Network security
Conficker.C Activates on Schedule Quietly
Here are some excerpts on the latest about the Conficker worm from Ars Technica and PC World:
Conficker.C appears on schedule, but only as a whisper. It’s April 1—do you know where Conficker is? The worm’s reactivation date has passed relatively quietly, but security researchers warn that the worst could still be coming. Keep your scanners updated, and watch your network traffic.
The Conficker worm today has begun to phone home for instructions but has done little else. Conficker was programmed to begin today actively visiting 500 out of 50,000 randomly generated web addresses to receive new instructions on how to behave. Conficker has begun to do this, according to security company F-Secure, but so far no doomsday scenarios have emerged.
April 1, thus far, is pretty clean. Let’s see what happens over the next few weeks before we draw a final judgment on the success or failure of the anti-Conficker efforts such as the Conficker Working Group. Hopefully the new detection scanners (and the comprehensive report just released by Felix Leder and Tillmann Werner of the Honeynet Project) will turn the tide and begin to shut the worm down.
This will probably be my last post on Conficker for now, unless something major really does happen. On to other topics for the next posts!
Photo Credit: Andrew Scott
Got Conficker Worm? Hopefully, no.
A quick way to find out whether you are infected with the Conficker worm is to try visiting the site of a major security software publisher such as AVG, McAfee, Symantec, Avira, or Sophos. If none of them load while other sites do, you may be infected: Conficker.B and later variants hook the DNS lookup functions on the infected machine and return nothing for domain names that contain a security vendor's name, including Microsoft's update sites.
Also check that Windows services such as Automatic Updates, the Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting are still running, that is, that none of them has been stopped or disabled without your consent; the worm stops these so that it cannot be patched or scanned away.
If you have confirmed that Conficker is on your system, download one of the free removal tools, such as McAfee’s Stinger, ESET’s Win32/Conficker Worm Removal Tool, Symantec’s W32.Downadup Removal Tool, or Sophos’s Conficker Cleanup Tool. Since the infected machine may not be able to reach the vendor’s site, download the tool on a clean machine, and apply the MS08-067 patch after cleaning so the machine is not simply reinfected from the network.
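The two checks above (stopped services, vendor sites that no longer resolve) as a small script, added here as an example and not part of the original post: it parses the output of Windows’ `sc query` command and asks a resolver for each vendor host. The service short names (wuauserv, BITS, WinDefend, ERSvc) and the vendor hostnames are this example’s own choices, the `sc query` output is constructed, and the infected-looking resolver is a stand-in for the worm’s DNS hook so the script runs offline; on a real machine feed it `sc query` output and `real_resolver`.

```python
import re
import socket
from typing import Callable, Dict, List

# Windows service short names for the services the post says Conficker stops.
# The mapping is an assumption of this example (ERSvc is the XP-era Error
# Reporting Service; Vista's equivalent is WerSvc).
WATCHED_SERVICES = {
    "wuauserv": "Automatic Updates",
    "BITS": "Background Intelligent Transfer Service",
    "WinDefend": "Windows Defender",
    "ERSvc": "Error Reporting Service",
}

# Vendor sites to try, as in the post; the hostnames are assumed for the example.
VENDOR_HOSTS = [
    "www.avg.com",
    "www.mcafee.com",
    "www.symantec.com",
    "www.avira.com",
    "www.sophos.com",
    "update.microsoft.com",
]


def parse_sc_query(output: str) -> Dict[str, str]:
    """Parse the text printed by `sc query <name>` (one or more results
    concatenated) into {service name: STATE}, e.g. {"BITS": "STOPPED"}."""
    states: Dict[str, str] = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+([A-Z_]+)", line)
        if m and current:
            states[current] = m.group(1)
    return states


def stopped_watched_services(states: Dict[str, str]) -> List[str]:
    """Watched services that exist on the box but are not RUNNING."""
    return [n for n in WATCHED_SERVICES if n in states and states[n] != "RUNNING"]


def blocked_vendor_hosts(resolve: Callable[[str], List[str]]) -> List[str]:
    """Vendor hosts for which `resolve` returns no address. The resolver is
    injected so the same check runs against the real resolver or a constructed one."""
    blocked = []
    for host in VENDOR_HOSTS:
        try:
            addrs = resolve(host)
        except OSError:          # socket.gaierror is a subclass of OSError
            addrs = []
        if not addrs:
            blocked.append(host)
    return blocked


def real_resolver(host: str) -> List[str]:
    """System resolver; on an infected host this is exactly what the worm hooks."""
    return socket.gethostbyname_ex(host)[2]


def assess(states: Dict[str, str], resolve: Callable[[str], List[str]]) -> List[str]:
    """Combine both indicators into a list of human-readable findings."""
    findings = [f"service {n} ({WATCHED_SERVICES[n]}) is {states[n]}"
                for n in stopped_watched_services(states)]
    blocked = blocked_vendor_hosts(resolve)
    if blocked:
        findings.append("DNS lookups return nothing for: " + ", ".join(blocked))
    return findings


# Constructed `sc query` output, in the real tool's format, for an infected-looking box.
SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: BITS
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: WinDefend
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: ERSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
"""

# Constructed resolver that mimics the worm's DNS hook: names containing a
# vendor string get no answer, everything else resolves to a documentation address.
BLOCKED_SUBSTRINGS = ("avg", "mcafee", "symantec", "avira", "sophos", "microsoft")


def constructed_infected_resolver(host: str) -> List[str]:
    if any(s in host.lower() for s in BLOCKED_SUBSTRINGS):
        return []
    return ["192.0.2.10"]


if __name__ == "__main__":
    # On a real Windows host, feed the output of
    #   sc query wuauserv & sc query BITS & sc query WinDefend & sc query ERSvc
    # to parse_sc_query and pass real_resolver instead of the constructed one.
    for finding in assess(parse_sc_query(SAMPLE_SC_OUTPUT), constructed_infected_resolver):
        print(finding)
```

A machine where every vendor lookup fails but other names resolve, and where exactly the update and security services are stopped, is the pattern to look for; one stopped service or one unreachable site on its own proves nothing.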
More details HERE.
Hopefully, all this fuss about it is just a cruel April Fool’s joke.
Cisco PIX Firewall Basics
Firewalls are essential components of an effective information security infrastructure. At its most basic level, a firewall is hardware or software that filters traffic between your network and the Internet. The hardware firewall I am most familiar with is the Cisco PIX (Private Internet eXchange) Firewall, one of the first products in the IP firewall and NAT appliance market.
PIX firewalls include the following security and network services features:
- Network Address Translation (NAT) or Port Address Translation (PAT)
- Content filtering
- URL filtering
- IPsec VPN
- DHCP client/server
- PPPoE support
- Advanced security services (protocol inspection) for multimedia applications, including Voice over IP (VoIP) with H.323, SIP, and the Skinny Client Control Protocol (SCCP)
The firewall can be managed through its integrated web-based PIX Device Manager (PDM) or through the command-line interface (CLI), reached over the console port, Telnet, or Secure Shell (SSH); it can be monitored through SNMP and syslog.
Here are 10 steps to ensure your PIX Firewall is as secure as it can be:
- Password protect it
- Know your access-lists
- Log denials and errors
- Use SSH in place of Telnet
- Understand the ASA (the Adaptive Security Algorithm, the PIX’s stateful inspection engine: by default it allows connections from a higher-security interface to a lower one and denies the reverse unless an access-list permits it)
- Enable optional security
- Keep the PIX OS and PDM patched
- Back up your configuration
- Use secure encryption
- Know your network
Read more in detail here: Cisco PIX Firewall: Lock it down in 10 steps
Most PIX Firewall models optionally support multiple outside or perimeter networks (also known as demilitarized zones (DMZs)). Connections between the networks can be controlled by the PIX Firewall.
A demilitarized zone (DMZ), often called a screened subnet, is the most common firewall topology. It is a separate network segment between the Internet and your internal network for the hosts that must be reachable from outside, so that a compromised public server does not give direct access to the internal network. It will typically contain the following:
- Web server
- Mail server
- Application gateway
- E-commerce systems (It should contain only your front-end systems. Your back-end systems should be on your internal network.)
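As an added example, not from the original post or from Cisco’s documentation, here is a PIX 6.3 configuration (syntax written from memory of that release) that implements the screened-subnet topology above and several of the ten lock-down steps: passwords, explicit access-lists, logging of denials, SSH instead of Telnet, optional protections, and a configuration backup. The hostname, the addresses (RFC 5737 and RFC 1918 ranges), the management subnet, and the syslog host are assumptions; lines starting with "!" are annotations to strip before pasting.

```text
! 1. Password protect it: enable password and the login password for Telnet/SSH
hostname pix-edge
domain-name example.com
enable password <strong-enable-password>
passwd <strong-login-password>

! Three interfaces with security levels: inside 100, dmz 50, outside 0.
! The ASA allows sessions from a higher level to a lower one by default and
! denies the reverse, so outside->dmz and dmz->inside need explicit permits.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! NAT/PAT: inside and DMZ hosts share the outside interface address
! when they initiate connections to the Internet.
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 192.168.10.0 255.255.255.0 0 0
! Inside hosts reach DMZ servers by their real addresses (identity translation).
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
! Public addresses for the DMZ web server and mail relay.
static (dmz,outside) 203.0.113.3 192.168.10.10 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.4 192.168.10.20 netmask 255.255.255.255 0 0

! 2. Know your access-lists: only the published services may come in from
! outside; the final deny carries "log" so blocked attempts reach syslog.
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit tcp any host 203.0.113.3 eq https
access-list outside_in permit tcp any host 203.0.113.4 eq smtp
access-list outside_in deny ip any any log
access-group outside_in in interface outside
! DMZ servers are front ends only: they may never open connections into the
! inside network, and outbound they get just DNS and (for the relay) SMTP.
access-list dmz_out deny ip any 10.0.0.0 255.255.255.0 log
access-list dmz_out permit udp any any eq domain
access-list dmz_out permit tcp host 192.168.10.20 any eq smtp
access-list dmz_out deny ip any any log
access-group dmz_out in interface dmz

! 3. Log denials and errors to a syslog host on the inside network.
logging on
logging timestamp
logging buffered warnings
logging trap informational
logging host inside 10.0.0.50

! 4. SSH in place of Telnet: generate an RSA key, allow SSH only from the
! management subnet, and configure no "telnet" lines at all.
ca generate rsa key 1024
ca save all
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
! PDM (HTTPS) likewise only from the management subnet.
http server enable
http 10.0.0.0 255.255.255.0 inside

! 5. Optional security: drop packets whose source fails a reverse-path check,
! SYN-flood protection, and AES/SHA rather than DES/MD5 for IKE with VPN peers
! (the crypto maps and transform sets of the VPN itself are not shown here).
ip verify reverse-path interface outside
floodguard enable
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha

! 6. Save, then back the configuration up off the box.
write memory
write net 10.0.0.50:pix-edge.cfg
```

The two access-lists are where the DMZ actually earns its keep: the outside list limits what the Internet can touch, and the dmz list keeps a compromised front-end server from pivoting into the internal network, which is exactly why the back-end systems belong inside and not in the DMZ.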
In 2005, Cisco introduced the newer Adaptive Security Appliance (ASA), which inherited most of the PIX’s features, and in 2008 it announced the end of sale of the PIX. I actually only found out about the PIX’s discontinuation while doing research for this blog post. However, PIX technology is still sold as a blade, the FireWall Services Module (FWSM), for the Cisco Catalyst 6500 switch series and the 7600 router series.
Photo Credit: fzurell
Conficker Worm – FYI (Alert!)
The Conficker worm is the latest buzz right now in IT security. Conficker, initially classified as a trojan but now considered a worm, is reported to identify antivirus software and malware scanners running on the infected PC and to disable them.
Side note: Trojan horses are files that claim to be something desirable but actually contain malicious code that, when triggered, causes loss or even theft of data. Worms, on the other hand, are programs that replicate themselves from system to system without a host file. Unlike a virus, a worm can travel from computer to computer without any human action.
Conficker, also known as Downup, Downadup, and Kido, is a very sophisticated worm that surfaced in November 2008 and exploits a vulnerability in the Windows Server service (MS08-067, CVE-2008-4250) that Microsoft had patched out of band in October 2008. It is also known by the following names (the first three identify the vulnerability it exploits rather than the worm itself):
- TA08-297A (US-CERT)
- CVE-2008-4250 (CVE)
- VU#827267 (CERT/CC)
- Win32/Conficker.worm.62976 (AhnLab)
- Trojan.Downloader.JLIW (BitDefender)
- Win32/Conficker.A (CA)
- Win32/Conficker.A (ESET)
- Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
- W32/Conficker.worm (McAfee)
- W32/Conficker.E (Norman)
- W32/Confick-A (Sophos)
- W32.Downadup (Symantec)
- Trojan.Disken.B (VirusBuster)
The vulnerability affected Windows 2000 through Windows Server 2008, 32-bit and 64-bit, including systems with the latest service packs. Because it is a flaw in the RPC handling of the Server service, the worm can infect an unpatched machine over the Internet or the local network without any user interaction; later variants also spread across network shares by guessing weak passwords and via USB thumb drives through Autorun. Once it has infected a machine, the worm stops the computer’s security services and the Windows Update service and disables tools designed to remove it. It also allows its creator to remotely install other malicious code on the infected computer.
In addition, the worm is programmed to fetch updates from domains it generates from the current date. By April 1, 2009, the number of domains the worm generates and polls for an update could grow to 50,000 a day. The worm’s operator only needs to register one of these domains to host the update, while anyone trying to cut it off would have to pre-register or block all of them, which makes shutting down the update channel by taking down domains impractical.
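The update mechanism just described, as an added example that is not from the original post and not Conficker’s own code: a toy domain-generation algorithm of my own construction (the secret, the hash construction, the per-host sampling and the TLD list are all assumptions; the real worm’s algorithm differs) that shows why the operator needs one registration while a defender needs all of them, and how a defender who knows the algorithm can precompute the list and register or sinkhole domains first.

```python
import functools
import hashlib
import random
from datetime import date, timedelta
from typing import List, Set, Tuple

# Illustrative DGA only. This is NOT Conficker's algorithm: the secret, the
# hash construction and the TLD list are constructed for this example.
TLDS = ["com", "net", "org", "info", "biz"]
ALGO_SECRET = b"constructed-example-secret"   # in a real worm this is baked into the binary


@functools.lru_cache(maxsize=None)
def daily_domains(day: date, count: int) -> Tuple[str, ...]:
    """Derive `count` candidate domains for `day`. The list depends only on the
    date and the algorithm, so every copy of the worm, and any defender who has
    reverse-engineered the algorithm, computes exactly the same list."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(ALGO_SECRET + day.isoformat().encode() + i.to_bytes(4, "big")).hexdigest()
        label = h[:12]                               # hex characters form a valid DNS label
        tld = TLDS[int(h[12:14], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return tuple(domains)


def bot_contact_list(day: date, count: int, sample: int, host_id: int) -> List[str]:
    """Each infected host polls only a random subset (the 500-of-50,000 behaviour).
    The subset is seeded per host so different bots hit different domains."""
    rng = random.Random(host_id)
    return rng.sample(daily_domains(day, count), sample)


def operator_domain(day: date, count: int, k: int) -> str:
    """The operator registers just one of the day's domains (index k) and serves the update there."""
    return daily_domains(day, count)[k]


def defender_precompute(day: date, count: int, days_ahead: int = 1) -> Set[str]:
    """Knowing the algorithm, a defender can precompute every domain for the
    coming days and pre-register or sinkhole them before the operator does."""
    return {d for n in range(days_ahead) for d in daily_domains(day + timedelta(days=n), count)}


def bot_gets_update(contacts: List[str], update_domain: str, sinkholed: Set[str]) -> bool:
    """A bot fetches the update only if it polled the operator's domain and
    that domain was not sinkholed first."""
    return update_domain in contacts and update_domain not in sinkholed


def fraction_reached(day: date, count: int, sample: int, update_domain: str, hosts: int) -> float:
    """Share of `hosts` bots that poll the update domain on a given day; with no
    sinkholing this settles around sample/count (1% for 500 of 50,000)."""
    hits = sum(bot_gets_update(bot_contact_list(day, count, sample, h), update_domain, set())
               for h in range(hosts))
    return hits / hosts


if __name__ == "__main__":
    day = date(2009, 4, 1)
    upd = operator_domain(day, 50_000, 12345)
    print("operator's update domain for the day:", upd)
    print("bots polling it today: %.1f%%" % (100 * fraction_reached(day, 50_000, 500, upd, 200)))
    print("defender pre-registered it:", upd in defender_precompute(day, 50_000))
    print("those bots get the update:", bot_gets_update([upd], upd, defender_precompute(day, 50_000)))
```

Two things the numbers make concrete: the 500-of-50,000 sampling means only about one bot in a hundred contacts any given domain on a given day, which is enough for the operator because the bots keep polling day after day; and the only scalable defence is the one the Conficker Working Group actually used, computing the list in advance and getting to the domains before the operator does.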
Now, what do we do?
Applying the MS08-067 patch to Windows would have been sufficient initially, but unfortunately it may not be that simple now. Antivirus vendors are doing their best to keep up and provide tools that remove the malware, but, as mentioned above, the worm shuts those tools down. Still, I suggest regularly updating your antivirus software, especially as April 1, the presumed date of the worm’s activation, looms near.
Michael Kassner wrote on TechRepublic:
Officially, the only real resolution is to reformat and reload, especially since Conficker.C still resides at the application level. If the developers decide to bury the malware in the BIOS or SMM, it could get ugly.
I would just suggest keeping yourself constantly updated on whatever developments the experts report, so you know what to do if it comes to that.
Photo Credits: Wikipedia; registrycleanerz.com
Network Security Basics
Securing the network may include implementing technologies such as firewalls, VPNs, antivirus, and anti-spam software. These form the network’s first line of defense. Enterprises additionally need a comprehensive approach that covers access control, data privacy, and compliance.
First, in order to know what security measures should be implemented, it is imperative that you know the network inside out. You cannot protect anything unless you clearly understand what you want to protect.
Second, you need to understand the different threats, from both internal and external sources. They may be human, automated, or natural phenomena.
Third, establish physical security, then partition and protect network boundaries with firewalls, and also put firewalls on workstations.
For enterprise network security, access control will include authentication, authorization, user provisioning and identity administration, and role management.
Authentication includes the use of passwords, token cards, and/or biometrics. Authorization policies should be centralized. User provisioning and identity administration should be automated to prevent human error. Likewise, user roles and privileges should be properly managed.
Data privacy will include encrypting data, classifying data by sensitivity, and putting access control lists in place. Adding a security layer to enterprise search results additionally prevents confidential information from leaking out through search.
Automated compliance controls and processes, flexible enough to adapt to changing requirements, should be used to conform with governance and privacy regulations.
Read these whitepapers for more detailed information:
Security Inside Out
Fundamental Principles of Network Security
Photo Credits: Javier Aroche, JoePhoto