Microsoft DNS zero-day

Microsoft has issued a warning today about an unpatched issue with their DNS service. There's a mitigation which is pretty easy to do; I'd suggest you do it ASAP if you run a Windows-based DNS server. Unfortunately, the security guy at the Washington Post doesn't seem to understand the vulnerability, as he's reporting it as a problem with their web server, which is wholly inaccurate.

PayPal/eBay Security Key

My security key arrived last night from PayPal/eBay.  I've activated it, and it seems to work pretty well.  They're in the early stages of deploying this, but for $5, my accounts are a lot more secure.

Their implementation requires you to log in with your username and password, the way you do today, but then also requires you to push the button on the front of your keyfob and enter the six-digit code that appears there.  The code changes every 30 seconds, so that even if someone does see your code, they have very little time to do something with it.

If you use PayPal or eBay much, I'd suggest ordering yourself a key as an extra layer of security on your accounts.
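The mechanism described above, as an added example that is not PayPal's or the token vendor's code: a standard TOTP-style generator (HMAC-SHA1, 30-second step, six digits) and the server-side check that only accepts a code from the current step or its immediate neighbours. Whether the actual fob uses exactly this algorithm is an assumption; the seed used here is the RFC 4226 test key, not a real token secret.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 Appendix D test key, used only so the output is reproducible.
# A real fob's seed is provisioned by the vendor and never typed in by the user.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the code rotates every 30 seconds, as the post describes
DIGITS = 6          # six-digit code shown on the fob


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Time-based code: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, now // step)


def verify(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps to
    tolerate clock drift. A code seen by a shoulder-surfer dies with its step."""
    counter = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def login(password_ok: bool, submitted_code: str, now: int) -> bool:
    """Both factors are required: the password check, then the fob code."""
    return password_ok and verify(SECRET, submitted_code, now)


if __name__ == "__main__":
    t = int(time.time())
    code = totp(SECRET, t)
    print("current code:", code, "accepted now:", login(True, code, t))
    print("same code an hour later accepted:", login(True, code, t + 3600))
```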

Arnold terminates insecure Wi-Fi

The Governator has signed a bill that'll force tech companies to warn consumers about securing their wireless routers.  That's both good news and bad news.  It's good that more people will be securing their personal information, but on the other hand, I've certainly piggy-backed off those clueless users when I've been somewhere and needed to check my e-mail.

Nasty Safari security problem on Mac OS X

SANS links to details of a nasty security problem with Safari on Mac OS X: the browser will automatically run shell scripts linked from web pages. If you're reading this via a Macintosh, do the following ASAP:

The best immediate recourse against such an attack is to deactivate the option "Open 'safe' files after downloading" in the "General" section of Safari's preferences. Alternative web browsers such as Camino or Firefox do not support the automatic execution of files. These browsers can be prompted to automatically download a file by using the refresh command in the HTML source code of a web page. However, the file will not be executed. Since the Finder selects the icon for a file based on its extension, users are advised to verify that the OS is using the proper file type. This can be done through the information window or in column view.

UNI Computer system hacked

I got my notification on Saturday that my personal info may have been exposed in this breach of security, though from what I've heard, it wasn't a "virus" per se, but rather a bot that was on the laptop in question:

UNI warns of ID theft after computer security breach

CEDAR FALLS, Iowa (AP) -- The University of Northern Iowa has warned students and faculty to monitor their bank accounts after someone accessed a computer system holding confidential information.

The university detected last week that a laptop computer holding W-2 forms was illegally accessed, though officials said the person likely did not realize he could obtain tax information for about 6,000 student employees and faculty.

"A virus was detected during routine monitoring," said Tom Schellhardt, vice president for administration and finance. "We immediately took steps to fix the problem and increase security."

The university sent letters to everyone whose data was on that computer, warning them to protect against identity theft by monitoring their accounts and contacting credit reporting agencies.

Steve Moon, the school's director of network services, said the person who used the laptop computer did so to review the print jobs for the W2 forms.

"There had been problems with printing, and the person wanted to review what the print stream was trying to do," he said.

A. Frank Thompson, a UNI professor of finance, said he didn't think W2 forms should be on the computer because the information must be made into a hard copy anyway for tax purposes. Also, "it simply opens up the possibility of that information being inappropriately accessed," he said.

ISU Computer System Hacked

Wow, now ISU has had a computer break-in that possibly gave up credit card and social security numbers. That makes at least one in each of the three state universities in Iowa this year. Think we need to step up security?

A computer at Iowa State University’s Alumni Association was hacked into, allowing outside access to thousands of social security numbers and pages of credit card information, university officials said.

Officials were unsure if the hacker broke into the computer system in search of the information but that it was possible the data was accessed and misused. More than 2,300 student and volunteer social security numbers and nearly 2,400 credit card numbers were stored in the system.

Campus officials said they were notifying individuals about the security breach.

Update: The University of Colorado was just hacked too.

Computer Security in Higher Ed.

One of our sister institutions, the University of Iowa, suffered a breach of their book store computer systems last month, potentially exposing the credit card info of 30,000 people. This follows the breach we had at our campus public radio station in March, affecting a smaller group on our own campus. As this article shows, this year, over half a million people have had their credit card numbers, social security numbers, and other personal data potentially stolen from universities with shoddy computer security. Oh, and the year is barely half over.

At this point, you've got to think (and I hope) a Congressional investigation or legislation is coming in the future. Many institutions, including my own, need to change their approach to computer security if they're going to reverse this trend.

One of the problems on many campuses is that the IT staff is distributed, because the IT dollars are distributed. There's usually not a single IT department; there are 50 of them, with varying practices, levels of skill, staffing, and funding. Some campus IT staff receive nowhere near the training budget they need to do their jobs properly, due to declining tax revenues in many states. This distributed model also means that an institution's critical information is spread across dozens, if not hundreds, of computers throughout the campus network, with greatly varying degrees of security placed upon them. A spreadsheet containing social security numbers or other private information might be on the same computer that a student worker is installing spyware-infested games on to play when they're bored.

A lot of campuses have "open" computer networks that allow most, if not all, types of network traffic to flow across their borders, rather than allowing only certain types. This gives students, faculty, and staff the ability to use whatever types of software they like, so it's very flexible, but it also exposes them to a much greater risk.

As the ComputerWorld article says, this philosophy of openness is pervasive:

The most fundamental factor is the openness of the university. The free and open exchange of ideas has long been at the core of the university mission. As a result, the typical campus is physically open to all comers; no identification badge is needed. Its intellectual property is openly aired, and members of the college community interact in public forums online and off-line. Names of professors are public knowledge much more often than their middle-management counterparts in private industry, and rosters of students aren't hard to come by, either. The campus is like this because everyone there, except IT security, wants it that way.

I know it probably seems strange to hope that Congress intervenes in one's own profession, but I think it can only improve the situation at this point. While we are working to improve our campus network security, I know it would happen a lot faster if there were tougher laws requiring us to do so...

VectorWorks portscans on port 30999

While testing Symantec Client Security for possible use on our network, I noticed two machines tripping the portscan IDS signature on port 30999. A quick Google search revealed that this port was primarily used as a back door by the Kuang2 trojan, so we disabled the network ports of the two workstations and sent some techs to check it out. They couldn't find any malware on the machines, but since no one could tell me what was portscanning our subnet on 30999 from them, I told them to wipe them anyhow. As one of the techs was setting the machine back up, it tripped my firewall again, and I immediately called him and asked him what he was doing. He said he'd just installed VectorWorks, so I asked him to run it, and sure enough, that's when the machine portscans on 30999.

I searched Google, the manufacturer's web site, and their support forum, and none of them mention that port, so I e-mailed their tech support and got this response:

Dear Nemetschek North America Customer:

Thank you for your inquiry.

VectorWorks does do a network check to see if any serial numbers are duplicated and are used at the same time. It cannot be prevented since it is hard coded into the software.

If you have any other questions, comments, or suggestions, please feel free to contact us at (410) 290-5114 (tel) or (410) 290-8050 (fax) or (e-mail).

Respectfully, Technical Support

So, it's legitimate (annoying) behavior. The kicker is that Symantec Client Security (SCS) will disable all communication with the "attacking" machine for 30 minutes by default. So, you can launch VectorWorks, then find that all the machines on your subnet running Symantec Client Security refuse to talk to you for half an hour. Congratulations, you've DoSed yourself!

Obviously, the best solution here is to run a firewall that filters your outgoing packets, and deny VectorWorks the ability to talk on your network, or better yet, configure your managed switch network to not allow all port 30999 communications. Or, even better yet, stop using VectorWorks until they decide to trust you as a customer.
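An added example, not from the post, from Symantec or from Nemetschek: a small detector for the pattern the IDS signature was reacting to (one source touching many hosts on tcp/30999 within a few seconds), run over constructed firewall log lines in an assumed `key=value` format. Correlating an alert like this with a VectorWorks launch on the flagged workstation lets you tell the license check apart from a Kuang2-style backdoor before anyone reaches for the wipe disk.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not real captures): one workstation sweeping the subnet
# on tcp/30999 right after VectorWorks starts, plus unrelated traffic.
LOG_LINES = [
    "2007-04-13 09:01:02 src=10.1.2.50 dst=10.1.2.1 proto=tcp dport=30999",
    "2007-04-13 09:01:02 src=10.1.2.50 dst=10.1.2.2 proto=tcp dport=30999",
    "2007-04-13 09:01:02 src=10.1.2.50 dst=10.1.2.3 proto=tcp dport=30999",
    "2007-04-13 09:01:03 src=10.1.2.50 dst=10.1.2.4 proto=tcp dport=30999",
    "2007-04-13 09:01:03 src=10.1.2.50 dst=10.1.2.5 proto=tcp dport=30999",
    "2007-04-13 09:01:05 src=10.1.2.77 dst=10.1.2.9 proto=tcp dport=80",
    "2007-04-13 09:01:06 src=10.1.2.77 dst=10.1.2.9 proto=tcp dport=80",
    "2007-04-13 09:30:00 src=10.1.2.88 dst=10.1.2.9 proto=tcp dport=30999",
]
LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)$")


def parse(line):
    """Return (timestamp, src, dst, proto, dport) or None for lines we can't read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").timestamp()
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5))


def find_sweeps(lines, port=30999, min_hosts=4, window=10):
    """Flag sources that reach >= min_hosts distinct destinations on `port`
    within `window` seconds: the horizontal-scan shape a portscan signature
    fires on. Returns {source: distinct hosts seen in the first such window}."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[4] == port:
            by_src[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for t0, _ in events:
            hosts = {d for t, d in events if t0 <= t <= t0 + window}
            if len(hosts) >= min_hosts:
                alerts[src] = len(hosts)
                break
    return alerts


if __name__ == "__main__":
    for src, n in find_sweeps(LOG_LINES).items():
        print(f"{src}: {n} hosts on tcp/30999 in 10s; check for a VectorWorks launch first")
```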

Patch your boxes

If you even come into passing contact with a Windows box, take a few minutes to visit first Windows Update and then Office Update to install the latest critical patches for your system. There are some truly nasty holes that were patched today, and I'm sure at least one of them will be ripe for a worm soon. The TCP/IP stack, Windows/MSN Messenger, and even Microsoft Word all have "critical" security flaws in them, so get patching!