Stopping Conficker with OpenDNS

Conficker is quickly becoming a mainstream news story as April 1 approaches, the date that the worm is programmed to “phone home” for further instructions. It has been discussed in various news outlets, even garnering a primetime spot on 60 Minutes this past weekend. The worm has been a great source of concern for IT execs the past couple of months, though the actual severity is yet to be determined. There are several mitigating factors that are supposed to minimize the chance for compromise, and a number of ways to detect and remove the virus. Another potential weapon against Conficker that should be considered is the use of OpenDNS to block the worm from communicating with command and control servers for further instructions.

In analyzing the virus, engineers have found that Conficker uses an algorithm to generate a set of different domains to contact for further instructions beginning on April 1. Because the algorithm is known, the exact list of domains it will produce can be computed in advance. OpenDNS recently added a feature that blocks access to these domains, describing it this way: “We’ve teamed with Kaspersky Lab to identify those domains, and stop resolving them. This means if you’re using OpenDNS, Conficker will do your network no damage.” From a management perspective, this is a much less intensive solution than attempting to block the domains on your local DNS servers and dealing with the overhead involved.
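The blocking described above works at the resolver: queries for the pre-computed rendezvous domains simply never resolve, and the same list can be run against resolver query logs to find hosts that are still trying to reach them. The following is an added example (not OpenDNS or Kaspersky code) of that detection step; the blocklist entries and the log lines are constructed placeholders, not real Conficker domains or real traffic, and the log format is an assumed one-line-per-query layout.

```python
"""Flag DNS queries to blocklisted domains and list the clients that made them.

Added example, not code from OpenDNS or Kaspersky. The blocklist and the
query log below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed blocklist (placeholders, not real worm domains). In a real
# deployment this is the list derived from the worm's domain-generation
# algorithm, as the post describes.
BLOCKLIST: Set[str] = {
    "example-c2-a.invalid",
    "example-c2-b.invalid",
}

# Constructed resolver query log; assumed format: "timestamp client qname qtype"
SAMPLE_LOG = """\
2009-04-01T00:00:01 192.168.1.10 www.example.com A
2009-04-01T00:00:02 192.168.1.22 example-c2-a.invalid A
2009-04-01T00:00:03 192.168.1.22 mail.example.com MX
2009-04-01T00:00:04 192.168.1.35 cdn.example-c2-b.invalid A
2009-04-01T00:00:05 192.168.1.10 example-c2-a.invalid.example.com A
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qname: str
    matched: str  # the blocklist entry that covered the query


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")


def blocked_parent(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering qname (the name itself or any
    parent domain), or None.

    Matching is done label by label from the right, so a blocked name that
    merely appears as a prefix of an unrelated domain (last sample line)
    does not match.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_log(text: str, blocklist: Set[str] = BLOCKLIST) -> List[Hit]:
    """Parse the query log and return one Hit per blocklisted query."""
    hits: List[Hit] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        ts, client, qname, _qtype = parts
        entry = blocked_parent(qname, blocklist)
        if entry is not None:
            hits.append(Hit(ts, client, normalize(qname), entry))
    return hits


def infected_clients(hits: List[Hit]) -> List[str]:
    """Distinct client addresses that queried a blocked domain."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} queried {h.qname} (blocked: {h.matched})")
    print("hosts to investigate:", infected_clients(found))
```

Only the two queries that fall under a blocklisted domain are flagged; the fifth line, where a blocked name occurs as a prefix of an unrelated domain, is correctly ignored because matching walks the labels from the right. Those two client addresses are the hosts to clean up, which is the kind of report the post says OpenDNS provides for known malware sites.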

While using OpenDNS might not be feasible for larger enterprises, this is a great solution for SMBs and home users. I’ve used it personally for some time now; the amount of centralized control available and the ease of use make it extremely attractive. A wealth of reporting features are also available, including one that specifically identifies requests to known malware sites (like Conficker). Steps still need to be taken to ensure that Conficker is identified and removed from your network, but this is a good way to ensure that if any instances go undiscovered, they won’t be able to cause further harm.

Related Links:

OpenDNS
In depth analysis of Conficker
Subscribe to TechScrawl.com

Personal Password Management

Question: If someone were to obtain your credentials for a “non-critical” web site, could they be used to gain access to accounts on critical sites such as email, online banking, etc? Many people would likely have to answer yes to that question, even security minded IT professionals.

Identity management can easily be a complicated subject. The average Internet user maintains dozens of accounts across an array of sites with varying levels of importance and security. Credentials for those accounts can be obtained in a number of ways. Many sites still don’t use SSL to encrypt the login, leaving passwords vulnerable to sniffing. Others store passwords in the clear, leaving them vulnerable to a breach (like the recent Monster.com one). The most secure solution might be to maintain a separate password for every site, but that isn’t very user friendly. Security has always been a trade-off against usability. Greater minds than mine are working on this problem, trying to come up with solutions like the OpenID initiative. Until a better solution is universally adopted, here I’m presenting the technique I use for personal password management.


Top Posts of 2008

Because it’s the holiday season, when my creativity and free time are both at their lowest, I’m going to take a method from the television world (the clip show) and do a “best of” post. These are the top TechScrawl posts of 2008 based on visitor count and reader feedback.

1) VMware ESX / Microsoft Hyper-V Comparison – This is by far my most popular post to date. Written in August (before the release of the standalone Hyper-V Server), it gives a good feature summary of these two releases. It also got me quoted in the Sept. edition of Computer Business Review magazine.

2) BackTrack 3 Tips – A fairly short post with 3 networking-related tweaks, it nonetheless got a ton of hits, owing to the popularity of this security distro. Look for more BackTrack-related posts in the future.

3) Simple SOHO IDS with Snort & a DIY Network TAP – One of my first posts after starting this blog in April, it discussed Snort placement in the network and constructing your own network tap.

4) Analyzing Windows Crash Dumps in 3 Easy Steps – Getting started with crash dump analysis can be difficult. While it can be much more complex than the description in this post, I simplified it down to 3 steps that will be adequate for most troubleshooters.

5) Top 10 IT Security Tasks To Complete Before You Die – A post from early December, but still very popular, partly due to TechScrawl’s recent inclusion in the Security Bloggers Network.

See you in 2009.


Review: “Schneier on Security”, for IT Professionals

Allow me to get this out of the way first: I’m not a book reviewer, as I’m sure will be evident from reading this post. However, I do work in IT, and I do deal with security issues, which makes me one of the potential target audiences for Bruce Schneier’s latest book. If you don’t know who Schneier is, this description from his website sums it up well:

“Schneier is an internationally renowned security technologist and author. Described by The Economist as a security guru… best known as a refreshingly candid and lucid security critic.” He is also the Chief Security Technology Officer of the BT Group.

I received a copy of Schneier on Security several weeks ago, and have read with interest since then his opinions on security. The book is a collection of previously published blog posts and print & newsletter articles written by Bruce over the past few years, so if you’ve been a regular reader of his work this may be nothing new for you.


Top 10 IT Security Tasks To Complete Before You Die

A popular subject in recent books and articles has been the “top x things to do before you die” topic. In that vein, I’ve put together the “Top 10 IT Security Tasks To Complete Before You Die” (you may not want to wait that long, though).

1. Have a Security Program

This can be the most difficult one to implement simply because of the planning required, but it can have the biggest long-term payoff. The program should include regular contact with users to educate them about current threats, social engineering tactics, etc. It should address security policies and procedures, threat escalation and incident response. The program should also include a disaster recovery (DR) plan. There are many other considerations that need to be taken into account, but the bottom line is that not having a formal security program is a huge mistake.


Snort IDS & BASE on Server Core 2008

I’ve used the Snort Intrusion Detection System for about two years, and while I’m far from an expert and my experience with other IDS platforms is limited, I believe Snort to be one of the best solutions out there, especially for the price (free). There is definitely a learning curve associated with it, but Snort is highly configurable, and its extensibility means it can be suited to the needs of almost any environment.


Cyber Security Awareness Month

October is Cyber Security Awareness Month, as designated by the National Cyber Security Alliance and the Department of Homeland Security. The NCSA works with both the public and private sectors to raise awareness of the security dangers found online, and to educate people on how to protect themselves online. Most readers of this blog probably already know these basics, but how about your users? Now is a good time for a few security refreshers for your user base, which can help keep your entire environment safer.

Remember, studies show most users are idiots.

Links:

DHS National Cyber Security Awareness Month

StaySafeOnline.info – NCSA

Microsoft Security Awareness Program

Cyber Security Awareness Month Resource Kit