Basic best practices for Windows security

This blog post is intended for those who are basic to moderately advanced (A+ level) users of Windows.

I know some of you will sit here and say, “Windows!? How can you secure that!? Microsoft doesn’t know how to secure anything!” The reality of the situation is that since 2002 (the Trustworthy Computing initiative), Microsoft has been at the forefront of security research, disclosure, and even offensive action against major spam players and botnets. The company has been a major contributor to the overall positive health of the internet, and long gone are the days of the Blaster worm completely ravaging internet-connected systems.

That said, the threat landscape has changed over the years and below are some techniques you can use to ensure that your system stays malware-free.

  1. UPDATE: Keep all of the software on your PC up-to-date. Windows has had a built-in Automatic Updates client since Windows 2000 Service Pack 3, and there have been continuous enhancements to make the process as painless as possible. If you don’t want to be bothered, simply set your computer to automatically download and install updates.

    The top attack vector for the past couple of years has been outdated and insecure versions of Java, Flash, and Adobe Reader. Adobe has made major strides to improve the security profile of its software, but it still has a way to go. One of the more recent steps was finally the inclusion of an automatic, behind-the-scenes update mechanism for Flash (introduced in 11.2), which keeps your IE and Firefox plugins updated. If you’re a Chrome user, Google bundles Flash with the browser and keeps it current through Chrome’s own updater.

    Java, however, is a different story. One improvement, made around 1.6u10, is that the installer no longer keeps old versions of Java around on the system by default; new versions now simply replace the older, less secure variants. For some developers this can cause issues. The development community should make sure it doesn’t require end users to keep insecure versions of Java on their systems.

    That said, Java does have a built-in update mechanism that nags you with a notification-area prompt. When it comes up, please run it! Not every release is a security fix (as an example, 1.6u32 does not fix any security vulnerabilities over 1.6u31), but it’s better to be on the safe side.

    Staying updated is imperative to improving your system’s security. While there are exploits out there known as 0-days (exploits for vulnerabilities that have no patch yet), you are very unlikely to encounter them during regular internet browsing. And if 0-day exploits are all you have left to worry about, you are in great shape.

  2. UPGRADE: I know many people who still consider Windows XP to be the top OS. “Windows 7 is bloated!”, they say.

    Starting with Windows Vista, and continually improved through Windows 7 and the upcoming Windows 8, Microsoft has made drastic security changes that all contribute to a direct reduction in client-side malware infections internet-wide.

    Through User Account Control (UAC), Microsoft now treats every user as a “standard user” by default, even if they are a member of the Administrators group on their PC: an administrator’s logon session runs with a filtered token, and only the processes you explicitly elevate through the consent prompt get the full administrative token. While it has some quirks to its behavior, it allows you to make administrative changes to the PC while helping to prevent drive-by malware infections from gaining complete, autonomous access to your system. In fact, it’s so effective that one of the growing trends I’ve seen in recent years is trojans now merely installing to a user’s profile directory while making changes only to the user’s own registry hive (HKEY_CURRENT_USER). A large amount of malware is easily cleaned by merely logging in as another user and doing a clean. (Note: a whole lot of security software out there does not load other users’ registry hives in order to clean them.)

    Regardless, you should consider upgrading to Windows 7, or to Windows 8 when it becomes available. Mechanisms introduced alongside UAC, such as mandatory integrity levels that let a process run with reduced privileges (Internet Explorer’s Protected Mode runs the browser at low integrity), make infecting a PC that much more difficult for malware authors.

  3. Anti-virus: While many argue that most antivirus software is useless, signature-based, blah-blah-blah, the reality of the situation is that most malware users will encounter is either a known item or a variant of a known item, where the vendor’s heuristics can detect it even without a direct signature. This is not always true, as I often see malware at work on a user’s system that I regularly submit to my company’s AV provider, but nonetheless, why put yourself in the situation of being taken advantage of by something as trivial and stupid as a known object? Seriously, get something, ANYTHING. I highly recommend the Microsoft Security Essentials product: it’s free, lightweight, and a very good detection solution when you don’t want to fork out the cash for a major vendor’s product. I’ve also been extremely partial to Norton Antivirus 2012, which I run on my laptop, and which has caught things that I have not seen Security Essentials catch until much later (sometimes by months).
  4. DON’T ASSUME NOSCRIPT/ADBLOCK/SAFE-BROWSING WILL SAVE YOU: One of the most common misconceptions about keeping one’s PC secure is simply this: “I don’t need AV, I don’t need Windows 7, I don’t need UAC, I don’t need all of that other junk because I don’t browse malicious sites and I run Firefox with NoScript! I’m super protected!”

    The reality is you will inevitably allow some websites more permissions than others: websites you trust, websites you assume to be secure. At the end of the day, the technologies you are turning off are integral to the dynamic functionality of the modern web, and as these technologies become more dynamic they become ripe for abuse. A malicious iframe may be embedded in a site that you regularly visit and have whitelisted in NoScript because “Well, it’s a legit site!”, and then it’s over from there. This has happened on numerous occasions, and site operators respond in a variety of ways. Some will remove it instantly, others won’t know for quite a while due to a lack of monitoring, and others will flat out not care. Why let yourself be a victim of their lack of due diligence? Follow the methods above to keep yourself secure even in these situations.
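As an added example (not part of the original post), the following PowerShell script turns points 1 to 3 into a quick posture check: the Automatic Updates setting and any pending updates (via the Windows Update Agent COM objects), whether old Java installs are still lying around, the UAC registry policy and whether the current session holds a filtered token, and whether an antivirus product has registered with Security Center. Run it from an elevated PowerShell prompt on Windows 7 or later; the function names (Get-UasPosture and friends) are this example’s own, and the pending-update search needs to reach Windows Update or your WSUS server.

```powershell
# Added example: basic Windows hygiene check (updates, plugins, UAC, AV).
# Function names here are this example's own; the COM objects, registry
# values and WMI class are standard Windows interfaces.

function Get-AutoUpdateSetting {
    # Microsoft.Update.AutoUpdate is the Windows Update Agent's automation object.
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $level = $au.Settings.NotificationLevel
    # 1 = disabled, 2 = notify before download, 3 = notify before install,
    # 4 = scheduled install (download and install automatically)
    $names = @{ 0 = 'NotConfigured'; 1 = 'Disabled'; 2 = 'NotifyBeforeDownload';
                3 = 'NotifyBeforeInstallation'; 4 = 'ScheduledInstallation' }
    New-Object PSObject -Property @{ Level = $level; Name = $names[$level]; Ok = ($level -eq 4) }
}

function Get-PendingUpdates {
    # Ask the Windows Update Agent for applicable updates that are not yet installed.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        # MsrcSeverity is empty for non-security updates.
        New-Object PSObject -Property @{ Title = $u.Title; Security = [bool]$u.MsrcSeverity; Severity = $u.MsrcSeverity }
    }
}

function Get-RiskyPlugins {
    # Installed-program entries for the plugins called out above, from both the
    # native and the 32-bit (Wow6432Node) uninstall keys on 64-bit Windows.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java\(TM\)|Java \d|Adobe Flash Player|Adobe Reader)' } |
        Select-Object DisplayName, DisplayVersion
}

function Get-UacState {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin = 0 makes admins
    # elevate silently with no prompt, which defeats the point of the filtered token.
    New-Object PSObject -Property @{
        Enabled       = ($p.EnableLUA -eq 1)
        SilentElevate = ($p.ConsentPromptBehaviorAdmin -eq 0)
    }
}

function Test-Elevated {
    # With UAC on, an administrator's non-elevated session reports False here
    # because its filtered token carries the Administrators SID as deny-only.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RegisteredAntivirus {
    # Security Center registration (client editions of Windows; Vista and later use SecurityCenter2).
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState
}

function Get-UasPosture {
    $findings = @()
    $au = Get-AutoUpdateSetting
    if (-not $au.Ok) { $findings += "Automatic Updates is '$($au.Name)'; set it to install automatically." }
    $pending = @(Get-PendingUpdates)
    if ($pending.Count -gt 0) {
        $sec = @($pending | Where-Object { $_.Security }).Count
        $findings += "$($pending.Count) update(s) pending, $sec of them security fixes."
    }
    $plugins = @(Get-RiskyPlugins)
    $java = @($plugins | Where-Object { $_.DisplayName -like 'Java*' })
    if ($java.Count -gt 1) { $findings += "Multiple Java installs present ($($java.Count)); old versions should be removed." }
    $uac = Get-UacState
    if (-not $uac.Enabled) { $findings += 'UAC is disabled (EnableLUA=0).' }
    elseif ($uac.SilentElevate) { $findings += 'UAC elevates administrators without prompting (ConsentPromptBehaviorAdmin=0).' }
    if (-not (Test-Elevated)) { $findings += 'This session is not elevated; the pending-update search may be incomplete.' }
    if (@(Get-RegisteredAntivirus).Count -eq 0) { $findings += 'No antivirus product is registered with Security Center.' }
    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

Get-UasPosture
```

The plugin list is deliberately a name match against the Uninstall keys rather than a version comparison: what matters for point 1 is whether more than one Java entry is present at all, since patch-in-place updating should have left exactly one. productState from Security Center is a vendor-encoded bit field, so the script only checks that something is registered, not that it is up-to-date.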
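Point 2 notes that malware increasingly persists only in the infected user’s profile and HKEY_CURRENT_USER, and that many cleaners never look at other users’ hives. As an added example (not from the original post), this PowerShell script lists the Run and RunOnce autostart entries of every local profile, loading each logged-off user’s NTUSER.DAT under a temporary mount point and reading logged-on users’ hives in place under HKEY_USERS\<SID>. It must be run from an elevated prompt; the mount name UAS_Sweep and the function names are this example’s own.

```powershell
# Added example: enumerate per-user autostart entries across all local profiles.
# Requires an elevated prompt (reg.exe load needs SeBackupPrivilege/SeRestorePrivilege).

$RunSubkeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
              'Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-LocalProfiles {
    # ProfileList maps each SID to its profile directory; S-1-5-21-* keeps only
    # real user accounts and skips LocalSystem/LocalService/NetworkService.
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $list | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        if ($sid -match '^S-1-5-21-' -and $path) {
            New-Object PSObject -Property @{ Sid = $sid; Path = [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
}

function Read-RunEntries([string]$HiveRoot, [string]$ProfilePath) {
    foreach ($sub in $RunSubkeys) {
        $key = "Registry::$HiveRoot\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/etc. as properties; skip those.
        $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
        foreach ($name in $names) {
            $cmd = $props.$name
            New-Object PSObject -Property @{
                Profile   = Split-Path $ProfilePath -Leaf
                Key       = $sub
                Name      = $name
                Command   = $cmd
                # Flag commands that launch something out of the profile itself
                # (AppData, Temp, ...), the pattern described above.
                InProfile = ($cmd -like "*$ProfilePath*" -or $cmd -match '\\AppData\\|\\Application Data\\|%APPDATA%|%TEMP%')
            }
        }
    }
}

function Get-AllUsersRunEntries {
    foreach ($p in Get-LocalProfiles) {
        if (Test-Path "Registry::HKEY_USERS\$($p.Sid)") {
            # Hive already loaded (user is logged on): read it where it is.
            Read-RunEntries "HKEY_USERS\$($p.Sid)" $p.Path
            continue
        }
        $hive = Join-Path $p.Path 'NTUSER.DAT'
        if (-not (Test-Path $hive)) { continue }
        & reg.exe load 'HKU\UAS_Sweep' $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hive"; continue }
        try {
            Read-RunEntries 'HKEY_USERS\UAS_Sweep' $p.Path
        } finally {
            # Drop PowerShell's open handles on the mounted hive first, or
            # reg.exe unload fails with "access denied" because the key is in use.
            [GC]::Collect(); [GC]::WaitForPendingFinalizers()
            & reg.exe unload 'HKU\UAS_Sweep' | Out-Null
        }
    }
}

Get-AllUsersRunEntries | Sort-Object Profile, Key, Name |
    Format-Table Profile, Key, Name, InProfile, Command -AutoSize -Wrap
```

An entry with InProfile set to True is not automatically malicious (some legitimate per-user installers such as Chrome’s live in AppData), but it is exactly the class of entry that a scan run only from the infected account, or from a cleaner that never loads the other hives, will miss. Removing one is a plain Remove-ItemProperty on the same key while the hive is loaded.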

There are more advanced topics I can discuss in the future, but following these simple procedures should help you raise the bar on your system for malware authors to try and beat. And while no doubt goal posts on either side of the fence continuously move, that doesn’t mean you should give up because “you’ll never win”. The malware authors will continue to find ways in, and the defensive community will have to continue to adapt. In 5 years, I could be telling you completely different solutions.

Posted in A-KO's Blog, Blogs

Minecraft

We now have a public minecraft server up!

URL: minecraft.unallocatedspace.org

Please do not grief or abuse the server, thanks!

Posted in Workshop

Network Upgrades!

Greetings all!

If you haven’t been to the space in a while you may not have noticed the major upgrades going on at the space. We’ve been hard at work making some core upgrades to the network that will make us more capable of handling network pen testing, hosting files for talks, and hosting services on the Internet.

  • VLANs! No professional network is complete without VLAN capability, and we’re delivering. This will enable us to segment portions of the network to allow people to openly pen test without reaching other network subnets and disrupting people working on other projects.
  • IPv6! We are now fully dual stack IPv4/IPv6 across all networks in the space. You shouldn’t notice any difference other than some sites coming over IPv6. Feel free to come and ask questions.
  • DMZ! We will now be able to host long awaited game servers on the external internet. First up? MINECRAFT! We will be hosting our own Minecraft server by the end of the week. Stay-tuned.

Future expansions include:

  • Upgraded PBX system via SIP and Google Voice. Major PBX plans coming soon.
  • SVN/GIT Support. We’ll be migrating all of our space coding projects to a GIT or SVN system.
  • File Server! We’ll very soon have an internal file server for space storage.
  • SpaceNet support - http://spacefed.net/wiki/index.php/Spacenet
  • “The Labs” – VMWare-based lab servers for pen testing, exploit testing, and general experimentation.

Stay tuned for more info on each of these. If you would like to get involved, feel free to drop by during our Open House nights.

Posted in Workshop

Open House Night

Join UAS for tonight’s open house night!

Posted in Workshop

Test out your talks at the next UAS Soiree

Submitting talks to conference CFPs can be frustrating, especially with new talks. Do you want to see if the talk works, or just practice it? Trying to give a talk for the first time? At the UAS Soiree (AKA Textile’s Sewer), you can give any talk from 15 minutes to an hour in length.

Carrying on with the idea that Textile started, this is an open event forum for anyone who wants to give a talk. What we hope is that regular attendees of this monthly event give ongoing talks at the Soiree. Yes: it’s Fight Club for Hackers!

This session’s speakers and topics are:

Digital Arcanist – 5 most important things in Infosec
Cryptos – Android
Cryptos – Hadoop Password Cracker
Matt – What Sound is good?
Lewis/Walt – Theremin
Outrayjus – Brewing
Open Discussion – Do’s and Don’ts of new hackerspaces
Infosec book club

Please register for this event: http://www.eventbrite.com/event/3142239523

If you know anyone that would be interested in giving a talk in future sessions, please have them contact Forgotten.

Posted in Conferences, Events, The UAS Soiree

Open House Night!

Unallocated Space now has an official weekly Open House night for people to come and check out the space. We will do our best to have the space open on this night so feel free to drop by and get to know everyone.

Open House: 7:00PM on Wednesdays

Posted in Workshop

The Hacker Carnival at Annapolis Junction

Tomorrow from 3:00PM until 8:00PM Raytheon will be putting on a recruiting event dubbed the Hacker Carnival! It will feature a mini-CTF and other fun hacker-type events, including lockpicking! Make sure you stop by and test your skills.

Posted in Events, Hardware Hacking, Lockpicking, Workshop

Code Hero goodness here at Unallocated Space

I ran across a great project on Kickstarter yesterday called Code Hero. From the page:

Code Hero is a game that teaches you how to make games so you can learn to code while you play with a Code Gun that shoots Javascript in Unity 3D!

Created by Alex Peake and his lads at Primer Labs, Code Hero is basically a game that can turn you into a game programmer! Becoming a backer for as little as 1 dollar (yes, you read that right) gets you access to the beta. Download, log in, and away you go: grok!

One thing that really jumps out at me about this project is the hacker ethic that drives it. It is a project that is created by hackers, promotes hackerspaces and, in essence is really all about creating more hackers. The world needs that: More hackers.

I commend Alex Peake and the whole Primer Labs crew on a great project with a truly inspiring goal: create more hackers. Make sure you visit the Kickstarter page and become a backer. Now.

Hack The Planet

Posted in Hackerspaces, Hacking, Projects, Workshop

World IPv6 Launch Day and UAS’ IPv6 Transition

Hey everyone!

In preparation for World IPv6 Launch Day (http://www.worldipv6launch.org/), Unallocated Space has begun its migration of core network services to a dual-stack infrastructure. What this means is that we will have simultaneous access to both the IPv4 and IPv6 internet.

This transition will not just be about moving the network over: our core services will be available over both protocols as well. This is obviously going to take some time, as it involves script and code updates where necessary.

I encourage everyone to come down to the space sometime in the coming months to see how the transition is coming along. Hopefully sometime by the end of the next month we will have our network infrastructure migrated.

The transition is documented on our wiki, here: http://www.unallocatedspace.org/wiki/IPv6_Transition

Posted in Projects, Workshop

David Quigley gives an SELinux Class at Unallocated Space!

Hey Everyone,

Ever wanted to learn more about SELinux? Run into problems with it and decided not to use it again? Want to learn more about how to configure mandatory access control on your Linux boxes so they aren’t easily rooted?

Join Unallocated Space as we host David Quigley on Saturday, February 25th, 2012 @ 5:00PM where he will give us a course in all things SELinux.

Event table space is limited, so please use http://www.eventbrite.com/event/2845199067 to reserve your spot today.

Abstract

Over a decade ago, researchers at the National Information Assurance Research Lab at the National Security Agency (NSA) identified a need for flexible mandatory access controls to help provide a solid foundation for secure systems. This resulted in the development of the FLASK architecture. FLASK has been implemented in a number of operating systems, the most prominent of which is Linux under the name SELinux. Since the early days of SELinux adoption, much work has been done by the community to improve the utility and usability of SELinux. These enhancements have turned SELinux from a prototype research implementation into a robust access control mechanism that is used by a variety of customers worldwide.

This tutorial is suitable for students with a broad range of experience in SELinux. The tutorial starts with the foundation concepts of SELinux allowing students to understand the new access control concepts that are provided. The tutorial then covers basic SELinux usage including: evaluating the state of an SELinux-enabled system, identifying SELinux information on system resources, and troubleshooting of basic SELinux errors.

Next, the tutorial covers troubleshooting errors with SELinux that result from non-standard configurations of system services. For example, it is common to change the location that a web server serves pages from. SELinux needs to be informed of these changes so that the labels on system resources are consistent with what the policy expects. This section will also cover examples of other services which typically have non-standard configurations. Students will work through examples that address not only the issue at hand, but also expose the underlying cause. This increases the student’s understanding and allows each student to identify and resolve similar problems.

Finally, the tutorial covers SELinux policy analysis and writing. As system administrators are constantly faced with deploying software created by their enterprise, understanding the SELinux security policy and how to extend it to cover in-house applications is very important. It covers basic policy development within the scope of the SELinux reference policy and how to iteratively develop an application policy while having minimal impact on production systems.

About David

David Quigley started his career as a Computer Systems Researcher for the National Information Assurance Research Lab at the NSA where he worked as a member of the SELinux team but has since left that position. David leads the design and implementation efforts to provide Labeled-NFS support for SELinux. David has previously contributed to the open source community through maintaining the Unionfs 1.0 code base and through code contributions to various other projects. David has presented at conferences such as the Ottawa Linux Symposium, the StorageSS workshop, LinuxCon and several local Linux User Group meetings where presentation topics have included storage, file systems, and security.

David currently works as a Computer Science Professional for the Advanced Engineering and Development division at Keyw Corporation.

Posted in Workshop