Computer Security Awareness Symposium - PowerPoint PPT Presentation

1
Computer Security Awareness Symposium
  • Software Updating Tools
  • Benjamin Kirchmeier, ITS
  • benk@uidaho.edu

2
Reasons to Update
  • Client-side vulnerabilities increasing
    substantially
  • Web Browsers
  • Productivity Software (MS Office specifically)
  • E-mail Clients
  • Attacks against web browser trusted plug-ins
  • Trusted sites found hosting malware
  • These attacks target unpatched systems.

3
Web Browser Vulnerabilities
  • IE: versions 5.x through 7 running on all
    versions of Windows
  • Firefox: any version running on any supported
    platform
  • Many vulnerabilities rely on plug-ins or Active
    Scripting / ActiveX (IE)
  • Disabling scripting functionality or added
    plug-ins helps secure the browser, with caveats

4
Usability vs. Security - ActiveX
  • Exchange's Outlook Web Access (IE)
  • OWA Premium Requires ActiveX

5
Usability vs. Security - ActiveX
  • Disabling ActiveX results in errors in OWA Premium

6
Usability vs. Security - ActiveX
  • OWA will not load the contents of the folder or
    message contents
  • OWA Basic is required if ActiveX is disabled

7
Usability vs. Security - ActiveX

8
Usability vs. Security - JavaScript
  • http://courses.wcupa.edu/frichmon/usetech/musicalflashcards/majorkeys.html

9
Usability vs. Security - JavaScript
  • With JavaScript turned off we get this page

10
Usability vs. Security - Java
  • Banner 7.0 access requires Sun Java 6 update 2

11
Productivity Vulnerabilities
  • Specially crafted office documents
  • Acquired via e-mail
  • Downloaded from a web page
  • IE can open downloaded MS Office documents
    without confirmation ("Always ask before opening
    this type of file" checkbox)
  • Rogue RSS feeds can send malicious documents to
    clients

12
Downloaded Office Files Demo

13
Downloaded Office Files Demo
  • Ensure that "Confirm open after download" is
    checked

14
Productivity Vulnerabilities
  • MS Office is most widely used.
  • Office vulnerabilities addressed by Microsoft
  • All versions of MS Office across all platforms
    are vulnerable.

15
Email Vulnerabilities
  • Distribution of malware
  • Phishing: more sophisticated spear phishing is
    prevalent today
  • Spam
  • Social engineering: the ITS Help Desk handles
    many attempts each year
  • High volume of messages sent to a specific server
    or user in a short period of time

16
E-mail Vulnerabilities
  • Many e-mail risks require user education in
    addition to regular updates
  • Popular e-mail clients
  • Microsoft Outlook
  • Mozilla Thunderbird
  • Mail.app (OS X only)
  • All mail clients and their respective supported
    platforms are vulnerable

17
Top Security Menace (SANS, 2008)
  • Attacks against web browsers' trusted plug-ins
  • Adobe Acrobat Reader
  • Adobe Flash
  • Apple QuickTime
  • Sun Java

18
Adobe Acrobat
  • "Your Bill" e-mail
  • September 2007
  • Attachment of spear phish includes a rogue PDF
  • Installs UrSnif rootkit
  • Affected Adobe Acrobat 8.1 and earlier
  • Patch released October 2007

19
Adobe Flash
  • March 2008
  • Adobe Flash plug-in (v. 8 & 9) aided in DNS
    hijacking
  • Allowed remote code execution
  • Hackers could exploit Flash to take over a user's
    computer
  • Adobe updated Flash April 2008

20
Apple QuickTime
  • December 2007 - March 2008
  • Second Life uses QuickTime to display multimedia
  • Multimedia links are not stored on SL servers
  • Malicious code can be accessed by using
    multimedia
  • Code can be written to steal the victim's Linden
    dollars (1 USD = 275 LD)

21
Sun Java
  • October 2006: Google notified Sun of
    vulnerabilities in Java SE 5 & 6 Update 1
  • July 2007: Sun finally released SE 6 Update 2
  • 10 months after initial vulnerabilities were
    disclosed to the company
  • No automatic update until July 2007
  • Affected any device running Java

22
Trusted Web Sites Host Malware
  • Exploit code is showing up on trusted sites
  • Sydney Opera House
  • Bank of India
  • Facebook (Banner Ads)
  • Rate of Infection on Trusted Sites
  • 5,000 malware-infected sites per day (Dec. 2006)
  • 30,000 (August 2007)

23
What about Operating Systems?
  • The Four-Minute Myth
  • Windows 95/98/Me/NT/2000/XP
  • Service Pack 2 for XP released August 2004
  • Unpatched XP -
  • However, most OS default installations are still
    not very secure

24
What can you do?
  • Windows (Microsoft) Update
  • Internet Explorer and Office Updates
  • Apple Software Update
  • Firefox and Thunderbird Automatic Updates
  • Other client-side version checkers
  • Microsoft Baseline Security Advisor
  • PsTools: psexec.exe to push updates on remote
    computers

25
Automatic Updates for Windows
  • Enable Automatic Updates (XP)
  • Control Panel > System > Automatic Updates
  • Select the Automatic Radio Button
  • Select Every Day from the Pull-down Menu
  • Select an appropriate time for Windows to
    download updates
  • Windows Update (Vista) is enabled by default

26
Apple Software Update (OS X/Vista)
  • Checks for Apple Inc. software updates including
  • OS X (Client and Server)
  • iLife
  • Pro Apps: Final Cut Pro Studio and Aperture
  • Other Apple Inc. software
  • Sun Java (current version Java SE 6 update 5)
  • XP/Vista: iTunes, QuickTime, and Safari

27
Apple Software Update (OS X/Vista)
  • Software Update can check daily, weekly, or
    monthly
  • Updates can be downloaded automatically

28
Security Update Ratings

29
Firefox and Thunderbird Updates
  • Built-in update manager in both applications

30
Firefox and Thunderbird Updates
  • Firefox checks for
  • Firefox updates
  • Installed Add-ons
  • Search Engines

31
Online Tools
  • Many plug-ins have online version checkers
  • Sun Java (except OS X)
  • http://java.com/en/download/installed.jsp
  • Adobe Flash
  • http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507

32
Operating System Updates - Excuses
  • It's not broken, why should I fix it?
  • Previous updates have caused my computer to act
    erratically.
  • I don't want personal information about me sent
    to Microsoft, Apple, etc.

33
Microsoft Baseline Security Analyzer
  • Free!
  • Detects missing MS patches
  • Reports weak points on the computer
  • Run periodically to review security threats
  • Download
  • http://www.microsoft.com/technet/security/tools/mbsahome.aspx

34
Microsoft Baseline Security Analyzer
  • Leave all options checked
  • Click Start Scan to generate a report

35
Microsoft Baseline Security Analyzer Report

36
PsTools
  • Derived from Windows NT/2000 Resource Kits
  • No GUI - command line only
  • With great power comes great responsibility
  • Compatible with Windows NT/2000/XP/Vista and
    Server 2003 (Server 2008?)

37
PsTools Suite
  • PsExec
  • PsFile
  • PsGetSid
  • PsInfo
  • PsKill
  • PsList
  • PsLoggedOn
  • PsLogList
  • PsPasswd
  • PsService
  • PsShutdown
  • PsSuspend

38
PsExec.exe
  • Light-weight telnet replacement
  • Allows remote execution of scripts and CLI
    programs
  • Physical Security and PsExec
  • Updates using PsExec
  • Time consuming for one machine
  • Time saving for multiple machines
  • AntiVirus clients flag PsTools as a remote
    admin virus

39
Simple Scripting with PsExec
  • psexec \\demo cmd
  • Launches an interactive command prompt
  • psexec \\demo ipconfig /all
  • Runs ipconfig on \\demo and displays results
    locally
  • psexec \\demo -c test.exe
  • Copies test.exe to \\demo and executes it

40
PsExec Syntax Breakdown
  • psexec \\demo -c test.exe
  • psexec is the command
  • \\demo is the target machine
  • Text files with lists of machine names can be
    used (e.g. psexec @computers.txt -c test.exe)
  • -c test.exe copies test.exe to the target

41
PsExec Intermediate Commands
  • Install an update using authentication
  • psexec @computers.txt -u admin -p s0vryS3crt!! -c update.exe /s
  • @computers.txt: a list of computers
  • -u specifies a user, in this case admin
  • -p specifies a password; if not declared, psexec
    will prompt
  • /s tells psexec to run silently
  • Other thoughts
  • More technical background is required
  • Good for multiple one-off computers
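
The update push from slides 39 to 41 written as a per-machine loop, added here as an example (it is not part of the presentation). It runs under an account that already has administrator rights on the targets, so no -u/-p pair and no password appears on the command line, and it records a result per machine. computers.txt and update.exe are the slides' names; update-results.csv is a made-up log name, and psexec.exe on PATH, a silent /s switch on the installer and ICMP reachability of the targets are assumptions.

```powershell
# Added example: push update.exe to every machine listed in computers.txt.
# Assumes the current session's account is an administrator on each target,
# so psexec uses the caller's credentials instead of -u/-p.

$ComputerList = '.\computers.txt'        # one machine name per line
$Installer    = '.\update.exe'           # installer name from the slide
$LogFile      = '.\update-results.csv'   # hypothetical log file name

if (-not (Get-Command psexec.exe -ErrorAction SilentlyContinue)) {
    throw 'psexec.exe not found on PATH'
}
if (-not (Test-Path $ComputerList)) { throw "List not found: $ComputerList" }
if (-not (Test-Path $Installer))    { throw "Installer not found: $Installer" }

$results = foreach ($name in Get-Content $ComputerList) {
    $name = $name.Trim()
    if ($name -eq '') { continue }       # ignore blank lines in the list

    # Record powered-off machines instead of waiting for psexec to time out.
    # Assumes the targets answer ping.
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $name; Status = 'Unreachable'; ExitCode = $null }
        continue
    }

    # Same arguments as the slide: -c copies update.exe to the target,
    # which then runs with /s. -accepteula suppresses the first-run dialog.
    & psexec.exe "\\$name" -accepteula -c $Installer /s 2>$null | Out-Null
    $code = $LASTEXITCODE                # exit code reported back by psexec

    [pscustomobject]@{
        Computer = $name
        Status   = if ($code -eq 0) { 'OK' } else { 'Failed' }
        ExitCode = $code
    }
}

# Keep a record of the run and show the machines that still need attention.
$results | Export-Csv -Path $LogFile -NoTypeInformation
$results | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```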

42
Conclusion - The Bad
  • More software is becoming vulnerable
  • OSes are not the only targets
  • Trusted sites are hosting malware and viruses
    with increasing regularity
  • Phishing attacks are more sophisticated
  • E-mail security still requires user education

43
Conclusion - The Good
  • Software Updating is becoming more automatic for
    operating systems and other client programs
  • Users can turn off functionality of many client
    programs to increase security
  • IT staff have tools to help keep client machines
    up-to-date

44
Trusted Resources
  • US-CERT Securing Web Browser Information
  • http://www.us-cert.gov/reading_room/securing_browser/browser_security.html
  • Mozilla Security Center
  • http://www.mozilla.org/security/
  • Securing Microsoft Office
  • http://www.microsoft.com/technet/security/guidance/clientsecurity/2007office/default.mspx
  • Digital Signatures and Encryption (Outlook 2007)
  • http://office.microsoft.com/en-us/outlook/CH100622261033.aspx
  • Thunderbird Security Policies
  • http://kb.mozillazine.org/Security_Policies

45
Trusted Resources
  • National Vulnerability Database
  • http://web.nvd.nist.gov/
  • SANS Institute Top 20 Threats of 2007
  • http://www.sans.org/top20
  • SANS Institute Top Menaces of 2008
  • http://www.sans.org/info/22218
  • Microsoft Security Baseline Analyzer
  • http://technet.microsoft.com/en-us/security/cc184924.aspx
  • PsTools
  • http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

46
Thank You
  • Questions?