Protecting my Mom – Part 3 – How Easy is it to Get Hacked?

Keeping our moms safe can be a daunting task.

In our first installment of “Protecting my Mom” we discussed a phone phishing attack that I was targeted by. This was followed by our second part, where I found myself being attacked over a Wi-Fi network that was set up for the express purpose of compromising machines that roamed onto it. In this final installment, we take on the role of an attacker and are reminded of how easy it is to be hacked.

My challenge to myself was simple: how fast could I target a machine and compromise it using off-the-shelf tools? My goal: 5 minutes from start to finish. How much time did I need? The stopwatch showed a mere 2 minutes and 13 seconds. Scared yet? After doing that, I was. After being the target of a hack twice in the span of less than a week, I decided to go from being the “prey” to being the “hunter.” How hard is it to be hacked? And if I were hacked, how long would it take the attacker to start grabbing data they could use? Don’t worry, I’m doing this as a bit of a test and I’m using my own virtual machines, so I’m not turning my abilities on any other person; it’s more of a challenge to see how hard it is.

The Go to Place For Small and Midsize Business IT Management

Being acquired by VMware has brought many exciting changes to Shavlik. With the integration in full swing, we are busy incorporating the Shavlik products into VMware and changing our branding. Continuing our strategy of offering SMBs simplified IT management, the current Shavlik product line is being enhanced and expanded upon, leveraging the sophisticated technology offered by VMware and at the same time extending VMware’s offering to the SMB market.

As a first step, we announced a new release of VMware Go and VMware Go Pro on October 18th, taking cloud-based IT management to the next level by adding functionality and integrating the popular features of IT.Shavlik. VMware Go provides a free IT management service to SMBs, enabling them to run a comprehensive assessment of their physical and virtual IT infrastructure and providing the user with recommendations to reduce costs, increase security and optimize their IT infrastructure. With VMware Go, you can run unlimited patch and asset scans on your physical and virtual network, tracking missing security patches and getting a clear understanding of the assets deployed on your network, including hardware and software, whether physical or virtual. To streamline trouble ticket management, an easy Help Desk is accessible anywhere, anytime. For those of you wanting to virtualize, this product makes it easy by providing an intuitive wizard to guide you through the installation and set-up of a virtual environment.

VMware Go Pro provides all these benefits but in addition gives you the tried and tested Shavlik patch management technology including scheduled deployment of patches – freeing up valuable time and resources. In addition, you get hardware asset management so you can not only track assets but can organize hardware groups to maximize resources throughout their lifecycle. Control software licenses by tracking installed software titles to maintain compliance as well as further simplify trouble ticket management, with a secure user portal for end users to submit their tickets.

It is an exciting time for SMB IT management, with affordable and powerful options available in Go as a web-based service. IT.Shavlik will be available to current customers until January 31, 2012. I encourage you to check out VMware Go – it’s free and can immediately simplify your IT management. Upgrade to a free 30-day trial of VMware Go Pro, where you can manage your physical and virtual environment – all in one place, from anywhere and at any time. For more information go to https://go.vmware.com/.

– Mike Bleakmore

SimplexITy Promotion Extended

Shavlik Technologies, now part of VMware, recently extended our bundle promotion of up to 80 percent off of SimplexITy.  Customers around the world have been taking advantage of this value-packed offer that includes Shavlik’s market-leading patch management, configuration management, antivirus protection, and power management technologies.

By bringing together this comprehensive solution, Shavlik is helping to reduce the costs and complexity of IT administration allowing our customers to spend less time worrying about security and compliance and more time to focus on strategic value to their business and their customers.

The SimplexITy bundle delivers the following solutions at a fraction of the cost (up to 80 percent):

  • Patch – for agentless patch management
  • Configuration – for configuration and compliance management
  • Antivirus – enterprise Antivirus + Antispyware + Antimalware engine
  • Power Management – centralized control to power machines off in the evenings and on weekends AND wake machines up to deploy critical security patches.  This helps companies save both energy and money.

Click here for more information.

– Mike Bleakmore

Access Intimidation

Don’t be intimidated out of making changes to your computer that improve your security and reduce your exposure to vulnerabilities. An interesting phenomenon of antivirus software is the real-time scanning it provides. Recently my laptop hardware was upgraded, and it required me to install a new video driver to support the enhanced graphics built into the onboard chipset. I was faithfully scanning my laptop for the latest patches and service pack support, as well as checking that the drivers were current for the hardware. The video driver vendor insisted there was an available upgrade, and I immediately tried to install it from the Internet per the online support. The driver was unsuccessful in loading, so I decided to download it to my local hard drive and retry the install. It downloaded successfully, and when I double-clicked the file it presented the installer and uncompressed the files, but when the progress bar was presented it halted with no error message displayed. Once again, when the machine rebooted I was informed that a video driver update was available. I examined my antivirus/malware quarantine folder and discovered the video driver software had been added to it. It was a simple task to add the name of the file to my “white list” of acceptable applications, and when I attempted the install again it was successful.

While frustrating to install, I am glad my computer is well protected and that driver-level modifications are not taken for granted. I wanted to pass this on to users who might think that they are unable to make modifications or updates to their computers because of insufficient access rights or equipment malfunction, when in reality their software was simply protecting them from themselves. Remember that a lot of computer problems are resolved by understanding PEBCAK (Problem Exists Between Chair And Keyboard).

Reviewing the newly known malware on the Internet in June 2011, here are two new vulnerabilities that could affect your security:

Adobe Flash Player CVE-2011-2107 Cross-Site Scripting Vulnerability Alert
The vulnerability, CVE-2011-2107, is a cross-site scripting vulnerability that can allow an attacker to make HTTP requests while masquerading as the affected user. This vulnerability is being exploited in the wild in targeted attacks.

Microsoft Internet Explorer CVE-2011-1255 Time Element Remote Code Execution Vulnerability
The vulnerability affects Microsoft Internet Explorer versions 6, 7, and 8. The issue is related to the time element handling and occurs due to memory corruption, allowing an attacker to execute arbitrary code in the context of the application. Failed attacks may result in denial-of-service conditions.

– Kim Fors

Don't let your antivirus misbehave

One of the best front lines of defense for the computers on a corporate network (or for home users’ computers) is antivirus software. However, not all antivirus solutions are created equal, and antivirus vendors are challenged with keeping the operating footprint small while still catching the viruses, threats and malware.

Another key thing to look for in an antivirus solution is the ability to detect based on behavior analysis. This is often referred to as “heuristics,” and it allows for additional detection beyond signature recognition. Signature recognition provides a very solid detection methodology, but if an exact match is required, literally thousands of signatures need to be constantly updated to accommodate the onslaught of new malware being propagated on the Internet.

Safe testing of AV software is important, and you can download the EICAR test file to accomplish this. The file carries no malicious payload, but it should trigger the AV software to remediate it when the file is executed or scanned.

By detecting “behaviors,” malware patterns can be identified and remediated efficiently. This method still requires updating but provides a more generic approach to detection.
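As an added illustration of the exact-signature versus generic-signature point above (example code written for this page, not Shavlik’s or any vendor’s engine), here is a toy scanner that keeps one exact SHA-256 per known file alongside one pattern per family, run over constructed, inert sample bytes. The file names, the “DemoFamily.A” name and the pattern are assumptions; runtime behavior monitoring is not simulated.

```python
"""Exact-hash signatures vs. a generic pattern signature (added example).

The three sample "files" below are constructed, inert byte strings that
stand in for a known threat, a slightly modified variant of it, and a
clean document. Nothing here is real malware.
"""
import hashlib
import re

SAMPLES = {
    "known.bin":   b"HDR\x01 DEMO-FAMILY-A build=17 beacon=example.invalid\x00",
    "variant.bin": b"HDR\x01 DEMO-FAMILY-A build=18 beacon=example.invalid\x00",
    "clean.txt":   b"Quarterly report: revenue up 3%. See attached spreadsheet.",
}

# Exact signature database: one SHA-256 per sample the vendor has seen.
# It only knows the first build, as a vendor would before the variant appeared.
EXACT_SIGNATURES = {
    hashlib.sha256(SAMPLES["known.bin"]).hexdigest(): "DemoFamily.A",
}

# Generic signature: a pattern describing the family's shared marker while
# tolerating the parts that change between builds. One entry covers every
# build that keeps the marker, which is why it needs fewer updates.
GENERIC_SIGNATURES = [
    (re.compile(rb"DEMO-FAMILY-A build=\d+"), "DemoFamily.A"),
]


def scan(data: bytes) -> dict:
    """Return what each method identifies in `data` (None when nothing matches)."""
    exact = EXACT_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    generic = None
    for pattern, name in GENERIC_SIGNATURES:
        if pattern.search(data):
            generic = name
            break
    return {"exact": exact, "generic": generic}


def catch_counts(samples: dict) -> dict:
    """Count how many samples each method flags, for the summary line below."""
    counts = {"exact": 0, "generic": 0}
    for data in samples.values():
        result = scan(data)
        for method in counts:
            if result[method] is not None:
                counts[method] += 1
    return counts


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} -> {scan(data)}")
    print("flagged per method:", catch_counts(SAMPLES))
```

The variant, which differs from the known sample by a single build number, slips past the exact hash but is still caught by the generic pattern, while the clean document matches neither.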

Top five detected malware on the Internet in May 2011:

The HTTPS Tidserv Request event is in first place this week. This event and the HTTP Tidserv Request 2 event (third place) signal attempts of the Backdoor.Tidserv malware to communicate with its control servers.

The Possible Conficker Infection event is in second place this week. The event corresponds to the ongoing use of the MS08-067 vulnerability as a propagation vector by various worms.

Multiple Adobe Products Remote Code Execution Vulnerability event is in fourth place this week. The event is related to attacks against multiple Adobe Products.

The fifth most common attack this week is the Windows RPC Denial of Service event. The event is related to attacks through the RPC protocol by exploiting vulnerabilities in Windows RPC services.

– Kim Fors

Shavlik's Antivirus Surpasses Competitors in Detecting Nasty Malware

Shavlik’s VIPRE antivirus engine has surpassed competitors in recent tests with Antivirus.org and the Malware Research Group. Today we add another to the list. VirusTotal is a service that measures the detection of viruses, worms, Trojans and other malware and reports how well antivirus engines perform. VirusTotal reported today that VIPRE was one of only three engines (out of 41 measured) that caught “VideoPlugin_v43.exe,” a new piece of nasty malware making its way around the Internet.

Click here to learn more about Shavlik’s VIPRE engine. Also, read our latest white paper on layered security “Patch and AV: Better Together.”

– Mike Bleakmore
Product Marketing Director
Shavlik Technologies

Don’t let your antivirus solution stink up your network

Think of your computer’s password like a toothbrush: you must use it every day, but don’t share it with anybody else. Then compare your antivirus software to deodorant: everybody should use it. Period.

The Internet continues to be infiltrated daily with newly introduced and existing spyware, malware, bots, rootkits and worms that are not being cleaned up. Today’s top threats continue to prove this point. Stats report that the top threats being exploited this month are:

Backdoor.Tidserv
This was initially detected in 2008 as a Trojan that uses an advanced rootkit to hide itself. The current variant is infecting 64-bit machines (as well as 32-bit); it also is infecting the MBR (Master Boot Record) gaining control before the operating system is loaded.

Conficker
Conficker (aka Downadup, Kido) blocks access to more than 100 anti-virus and security websites. It can be detected as malware and, after removal, prevented from returning by applying patch MS08-067. The Conficker eye chart assists in detection of the worm. I encourage you to run this eye chart to see if your network environment is infected: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Multiple Adobe Products Remote Code Execution Vulnerability
Adobe has released special out-of-cycle security updates to patch critical vulnerabilities in Adobe Reader and Acrobat X (10.0.2), including earlier 10.x and 9.x versions for Windows and Mac. The announcement was Adobe’s second in four weeks concerning a zero-day vulnerability.  Adobe says there are reports that one of the vulnerabilities, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an e-mail attachment.

Windows RPC Denial of Service
This threat has been detected, and the affected component updated, since Windows NT 4.0 Service Pack 6a. A recent update fixed a vulnerability that could allow remote code execution through the way the OpenType Font (OTF) driver improperly parses specially crafted OpenType fonts. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights (CVE-2011-0034).

The weakest link in your network is the unprotected computer that may be connected to but not necessarily logged into the “domain.” Utilizing a “layered” security approach is the best methodology but, after you get past the multiple firewalls, SMTP Gateways, Network Intrusion Detection Systems, Network Intrusion Prevention Systems, Host Intrusion Detection Systems, and Personal Firewalls, the antivirus software is still a line of defense that must stay in place and updated, guarding the local Operating System.

As threats grow smarter and stronger, the antivirus solution needs to be faster and able to detect malicious behavior. To remediate the suspected intruding code, it must either quarantine or delete it quickly and efficiently, and then notify the user of the potential infection.

The antivirus detection methodology needs to know the “family” association of the threat and understand its behavior by nature and during its execution. The antivirus solution needs to know the patterns and the characteristics of the threat as well as the packages it disguises itself in. If a generic signature can match the pattern of the threat, it can be unmistakably identified and dealt with.

In addition to the above requirements for an effective antivirus solution, all of this needs to be done with minimum impact on system performance. This allows the operator to continue working, unaffected by the security defending their data. The necessary function of antivirus can be effective and efficient.

In conclusion, the necessity of an antivirus solution is obvious to the most basic computer security implementation and all of the points made in this discussion should help establish the criteria when including an antivirus product as part of your layered approach to security. Do this and you won’t be left holding your nose.

– Kim Fors
Shavlik Technologies

Hot Dish on Endpoint Security

For a while now, Shavlik has been the trusted partner for patch management for organizations worldwide.  Through the years, our customers have pushed our organization to extend our offering to cover a broader spectrum of their IT needs.  Time and time again, we’ve risen to the occasion, starting with the addition of asset management to our solution, and over the years we have grown into the leader in integrated patch, asset, power, antivirus, and now virtualization management solutions.

Last week, I had the pleasure of hosting a webinar with Randy Franklin Smith from Ultimate Windows Security discussing the challenges facing our IT industry.  During the event, Randy brought up some great points about the challenges that we’ve faced and how much things have changed in recent years.  Randy’s key point mirrored what we at Shavlik have heard from our customers:  having a multifaceted approach to security is what matters.  And matter it does.  Years ago, the threats facing our machines could be summed up as viruses and holes in network layers.  Today, malware appears faster than it disappears, security holes are more prevalent, and there is a larger base of hackers trying to exploit them.  We’re here today to give you the recipe for endpoint security management… in true Mid-western style, we serve it up in the style of a hot dish (for the rest of the nation, it’s called a casserole):

ENDPOINT SECURITY HOT DISH

  • 1 Cup of the best Patch Management solution on the market:  Shavlik’s roots in patch date back to 1993 and as creators of the MBSA (Microsoft Baseline Security Analyzer) product, we continue to deliver agent and agentless scanning/remediation for your network.  No more agents to manage.
  • 1 Cup of the only integrated Virtual Machine Management: With our in-depth integration with VMware’s product, we’re able to query ESX hosts and patch/manage virtual machines regardless of whether or not they are on (for those that are off, we patch them in a network isolated state).  On top of that, we actually manage the VM Templates as well, ensuring your images are ready for virtualization when you are ready to use them.
  • 1 Cup of the fastest integrated Antivirus protection: Antivirus software is supposed to slow your machines down.  Ours utilizes the best in class agent from Sunbelt Software.  Using this technology and best practices for antivirus and malware, we provide a threat management solution that exceeds the market standards, but integrates into a single-pane of glass console for management.
  • 1 Cup of end-to-end Asset Management: If you want to secure the assets on your network, it starts with seeing them.  Using our agentless scanning technology, we can find machines on your network/IP/Domain and make invisible assets visible, while giving you the ability to create a template to rule them all.
  • 1 Cup of advanced Power Management: A system that is on can present a security threat.  A system that is off can’t be managed.  Where’s the middle ground?  Ensure the machines you have off can be turned on to patch and manage using our Wake-On-LAN features, but ensure you can turn them off to remove the attack vector when they are unused.
  • 1 Cup of the easy-to-use design and creativity brought to you by Shavlik: We’re committed to getting you up and running in a matter of mere minutes.  With our default policies and templates, we’re ready to be “out-of-the-box” for your environment regardless of size.  The same high-quality ease of use you’ve come to expect from us is what we used to knit these ingredients together.
  • All your endpoints.

DIRECTIONS:

Mix ingredients all found in the new SimplexITy bundle offered by Shavlik and add your endpoints to our management templates.  Now that you have all of the above great technologies managed from one central place, relax.  Follow our best practices, and never worry about security threats being exploited again.

For more information on how these technologies come together, I invite you to view the webinar playback of Randy and myself discussing the challenges facing the IT industry.  (Disclaimer – it is hosted by Windows ITPro, and registration is required to view the webinar.) View the webinar here.

– Rob Juncker