Disable Proxy Autodetection

Yesterday, I was wondering why my PC was getting lots of these NetBIOS Name queries for WPAD:

WPAD

Turns out that WPAD (Web Proxy Auto-Discovery) is one of Internet Explorer’s worst features. It’s just one of those stupid little things that may be turned on by default and that leaves your PC open to hackers.

What can you do to protect yourself? Go into your browser settings and disable proxy autodetection. It will even help your web pages open quicker, a win-win situation!
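The queries the post is talking about can be spotted on the wire. Below is an added example, not from the original post: a decoder for NetBIOS name-query packets (the RFC 1001 first-level name encoding) that flags any host asking the network who “WPAD” is, which is exactly what a machine with proxy autodetection still switched on does. The `build_nbns_query` helper and the sample traffic are constructed here for the demonstration.

```python
import struct

NBNS_QTYPE_NB = 0x0020   # NetBIOS general name service record type
NBNS_QCLASS_IN = 0x0001


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 section 14.1): the name is padded with
    spaces to 15 bytes plus a one-byte suffix; each byte is split into two
    nibbles and each nibble is written as 'A' + nibble.  Always 32 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(name, txid=0x1234):
    """Constructed NBNS name query (UDP/137) as a client broadcasts it.
    Header: id, flags (opcode QUERY, RD, B), one question, no other records."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = (b"\x20" + encode_netbios_name(name) + b"\x00"
                + struct.pack("!HH", NBNS_QTYPE_NB, NBNS_QCLASS_IN))
    return header + question


def parse_nbns_query(pkt):
    """Return {'txid', 'name', 'suffix'} for an NBNS query, or None if the
    packet is a response, carries no question, or is malformed."""
    if len(pkt) < 12 + 1 + 32 + 1 + 4:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount == 0:   # QR bit set means response, not query
        return None
    if pkt[12] != 0x20:                  # the single label must be 32 bytes long
        return None
    try:
        name, suffix = decode_netbios_name(pkt[13:45])
    except (ValueError, UnicodeDecodeError):
        return None
    return {"txid": txid, "name": name, "suffix": suffix}


def is_wpad_query(pkt):
    q = parse_nbns_query(pkt)
    return q is not None and q["name"] == "WPAD"


def wpad_querying_hosts(packets):
    """packets: iterable of (source_ip, udp_payload).  Returns the sorted list
    of hosts that asked for WPAD, i.e. hosts with proxy autodetection on."""
    return sorted({src for src, pkt in packets if is_wpad_query(pkt)})


# Constructed sample traffic: two hosts, one of which still autodetects.
SAMPLE_PACKETS = [
    ("192.168.1.10", build_nbns_query("WPAD", txid=0x8001)),
    ("192.168.1.11", build_nbns_query("FILESERVER", txid=0x8002)),
    ("192.168.1.10", build_nbns_query("WPAD", txid=0x8003)),
]

if __name__ == "__main__":
    print("hosts still querying WPAD:", wpad_querying_hosts(SAMPLE_PACKETS))
```

Feed it the UDP/137 payloads from a capture and any host it lists is one where the browser setting above still needs to be turned off.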

For more on browser security, read:

Keep This in Mind When Downloading Software

Software is a fact of modern life, but not all of it is safe to use. The real problem is that there is no way for us to tell if a program is good or not.  There is no software vetting process, no “seal of approval” that our programs are good, so all we can do is trust and hope that the programs we run on our computers are good.  There are three strikes against us:

  1. All programs have defects (bugs).  If a vendor tells you their software doesn’t have defects, they are ignorant or lying.
  2. Most programs will do some things that, if you were told they did it, you would question why they needed to do it (data collection, advertising, etc.)
  3. A small percentage of programs are intentionally deceptive and malicious, causing damage, stealing data, stealing passwords, attempting fraud, etc.

If we run a program when we are logged in as “John Smith”, we are hoping that:

  • The software defects aren’t bad enough to hurt us.
  • The data collection won’t jeopardize our privacy, and the advertising won’t be too annoying.
  • The program isn’t intentionally deceptive and malicious.

That is true most of the time, but not all of the time.  And, when we run a program when we are logged in as “John Smith”, it has FULL CONTROL of ALL of our data files.

Because of this, we really need all programs to run in a security sandbox.  The sandbox needs to be big enough so programs can do what is reasonable that they should do, but small enough to protect the confidentiality and integrity of our data (more relevant concepts here: http://en.wikipedia.org/wiki/Information_security).  Certainly, the sandbox needs to be small enough so the programs can’t do any damage.

Joanna Rutkowska, someone much more knowledgeable about this than I am, has come to the same conclusion.

To learn more about security sandboxes, check out:

How To Protect Your Quicken Data from All Your Programs

By now, I hope you’re aware that all of your programs can access your Quicken data. If you don’t care if your data is lost, destroyed, stolen, or published on the Internet, then you don’t have anything to worry about. For the rest of us, it’s an issue that needs to be addressed immediately. Here’s what you can do:

  • If you think this information is important, tell your friends.
  • Implement security sandboxes.  (Learn what a security sandbox is.)
  • Another potential solution is to run different programs as separate users.  Still researching this.  Will let you know what I find out.
  • Review the data protection laws that govern your region.  If you have any data protected by those laws, make sure the data is protected.  It would be safer to move the protected data off PCs and Macs completely, and onto servers inside your organization.  In the US, some examples would be:
    1. any data protected by HIPAA
    2. any Personally Identifiable Information
    3. any data protected by security breach notification laws
    4. any data that could be used for identity theft
  • If you have any personal data that you want to keep private (financial data, business plans, correspondence, etc.), the only way to guarantee that the data won’t be leaked to the Internet by a rogue program is to disconnect the PC or Mac from the Internet.

Your Mac is Not Immune to Hacking

My wife and daughter use Macs, so I need to be at least somewhat aware of Mac security. The general consensus is that Mac security is better than Microsoft… but that’s a pretty low bar. How vulnerable are Macs?

I’m tired of hearing from Mac people how secure Mac OS X is.  Apparently, I’m not the only one.  An anonymous blogger has written a blistering, well-documented article about Mac OS X security.  The take-away?  Don’t assume that Mac OS X is more secure than Windows.  More hackers target Windows because it is a bigger target.  But Mac OS X has its own vulnerabilities and is not immune to hacking attacks.

Kaspersky Lab is a leading provider of security software. Kaspersky’s chief technology officer Nikolai Grebennikov has said that “Mac OS is really vulnerable.”  Kaspersky founder and CEO Eugene Kaspersky commented on Apple security: “I think they [Apple] are ten years behind Microsoft in terms of security.”  Sure, they have something to gain by scaring people into buying antivirus software. But they are also experts in this field.

So, what can you do to protect yourself from hackers? Many Mac users choose the operating system because they want something that’s easier to use, and they like the idea of a single package that contains everything they need for home computing. Naturally, these users balk at installing extra security software. (My daughter especially!) So, for those who just want to keep things simple, here’s a user-friendly guide to computer security for Mac users. For those of you who are feeling ambitious, check out the Mac OS X Security Configuration Guides published by Apple.

How to Protect Yourself from Hacking Attacks

Hacking attacks happen all the time and pose a real security threat. Here are ten things you can do to protect yourself:

1) Don’t use the same password for all of your user accounts. Choose a variety of passwords, and make each one strong (no full words, use both numbers and letters). Keep your list of passwords in a safe place, NOT on your computer!

2) Don’t share personal information on any website unless you have a secure connection (i.e. the url starts with https). Log out of all personal accounts at the end of each session.

3) Install firewalls.

4) Update your machine and software to take advantage of new security sandbox technology.

5) Don’t run free software downloads unless you trust the source.

6) Strengthen the security of your home wifi network by using the WPA2 protection protocol.

7) Install software updates when they become available; many contain patches that improve your software’s security.

8) Keep abreast of current security issues:

  • For Windows PCs: Subscribe to: http://www.microsoft.com/security/resources/newsletter.aspx.  Microsoft is a leader in the security field, in many respects.  They have to be; they are the biggest target.
  • For Macs: Schedule regular software updates through System Preferences. If you really want to beef up on security for your Mac, check out the Mac OS X Security Configuration Guides published by Apple. Unfortunately, the newest guide is for Snow Leopard (10.6).  Some guides for older versions of Mac OS X are missing; the links are dead. You can still find the Tiger (10.4) guide on the NSA site.
  • For Linux: Each Linux distribution will have its own website.  Check that website for security information.

9) Be hyper-vigilant if you provide Internet content (for ANY website, including WordPress websites).  After hearing the story of a friend of mine who runs a WordPress site, I realized that if you’re not careful, you can be held for ransom by hackers who threaten your website.

  • If you’re not doing it already, make the Internet Storm Center part of your normal daily reading.  These folks are GREAT!  Their business is computer security education, and they have lots of great classes on various computer security topics.  The Internet Storm Center website has the latest news about the hacking going on on the Internet.  It’s one of the best computer security websites I know of.
  • If you’re not doing it already, go to SecurityFocus and subscribe to the Bugtraq mailing list.  You will get email about software vulnerabilities and updates.  The notifications include information about WordPress and WordPress plugins.  It’s a fairly active list.  If you see a vulnerability for a software package you are running, you should research it, and see if there is a workaround you can implement.  If you see an update for a software package that you are running, you need to apply the update ASAP.

10) If you’re still nervous (or if, like me, you’re really interested in this stuff), do more research! Here are some resources:

How to Implement Security Sandboxes

You may not know it, but ALL your programs can access your Quicken data. Not good.  So, what can you do?

One solution to this nasty problem is to run all programs in a security sandbox.  Unfortunately, the sandboxes in Windows 8 and Mac OS X Mountain Lion (10.8) are voluntary.  Programmers can choose to use the sandbox security model, or they can choose to use the original user-based security model.  All that it takes to subvert the new sandboxes is to install a program that is written for the old security model.

McAfee has some very interesting articles about the Windows 8 sandbox. 

1) https://blogs.mcafee.com/mcafee-labs/windows-8-metro-brings-new-security-risks

2) https://blogs.mcafee.com/mcafee-labs/metro-interface-improves-windows-8-while-increasing-some-risks

3) http://blogs.mcafee.com/mcafee-labs/stronger-windows-8-still-vulnerable-through-apps-users  This blog has one comment that I find really interesting:

“With Windows 8, desktop and Metro applications coexist to maintain backward compatibility with current Windows desktop applications. Windows also allows desktop applications to be installed and executed outside the usual constraints of Metro applications. This presents an interesting situation: Metro apps cannot get out of their sandbox; but desktop apps can enter the sandbox.”

What does this mean?  It means that participation in the Metro sandbox security mechanism is voluntary, and that desktop apps don’t play by those rules.  So, the Windows 8 sandbox is really easy to subvert: just install a desktop app. So, if you’re counting on sandboxes to keep your information secure, be careful what software you run!

Here’s how to implement a security sandbox:

a) For Apple iPads and iPhones: these devices are running iOS, and all programs run in a sandbox.  So, you don’t need to worry (as much) about those devices.

b) For Windows, you’re going to need to buy all new software, so you might as well buy a new PC.  It must be running Windows 8 or later.  Once you have done that, purchase and run only programs that are available from the Windows App store. If you’re not happy with that alternative, let Microsoft know.  But, from a security perspective, it looks like they are doing the right thing.

c) For Mac OS X, you’re going to need to buy all new software, so you might as well buy a new Mac OS X computer.  It must be running Mac OS X Mountain Lion (10.8) or later.  Once you have done that, purchase and run only programs that are available from the Apple App store, or are deemed acceptable by Gatekeeper. If you’re not happy with that alternative, let Apple know.  But, from a security perspective, it looks like they are doing the right thing.

I heard from a friend of mine, Paul Adams, who is very knowledgeable about Apple products.  His comments:

a) All apps purchased through the app store for Mac OS X are sandboxed.  It’s a requirement for developers who submit apps to the store to support it.

b) Look at the “gatekeeper” in Mac OS X 10.8 as well.  It checks apps you install from the internet and will only let you run apps from “Trusted Developers” (an online list maintained by Apple).  It’s a medium-type setting for people who don’t want to be restricted to only the app store downloads but want to have some restrictions from the free-wheeling internet.

To learn more about security sandboxes, check out:

All Your Programs Can Access Your Quicken Data

Note: The issue discussed on this page affects you if you use Windows or Mac OS X, unless you have taken the following precautions:

  • For Windows: You are running Windows 8 or later, and only purchase and run programs from the Windows App store.
  • For Mac OS X: You are running Mountain Lion (10.8) or later, and only purchase and run programs from the Apple App store.

This is such an important issue that I submitted a vulnerability report to CERT. It’s a long post, but I encourage you to take the time to understand it. It’s at the heart of many other security issues that I’ve written about on this blog. Also, make sure you read my follow-up post, How to Protect Your Quicken Data from All Your Programs.

Suppose you are running a program where you enter (and store) sensitive financial data (I chose “Quicken 2002 Deluxe” as an example program).  And, also suppose that you like to cook, so you download and install a recipe program (I chose “Living Cookbook 2013” as an example program).

Note: I am not trying to pick on Quicken 2002 Deluxe and Living Cookbook 2013.  They are just the example programs I chose.  Any other Windows program that you install would have the same issue.

When you log in to your PC, you log in as your user.   Let’s say your user name is “John Smith”.  OK, John.  Log in to your PC.  Once you have logged in, you can see your user name is “John Smith”:

Windows_Security_Model_Vulnerability_1

Note: If you have trouble seeing the images, click on them to make them bigger.  Then click on the browser’s Back button to come back to the article.

When you run your Quicken program, it will be running as user “John Smith”.  You can see this in the Task Manager:

Windows_Security_Model_Vulnerability_2

You can see that your Quicken program (QW.EXE) is running as user “John Smith”. Let’s take a look at your Quicken Program:

Windows_Security_Model_Vulnerability_3

If you click on “File” to see the pull-down menu, you can see what file Quicken is using to store your financial data:

C:\Program Files\QUICKENW\QDATA

Let’s go look at the data file created by Quicken:

Windows_Security_Model_Vulnerability_4

If you navigate to the C:\Program Files\QUICKEN directory, and do a right-click on the QDATA file, click on Properties, then click the Security tab:

Windows_Security_Model_Vulnerability_5

So, for the QDATA file, a person logged in as “John Smith” has these permissions:

  • Full Control
  • Modify
  • Read & Execute
  • Read
  • Write

OK, are you with me so far?

Now, let’s run the recipe program.

Windows_Security_Model_Vulnerability_6

And, then run Task Manager again:

Windows_Security_Model_Vulnerability_7

You can see that Living Cookbook 2013 is running as user “John Smith”.  This means that it has FULL CONTROL over your Quicken data file.

Huh?  OK, let’s think about this: When the Living Cookbook 2013 program is running, what user is it running as?  John Smith

What permissions does the user John Smith have on your Quicken data file?  Full Control.  

What does FULL CONTROL mean?  It means the Living Cookbook 2013 program can read your Quicken data file, it can overwrite your Quicken data file, and/or it can delete your Quicken data file.

To fully understand the scope of this, it means that ANY program you run while you are logged in as “John Smith” has FULL CONTROL over your Quicken data file QDATA.  It can read it, modify it, and/or delete it.  If it wants to, it can send your Quicken data file over the Internet to a hacker site HACKERS_R_US.COM, and the hackers could look at your financial data.  If you did online banking, and you store your banking passwords in Quicken, the hackers might be able to extract your banking passwords too.

Actually, it is worse than that.  It applies to any program you run while you are logged in as “John Smith”.  Quicken can obliterate your recipes, Skype can erase your Word docs, AOL Messenger can destroy your spreadsheets, and your cool new download can send ALL your files to HACKERS_R_US.COM.  The main message is that, if you are logged in as the same user (which is what most of us do on our personal computers), there is no inter-application security at all.

That is how the Windows security model works.

Now even though the examples are from Windows XP, the Mac OS X security model works the same way, so:

That is how the Mac OS X security model works.

I have spent years working on Linux and Unix, so I can say with certainty:

That is how the Linux and Unix security models work.

Now, if all programmers played by the rules, and restricted themselves to data files maintained by their own program, this wouldn’t be a problem.  However, you have no guarantee of that, and the current security models don’t help you protect your data.   If you install and run any malicious programs that don’t play by the rules, all bets are off.
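The point of the walk-through above is that the operating system grants rights to the user, not to the program, so every program John Smith runs gets John Smith’s rights on QDATA. Here is that model written out as an added example (not from the original post): a small evaluator of the classic Unix owner/group/other check, which the post says applies to Linux and Unix, applied to two unrelated programs nicknamed “quicken” and “cookbook”, plus the post’s “run programs as separate users” idea for comparison, and a live check against the real filesystem. The uids, program names and file mode are constructed for the example; Windows ACLs differ in detail, but the Full Control screenshot above shows the same outcome.

```python
import os
import stat
import tempfile

R_BIT, W_BIT = 4, 2  # read and write bits within one rwx triplet


def unix_access(mode, file_uid, file_gid, proc_uid, proc_gids, want):
    """Return True if a process running as (proc_uid, proc_gids) holds every
    bit in `want` on a file with the given mode, owner and group.  Exactly one
    triplet is consulted (owner, else group, else other), as the kernel does."""
    if proc_uid == 0:
        return True  # root bypasses discretionary access control
    if proc_uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in proc_gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def program_rights(programs, file_mode, file_uid, file_gid):
    """programs: {program_name: (uid, [gids])} describing the identity each
    program runs under.  Returns {program_name: frozenset of 'read'/'write'}."""
    rights = {}
    for name, (uid, gids) in programs.items():
        granted = set()
        if unix_access(file_mode, file_uid, file_gid, uid, gids, R_BIT):
            granted.add("read")
        if unix_access(file_mode, file_uid, file_gid, uid, gids, W_BIT):
            granted.add("write")
        rights[name] = frozenset(granted)
    return rights


# Constructed scenario: "John Smith" is uid 1000 and Quicken saves QDATA with
# the strictest conventional mode, 0600 (owner read/write only).
JOHN = 1000
QDATA_MODE = 0o600

SAME_USER = {
    "quicken": (JOHN, [JOHN]),
    "cookbook": (JOHN, [JOHN]),   # unrelated program, same login
}
SEPARATE_USERS = {
    "quicken": (JOHN, [JOHN]),
    "cookbook": (1001, [1001]),   # the post's "separate users" idea
}


def live_check():
    """Confirm the model against the real OS: a file this process creates with
    mode 0600 is readable and writable by this process, and therefore by any
    other program started under the same login."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "QDATA")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample ledger")
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        return os.access(path, os.R_OK | os.W_OK)


if __name__ == "__main__":
    print("same login:     ", program_rights(SAME_USER, QDATA_MODE, JOHN, JOHN))
    print("separate users: ", program_rights(SEPARATE_USERS, QDATA_MODE, JOHN, JOHN))
    print("live check:", live_check())
```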

Now, I raised this issue to the Microsoft Security Response Center.  It took a few back and forth emails to fully explain my concern.  When the Microsoft Security Response Center understood my concern, here is the response I got:

Windows_Security_Model_Vulnerability_8

An authenticated user can see all of their documents, and so can the running programs. This is the basic security design of Windows, and not something we intend to change.

I expect that this is true of both the server and desktop versions of Windows.  I hope the answer is a little more nuanced with some of the newer security features.

Sorry to be the bearer of bad news, but it is what it is.  My goal is to educate, so that people know the risks, and can make informed decisions about what to do to protect their data.

To learn what you can do to protect your sensitive data, read How to Protect Your Quicken Data from All Your Programs.

Security Sandboxes and Virtualization

The easiest way to take advantage of the new security sandbox technology is to upgrade your hardware and software. Not everyone can afford to do that. What other options are there if you want a security sandbox?  Sandboxing is closely related to virtualization. Virtual computing is a good way to get some of the benefits of sandboxes without having to pay a premium for a new machine.

This recommendation comes with two disclaimers. First of all: virtual machines may not be completely isolated, so if you decide to use them, you will still need to be vigilant. Second: as Joanna Rutkowska has rightly pointed out in her blog, hosted hypervisors (like VMware Workstation) are only as secure as the underlying host operating system.  A more secure solution would be to use bare-metal hypervisors, like VMware ESX, that are installed directly onto the hardware.

My next PC will be a macho laptop (lots of RAM, CPU, and disk), with a bare-metal hypervisor like VMware ESX.  (When Qubes OS supports Windows guest OSes, that would be a great choice too!)  Then, I will install Windows or Linux as a guest operating system, and use that for my regular computing needs.  Swa Frantzen from the Internet Storm Center suggested this:

That said, I think there’s an easier future for sophisticated users in running a number of virtual machines for their needs (e.g. one VM for online banking and nothing else, one for data storage and nothing else (using virtual networking to the other VMs as needed), one for browsing the internet, one for working on private documents, one for working on work related documents, one to act as a firewall, one to play games on, one to watch ???? on, … That’s something one can do today already, it’ll work and it’ll have as much hassle as you set for yourself.

Below, I’ve put together some virtualization resources, categorized by operating system.

Microsoft Windows

  • Microsoft Windows 8 plus limiting yourself to buying programs from the Windows App Store.
  • Microsoft Hyper-V: if you are running Windows 8 Pro or Windows 8 Enterprise, you can run Hyper-V.
  • VMware Workstation: I use it.  It is awesome.  But, it’s not as secure as Qubes OS.
  • Bromium: I haven’t tried this yet, but it sounds really interesting. If you try Bromium, let me know in the comments how it works for you!
  • Qubes OS: this bare-metal hypervisor is based on Xen, but with significant security enhancements.  Qubes looks like the most secure architecture of all.  Here is a great article about Qubes and how it compares to other potential solutions. It looks like the Qubes OS team is adding Windows support in the near future.  Once that is accomplished, this will be the most secure alternative of all for running Windows VMs.  Joanna Rutkowska is the force behind this, and she knows what she is talking about.
  • Linux Xen: less secure than Qubes OS, but has support for Microsoft Windows.

Apple Mac OS X

  • Mac OS X Mountain Lion (10.8) plus limiting yourself to buying programs from the Apple App Store.
  • VMware Fusion: VMware’s hosted hypervisor for Mac OS X.  In addition to enhanced security, it also allows you to run Windows programs.  The author of this article thinks Fusion is the best bet. 
  • Parallels Desktop
  • VirtualBox

Linux and Unix

  • Solaris Containers
  • Qubes OS: this bare-metal hypervisor is based on Xen, but with significant security enhancements.  Qubes looks like the most secure architecture of all.  Here is a great article about Qubes and how it compares to other potential solutions. It looks like the Qubes OS team is adding Windows support in the near future.  Once that is accomplished, this will be the most secure alternative of all for running Windows VMs.  Joanna Rutkowska is the force behind this, and she knows what she is talking about.
  • Linux Xen: less secure than Qubes OS, but has support for Microsoft Windows.

Java

Java’s security sandbox is getting a bad rap. Java implemented a security sandbox with version 1.0.  Now, it may not be perfect, and many people are trying to break into Java now (because hackers have already found the easier security vulnerabilities in Windows and OS X), but hey: the developers of Java are really trying, and they have done a lot of things right!!  Give James Gosling of Sun Microsystems, the creator of Java, some kudos.  Thank you, James!!  You are an incredible rock star!!  In Java, James implemented a security sandbox technology in 1995.

How to Use Facebook Securely

There’s a lot of routine activity on Facebook that I bet people would think twice about if they considered it from a security perspective:

  • How many times have you seen posts like, “I’m out at Starbucks getting my morning coffee and reading the paper…” Great!  All a burglar (or the NSA) needs to know is WHEN you are at Starbucks, so they can ransack your house, and carry off your computer with your top-secret documents.
  • If some creep thinks you’re cute, all they need is to know WHEN and WHERE you are so they can start stalking you.
  • What about when a prospective employer asks to see your Facebook profile, and starts looking at the pictures of you at that drunken party last night?  Oops.

How much information about yourself are you putting online? Whatever it is, it is probably too much. What is safe to post? My daughter, a 20-something, uses two rules of thumb:

  1. She only posts about past events (things she’s already done), so there’s no “where and when” information to tempt stalkers or robbers.
  2. She doesn’t post anything that she wouldn’t want her family, employers, and the kids she volunteers with to see.

I do have a Facebook account, but there’s not much on there (besides the photos that my daughter tags me in). That’s because I just don’t trust Facebook. Have you ever watched the movie “The Social Network”?  What an insight into the creation of Facebook.  Consider carefully:

  • How does Mark Zuckerberg choose Facebook’s first employees?  Remember the scene when they are having a race to break into a computer, drinking shots of alcohol, and the first hacker that breaks into the computer becomes an employee of Facebook?  That scene was terrifying to me!  You have the brightest hackers in the world (remember, this happened at Harvard), very knowledgeable, malicious enough to break into a computer, and THOSE are the people who are programming Facebook?  They are telling you that your Facebook account is secure?
  • Remember how Mark Zuckerberg treats Eduardo Saverin?  Eduardo Saverin is the guy that put up the money that Mark Zuckerberg needed to create Facebook.  Initially, Eduardo Saverin had a 34% ownership in Facebook, because he was the guy with the money.  Then, later in the movie, in a malicious deal, Mark Zuckerberg screws Eduardo Saverin out of his ownership share, and dilutes his Facebook ownership to 0.03%!!  Consider, if Mark Zuckerberg treats his FRIENDS like that, how is he going to treat YOU?  He doesn’t know you, and judging from past behavior, he probably doesn’t care very much about you, or the security of the personal information you enter into Facebook.

If Facebook says they are concerned with security, it is only because they are being forced to by some competition (Google+) and some bad publicity.  Facebook isn’t concerned about the security of your information. They are more interested in how to leverage the information you enter into Facebook to do some Targeted Advertising.

After all, Facebook makes its money by advertising.  That’s why, amongst my friends chatter,  I am seeing come-on pictures of women that I don’t know trying to sell me stuff.  These “saleswomen” used to just be on the side.  Now, they are inline, in the middle of my friends chatter, where I have to glance at those ads.

Just remember, whatever you post out there in public will be viewable by many, many people (maybe millions of people) for a very long time, maybe for your entire lifetime.  And the vast majority of those people are not your “friends.”

To summarize, here are some pointers for using Facebook securely:

  1. If you want something to be private, don’t post it ANYWHERE on the Internet, and especially not on Facebook!
  2. If you must use Facebook, then only post about past events and stuff that’s not in any way incriminating.
  3. Don’t “friend” people who you’ve never met in person.
  4. Don’t assume only your “friends” will see your posts.  If there are any security weaknesses at all, your posts may become accessible to the entire Internet.
  5. If you have overly chatty friends on Facebook, refer them to this post.
  6. Don’t judge people by what you see online.  Online identity and real identity are two completely different things.
  7. If you want to meet someone, meet them at a public place surrounded by a lot of other people.

Targeted Advertising

Ever been interested in a certain product, and done some Google research about it?  Then, for days afterwards, whenever you go to a website, you see ads for that very same thing?  What a coincidence!  Well, actually, it is not a coincidence.  It is called Targeted Advertising.  Whenever you browse to a certain site, the site can store “cookies” on your computer.  These are not cookies you can eat (I know, what a bummer).  Browser “cookies” are small bits of information that your browser stores, based on instructions sent from the websites you visit.  Once a cookie is stored, if you browse to that site again, your browser can read the cookie, feed that information back to the website, and voila, the website content is magically tailored for you.  That is targeted advertising.

I’ve already discussed “unsolicited incoming packets.”  Now that you have browsed to the website, your traffic is not “unsolicited” anymore, so your firewall won’t block it.  If some program (ANY program) on your computer initiates a connection to the Internet, the request (and the rest of the Internet “conversation”) is no longer “unsolicited”, and your firewall will not block the traffic.  This goes for all the third-party ad servers that are referenced in the webpage you browsed to.  Now, you didn’t ask to go to the ad server, but it is referenced in the webpage you did ask for, so it has the same access to your information that your browser has.  I’m not sure of the security implication of this, with browser sandboxes and all, but after the earlier experiment with TOP_SECRET.html, I am nervous about it.

The New York Times has a good article about this called “Resisting the Online Tracking Programs.”  It points to another article titled “Removing and Blocking Ad Cookies, Browser by Browser.”  I recommend that you review these two articles and implement some (or all) of their suggestions. Make sure your browser is also configured securely.

One method I just tried is to install AdBlock Plus (https://adblockplus.org/en/internet-explorer).   I sure hope it works.  I’m keeping my fingers crossed…