded to Secunia’s databases.

I’m impressed. Several problems were found on my computer and there was a button for each item that linked to a download to help resolve the issue. By default, PSI only shows “easy to fix” problems but that mode can be turned off. Several other things needed to be fixed and a couple of them were, as indicated, not easy to resolve. For example, after several attempts to update Flash, even after using the utility PSI links to for uninstalling Flash, I had to manually delete some files and then reinstall. Along the way, one of the Flash files that needed deleting was locked and I used handle to find out what program was using it. PSI itself was holding it open, ironically (bug report time).

PSI also gives a button to open up the folder containing the files that need patching. This is handy because on my computer it said that my XML needed updating. At first I thought this to be a false positive but I went through the steps it recommended but the utility still said XML needed patching. There are hints that PSI gives and one of them said to look at the directory where it finds the file(s) in question. The outdated XML binary it found was actually in a directory where I had downloaded and unzipped a program to be installed. Good catch, PSI. Even though that file probably wouldn’t have overwritten the one currently installed, the vendor can now be made aware that the installation bundle needs updating.

I would recommend using Secunia’s PSI on personal computers, unfortunately use on computers owned by “educational institutions”, among others, are not allowed.

There is a new exploit that can take advantage of FireWire ports. Actually, it isn’t that new. Discoverers of the vulnerability notified Microsoft years ago but the world’s largest software maker didn’t consider it that much of a risk. Unfortunately, a hacker has made this a much greater risk by publishing the tools to take advantage of this weakness. An attacker can connect his/her computer to your computer with a 1394 cable and pull your password out of memory…. at in only takes a few seconds. Having a password protected screensaver does not help.

The method used can, actually will, be modified to extract more then just a user’s password. New programs will try to gather disk encryption keys (if any) and even try to get data out of RAM such as information in an open spreadsheet. In short, until OS makers come out with a patch, the current defense is to disable the FireWire port when not in use, or to log off all accounts when the computer is not in use. If a computer is suspended (sleep mode), even hibernating, then it could still be attacked just by waking it up. As much as I prefer using external FW drives, it is wiser to use USB attached drives instead. If you would like steps on how to disable FW ports in Device Manager, post a comment or send an e-mail to ccalvert (at) umw (dot) edu.

1. Having a password change schedule reduces the likelihood that the same password is used for multiple accounts. For example, we wouldn’t want our MySpace.com password to be the same as our UMW password. Right? : )

2. Passwords can be guessed over time. ‘Shoulder surfing‘ helps.

3. Passwords can be attacked with brute force. Periodic changes reduce the effectiveness of this type of attack.

4. Password can be ’sniffed’ with older insecure protocols.

5. If someone has captured your password, then changing it will take care of that issue.

Other then making sure one’s computer is turned off completely — no sleep mode, even hibernation in some cases — there isn’t a good defense for software based full disk encryption. Segate’s Momentus FDE isn’t currently subject to this attack because the drive stores the key in it’s own memory chip independent of the system RAM.

This research from Princeton is certainly going to cause manufacturers to make new hardware technology to protect against RAM dump attacks.

Truecrypt also released versions for Mac OS X, though not full disk encryption. Along with Windows and Linux support Truecrypt volumes can be very portable between systems.

In addition to Truecrypt, FREE Compusec is a free, though not open source, product for full disk encryption for Windows. This product does support hibernation and it has some other features not currently in Truecrypt. I will do an evaluation of this product as well.

After patching and having a firewall, including a home router, the main ways that machines are compromised are through malicious web sites or e-mail. Using one’s web browser as a full administrator makes it much easier for a computer to get ‘owned’. Where I used to work the vast majority of the users were not local administrators. Scans would be done to look for malware and occasionally there would be machines that had lots of spyware installed. In every case the user’s account would have elevated privileges.

That being said, it can definitely be a pain to have two different accounts (though there are techniques that help quite a bit. RunAs.exe, for example). Since most attacks come through web browsers or e-mail, there is a way to run them in a safer way.

One way to surf safer is to use Firefox, Opera or some other web browser besides Internet Explorer. I’m not saying IE is poorly coded but it has three things working against it:

1. It is the most commonly used browser so it is the biggest target
2. It is closed source which prevents thousands of security experts looking over the code
3. It has Active-X which is basically a way to install a program over the Internet.  Actve-X is not as ‘contained’ as Java and can do more damage.

Many pages don’t work properly in non-IE browsers. There is great plugin that allows pages to opened inside of Firefox being rendered by IE. This plugin is set to always open Microsoft or MSN sites in IE. Other pages can be opened in IE with a right-click.

Instead of Outlook or Outlook Express for e-mail use Thunderbird or Eudora (which will be open source soon). Regardless of the e-mail client, attachments should be considered unsafe by default. Gmail is a great way to protect one’s computer from malware via e-mail as they have quite a few layers of protection.

Another option, which may not be for everyone, is to launch programs with fewer privileges. There is a tool that was recently purchased by Microsoft called PsExec which can, among other things, launch processes but it “strips the Administrators group and allows only privileges assigned to the Users group.” What is handy about this method is that all bookmarks (excuse me, Favorites) are still the same and it is possible to run the program as an admin if necessary. Here is sample syntax for launching IE with PsExec.

psexec -l -d “c:\program files\internet explorer\iexplore.exe”

I’ve changed most of my IE shorcuts to use the above syntax. I’ve been using it for about a year now and most sites work just fine. Ironically, the Windows Update site does not work unless it is running as an admin. No problem, I just launch IE from an unmodified shortcut.

Once again, none of the above techniques help with saving attachment or downloading malware and then launching it separately. Don’t trust attachments. Gmail won’t even let you download a .EXE file.

Oh yeah, some of you are wondering about Vista. Well Vista, by default, runs account with reduced privileges and then asks “Are you sure”, if the program wants to do something normally requiring admin rights.

PayPal, though great, is still susceptible to attacks in that a password can be guessed or keystroke loggers can capture login credentials. The new security key takes care of those two attacks. Read more, or order your own, here.