Saturday, January 3, 2009

New solutions to remotely secure a stolen laptop

  • Date: December 12th, 2008
  • Author: Paul Mah

In the past, a lost laptop automatically meant a compromise of whatever confidential data it contained. This is changing for the better, however. Here are the latest developments on the anti-theft front, featuring remote management or deletion of data for laptops.

————————————————————————————————

I recently wrote about some simple hardware approaches to securing laptops. In that article I advocated full disk encryption (FDE) or an encrypted flash volume as a means of protecting confidential or private data.

A couple of vendor announcements in the past few weeks show an increased emphasis on data protection. I’ll examine developments on the anti-theft front for the remote management of stolen laptops — once the sole domain of smartphones like the RIM BlackBerry and Microsoft’s Windows Mobile-based devices.

Alcatel-Lucent OmniAccess 3500 Nonstop Laptop Guardian

One proprietary solution that got on my radar a few months ago is the OmniAccess 3500 Nonstop Laptop Guardian by Alcatel-Lucent. The 3500 is a Linux-based PCMCIA card that emulates a smartcard for authentication. In short, the laptop will cease to work if this PCMCIA card is physically removed. What differentiates the 3500 from a typical smartcard is that it packs an integrated 3G modem, GPS, and its own battery for power.

The wireless link and GPS let the PC be located and have its security policies managed even if the laptop is turned off. The depth of its features, which includes the ability to terminate VPN traffic and store encryption keys, currently represents the holy grail of locking down and managing remote laptops.

Of course, its downside is that it is only available in the PCMCIA form factor, which newer laptops are quickly dropping.

Lenovo Constant Secure Remote Disable

Lenovo recently announced a feature called Lenovo Constant Secure Remote Disable. Working with BIOS maker Phoenix Technologies, Lenovo integrated the ability for a user to remotely disable his laptop at the hardware level: a text message containing a “kill command” is sent to the laptop from one of a set of designated mobile phone numbers.

Once the kill command is sent, the ThinkPad is either disabled immediately or when the laptop is turned back on - as in the case when a system is suspended or hibernated. Once shut down this way, the only way to get the laptop back on is to type in a preconfigured “resurrection code” when the laptop is started. Obviously, an embedded cellular WWAN (wireless wide-area network) card will be necessary to use this feature, as well as a relevant mobile subscription to allow receipt of text messages.

Lenovo Constant Secure Remote Disable will be available as a free BIOS upgrade expected this month or first quarter of 2009. The technology will work with ThinkPad laptops running on the Intel Centrino 2 platform.

Intel Anti-Theft PC Protection

The first laptop based on Intel’s anti-theft technology will, as it happens, also come from Lenovo this month. Lenovo’s new ThinkPad T400 will ship with Intel’s Anti-Theft PC Protection as well as Computrace from Absolute Software.

Combining hardware and software makes for a robust solution. For example, the Computrace software can be set to disable logins if the computer has not checked in with a central server within a set period of time (a dead-man timer). It can also help trace the laptop’s location or lock it remotely over the Internet in the event of theft.

A machine can also be set to brick itself after a set number of password failures, or on a signal from a remote server. When bricking, the chipmaker’s vPro technology can halt the laptop at the BIOS boot screen, rendering the hardware useless. It can also permanently erase the encryption keys for an FDE disk; once the keys are gone the data cannot be recovered even if the drive is pulled and read elsewhere, which is the strongest confidentiality guarantee on offer here. Note the difference from a plain lock: a locked machine still holds its keys and can be brought back with the resurrection code, while an erased one cannot.
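To make the lock-versus-erase distinction concrete, here is a small host-side policy model, added for this write-up and not code from Lenovo, Intel or Absolute. It models the check-in timer, the password-failure threshold, the remote kill signal, the resurrection code and the key erasure described above. All names, thresholds and the in-memory DEK are illustrative assumptions; a real implementation lives in firmware and the management agent, not in Python.

```python
import hashlib
import hmac
import os


class AntiTheftPolicy:
    """Illustrative policy model (not any vendor's API) for the controls
    described in the text: a check-in timer, a failed-password threshold,
    a remote kill signal, a resurrection code and erasure of the FDE
    data-encryption key (DEK).

    A *lock* keeps the DEK and is reversible with the resurrection code;
    an *erase* zeroes the DEK, after which no code can bring the data back.
    """

    def __init__(self, resurrection_code, checkin_window, max_failures, dek):
        # Keep only a salted PBKDF2 hash of the resurrection code.
        self.salt = os.urandom(16)
        self.code_hash = hashlib.pbkdf2_hmac(
            "sha256", resurrection_code.encode(), self.salt, 100_000)
        self.checkin_window = checkin_window   # seconds allowed between check-ins
        self.max_failures = max_failures       # password failures before key erasure
        self.dek = bytearray(dek)              # mutable so it can be zeroed in place
        self.last_checkin = None
        self.failures = 0
        self.locked = False
        self.keys_erased = False

    def checkin(self, now):
        """Record a successful contact with the management server."""
        self.last_checkin = now

    def erase_keys(self):
        """Cryptographic erase: overwrite the DEK; the disk is now unreadable."""
        for i in range(len(self.dek)):
            self.dek[i] = 0
        self.keys_erased = True
        self.locked = True

    def password_attempt(self, correct):
        """Count failures; hitting the threshold destroys the DEK."""
        self.failures = 0 if correct else self.failures + 1
        if self.failures >= self.max_failures:
            self.erase_keys()

    def evaluate(self, now, kill_signal=False):
        """Return the state the policy demands at time `now`: ok, locked or erased."""
        if kill_signal and not self.keys_erased:
            self.erase_keys()
        if self.keys_erased:
            return "erased"
        overdue = (self.last_checkin is None
                   or now - self.last_checkin > self.checkin_window)
        if overdue:
            self.locked = True
        return "locked" if self.locked else "ok"

    def resurrect(self, code, now):
        """Unlock with the resurrection code; impossible once the DEK is gone."""
        if self.keys_erased:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)
        if not hmac.compare_digest(candidate, self.code_hash):
            return False
        self.locked = False
        self.failures = 0
        self.last_checkin = now   # treat the unlock as a fresh check-in
        return True
```

The resurrection code is compared with `hmac.compare_digest` so a thief probing the lock cannot learn anything from timing, and the DEK is held in a `bytearray` so the erase actually overwrites the bytes rather than leaving an immutable copy behind.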

Conclusion

The advantage of the approach taken by Alcatel-Lucent’s OmniAccess 3500 Nonstop Laptop Guardian is that it leverages well-understood smartcard technology. Building a stand-alone data modem and GPS hardware into a PCMCIA card can’t be cheap, but it allows for a comprehensive end-to-end solution for laptops containing extremely high-value data.

Lenovo’s approach uses a relatively minor BIOS update to give compliant ThinkPads the ability to be shut down remotely. A built-in WWAN card is still necessary, along with a mobile plan subscription. On the bright side, the number of laptops with built-in WWAN cards can only increase, and if the feature proves popular it should be easy for other vendors to incorporate.

Finally, Intel’s approach combines hardware and software. The vPro technology gives it the robustness of a hardware-based solution, while software like Absolute Software’s Computrace gives it versatility and control second to none. The downside appears to be somewhat higher management complexity.


Compiled by Amresh Anjan

E-mail spam: How to stop it

  • Date: December 17th, 2008
  • Author: Michael Kassner

What if I said I knew of an approach that would definitely reduce the amount of e-mail spam you received? No way? Well, read on. It’s simple, it works, and I’d like to share it with you.

————————————————————————————————

We all know the infamous e-mail spam three step:

  1. A spammer obtains your e-mail address.
  2. The spammer begins to inundate you with e-mail spam.
  3. You receive the e-mail spam and get rid of it.

It’s common knowledge that the easiest way for spammers to obtain e-mail addresses is to purchase them from Web sites that collect them for one reason or another. A typical example is a site that asks for an e-mail address in exchange for the information it advertises, after which the host is free to use the address according to the fine-print agreement that none of us reads.

Recently I read about a method that lets you pinpoint, and cut off, the source of spam after you have handed an e-mail address to a Web site. Before I get into that, though, I’d like to look at what’s currently used.

Somewhat successful anti-spam methods

Spam filtering is the technology of choice to reduce (or eliminate, depending on your viewpoint) e-mail spam. The problem with this approach is that it acts after the fact. It’s also a never-ending battle to keep a blacklist or whitelist up to date. Heuristic spam filters exist, but they are prone to erratic results, including false positives that catch an important e-mail you wanted to get through.

Keeping e-mail addresses secret is another semi-successful method, but doing so is becoming virtually impossible in today’s Internet world. Besides, there’s very little difference between keeping an e-mail address secret and not having an e-mail account at all.

Still, that brings up an interesting point. Why not get several Web-hosted e-mail addresses? They’re free. Start getting too much spam, and you just close that particular account.

Sacrificial e-mail accounts seem plausible

Sounds like that might work. Even with all the effort of opening the accounts, it’s still worth it to eliminate any amount of e-mail spam. At least that’s what I thought, but there’s a gotcha I hadn’t considered.

Let’s use me as an example to explain the gotcha. I started getting all sorts of e-mail spam from one of my sacrificial accounts so I decided to close it. Great, I’ll show them. The next day I was surfing and wanted information from some Web sites, which happened to require e-mail addresses in exchange for the information. No problem, I used my new sacrificial e-mail account. All is well in my world.

What I wasn’t prepared for was how soon I started getting e-mail spam again. It didn’t take long before I came to the conclusion that my sacrificial e-mail addresses definitely weren’t the answer. Luckily for me, I came across Kurt Wismer’s article “How to Avoid Email Spam” on the anti-virus rant’s Web site.

Wismer explained the flaw in my theory about sacrificial e-mail accounts:

“A number of people are already familiar with the idea of a throw-away email address and often use hotmail or some other free webmail provider to make one. Unfortunately that leaves you with no way to know who leaked your address to the spammers. So when you need to change addresses (because the current throw-away address has gotten too spammy) you’ll have no way of knowing which organizations to not give the new address to.”

I’d go through all the work to change my e-mail address to a new sacrificial one and get caught again.

One-time e-mail addresses

Wismer goes on to explain that there are applications and Web hosts that allow the use of easily disposable e-mail addresses so a different one can be used for each site that’s visited:

“This is where true disposable email addresses come in. You need to use a different address for each site you give an address to (whether it’s ebay, amazon, or your bank) so you can identify which one leaked the email address simply by looking at which email address got leaked. So that you only have to turn off that one address when it starts getting spammed rather than changing addresses and updating a potentially long list of sites with your new address.”

There are several services that will allow the use of disposable e-mail addresses. They are divided into two different categories. The first type is the most familiar:

  • A throwaway e-mail address is selected.
  • Give the address out to Web sites whenever needed.
  • Check the service’s home page or RSS feed for any responses.
  • If the return e-mail is spam, just delete the e-mail address.

I know of two services that work this way, mailinator.com and dodgeit.com. I prefer the next type, because the service forwards any return e-mail to my actual e-mail account. The steps used by these services are (courtesy of sneakemail.com):

  • Instead of typing in your real e-mail address, you select your Sneakemail bookmark, which pops up Sneakemail.com in a small window. You log in and click on Create a New Sneakemail Address.
  • Here you find a simple form. You label the Sneakemail address so that you will recognize where that particular e-mail address was used. Click Create, and a new and random e-mail address such as jlsjk02@sneakemail.com is created.
  • Paste jlsjk02@sneakemail.com into the form at the Web site. You never give out your real e-mail address.
  • Now when mail is sent to jlsjk02@sneakemail.com, it goes to a Sneakemail server where it’s forwarded to your real e-mail address. The e-mail is mostly unaltered, except that the From line reads: From: <the Web site’s e-mail address> |<label you created>| jlsjk02@sneakemail.com.
  • By looking at this line, you can see that it originally came from the Web site that you visited and was sent to the Sneakemail address you specifically labeled in your account.
  • If you begin receiving spam at this particular Web site and you were careful to give this address out only to that Web site, you know exactly where the spammer got this address. Also, you can go to Sneakemail.com and delete the e-mail address, eliminating any further spam.

I’ve tried two services that use this approach, sneakemail.com and mailnull.com, and had equal success with both. Mailnull.com also has an added feature called Web Contact Form, which is great for Web-site hosts that don’t want to advertise an e-mail address to avoid spam e-mail spiders but would like to give visitors the option of contacting them.
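Here is the forwarding side of the one-address-per-site scheme as a small Python model, added for this write-up and not code from Sneakemail, Mailnull or Kurt Wismer. It goes a little beyond the services described above: each alias is derived from its label with a keyed hash, so the same label always yields the same alias and aliases cannot be guessed by dictionary, and a helper turns a list of spammed recipient addresses into the list of sites that leaked them. The domain, secret and addresses are constructed for the example.

```python
import hashlib
import hmac


class DisposableAddresses:
    """One alias per site, so a spammed alias names the site that leaked it.

    Aliases are derived from the label with a keyed hash, so the same label
    always yields the same alias and an alias cannot be guessed without the
    secret. The domain, secret and real address here are illustrative.
    """

    def __init__(self, domain, secret, real_address):
        self.domain = domain
        self.secret = secret
        self.real_address = real_address
        self.labels = {}       # alias local-part -> label of the site it was given to
        self.disabled = set()  # local-parts switched off after spam arrived

    def create(self, label):
        """Mint (or re-derive) the alias to hand to the site identified by `label`."""
        local = hmac.new(self.secret, label.encode(), hashlib.sha256).hexdigest()[:12]
        self.labels[local] = label
        return f"{local}@{self.domain}"

    def disable(self, alias):
        """Turn an alias off; returns the label so you know which site burned it."""
        local = alias.partition("@")[0]
        if local in self.labels:
            self.disabled.add(local)
            return self.labels[local]
        return None

    def route(self, rcpt, sender):
        """Decide what the forwarding server does with mail addressed to `rcpt`."""
        local, _, domain = rcpt.partition("@")
        if domain != self.domain or local not in self.labels:
            return {"action": "reject"}                # never minted: bounce it
        label = self.labels[local]
        if local in self.disabled:
            return {"action": "drop", "label": label}  # burned alias: silently discard
        return {"action": "forward", "to": self.real_address,
                "from": f"{sender} |{label}| {rcpt}"}  # tagged From line, as Sneakemail does

    def attribute_leak(self, spam_recipients):
        """Given the recipient addresses seen on spam, name the sites that leaked them."""
        leaked = set()
        for rcpt in spam_recipients:
            local, _, domain = rcpt.partition("@")
            if domain == self.domain and local in self.labels:
                leaked.add(self.labels[local])
        return sorted(leaked)
```

Because the alias is a keyed hash of the label, you can re-derive an address you already gave a site without looking it up, while a spammer who learns one alias gains no foothold for guessing the others on the same domain.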

Final thoughts

I like these approaches. There’s a certain satisfaction in deleting an e-mail address knowing that any spam aimed at that address will be eliminated. I realize it’s an added step, but I’m willing to take it just to gain back some control.




DNS Changer Trojan: Latest variant is certainly unique

  • Date: December 29th, 2008
  • Author: Michael Kassner

The developers of the DNS Changer trojan have been busy: three generations in the past year alone. The newly released version is the one we need to worry about. Learn how to find and combat it.

——————————————————————————————————————

As the name implies, DNS Changer (Trojan.Flush.M) is a malware application that replaces the correct IP addresses used for the primary and secondary DNS servers with those designated by the attacker. Once that happens, every name resolution request is directed to the attacker’s DNS servers. Depending on the circumstances, the attacker’s DNS servers can respond with correct or incorrect DNS records.

Why, you may ask? It’s all about deception. If the attackers’ DNS servers respond correctly to the majority of name resolution requests, most users won’t suspect anything. What the attackers really want are the requests for the legitimate Web sites they have created malicious copies of.

When such a request arrives, the attacker’s DNS server returns a record pointing to the malicious copy instead of the genuine site. Once the user’s browser loads the fake site, it’s relatively easy to use one of several exploits to harvest personal information or download additional malware.

This trojan has some notoriety in that DNS Changer targets Mac OS X as well as Windows operating systems. Some experts even say that DNS Changer influenced Apple to publicly advise (but quickly retract) Mac users that anti-virus software might be a good idea.

What’s also interesting about DNS Changer is the fairly intense scrutiny it has received throughout its existence. By watching closely, security analysts are learning, right along with the malware coders, what works and what doesn’t in malware propagation.

Even with three different versions of DNS Changer, the results are always the same. Compromised computers are configured to use the attacker’s DNS servers. Like the analysts, it’s a good idea for all of us to understand how the trojan works, simply because increased awareness reduces our risk.

Version 1

Security analysts first noticed version 1 in January of 2008. Version 1 tries to take advantage of users that are attempting to download movies from a Web site. It’s the typical scam where the Web site points out that a special file or codec needs to be installed on the user’s computer in order for the movie to play. In reality, the codec is the dropper that starts the installation of the trojan and after asking the user for admin rights will install DNS Changer on the computer.

Version 1 perplexed security analysts because it was almost totally benign. It changes the DNS settings on the computer under attack, reports back to specified command and control servers, and that’s it. Still, version 1 made trojan history in that it targeted Apple as well as Microsoft operating systems.

Version 2

Version 2 surfaced around July of 2008 using similar drive-by dropper techniques to get installed. After being installed on a computer, version 2 attempts to determine the management username and password of any gateway routers on the network. If DNS Changer successfully determines the admin credentials, it then has access to the gateway router’s Web-based configuration.

The next step is to change the gateway router’s DNS server settings to that of the attacker’s DNS servers. After which all of the computers that receive DHCP leases from the gateway router will get erroneous DNS server IP addresses and as with version 1 any name resolution requests will be sent to the attacker’s DNS server.

This tactic has merit if you think about it. Even if the trojan is removed from the computer, name resolution remains compromised, because the gateway router continues to hand out the attacker’s DNS servers. Still, this version is losing its appeal. People are starting to understand the need to change the default credentials on their network devices, which removes version 2’s attack vector.

Version 3

Version 3 was discovered just this month, and the malware coders seem to have gotten it right this time. The trojan registers ndisprot.sys (an NDIS protocol driver, which gives it raw send and receive access to the network interface) as a service and uses it to run a working DHCP server on the compromised computer. The rogue DHCP server listens for DHCPDISCOVER broadcasts from the other computers on the network and answers them with DHCP offers whose DNS option carries the IP addresses of the attacker’s DNS servers.

The trick here is for the rogue DHCP server to respond faster than the authorized DHCP server. If the DHCP client accepts the DHCP query response from the rogue DHCP server, it’s all over. The rogue DHCP server supplies an internal network IP address with a very long lease time as well as IP addresses for the attacker’s primary and secondary DNS server.

Version 3 has all sorts of implications. For example, what if a computer compromised with version 3 of DNS Changer connected to an open Wi-Fi hot spot? Any new arrivals may get erroneous DNS information from the rogue DHCP server. This variant also has a much better chance of succeeding, because it doesn’t have to try and guess default management credentials.

Things to watch out for

SANS Internet Storm Center notes that “it’s probably wise to at least monitor traffic to 85.255.112.0 to .255, if not block it.” For now this appears to be the IP address range used by the malicious DNS servers. On an individual computer you can check which DNS servers are configured with ipconfig /all (Windows), by reading /etc/resolv.conf (Linux; plain ifconfig shows interface addresses, not DNS servers), or with scutil --dns or the Network pane of System Preferences (Mac). Compare the addresses against the flagged range and against the DNS servers you expect on your network.

As for rogue DHCP servers on the network, there are applications such as DHCP Find that locate and report all pertinent information about any clandestine DHCP servers that are on the same network.

It appears that most anti-virus applications have signatures for all three versions of DNS Changer, and that’s a good thing. So, make sure your AV application is up to date. Even so, be cautious: DNS redirection can occur even if your computer is clean, because version 2 rewrites the gateway router’s settings and version 3 hands out bad settings from another machine on the LAN.
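To show what a rogue DHCP monitor actually looks at, here is an added example, written for this write-up and not code from SANS, DHCP Find or any AV vendor. It parses raw DHCP messages (RFC 2131 fixed header plus options), then flags an OFFER or ACK that comes from a server identifier you don’t recognise, that carries a DNS option inside the 85.255.112.0/24 range quoted above, or that hands out an unusually long lease, which is the version 3 pattern described earlier. The two packets at the bottom are constructed inline so the example runs offline; the trusted server and the rogue addresses are assumptions for the example.

```python
import ipaddress
import struct

# Range SANS ISC flagged for the malicious DNS servers (quoted in the article).
FLAGGED_DNS_NET = ipaddress.ip_network("85.255.112.0/24")

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 51, 53, 54
DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp(packet):
    """Parse a raw DHCP message (RFC 2131 fixed header + options) into a dict."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", packet[:8])
    fields = {
        "op": op, "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),  # address being offered
        "siaddr": str(ipaddress.IPv4Address(packet[20:24])),  # next-server address
        "chaddr": packet[28:28 + hlen].hex(":"),              # client MAC
        "options": {},
    }
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        length = packet[i + 1]
        fields["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return fields


def ip_list(data):
    """Decode an option value holding one or more IPv4 addresses."""
    return [str(ipaddress.IPv4Address(data[i:i + 4]))
            for i in range(0, len(data) - len(data) % 4, 4)]


def assess_offer(msg, trusted_servers, max_lease=7 * 86400):
    """Return the reasons an OFFER/ACK looks rogue (empty list if it looks legitimate)."""
    opts = msg["options"]
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if msg_type not in (DHCPOFFER, DHCPACK):
        return []
    findings = []
    server_ids = ip_list(opts.get(OPT_SERVER_ID, b""))
    server = server_ids[0] if server_ids else msg["siaddr"]
    if server not in trusted_servers:
        findings.append(f"offer from unexpected DHCP server {server}")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if ipaddress.IPv4Address(dns) in FLAGGED_DNS_NET:
            findings.append(f"DNS server {dns} is inside {FLAGGED_DNS_NET}")
    if OPT_LEASE in opts and len(opts[OPT_LEASE]) == 4:
        lease = struct.unpack("!I", opts[OPT_LEASE])[0]
        if lease > max_lease:
            findings.append(f"suspiciously long lease of {lease} seconds")
    return findings


def build_offer(server_ip, yiaddr, dns_servers, lease_secs, xid):
    """Construct a DHCPOFFER for the example; real ones come off the wire via a raw socket."""
    mac = bytes.fromhex("001122334455")
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
    header += ipaddress.IPv4Address("0.0.0.0").packed        # ciaddr
    header += ipaddress.IPv4Address(yiaddr).packed           # yiaddr
    header += ipaddress.IPv4Address(server_ip).packed        # siaddr
    header += ipaddress.IPv4Address("0.0.0.0").packed        # giaddr
    header += mac + b"\x00" * 10                             # chaddr (16 bytes)
    header += b"\x00" * 64 + b"\x00" * 128                   # sname, file
    dns_bytes = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease_secs)
               + bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes
               + b"\xff")
    return header + DHCP_MAGIC + options


# Constructed samples: the real gateway's offer, and a rogue offer of the kind
# version 3 sends (internal address, very long lease, DNS in the flagged range).
TRUSTED_DHCP_SERVERS = {"192.168.1.1"}
LEGIT_OFFER = build_offer("192.168.1.1", "192.168.1.50", ["192.168.1.1"], 86400, 0x3903F326)
ROGUE_OFFER = build_offer("192.168.1.57", "192.168.1.200",
                          ["85.255.112.36", "85.255.112.37"], 10 * 365 * 86400, 0x3903F327)


def scan(packets, trusted_servers=TRUSTED_DHCP_SERVERS):
    """Run every captured message through the checks; returns {xid: findings}."""
    results = {}
    for raw in packets:
        msg = parse_dhcp(raw)
        findings = assess_offer(msg, trusted_servers)
        if findings:
            results[msg["xid"]] = findings
    return results


if __name__ == "__main__":
    for xid, findings in scan([LEGIT_OFFER, ROGUE_OFFER]).items():
        print(f"xid {xid:#x}:")
        for f in findings:
            print("   ", f)
```

On a live network you would feed `scan` the UDP payloads of port 67/68 traffic captured with a raw socket or from a pcap; the server-identifier check is the one that catches a rogue server even after the attackers move their DNS servers out of the flagged range, so keep the trusted-server set current.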

Final thoughts

All variants of DNS Changer are in the wild, but version 3 is the one to watch out for. If possible, I’d suggest configuring the computer’s working network interface with static IP addresses for the DNS servers. On Windows, statically configured DNS servers take precedence over whatever a DHCP lease, rogue or not, offers; on Linux, dhclient will still overwrite /etc/resolv.conf unless dhclient.conf uses supersede domain-name-servers. This does not help against version 1, which changes the host’s own settings directly. OpenDNS is highly recommended for this, and their Web site explains exactly what to do. OpenDNS’s resolvers also sidestep some other potential problems, such as Kaminsky’s cache-poisoning bug, that a vulnerable ISP resolver might expose you to.

If static DNS server IP addresses aren’t an option, as is typical of larger networks, monitoring traffic destined for 85.255.112.0/24 becomes important, as does running some sort of rogue DHCP server monitor.


