Archive for the ‘Security’ Category

WordPress Security

7 Nov 2007 12:56 by Rick

BlogSecurity has published a white paper about how to secure your WordPress installation. A lot of the stuff in there is security by obscurity, e.g. changing your database prefix and renaming your admin account, which may slow down intruders, but there is some good stuff in there as well. They also advertise a WordPress Security Scanner which should be worth a test.

Thanks to LiquidMatrix for the nudge.

Car identification

22 Oct 2007 14:53 by Rick

I don’t know if there is any kind of privacy or security problem here but I have discovered that many tyre retailer web sites have a system of identifying your car (make, model and colour) from its registration number. For example Kwik Fit or Tyre Shopper tell me that mine is a red Renault Laguna X74 5-door hatchback. I am sure that there must be a use for this.

Update:
I took a look at the DVLA website which gave a link to Release of information from DVLA records and this doesn’t mention this usage of data supplied but seems to be only datasets where the owner/keeper information is included. Following links further I found the DVLA Vehicle Online Services which gives a Vehicle Enquiry service. This requires the registration number and the manufacturer (I can’t see why) but gives quite a lot more information—date of liability (when the tax disc expires I think), first registration, year of manufacture, engine capacity, CO2 emissions, fuel and a few other bits and pieces.

Update 2:
The Motor Insurance Database ASKMID is another route. It tells you the make and model and also, usefully, if it is insured. You are only supposed to use it if you own the vehicle but that is unenforceable except, perhaps, in the extreme case of bulk enquiries.

Walled garden

12 Oct 2007 12:56 by Rick

This idea being promoted by MAAWG looks like it could be an effective way of limiting spam at source, and, as the members are high powered, it could actually get implemented.

The problem is that a large proportion of spam and associated phishing, viruses and other attacks are sent, not from huge malicious systems in a far-off place, but from many thousands of small home systems, each adding their little bit to the flood and all under common malicious control. They were infected by a previous attack and then join in themselves—these are called zombie systems and are collectively known as a bot-net.

The principle of this proposal is for ISPs to identify customers on their own networks who are infected. Nothing new there, except that they currently don’t do it because of the administrative overhead it would trigger. The difference is that once identified, the customer would have all their internet traffic automatically routed to a sanitised area called the Walled Garden within the local domain, and all browser requests would result in a link to an internal site which provides education and disinfection tools. Until the customer’s systems are cleaned, no traffic is permitted out onto the wider internet. Think of it as a quarantine with a pharmacy on hand for self-treatment. The reasoning is that the majority of customers with infected systems are unaware of it and wouldn’t know what to do if they were told. This way they don’t have a choice.

There will still be some admin overhead—in calls to the help desk—and it would need to start gently to minimise false-positive alarms, but it is probably the only way to force these infected zombie systems off the network.

As I said, there are some heavyweight people on this working group, AOL, AT&T, France Telecom (Orange), but not my ISP. But when (if?) the momentum gets under way, no ISP is going to be able to ignore it and stay in business.

Security tip

25 Jul 2007 09:34 by Rick

Here is a suggestion to reduce the risk of credit card fraud.

On the back of your card is a three-digit number which is not in the electronic information, either the magnetic stripe or the chip. It is only used in online and telephone transactions.

Make a note of this number elsewhere and then erase it from the card—I have scratched mine with a penknife and then blacked it over with a pen. It is not easy to completely erase it as it is often indented into the plastic, but that doesn’t matter. The aim is to make it difficult to read by cashiers and waiters when they handle the card. A favourite trick is to memorise this number together with the main number, easily obtainable from the till, and use it in online transactions before you get home.

Software Updates

13 Jul 2007 08:53 by Rick

Keeping up to date with software fixes these days can be very difficult; at best it is time consuming. Many applications come with automatic notifiers but often we are not comfortable enabling them and, anyway, they vary in efficiency. Some, for instance, only work from admin accounts; others ought to but instead try to update from limited accounts and fail. Microsoft pioneered this with Windows Update with Automatic Updates and have had a period of mixed success and errors which we hope is now over [update: spoke too soon on this. Reports of problems with this week's .net patch]. The Anti-Virus people have got it best in hand but even they hiccup when it comes to vulnerabilities internal to their own software.

Today I discovered a very useful facility which does for your whole machine what Microsoft Update does for their products. Secunia Software Inspector is a free service which uses a Java applet to go through your machine looking at the revision levels of software of all types and notifies you if there are security updates that you should be installing. I ran it today against a machine that is pretty well maintained (but not by me) and it noticed that Adobe Flash Player and Sun Java JRE were both down-level. It even told me about the update to Apple QuickTime which was only announced this week. A company like Secunia is going to be on the ball because it is they who tell the rest of the world what is up, and I trust them more than some because they don’t have a marketing team leaning on them, at least not in the retail business.

Gpg4Win and Enigmail

22 Jun 2007 17:40 by Rick

There is currently a problem that Enigmail, the OpenPGP extension for Thunderbird, doesn’t work with Gpg4Win. The latter is the GUI version of GnuPG for Windows. The versions tested were Enigmail 0.95.1 and Gpg4Win 1.1.0 but I understand other versions are affected.

There seems to be some dispute as to which program is at fault, and the most seen recommendation is to un-install Gpg4Win and install the plain command line version of GnuPG. Although there is some overlap (both provide a key management GUI, for instance), this would lose some of the useful disk management functions of Gpg4Win.

I have discovered that there is a much easier fix. In Thunderbird, go to the OpenPGP ==> Preferences menu item and in the “Files and Directories” window, tick Override and enter C:\Program Files\GNU\GnuPG\gpg.exe. Now stop and restart Thunderbird and everything works just fine.

Computer error nearly costs SNP election

21 Jun 2007 18:52 by Rick

Gerv Markham reports that they used MS Excel to count the votes in the “Highlands and Islands” constituency and due to a coding error forgot to count any votes for the SNP. Had an alert agent not spotted this, the SNP would have been two seats down rather than one up overall in the Scottish Parliament. See the full report for the details.

Virus Scare

16 Jun 2007 13:39 by Rick

I had a bit of a fright this morning; AVG (free) kept saying that it had found an infected object but it wouldn’t put it in the Virus Vault where it should go. I was bothered because I don’t do viruses; I consider myself too smart for that (look out, the sky is falling in). I see a few go past in email and I used to have trouble when my anti-spam system kept a copy of recent emails in plain text (it now keeps them in a database, so that is resolved). I have just installed a trial of Prevx so wondered if that may have triggered something but I don’t think so.

Some analysis and a few blunders later, I discovered:

  • The infected file was in C:\System Volume Information\_restore{DF9 …a lot of hex… F08}\RP108\A0024948.exe. If I remember rightly this is the System Restore area. I don’t recognise the file name, perhaps System Restore mangles them?
  • This accounts for why my working (LUA) account could not vault it, because I don’t have access.
  • It is reported as I-Worm/Stration.DJC. This is normally distributed by ICQ (which I don’t use) but has been seen recently in spam email—I am unlikely to have executed any attachments.

The blunder was that (in a panic) I deleted the system restore area before scanning the system; I seem to drop out of Security Analyst mode when I come home. Anyway I did a full system scan and a run of the Kaspersky Online Scanner for good measure. Nothing else was found.

What I don’t understand is:

  • How it got there. I thought System Restore was backing up things that changed during an install so that you could back them out later. If that is the case, it should have been live on my system before whatever install replaced it and there should be some other traces left.
  • Why AVG should have been looking there in Resident Shield mode anyway. I thought it only checked files that you accessed, and that is not likely to be one of them.

It will, no doubt, remain a mystery.

Executable White-listing

12 Jun 2007 16:07 by Rick

It is one of the fundamental rules that, if you want a really secure system, you start by switching everything off and then just enable what you need. This goes for firewalls too, and it accounts for why many that come pre-configured in routers are not very good: they have to let so much through to enable all potential customers to operate. It is also why ZoneAlarm (the basic version only) is so good: it asks you before enabling anything.

Based on this, the principle behind all Antivirus software is flawed from the start. It is trying to detect what is bad by various means and then blocking it. You can never win at this game; you are always trying to catch up with the perpetrators, which is why we now have to accept daily updates and I have seen some offering them hourly. It is also why they can justify a subscription pricing model rather than a one-off cost.

But you can go some way towards this goal very easily; just don’t run your day-to-day activities from an administrator account. Administrator accounts should be for administration—that is installing software, taking backups and doing system updates. What you need to do is create another account and, using the facility provided in Windows XP, mark it as LUA, a “Limited User Account”. 95% of software works perfectly well in this mode. If you use some very old programs that you have to run then you may have some problems but they can usually be circumvented. However I will (and you should) complain like mad if a new program does not work when run in this way; it is just negligent of the author. The big advantage of the limited user account is that when you are browsing and reading mail and something nasty does get in, then it no longer has access to the heart of the machine and the damage it can do is limited. Most bad-ware will try to install itself in system folders and the machine registry and that is just not possible in this mode. Think of it as running a power tool with the guards in place. You do need to lift the guards sometimes, but not with the power on and only to change the blade.

This article by Marcus Ranum (beware, some strong language) takes this concept a stage further. Here he describes how he has fought to get the complete control he wanted so that only the programs he specified would run. First he tried to use Windows Execution Control. I don’t know the facility nor if this is a fair evaluation of the mechanism but it failed miserably for him. Subsequently he tried using a product called PrevX. The main problem here was that they annoyed him with their marketing techniques but it did look doubtful that it was really doing what it said it did. [I could ask here how someone apparently so experienced in security matters could possibly get infected so often but I suppose that, during research, he may be deliberately working on the margins of safety].

Finally (so far) he found a freeware product called Exe Lockdown from Horizon DataSys. I tried for quite a while to locate the download as it doesn’t seem to be linked anywhere but eventually found it here. If it does what it says on the box then it should work in a very similar way to ZoneAlarm, i.e. maintain a table of permitted programs to execute and if you try to run one not in the list, come up with an “Allow or Deny” prompt. It adds one extra detail which may be of use for those controlling systems used, for example, by children; it asks for the Administrator password before permitting the change. Otherwise it all looks very straightforward.

It works because viruses and other bad-ware need to execute to do anything to your system. If they are not known then they will have to ask and there is a reasonable chance that you may notice at this point and deny them. It is not foolproof though; it will not catch macro viruses such as those embedded in documents or scripts such as JavaScript in web pages, but it will stop many so it is very valuable, and the others will be partially controlled by your LUA.

[Update: Well it was a good idea. First the version I found was only a limited function demo. The link to buy the real thing went nowhere and I couldn't get it to work anyway. If anyone knows of a program with a similar function then I would be very glad to hear of it.]

Red faces at Symantec

30 May 2007 15:43 by Rick

Symantec Security Response Researcher Ron Bowes has written an article which claims that a Unix-based system that uses sudo can be compromised by manipulating the search path.

When you cut all the waffle about spelling mistakes, “.” in the path and scripts executed in error, what he is saying comes down to (using the Bourne shell) …

$ echo "echo 'exploited!'; whoami" > /tmp/mount
$ chmod +x /tmp/mount
$ PATH=/tmp:$PATH
$ export PATH
$ sudo mount /dev/cdrom
Password:
exploited!
root
$

However the writers of sudo(8) were not as dumb as all that. If it was that easy it would have been blown years ago and, in fact, would not have been worth creating at all. I don’t know if he actually tested the code that he wrote but if he did, and it worked, then he had a seriously broken sudo implementation.

The “main” protection offered by sudo, to pick up on a point made by Mr. Bowes, is that it checks that the path to the command about to be executed matches the one permitted by the sudoers(4) table. /tmp/mount does not match /sbin/mount so it will not be granted root authority—indeed it will not be executed at all by sudo; the real one will be.
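To see that check in action, here is an added example (not code from the post, nor from sudo itself) that rebuilds the resolved-path-versus-sudoers comparison in plain shell, using a constructed sandbox in place of /sbin and /tmp. The secure_path setting mentioned in the comments is the real sudoers option that makes sudo ignore the caller’s PATH; everything else below is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: the path check sudo
# applies, rebuilt in plain shell so the /tmp/mount trick above can be
# watched failing. Directories, files and the allow-list are constructed.

# Resolve a bare command name against a colon-separated search path,
# the way a shell (or sudo without a secure_path setting) does.
resolve_cmd() {
    _name=$1
    _old_ifs=$IFS; IFS=:
    for _dir in $2; do
        if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# The sudoers-style rule: permitted commands are absolute paths and the
# resolved path must match one of them exactly. Prints ALLOW or DENY
# with the path that was resolved; exit status 0 only on ALLOW.
sudo_check() {
    _resolved=$(resolve_cmd "$1" "$2") || { echo "DENY (not found)"; return 1; }
    if printf '%s\n' "$ALLOWED" | grep -qxF -- "$_resolved"; then
        echo "ALLOW $_resolved"; return 0
    fi
    echo "DENY $_resolved"; return 1
}

# Constructed sandbox: a "real" mount and an attacker-controlled copy.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/sbin" "$SANDBOX/tmp"
printf '#!/bin/sh\necho real mount\n' > "$SANDBOX/sbin/mount"
printf '#!/bin/sh\necho exploited!\n' > "$SANDBOX/tmp/mount"
chmod +x "$SANDBOX/sbin/mount" "$SANDBOX/tmp/mount"
ALLOWED="$SANDBOX/sbin/mount"           # the only sudoers entry
USER_PATH="$SANDBOX/tmp:$SANDBOX/sbin"  # PATH=/tmp:$PATH from the post
SECURE_PATH="$SANDBOX/sbin"             # what a secure_path setting gives

sudo_check mount "$USER_PATH" || :  # prints "DENY <sandbox>/tmp/mount"
sudo_check mount "$SECURE_PATH"     # prints "ALLOW <sandbox>/sbin/mount"
```

The first call shows the manipulated PATH resolving to the attacker’s copy, which the allow-list then refuses; the second shows why a fixed secure_path removes the caller’s PATH from the decision altogether.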