5:41 PM, Justin, Posted in security, virus, 0 Comments
While speaking with a friend over Christmas about the pros and cons of quarantining infected PCs from the internet (not a new idea by any means as it was brought up by Microsoft several years ago) and the analogy with diseased humans, one point was that computer viruses haven't killed anyone (yet?).
But might a virus let a killer go free?

6:18 PM, Justin, Posted in passwords, virus, 0 Comments
It's the 90s all over again as a 'death worm' (Morto Worm) is squirming through the internet knocking on RDP ports (3389/TCP). In this day and age an attack as simplistic as this one, which relies on brute-forcing admin accounts from a predefined username/password list, shouldn't be able to infect any corporate machine....right?
Microsoft have some more info on this retro attack, including a list of the usernames it attacks:
1
actuser
adm
admin
admin2
administrator
aspnet
backup
computer
console
david
guest
john
owner
root
server
sql
support
support_388945a0
sys
test2
test3
user
user1
user5
...and the passwords:
*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user
If you are using any of those passwords (especially on Windows boxes), change them immediately and go sit in the naughty corner for half an hour.
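Since Morto announces itself as a burst of failed RDP logons walking the username list above, the defensive counterpart is to watch for exactly that. As an added example (not from the original post or from Microsoft's write-up), here is a small Python detector over constructed Windows Security failed-logon events; the flattened log format, the 5-minute window and the 4-failure threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Usernames from the Morto list above; a failed-logon burst that walks this list is a strong tell.
MORTO_USERNAMES = {
    "1", "actuser", "adm", "admin", "admin2", "administrator", "aspnet", "backup",
    "computer", "console", "david", "guest", "john", "owner", "root", "server", "sql",
    "support", "support_388945a0", "sys", "test2", "test3", "user", "user1", "user5",
}
# Constructed sample of Windows Security events, one per line (not real telemetry).
# EventID 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP), 3 = network (RDP with NLA).
SAMPLE_LOG = """\
2011-08-29T10:00:01 EventID=4625 TargetUserName=administrator LogonType=10 IpAddress=203.0.113.7
2011-08-29T10:00:02 EventID=4625 TargetUserName=admin LogonType=10 IpAddress=203.0.113.7
2011-08-29T10:00:03 EventID=4625 TargetUserName=actuser LogonType=10 IpAddress=203.0.113.7
2011-08-29T10:00:04 EventID=4625 TargetUserName=backup LogonType=10 IpAddress=203.0.113.7
2011-08-29T10:00:05 EventID=4625 TargetUserName=sql LogonType=10 IpAddress=203.0.113.7
2011-08-29T10:00:09 EventID=4625 TargetUserName=jsmith LogonType=10 IpAddress=198.51.100.4
2011-08-29T10:30:00 EventID=4625 TargetUserName=guest LogonType=10 IpAddress=203.0.113.7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
                     r"LogonType=(?P<lt>\d+) IpAddress=(?P<ip>\S+)$")

def parse_events(text):
    """Yield (timestamp, event_id, username, logon_type, source_ip) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
                   m["user"].lower(), int(m["lt"]), m["ip"])

def find_rdp_bruteforce(text, window=timedelta(minutes=5), min_failures=4):
    """For each source IP with >= min_failures failed RDP logons inside any sliding `window`,
    return the usernames tried and how many of them are on Morto's list (a lone typo never trips it)."""
    failures = defaultdict(list)
    for ts, eid, user, lt, ip in parse_events(text):
        if eid == 4625 and lt in (3, 10):
            failures[ip].append((ts, user))
    hits = defaultdict(set)
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_failures:
                hits[ip].update(u for _, u in events[start:end + 1])
    return {ip: {"users": sorted(users), "on_morto_list": len(users & MORTO_USERNAMES)}
            for ip, users in hits.items()}
```

The single failure from 198.51.100.4 and the isolated `guest` attempt half an hour later stay below the threshold, so only the five-username burst from 203.0.113.7 is reported.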

11:26 AM, Justin, Posted in australia, fud, virus, 0 Comments
The ACMA are warning us that 30,000 Australian PCs are infected every day. I wonder, are they unique infections? If so, then if 78% of households have a computer and there are 7,600,000 households (roughly - 2006 figure), every household should have one infected PC by 5th August 2011! (Oops, forgot to subtract the 80,000 pre-infected machines, so that would actually be 2nd August 2011.)
Are we really all that doomed?

9:34 PM, Justin, Posted in hacking, passwords, virus, 0 Comments
I've been meaning to post this for a little while, ever since I read about the data breach that occurred 'across the ditch' at the popular 'Hell Pizza'.
The cause of the breach was some spectacularly bad development work that had the Flash front-end making effectively unrestricted SQL calls to the back-end database. The database contained customer name and address details, their order history and their unencrypted password for the site.
But it's only a pizza website? Who cares!
The problem is that many people use the same password (or a variation thereof) on a wide variety of websites, pizza websites included. When the pizza website gets hacked for usernames, email addresses and passwords, you can bet that someone will try to use those same credentials (or a variation) against other sites, such as webmail, social networking and internet banking. That 'lowly' pizza website and its abysmal security may have just trumped your higher security internet banking or webmail site.
It's the same old problem we always have with passwords, that people simply have to remember too many passwords. A Microsoft study [pdf] from back in 2007 found that: "the average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords, and types an average of 8 passwords per day".
From informal discussions I've had with friends and family, I'm surprised the number is 6.5 passwords as the feedback I've received is that the number is closer to 3-4 different passwords.
Unfortunately password-based authentication isn't going anywhere anytime soon, so the advice I give to non-IT people (on top of using complex, non-dictionary, unrelated passwords) is to set themselves up with a few different 'levels' of passwords.
The bottom level is a 'throwaway' password that you can use for anything that really doesn't matter - your pizza website, one-off registrations to download documents or software or other sites you rarely ever frequent or suspect of low security standards (like internet forums).
The next level of password is for your more frequently used sites with generally better security, like social networking or webmail sites. (While I'd advise to keep social networking and webmail passwords separate, I'm working on the 3-4 password theory...).
The next level of password is your 'online shopping' passwords, such as Amazon or eBay. This is for the types of sites where a password breach could run up a serious bill on your credit cards.
Finally the last password level is your 'high security' password, solely used for internet banking. The important part about the high security password is not only that it is strong, but it is not used anywhere else.
While I admit the above is far from perfect, neither are passwords or people! At least by following that advice your average internet user might be somewhat better protected than by using the same password everywhere.....
Onto another tasty subject, octopus! (in fact octopi! Or is it octopuses?)
Octopus #1: A hacker in Japan has been arrested for releasing a virus that overwrites files on your PC with manga pictures of Octopuses and Squid. The funny part? It's the second time he's been arrested for this. Two years ago he was arrested for the same thing and charged with copyright infringement as he used copyrighted manga images. To show that Mrs Nakatsuji raised no fool, this time he used images he drew himself so he couldn't be charged with copyright infringement again! While I hope Japan has revised their computer crime laws since his first arrest, you have to admire his logic!
Octopus #2: The Octopus card is a common smart payment card in use in Hong Kong that is used in the MTR subway, convenience stores and fast food restaurants like McDonalds. Everyone I know in Hong Kong has one, and as a frequent visitor over there I have one in my wallet right now. Well it seems that the card issuer had sold the personal data of nearly 2 million customers to six business partners for HK$44 million over the past four years, the exposure of which has led to the resignation of their Chief Executive. For all the good work we security people may do in protecting our corporate data from the 'bad guys', it is all for nought if the bad guys are in the boardroom....
Now all this talk of Octopus and pizza has made me hungry! I wonder if Hell Pizza deliver to Australia?

3:32 PM, Justin, Posted in conficker, virus, 0 Comments
So maybe I was a little harsh in singling out the Waikato District Health Board in an earlier post about a Conficker outbreak, as it seems a couple of NHS (National Health Service) hospitals in the UK have since suffered the same problem, as has Manchester Police.
As much as security pros may preach the message to end users about not opening attachments from unknown senders or downloading software from dodgy sites, can it be that we haven't been focusing enough on ensuring the IT admins have heard the security message? There may be other circumstances, such as the usual under-resourcing (do more with less!) or management negligence, but surely patching and AV are the very basics that every admin understands?
Even if the worm was introduced via USB, which seems to be the case, other simple precautions such as disabling autorun can greatly limit your exposure. Going further, limiting the use of USB storage (both who has access and what type of drives can be used) provides further protection.
If businesses (and government bodies) haven't taken the basic steps to protect themselves from the most highly publicized virus/worm of recent years, it doesn't bode well for protecting against threats that aren't as highly visible in the mainstream media.

6:48 PM, Justin, Posted in conficker, NZ, virus, 0 Comments
I came across an article recently that had me doing a double-take when I saw the date it was published. It seems the jokes we Aussies like to tell about our neighbours 'over the ditch' being behind the times may be true, as in December the Waikato District Health Board over in Aotearoa ground to a halt because of.....Conficker!
You read that right, December 2009. To refresh your memory, Conficker exploited a vulnerability that Microsoft released the MS08-067 patch for back in October 2008.
To put that in perspective, some other events from October 2008 were:
- Sarah Palin and Joe Biden have their only scheduled debate for the vice presidency of the United States
- U.S. President George W. Bush signs the US$ 700,000,000,000 bailout bill after it is passed by the House.
- Head of International Monetary Fund says the US Financial Crisis threatens to send the world into a recession.
All jokes aside, a virus outbreak affecting the information systems of multiple hospitals is a very serious matter. So is the almost criminal incompetence in IT management/administration that allowed 3000 desktops to run without up-to-date anti-virus and with patches over a year out of date.
To make matters even worse (if that's possible) the NZ Ministry of Health was hit by Conficker 12 months earlier! Obviously no lessons were learned from that earlier outbreak...
Good security is hard. It takes planning, organization and hard work. Unfortunately for the patients of the Waikato DHB, bad security is easy. It requires nothing more than apathy and ignorance. In this case it took not doing what even the most computer illiterate user knows are 'the basics' (patching and AV).
One can only hope that this is a wake-up call for organizations and Government departments, not only in NZ, but everywhere.
It's been widely reported that an Australian man has developed the new iPhone virus that 'rickrolls' owners of jailbroken iPhones.
The virus spreads via SSH using the iPhone's default password of 'alpine'. Normally SSH access is not available on a standard iPhone, but enabling access is a requirement of jailbreaking the iPhone to get around restrictions placed on the device by Apple.
This comes hot on the heels of a ransomware scam with a Dutch hacker holding jailbroken iPhones 'hostage' for €5, which uses the same method to gain access to jailbroken phones. (The Dutch hacker has since apparently stopped asking for money and has now provided instructions on how to undo his changes).
Does this represent a big security hole for Apple? Not really, as both attacks only affect jailbroken iPhones. If you are jailbreaking an iPhone, or modifying any device against the manufacturer's instructions, then the onus of providing a secure device has passed from the manufacturer to the end user - something which most end users probably don't think about.
While both 'hackers' have claimed the release of their viruses was an educational 'wake up call' for users with jailbroken iPhones to ensure they change their default passwords, the simplicity of the attacks could mean something more sinister is on the horizon.
The pair of them may be in hot water as even a relatively harmless change like rickrolling can have unintended legal consequences (the attempted extortion from the Dutchman aside).
If you have a jailbroken iPhone, change the default password asap!
*edit* I just came across this post from Sophos which has a screenshot of some of the virus source code:
