At a certain point, you have to think in terms of triage.
- some are in no immediate danger
- some can be saved if you act immediately
- some are doomed no matter what you do
This person was an obvious three.
I know of other people who simply buy a new PC when their current machine grinds to a halt as various bits of botnet malware fight for supremacy. In the meantime they are of course a menace to everyone else on the Internet. These people are also, collectively, threes.
Unfortunately, There is Some Bleed-Over
I once heard a guy (with PCI-DSS in his job title) mention to another person (also working the PCI-DSS issue) that a colleague now had an Internet Explorer start page inexplicably pointing to some outlandish search site. Apparently neither of these people was able to recognize that browser start page hijacking is a classic indication that your machine isn't yours any more.
That was a casual conversation taking place between a couple of people walking past my cube. But it sort of jerked my head out of whatever I was doing, and I found the guy they were talking about connected to a client network, as he chatted with them about some problem they were having. Nor would he disconnect, despite my desperate hand-waving and other futile attempts to silently communicate that his machine was infested and he should not be connected to a client LAN. Though any damage was likely already done at that point.
The site Security Officer (I was a mere consultant) had an office a very few steps away, so bursting into a meeting was enough to get the problem handled. Except that it turned out that there was no local experience with credential-stealing, etc. I don't know how it all worked out in the end. I suspect that nobody wanted to know.
This is Very Bad News
Four people were involved in this: the two having the conversation, the guy with the infected machine, and me. Only one had a clue, but all were systems administrators, or specifically had 'security' or 'compliance' in their titles.
It has always been hard to find security people. It's hard to even define the term, given the breadth of the field. Reasonable people can argue either side of the question of whether or not PCI-DSS has been a failure, and that is, after all, a very narrow corner of the field. However, a certain amount of consumer-level security awareness is clearly lacking, even amongst those with security in their job description. So, at some point, I have to go there.
So, Changes
I'm hoping (probably with no prospect of success) to cheat a bit by doing a bit of rearranging of fubarnorthwest. It was always a bit strange for me to link to physics blogs instead of security blogs. There was a reason for doing that, but I never wrote the explanatory post(s), and without those it seems, well, insane. As a blogger, I suck. But my goal is to suck less, so those are going away.
In their place, I'm adding the first consumer-oriented security blog. That would be Krebs on Security. Unlike me, Brian Krebs is a blogger who does not suck. I have mentioned him before in Java Security Revisited--Part 1 and You Can Order Pre-order Kreb's Spam Nation Now.
There will be other changes.
About that Credential-Stealing Thing
Pony, to take a common example, is a piece of malware that is still classed as a downloader: something used to fetch malicious payloads onto a compromised machine. It is also a product, albeit one produced by the Bad Guys. As such, features were added, and by 2012 it was also quite the accomplished credential-stealer for Windows. It has become far more powerful since, adding crypto-currency capabilities and much else. Looking back into my notes, I would like to present a list of the Windows software that Pony could steal credentials from, as of 2012. There were likely others even then, there are certain to be more now, and of course this is only one piece of malware amongst many.
32bit FTP
3D-FTP
AceFTP
ALFTP
BitKinex
BlazeFTP
Bromium (Yandex Chrome)
BulletProof FTP
ChromePlus
Chromium / SRWare Iron
ClassicFTP
CoffeeCup FTP / Sitemapper
CoffeeCup Visual Site Designer
Comodo Dragon
CoolNovo
CoreFTP
CuteFTP
Cyberduck
DeluxeFTP
Directory Opus
Dreamweaver
Easy FTP
Epic
ExpanDrive
FAR Manager
FastStone Browser
FFFTP
FileZilla
Firefox
FireFTP
FlashFXP
Fling
Flock
FreeFTP / DirectFTP
FreshFTP
Frigate3 FTP
FTP Commander
FTP Control
FTP Explorer
FTPGetter
FTPInfo
FTP Now
FTPRush
FTPShell
FTP Surfer
FTP Voyager
Global Downloader
GoFTP
Google Chrome
Internet Explorer
K-Meleon
LeapFTP
LeechFTP
LinasFTP
Mozilla
NetDrive
NETFile
NexusFile
Nichrome
Notepad++
Odin Secure FTP Expert
Opera
PuTTY
Robo-FTP
RockMelt
SeaMonkey
SecureFX
SmartFTP
SoftX
Staff-FTP
System Info
Total Commander
TurboFTP
UltraFXP
WebDrive
WebSitePublisher
WinFTP
WinSCP
WiseFTP
WS_FTP
Xftp
Managing high-surety systems from lower-surety systems is an idea assembled from 100% FAIL. But if you must do this, being able to spot at least the most blindingly obvious indicators of compromise is a skill you need to have.
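The start page hijack in the story above is exactly the kind of blindingly obvious indicator worth checking for mechanically. What follows is an added example, not code from the original post: it pulls the Internet Explorer start/default/search page values and Chrome's homepage, startup URLs and default search engine, and flags any that point at a host outside an allow-list. The registry value names and Chrome Preferences keys are the real ones; the allow-list, the Chrome profile path, and the sample settings (constructed to look like an infected box) are assumptions you would replace with your own.

```python
"""Flag browser start, home and search pages that point somewhere unexpected.

Added example, not part of the original post. The registry values and the
Chrome Preferences keys are real; ALLOWED_HOSTS and SAMPLE_SETTINGS are
assumptions/constructed data for illustration.
"""
import json
import os
import sys
from urllib.parse import urlparse

# Assumption: the hosts a clean machine in this shop is expected to start on.
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "intranet.example.com"}

# Constructed sample: what the collector below might return on a hijacked box.
SAMPLE_SETTINGS = [
    ("IE Start Page", "http://search.fastresults-finder.biz/?aff=1177"),
    ("IE Default_Page_URL", "http://www.bing.com/"),
    ("Chrome homepage", "http://www.google.com/"),
    ("Chrome startup url", "http://intranet.example.com/portal"),
    ("Chrome default search", "http://search.fastresults-finder.biz/q={searchTerms}"),
    ("IE Search Page", "about:blank"),
]


def host_of(url):
    """Lower-cased host of a URL, or None for about:/empty values (no host to judge)."""
    parsed = urlparse(url.strip())
    if parsed.scheme in ("about", "") or not parsed.netloc:
        return None
    # Strip userinfo and port so "user@Host:8080" compares as "host".
    return parsed.netloc.split("@")[-1].split(":")[0].lower()


def suspicious_settings(settings, allowed_hosts=ALLOWED_HOSTS):
    """Return the (label, url) pairs whose host is not on the allow-list.

    about: values are left alone; data:/javascript: values are always flagged,
    since a legitimate start page has no business being either.
    """
    findings = []
    for label, url in settings:
        lowered = url.lower()
        if lowered.startswith("data:") or lowered.startswith("javascript:"):
            findings.append((label, url))
            continue
        host = host_of(url)
        if host is not None and host not in allowed_hosts:
            findings.append((label, url))
    return findings


def chrome_settings_from_prefs(prefs):
    """Pull homepage, startup URLs and default search URL out of Chrome's Preferences JSON."""
    out = []
    if prefs.get("homepage"):
        out.append(("Chrome homepage", prefs["homepage"]))
    for url in prefs.get("session", {}).get("startup_urls", []):
        out.append(("Chrome startup url", url))
    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if search.get("url"):
        out.append(("Chrome default search", search["url"]))
    return out


def collect_windows_settings(chrome_prefs_path=None):
    """Read the live values on a Windows host (winreg is Windows-only)."""
    import winreg

    settings = []
    ie_main = r"Software\Microsoft\Internet Explorer\Main"
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, ie_main) as key:
                for value_name in ("Start Page", "Default_Page_URL", "Search Page"):
                    try:
                        value, _ = winreg.QueryValueEx(key, value_name)
                        settings.append((f"IE {hive_name} {value_name}", str(value)))
                    except FileNotFoundError:
                        pass  # value not set in this hive
        except FileNotFoundError:
            pass  # key absent in this hive
    # Assumption: the default Chrome profile location; adjust for other profiles.
    if chrome_prefs_path is None:
        chrome_prefs_path = os.path.join(os.environ.get("LOCALAPPDATA", ""),
                                         "Google", "Chrome", "User Data", "Default", "Preferences")
    if os.path.exists(chrome_prefs_path):
        with open(chrome_prefs_path, encoding="utf-8") as fh:
            settings.extend(chrome_settings_from_prefs(json.load(fh)))
    return settings


if __name__ == "__main__":
    live = sys.platform == "win32"
    settings = collect_windows_settings() if live else SAMPLE_SETTINGS
    for label, url in suspicious_settings(settings):
        print(f"SUSPICIOUS {label}: {url}")
```

Run on the sample data it flags the IE start page and the Chrome default search provider, which is the pattern the hijack in the story would show; run on a Windows box it reads the live values instead. A flagged entry is not proof of infection on its own (a user may have set a homepage you did not anticipate), but a start page nobody set, pointing at a search site nobody has heard of, is the point at which the machine comes off the client LAN first and gets investigated second.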