Wednesday, July 11, 2012

"The Internet is Falling" redux

Been a bit quiet the last few weeks around here....

So. The deadline has passed and the temporary DNS servers we mentioned here have been shut down. What was the impact?

As Jerry Doyle mentioned during his talk show, the test Monday was simple - Can you get to a web page? If not - Hey - you were hit! And Why didn't you take steps to fix it months ago? It's not like there wasn't ample warning, the dudes that caused this were arrested back in November of '11. But there were still numerous people who found themselves de-cybered Monday.

A contact of mine, who will remain anonymous, works as a front-line tech for a major ISP in the US and confided a few details as to the impact of DNSChanger on users in the US. From what they saw, call volumes spiked over 50% of the "normal" volume of requests for service. I'd think that would be pretty typical for other ISPs. Out of the average 100 calls, roughly 30% were actual issues that required intervention. Also fairly typical for a Tech Support call to a service provider. Those working for a Product Support venue (OS support or direct software, for example) normally see a higher percentage.

Surprisingly, they mentioned that most of the people affected were caught completely unaware of the issue or that they needed to do "something" to fix it themselves. With the volume of the pre-deadline publicity that accompanied DNSChanger, I can only assume:
        1. That a decent percentage of Internet users only send email, look at funny cat pictures, or download Pr0n. (any surprise there?)
        2. Far too many people have forgotten the Second Cardinal Rule of PC Ownership- "Thou shalt use an Anti-Virus program and keep it Wholly". If folks had updated AV software, this would have kept a major portion of these boxes on the 'net. Period.

Even more telling, my source mentioned that the callers "felt it should have been the responsibility of the internet access provider to make sure it was taken care of for them." Hello? Whatever happened to personal responsibility? Is it the car dealer's responsibility to make sure your gas tank is full and you change your oil regularly? Is it your doctor's responsibility to make sure you don't catch a cold?

OK enough soapboxing.

Tuesday, May 22, 2012

Are we in a Cyber "Cold War"?

A Cyber "Cold War"? Well according to Gen. James E. Cartwright (USMC, ret.), former commander of USSTRATCOM as well as Vice Chair of the Joint Chiefs, we may very well be there, and should start handling the looming cyberthreat as if it were an armed conflict.
From the article found on NextGov:
“At some point, we have to demonstrate the willingness to use it in national security. It doesn’t mean we attack somebody,” Cartwright said. “If we are attacked, we have to be able to say to somebody ‘I know who you are. I can figure it out. Even if I don’t know who you are --I will find you eventually, and if I do, then I will remain proportional in my response and timely, but I will respond.”
 Even such people as Leon Panetta, the current Secretary of Defense and former CIA Director, frequently warn that "the next Pearl Harbor" is likely to be a cyberstrike on our infrastructure systems (Gas, power, water, etc). How likely? Some say it's already happened more than once.

Thursday, April 26, 2012

"The Internet is Falling, The Internet Is Falling" - C. Little

There's been a veritable fountain of viral emails, Facebook postings, et cetera about how the Internet is being "shut off by hackers" on the 9th of July, 2012. This isn't entirely correct - Yes those who are infected with the DNSChanger trojan may not be able to reach the Internet, but it's because temporary "clean" Domain Name Service (DNS) servers are going to be shut down, and if you haven't cleaned out the Trojan, then No Internet For You!!

What I find amusing is this has been known for months - the Feds arrested the guys responsible back in November 2011...

However, the threat still remains.

Now, it's pretty easy to see if you are at risk for losing Teh Interwebz. U.S. users can go to and automatically check your DNS settings. For the geekier of us we can use the IPCONFIG command at a DOS prompt and see our DNS settings. (instructions are found here {PDF document - make sure you have Adobe Reader installed}).

OK - now you see all your DNS Settings - what does this mean?  The following table has the Bad Servers listed: through through through through through through

To make the comparison between the computer’s DNS servers and this table easier, start by comparing the first number before the first dot. For example, if your DNS servers do not start with 85, 67, 93, 77, 213, or 64, you can move on to the next step. If your servers start with any of those numbers, continue the comparison.
(text courtesy of the US Federal Bureau of Investigation)

Of course, if your local IP address is a non-routable (192.168.x.x) address, you'll need to check your router. Check your documentation on how to do this.
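The first-octet screen from the FBI text, plus the non-routable case, as an added example (not from the original post or the FBI instructions). It parses `ipconfig /all` output and sorts each DNS server into a next step; the sample output, its addresses, and the function and label names are constructed for illustration.

```python
import ipaddress

# First octets of the rogue ranges, taken from the FBI text quoted above.
SUSPECT_FIRST_OCTETS = {85, 67, 93, 77, 213, 64}
# Non-routable (RFC 1918) space: a DNS server here is normally the home router.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `ipconfig /all` output; all addresses are made up.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       85.0.0.1
                                       198.51.100.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers(ipconfig_text):
    """Return the IPv4 DNS servers, including ipconfig's continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        label, sep, value = line.partition(" : ")
        if sep:  # a "Label . . . : value" line starts a new field
            in_dns = label.strip().startswith("DNS Servers")
        candidate = (value if sep else line).strip()
        if in_dns:
            try:
                servers.append(str(ipaddress.IPv4Address(candidate)))
            except ValueError:
                pass  # blank line, IPv6 entry or the next adapter header
    return servers

def triage(server):
    """First-pass screen only; a first-octet match is not a verdict."""
    addr = ipaddress.IPv4Address(server)
    if any(addr in net for net in RFC1918):
        return "check-router"
    if int(server.split(".")[0]) in SUSPECT_FIRST_OCTETS:
        return "compare-full-range"
    return "first-octet-clear"

def report(ipconfig_text):
    return {s: triage(s) for s in dns_servers(ipconfig_text)}
```

A `compare-full-range` result only means the address still has to be checked against the full ranges in the table; `check-router` means the DNS settings to inspect are the router's, not the PC's.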

Oh Happy Day - you're infected! Congratulations! Now what? The following is a list of sites and/or tools to kill this bad boy.

Hitman Pro (32bit and 64bit versions)
Kaspersky Labs TDSSKiller
McAfee Stinger
Microsoft Windows Defender Offline
Microsoft Safety Scanner
Norton Power Eraser
Trend Micro Housecall
Avira’s DNS Repair-Tool

Friday, April 20, 2012

Where is your greatest threat?

As IT Security professionals, we spend a great deal of our time and effort (not to mention our budgets) looking for threats and performing actions to mitigate the damage that occurs. To quote The Sphinx from Mystery Men (1999), "Those who fail to plan, plan to fail." - Corny but true. Damage will occur; if you can access a network, someone can as well. My time honored analogy of the "only secure computer is an unplugged machine, encased in a solid block of Lucite, without any connection to the world - anything less than that is a compromise" still rings true.

Our focus tends to be the outside threat - Probes, Viruses, port scanning, hacking attempts, and the like. And reasonably so; these seem to get the most "bad press". But enough of us forget the real threat comes from an uneducated pool of users on the other side of our firewalls. The last two weeks of NSI's Security NewsWatch had dealt extensively with internal threat assessments and re-educating the userbase. There is a short but good article at Computer Business Review's site on this. The article points out that over a quarter of all serious security incidents come from Senior Management, but shockingly 19% come from ourselves.

Sophos has also started a free education program to assist us in educating our users and to serve as a good refresher course for ourselves. A toolkit with videos, posters, emails, etc. can be found here

Thursday, April 12, 2012

AZ Senate amends HB 2461 to criminalize Online Impersonation

   Woe to the Internet Stalkers that feel the need to impersonate someone else. As of March 8, 2012 the Arizona Senate has amended HB 2461 (Prior Felony Conviction; definition) with a Strike Everything amendment and replaced it with this text entitled 13-2012 Online Impersonation; defenses; classification; definitions.

   Essentially, this "new" bill defines the act of Cyber Impersonation as a crime as long as the basic Rule of Law is applied as to the intent of the impersonation - attempting to defraud, threaten, coerce, harm, etc.

   At first read, and only holding to my (very) basic knowledge of the law, this bill's intent is to include online activities in the already established methods of communication. Remember that the Law MUST be specific so as to prevent willy-nilly interpretation by the Courts, yet must be flexible enough to respond to the changes due to the passage of time and society's advancement thereof.

   Now, there are some who will decry the over-regulation by "Big Brother" and will wail about the violation of their First Amendment rights and the suppression of Free Speech. Au contraire, mon ami! The Test of Law has always stated that any speech that was intended to Harm, Deceive, or Commit Crimes, is NOT "protected speech" (yelling "fire!" in a crowded theater jumps to mind, but can we start applying that rule to Campaign speeches? Please?).

Wednesday, April 11, 2012

OSX.Flashback botnet on the rise thanks to Java vulnerability

Just another reason to keep all your stuff updated...

Symantec is reporting here that the OSX.Flashback botnet has increased in size to over 600k infected machines, primarily due to the vulnerability in the Oracle Java SE Remote Java Runtime Environment. Now, Oracle patched this back in February of this year, so why is this still a problem you ask? Because most users cannot be bothered to run the patches as they come out.

Tuesday, April 10, 2012


Greetings, all!

Welcome to Tech in Arizona, an examination of the state of computing and IT Security in the Grand Canyon State and elsewhere.

Your host is Bruce Wiley, an IT professional with over 30 years experience in the field.

Of course, you may ask yourself (go ahead - I'll wait...) why I'm doing this. The answer is simple. CompTIA, in their infinite wisdom, is trying to maintain ISO9000 and Higher certification for their organization, and therefore cannot allow their certifications to "not expire". Except that when most of us gained their various certs (I have three...) the contract we agreed to was a "Certification for life" and was the subject of the start of a Class-Action lawsuit against them. Being smarter than a stump, they acquiesced and added "Continuing Education" as a requirement to keep your certification refreshed. And of course, one of the ways to earn credit for the CE is to, well, Blog....

I'm sure you get the picture.

So enjoy, sit back and Let's Talk Tech.