Sunday, January 18, 2009

The Best way to set up Vista

Many months ago, I was asked for a recommendation on setting up a brand new Vista machine to provide maximum security protection. I subsequently discovered that my recommendation earns the 'Best' rating from Jesper M. Johansson in his article "The Long-Term Impact of User Account Control".

Here are the ratings for the various setups (figure 2 of the article):

Protection Level | Elevation Method
Worse  | Turn off UAC.
Bad    | Automatically elevate administrators.
Good   | Run in admin-approval mode.
Better | Run as standard user and elevate to a separate admin account.
Best   | Run as standard user and switch user to a separate admin account instead of using UAC to elevate.

The default setup is to rely on AAM (Admin-Approval Mode), and that only earns a 'Good' rating. Jesper explains why this is not as good as using a separate account:
This lessens the risk of a poisoning attack, where a malicious non-elevated application poisons the user environment for an elevated one, but it does not necessarily remove the ability of a non-elevated application to control an elevated one.

Saturday, January 17, 2009

Next time you find a USB drive lying around beware...

The experiment reported here shows that there is no free lunch:
....Steve Stasiukonis of Secure Network Technologies during a penetration test for a customer. He seeded the customer's parking lot with USB flash drives, each of which had a Trojan horse installed on it. When the employees arrived for work in the morning, they were quite excited to find the free gadgets lying around the parking lot. Employees eagerly collected the USB drives and plugged them into the first computers they came across: their own workstations.
Maybe some employees were wise enough to ignore these USB drives, and perhaps some of the USB drives were discarded, but it really only took one user with one drive to infect his own system and provide a gateway into the network. Stasiukonis did this exercise as a test, of course, but this technique has been used by real criminals to infiltrate large corporate networks.

Updates on disabling Autorun

With reports of the Conficker virus/Trojan spreading, and with one of its propagation techniques relying on Microsoft's Autorun feature, if you have not yet disabled this dumb feature you should follow the instructions in this Microsoft support article.
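As an added example (not from this post or the linked Microsoft article), here is a PowerShell script that audits and then hardens the Autorun policy. It uses the NoDriveTypeAutoRun DWORD under the Explorer policy keys, where each set bit suppresses Autorun for one drive type; the bit index follows the Win32 DRIVE_* constants, and 0xFF disables Autorun for every type. The function names are my own.

```powershell
# Added example: audit and disable Autorun via the NoDriveTypeAutoRun bitmask.
# Bit positions correspond to the Win32 DRIVE_* drive-type constants.
$DriveTypeBits = [ordered]@{
    0x01 = 'Unknown type (DRIVE_UNKNOWN)'
    0x02 = 'No root directory (DRIVE_NO_ROOT_DIR)'
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed disks'
    0x10 = 'Network shares'
    0x20 = 'CD/DVD-ROM'
    0x40 = 'RAM disk'
    0x80 = 'Reserved / unspecified'
}
# HKLM applies machine-wide; HKCU covers only the current user.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutorunPolicy {
    # Report, per hive, which drive types still have Autorun enabled.
    foreach ($key in $PolicyKeys) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $value) {
            $mask = '(not set - OS default applies)'
            $stillEnabled = 'all types not covered by the OS default'
        } else {
            $mask = '0x{0:X2}' -f $value
            # A drive type is still Autorun-enabled when its bit is clear.
            $stillEnabled = ($DriveTypeBits.Keys | Where-Object { -not ($value -band $_) } |
                ForEach-Object { $DriveTypeBits[$_] }) -join ', '
        }
        [pscustomobject]@{
            Hive                   = $key.Split(':')[0]
            NoDriveTypeAutoRun     = $mask
            AutorunStillEnabledFor = $stillEnabled
        }
    }
}

function Set-AutorunDisabled {
    # Set every bit (0xFF) so Autorun is suppressed for all drive types.
    # Writing HKLM requires an elevated (administrator) session.
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

Get-AutorunPolicy | Format-Table -AutoSize   # before
Set-AutorunDisabled
Get-AutorunPolicy | Format-Table -AutoSize   # after: nothing should remain enabled
```

The new value is picked up at the next logon; run the audit function again afterwards to confirm both hives report 0xFF.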

I cannot see one good reason for this feature, which incidentally is enabled by default. Would it be better to disable it by default and right mouse click to launch?

Let's hope Windows 7 has this Trojan assistance taken out.

This is a very good in-depth article on this kind of attack using autorun/autoplay.

The concluding remarks from this article are worth quoting here:
Ignoring the DMA scenario for a moment, the success of the attacks I have discussed, as well as the success of the countermeasures, will depend on the privileges of the user using the computer. If the user is a standard user, the amount of damage the exploit can do is limited. It can still steal that user's data and anything that user has access to. However, the attack will likely not impact the network at large.

However, if the user being exploited is an administrator, the consequences can be a whole lot worse.