Please, put me out of a job here!

  • Article

Hello readers

I am sorry that I haven’t updated my blog for a while. It has been a bit of a busy time. Since there have been press releases and other people have blogged, I suppose that I can talk a bit about what I have been doing.

As I have mentioned, I have been writing lots of training material. Microsoft have been working with Law Enforcement for a while and helping them to understand some of the deeply technical elements of the cybercrime landscape. This training is targeted at LE and, since I wrote a small part of it, I get to go meet a lot of policemen and talk to them… and that is really all that I can or will say about that.

Of course, I still help corporate customers who have malware or who have been hacked or who are in some other way compromised. No names and no pack drill here but there is one thing that I am seeing over and over and over. It has become so common that it is now the first thing that I look for.

Administrators should not browse the web or do their email using a domain admin account. They really, really, really should not do this on the domain controller. They should have a separate account with (at most) ordinary user rights that they use for this sort of activity. Ideally, they should do this from a Vista box as they are hardest to compromise because of the Address Space Layout Randomization (ASLR) means that most compromise types just crash harmlessly.

Of course, you already know this. I am sure that you always use the right account for the right job but not everyone does. Six malware cases in a row and I have found the same thing. It is late at night and the admin is bored. He starts browsing the web from the (P)DC or a file server and looking for something to entertain him. He is looking for a fun game or a video (possibly a “saucy” one) and he has to download an ActiveX or a video codec. He downloads the unsigned component from some website somewhere and he gets owned. Better yet, because he is domain admin, his domain just got owned.

In each of those cases, the malware was a bot that joined the machine to a botnet and the botherder didn’t apparently pay any special attention to the machine but that was sheer luck.

So, I haven’t told you anything that you didn’t already know but if you pass on the word and someone in a branch office or a new hire or the guy covering for the admin while he is off with flu, well, then maybe his life will be a little easier, the black hats life a little harder and maybe, just maybe I will get some more sleep.

Oh, and software vulnerabilities? I haven’t seen one of those exploited this year.

Signing off

 

Mark