Securing your Windows Machines

After a long day at work, you sometimes feel like there isn't much you want to talk about. Then this idea came to me: why do people blog, and why do people talk about security?

I've come to realize something: I'm not someone who grew up understanding bits from bytes. I grew up the way any family does, fighting with my siblings.

Having been blogging for the past few years, it seems like only yesterday that I started. Cliché, I know, but still very much true. Most blogs write about what they know; I aim to learn and teach each day I blog, even on days like this when the world is pretty much quiet and the remnants of the Conficker worm die down to a rumble.

So how do you secure your Windows machine?

After a day-long battle with my wife's system, I've started to wonder whether there is something I should do differently to prevent viruses and worms on her machine. So I've combed through my knowledge base and come up with 5 good points when it comes to locking down your Windows machines:

  • Lock down your router/modem — Some people don't realize that an insecure router with a weak password is a way onto every system behind it. This is easy to prevent if the user takes a few basic steps. Although if an attacker is determined to break your encryption and find your signal, there is really nothing you can do but make it as hard as possible.
  • Firewall and anti-virus — I know people think I am a broken record, but this will always be something I encourage for everyone who reads my blog. I will never stop beating people over the head with this. Seeing the Conficker map tells me there are quite a few machines out there without anti-virus or a firewall, either of which might have given someone a heads-up that they were infected!
  • Disabling AutoRun — This can prevent a USB stick from installing software it shouldn't. Remember that Microsoft has issued a statement on how to disable it properly, and I must say Security Now episode 187 covers this really well, including how to make sure you disable it the right way.
  • Use a limited user account — Most people always run as administrator, when in fact that makes you more vulnerable to viruses, worms, and trojans. Any software you install as an administrator is automatically given administrator rights, and that can be very bad when the software turns out to be a virus or the like.
  • Keep your system up to date — This is essential if you want to prevent known exploits from being used against you. If you're like me and want to make sure your other software is up to date as well, some of that can be done with APPSNAP.
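One way to check four of the points above on the machine itself, as an added example that is not part of the original post: a read-only PowerShell audit. It assumes Windows Vista or later with PowerShell 3+, English-language netsh output, and uses the NoDriveTypeAutoRun policy value that Microsoft's AutoRun guidance documents (a router check is out of scope because it lives on another device).

```powershell
# Added example, not from the original post. Read-only audit of the AutoRun,
# limited-user, firewall and update-service points. Assumptions: Windows Vista or
# later, PowerShell 3+, English-language netsh output.

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun = 0xFF (every drive-type bit set) turns AutoRun off everywhere.
    # The policy may live under HKLM (machine policy) or HKCU (user policy); either counts.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($item -and (($item.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)) { return $true }
    }
    return $false
}

function Test-LimitedUser {
    # True when this session does not hold the Administrators role
    # (an elevated prompt reports $false, which is the honest answer for that session).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return -not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-FirewallOn {
    # netsh is parsed instead of Get-NetFirewallProfile so this also works on Vista/7.
    $out = netsh advfirewall show allprofiles state
    $states = @(foreach ($line in $out) {
        if ($line -match '^\s*State\s+(\w+)') { $Matches[1] }
    })
    # Every profile (Domain, Private, Public) must report ON.
    return ($states.Count -gt 0) -and (@($states | Where-Object { $_ -ne 'ON' }).Count -eq 0)
}

$checks = [ordered]@{
    'AutoRun disabled on all drive types'  = Test-AutoRunDisabled
    'Running as a limited user'            = Test-LimitedUser
    'Windows Firewall on for all profiles' = Test-FirewallOn
    'Windows Update service running'       = ((Get-Service wuauserv).Status -eq 'Running')
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-38} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'CHECK' })
}
```

Anything reported as CHECK is a point from the list above that still needs attention on that machine.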

With these tips, your system can be a little safer. Just remember there is no way to protect your systems 100% of the time. The rest depends on you, because you're the last layer of defense. Also, it isn't a bad idea to back up your system from time to time.

Hackers Jump onto PowerPoint Exploits: KB969136

In my previous post, we talked about Microsoft's advisory for KB969136 and the exploit being in the wild. It looks like Trend Micro has published some new spam attempts that try to get users to open the malware, which then drops TROJ_PPDROP.AB onto their systems.

Trend Micro has some screenshots of the most common fake presentations, so you can see just how they try to get you to open the file.

The lures are common attacker tactics, such as nude pictures, Earth Hour, or celebrities without makeup, but users who don't normally use PPT files should check them out before loading them. Remember to save the attachment to a file and scan it with your anti-virus software; it also wouldn't hurt to have firewall software. These exploits appear to try to connect to the internet, so an unexpected outbound request prompt from your firewall may be what tips you off.

According to the Internet Storm Center, the CVE placeholder for this is CVE-2009-0556, and it hasn't gone live yet. I do not think they will release that information until Microsoft has had a chance to patch systems.

This would be a good time to remind IT staff and anyone who uses PowerPoint that they should not open anything they aren't expecting, and even then they should verify with their IT staff that it is safe until Microsoft issues a patch. I expect that if this becomes widely used, the patch will be released out of cycle, or else on May's Patch Tuesday. According to Microsoft, you could install the Microsoft Office Isolated Conversion Environment (MOICE), but it only applies to Office 2003 and Office 2007 systems. See Microsoft's advisory for KB969136 for instructions on using this workaround.

Microsoft Issues Advisory KB969136 (Zero-Day Exploit in the Wild)

Well, this had to happen sooner or later. It looks like PowerPoint can be exploited for remote code execution, so Microsoft today has issued an advisory, KB969136.

In their post they say:

At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. If you suspect that you were targeted by such an attack, you can scan your computer with the Windows Live OneCare safety scanner. The malicious PPT files are detected as Exploit:Win32/Apptom.gen. Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Products affected are Microsoft Office PowerPoint 2000 Service Pack 3, Microsoft Office PowerPoint 2002 Service Pack 3, and Microsoft Office PowerPoint 2003 Service Pack 3. Microsoft Office PowerPoint 2007 is not affected.
[Via Microsoft Blog]

Microsoft has even added a diagram showing how an attacker could deliver this through an email.

So what do you need to know?

If you receive a PowerPoint presentation from someone you aren't expecting, scan it thoroughly with a free anti-virus. There are no major workarounds for this; Microsoft is simply telling people not to open the PowerPoint files directly. I tend to agree, but for the time being you should also confirm that you really are expecting something from the sender, either by emailing them back or, in an office situation, by picking up the phone. I am sure Microsoft will issue a patch in the coming months, probably May or June at the earliest. I don't think it will make April's Patch Tuesday, although they could make it an out-of-cycle update if enough attackers start using this.

According to Microsoft, Windows Live OneCare picks this up as a Win32 exploit, so I am sure other anti-virus software will do the same. For the time being, you will want to scan any presentations that come your way. I will update the blog as more information becomes available!

Conficker Maps of the US!

[Image: conficker_us_map]

The Conficker Working Group has been busy the last few days compiling data on where the Conficker worm is in the world. I am just showing one of the many pictures they have compiled.


Now, I must say this isn't entirely accurate, but it gives a good impression of how many computers in the US have been infected and still need cleaning up. Given that most of these are businesses that haven't updated their Windows machines, this isn't surprising. So I am guessing that if this map is close to what we expected, some companies didn't do anything about Conficker during the hype.

That being said, I would like people to answer this question: have any technicians had to disinfect systems that had the Conficker worm? Are you seeing a rise in repairs related to Conficker?

I was looking around the Conficker Working Group's website and stumbled on a really good resource called the Conficker Eye Chart. If certain images don't load, you might be infected (the worm blocks access to security vendors' sites, so images hosted there fail to load). If you want to find out whether you're infected, go check the chart out for yourself.

The group also has a great list of tools to remove the Conficker worm. As I have been saying for the past week, though, the best way to avoid getting infected is to have anti-virus and a firewall. Remember too that only you can prevent a computer virus or worm: you're the last line of defense!

The Register Goes Down; People Are Asking, Is It the Conficker Worm?

[Image: twitterregister1]

I've heard stories from other Twitter folks that it was a denial of service attack:

[Image: twitterregister2]


Now, it is possible for Conficker to direct all of its botnet to hit the site, but I am not certain it is Conficker. It could be as simple as someone misconfiguring a server so that no one can reach it. If you want to see what people on Twitter are saying, search for it and see for yourself. I'll update as needed when I find out more, but according to some reports it will probably be a couple of hours before the site is back up. I'll know more later today, so stay tuned.

Update at 6:30pm EST

We speculate that the source of the problem may have been a large scale Denial of Service attack against UltraDNS, or an internal operations problem. When we were able to successfully query UltraDNS servers, responses were slow to come back, or largely timed out. The problem began to clear itself up around 10:00 am Eastern, when we saw DNS responses returning quickly again, and our favorite sites coming back online.
[Via Dynamic Network Services Inc.]

It looks like this might have been the cause for Amazon and some other sites, including The Register. I'm not quite sure what happened, but someone talks about it on Reddit:

Wed Apr 01 | 14:37:03 >: nslookup xxx.xxx.com ;; connection timed out; no servers could be reached
Edit: Just got off the phone with Register.com support. The technician admitted to me that they have had a “server failure” and the problem is affecting all of their customers.

Although this post suggests they had a server failure, I am not quite sure what happened, but I am going to let you figure that out! There is some really good information on Twitter, so you can dig into it some more for yourself.

Oh, on a side note, I've gotten the RSS feed working properly; if you want to subscribe to my site and get automatic full-text updates, just subscribe to my feed.