Archive for the ‘Security’ Category

FBI ALERT/IRS email is a scam

June 21, 2011 10 comments

Since I work in an accounting office, a few people forwarded an email to me before clicking anything to see if it was harmful. The message title reads: “FBI ALERT/IRS”, and here is the body:

-----Original Message-----
From: Seattle Washington [mailto:departmentfb@mail.com]
Sent: Monday, June 20, 2011 2:14 AM
To: undisclosed-recipients:
Subject: FBI ALERT/IRS

View attached file to read important Email from FBI/IRS. You are to contact
the Internal Revenue Service (IRS) in Seattle, Washington 98174 for your Tax
Fee Clearance. find below their contact details:

Contact Person: Mr. Jake Potter

PRINCIPAL STAFF OFFICER INTERNAL REVENUE SERVICE (IRS)

Contact Email : j.potter@blumail.org

Seattle Washington Department.

Attachment: FBI_IRS.PDF (245K)

As you can see, the email includes an attachment to be clicked, a PDF in this case. This email is definitely a scam. I tested the PDF on a test system and it appears to be clean. However, you can see the text of this PDF below and see that it most definitely is a scam:

I thought it was a nice touch having the CC include the Supreme Court of the United States.

No matter what, do not send an email or call the number in the announcement. It’s definitely a scam!! For one, this is not how government agencies communicate!!! If you find any letters like this that you are unsure of, it’s best to find someone who can make the determination for you!

Categories: Scams, Security

Adobe Reader shouldn’t be updating every day!

January 5, 2011 6 comments

I was looking at my blog statistics and noticed a lot of people hitting my site are using a search term similar to “why is adobe reader updated almost every day”. Since I wrote a blog post about Adobe some time ago my site comes up in this search. The following is my advice for people having this problem.

Adobe Reader should NOT be updating every day. If the reader is updating every day there is a problem. Looking at Adobe Reader’s download history, it can be seen that an update comes out about every couple of months or so.

The first suspect I would look at is malware. TrendLabs released a warning last April about a Trojan (TROJ_FAYKDOBE.A) that looks identical to the Adobe Updater. The fake updater then downloads other malicious files. I expect this type of attack to happen more often. It is imperative that you keep your anti-virus software up to date and do regular full scans of your computer.

If you are having a problem with Adobe Reader updating every day, I would recommend immediately updating your anti-virus software and doing a full scan. Trend Micro rates this type of attack as having high damage potential because it is able to download anything to your computer.

If your computer is clean of malware, it is likely that your Adobe Reader installation has technical issues. One option would be to uninstall Adobe Reader, then install the latest version again. The current version of Adobe Reader (Adobe Reader X at the time of this post) can always be found here.

Another option is to use an alternate PDF reader. I like Foxit as a PDF reader. It seems to work much quicker than Adobe and has fewer known security vulnerabilities.

Categories: Security

Some tips to find rogue devices on your network

November 30, 2010 6 comments

Any unknown entity on your network is bad, and this is especially true for rogue devices. There are a variety of ways to protect your network from rogue devices, but honestly most small and medium businesses don’t have the resources to do this. If you’re a network person with good switches you could track these devices down to a physical switch port fairly easily. However, if you have unmanaged switches (yes, they still exist) or don’t know how to follow MAC addresses on a switch, you may have to use other methods for your investigation.

To assist in finding rogue devices on your network it is helpful to determine the vendor for a MAC address. First, you will need to know the IP address of the rogue device. Chances are you already know the IP because you know this rogue device exists. Often these devices are found when you try to add an IP to a device on your network and find the IP is already in use.

Once you have the IP, the ARP (Address Resolution Protocol) table can be used to determine the MAC address. If you’re on a Windows machine, do the following:

  1. Go to the command prompt.
  2. Ping the rogue device. It doesn’t matter if there are replies, this step gets the MAC address in your ARP table.
  3. Type the following command: arp -a
    1. Here is a sample output:
      Internet Address      Physical Address      Type
      10.0.0.89             00-03-ff-d1-19-04     dynamic
    2. The MAC address is the Physical Address listed as 00-03-ff-d1-19-04
  4. Take the MAC address and enter it into a tool or website that tells you the manufacturer. I use this website for my vendor lookups, but there are others out there.
    1. Using the sample address from above I got the following vendor info returned:
      Prefix      Vendor
      0003FF   Microsoft Corporation (was: Connectix)
  5. Now that I know the vendor of the network card I have some clues as to what kind of device the rogue element is.
    1. Knowing the vendor is Microsoft narrows down my search, since the network cards in physical computers won’t show Microsoft as the vendor.
    2. In this case I can assume it is coming from a Windows Virtual PC, since this is the most likely device on my network to show up with a Microsoft MAC address.
    3. This device is actually a Windows Virtual PC running on my laptop for testing purposes. I used this example specifically because I am seeing more and more rogue virtual machines created by IT staff in various companies.

Using the above method can dramatically cut down the investigation time to find rogue devices. Yes, it is much quicker/easier to track rogue devices through managed switches. However as I mentioned before this is not always a possibility.
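
As an added example (not the post’s own code), here is a Python script that automates steps 2 to 5 above: it pulls IP/MAC pairs out of arp -a output (Windows and Linux formats), maps the OUI prefix to a vendor using a small constructed table, and flags entries that are missing from a known-host inventory. It goes a little beyond the post by skipping multicast/broadcast entries and by recognising locally administered MACs (randomised or hypervisor-assigned), which no vendor list can resolve. The OUI table, the sample ARP output and the known-host set are constructed for the example.

```python
import re

# Constructed sample OUI table (load the IEEE OUI registry in practice);
# 00:03:FF is the prefix the post's sample MAC resolves to.
OUI_VENDORS = {
    "0003FF": "Microsoft Corporation (was: Connectix)",
    "000C29": "VMware, Inc.",
}
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def normalize_mac(mac):
    """Strip '-' or ':' separators and upper-case: 00-03-ff-d1-19-04 -> 0003FFD11904."""
    return mac.replace("-", "").replace(":", "").upper()

def vendor_for(mac, table=OUI_VENDORS):
    """Vendor for the first three octets (the OUI), or a hint when lookup is pointless."""
    n = normalize_mac(mac)
    # Bit 1 of the first octet flags a locally administered address (randomised or
    # hypervisor-assigned); its prefix is not a registered vendor OUI.
    if int(n[:2], 16) & 0x02:
        return "locally administered (vendor lookup not meaningful)"
    return table.get(n[:6], "unknown OUI " + n[:6])

def parse_arp_table(text):
    """(ip, mac, vendor) for every unicast entry in 'arp -a' or 'ip neigh' output."""
    entries = []
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # e.g. the Windows header line 'Interface: 10.0.0.5 --- 0xb'
        if int(normalize_mac(mac.group(1))[:2], 16) & 0x01:
            continue  # multicast/broadcast (01-00-5e-.., ff-ff-ff-..) are not hosts
        entries.append((ip.group(1), mac.group(1), vendor_for(mac.group(1))))
    return entries

def find_rogue(text, known_ips):
    """Entries whose IP is not in the inventory of known hosts."""
    return [e for e in parse_arp_table(text) if e[0] not in known_ips]

# Constructed sample: Windows 'arp -a' lines plus one Linux 'arp -a' line.
ARP_SAMPLE = """\
Interface: 10.0.0.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-0c-29-3a-5b-6c     dynamic
  10.0.0.89             00-03-ff-d1-19-04     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
? (10.0.0.120) at 02:42:ac:11:00:02 [ether] on eth0
"""
```

Calling find_rogue(ARP_SAMPLE, {"10.0.0.1", "10.0.0.5"}) returns the Microsoft entry at 10.0.0.89 and the locally administered entry at 10.0.0.120; feed it the real arp -a output and your own inventory instead.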

Make sure you choose a 2048-bit key size in CSRs

November 22, 2010 Leave a comment

Recently I had to order a bunch of new SSL certs for work and clients. It had been a couple of years so I didn’t realize Network Solutions and Entrust both require 2048-bit key size for their EV certs. This was no big deal, I just had to modify how I generate the keys. For instance here is how I generated the key on a Linux box:

[root@myhost]# openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr

Notice the only difference is that I had to add “-newkey rsa:2048” to my command. I’m not sure if -new is really needed, I’ve always just put it there.

I decided to see why both Entrust and Network Solutions made the change. I had probably seen something about this in the last couple of years but didn’t take notice of it. I found the change was made on the recommendation of NIST in NIST Special Publication 800-57. Specifically, this is addressed in Part 3 (pdf link).

Their specific recommendations are shown in the table below:

As you can see they recommend all RSA keys after 2010 be at least 2048 bits. I have no problem with this, I was curious as to where the change came from and thought I would post it here.

Categories: Security

Don’t believe Facebook email asking to update your account!!!

February 17, 2010 Leave a comment

There is yet another hoax targeted directly at Facebook users. All Facebook has a good article on this latest email attack on Facebook users. I will let their article go into the details, they do a good job. I will just take this moment to remind people of some basic (yet IMPORTANT) email best practices:

  • Never click on an email attachment you are unsure of! NEVER!
  • Companies such as Facebook will NEVER send you an email attachment for updating your account information.
  • Never click a link in an email to update account information. If you get an email saying you need to update your account information, log into the site the way you normally do and update it there. NEVER click that link!
  • If you receive a ‘weird’ email or an email with an unexpected attachment from someone you trust contact them BEFORE you click on anything in that email. If they are infected it is quite likely you will receive an infected email from them.

With the rise in popularity of social media sites such as Facebook, all of the above best practices also apply to ‘walls’. If someone posts something weird or suspicious on your wall then DO NOT CLICK THE LINK!!! It’s likely a scam or worse.

Categories: Facebook, Security

With the latest round of Adobe Reader exploits please follow some simple best practices!

February 17, 2010 1 comment

PDF files have allowed computer users to share documents with a wide audience for quite some time now. They are great from an author’s standpoint. Just a few of their benefits include:

  • Documents can be viewed no matter what type of computer the audience has (Microsoft Windows, Mac, Linux, smartphone, etc.).
  • The author can control how the document will look when printed by the audience.
  • Documents can be locked to prevent them from being edited.
  • Documents can be digitally signed for security and/or legal reasons.

Those are just a few of the reasons people use PDF files every day. However, there is a downside to any type of document being so popular: it will become a target of hackers!!! In particular, Adobe Reader has become a favorite target for software exploits.

There are some steps users can take to reduce the risk from these exploits. Here are some best practice items for everyone:

  • Ensure you have anti-virus software installed. Also make sure it is set to automatically update its signatures at least every day! Having an outdated anti-virus signature is almost as bad as having no anti-virus software at all.
  • Apply the latest security updates for your software. If you are using Microsoft Windows, ensure your computer is set to automatically update. Programs like Adobe Reader are a little trickier, because people don’t think about them. But I would recommend going into any software you use often and doing a “check for updates” on a regular basis.
  • Use a less popular yet equally functional competitor of the software in question. For PDF files in particular I no longer use Acrobat Reader. Instead I use a product called Foxit Reader. Foxit Reader has fewer known exploits. Notice I said “fewer known exploits”. The key is that Foxit Reader is not as widely distributed as Adobe Reader. Hackers are going to target the top software of a category for maximum impact. Foxit Reader may have as many exploits as Adobe Reader, but they haven’t been discovered because hackers are attacking Adobe.
  • NEVER open documents from a source you do not trust. Abstinence really is the best prevention!
  • Be wary of documents from trusted sources if you were not expecting a document. Just because a document comes from a friend does not mean it is safe. If you weren’t expecting a document from them, email or call them to ask if they really meant to send it to you.

These steps will help against any software exploits, not just PDFs. However, since Adobe Reader has become a top target of hackers it is very important that everyone take these few but necessary steps to protect their computer. I also hope the increase of exploits in Adobe Reader will not stop people from using PDF files. They really are great to work with. But just like any other software, there are some security best practices which MUST be followed.

Categories: Security

Simple Juniper Cache Cleaner troubleshooting steps

January 21, 2010 4 comments

If you have a Juniper SSL-VPN appliance, one of the biggest headaches you may deal with is Cache Cleaner. It’s a great tool from a security standpoint, but most of the problems that get escalated to me have to do with this program. However, none of the problems have been with Cache Cleaner itself; rather, the problems have been with IE not loading the ActiveX control correctly. Here is a simple list of things to check when having Cache Cleaner issues:

  • Clear the cache.
    • In IE7 or IE8 do the following
      • Go to Tools > Internet Options
      • In Browsing History click on “delete”
      • In the Temporary Internet Files section click on “Delete Files”
      • Click “yes” to delete temp internet files.
      • Close IE
      • Open IE and try again
  • Uninstall Cache Cleaner
    • Go to Start > Programs > Juniper Networks > Cache Cleaner x.x.x > Uninstall Cache Cleaner
    • There will be no confirmation, it will simply uninstall Cache Cleaner.
    • Open IE and try again. When logging in the SSL-VPN the program will install again.
  • Delete the downloaded program from IE
    • In IE go to Tools > Internet Options
    • In the Browsing History section click on Settings
    • Click on ‘View Objects’
    • This will list all the ActiveX controls installed.
    • Right-click on all Juniper programs and click “remove”
    • Also remove any with invalid names (a bunch of weird characters)
    • Close IE
    • Reopen IE and try again.
  • Install the Juniper Installer Service. I always leave this as a last option because I hate putting programs on users’ personal computers.
    • You can get the Juniper Installer Service from the Maintenance section within the SSL-VPN administration. As a last resort this has always fixed issues. You will need to find a way to get the file to your user. One way is to create a realm with its own URL. This realm only has a download link for this or other important files your user may need for VPN purposes.
Categories: Juniper, Networking, Security