New Windows and Mac OSes
USB Thumb Drive Protection
SIRT IT Security Roundtable
Harvard Townsend
Chief Information Security Officer
[email protected]
September 11, 2009
Agenda
- Windows 7 and Mac OS X 10.6
  - Timeline for release
  - Security features
  - Application compatibility
  - Anti-virus solutions
  - Deployment strategy at K-State
- Dealing with malware spread by USB flash drives
- Q&A
2
Windows 7
- Now available for purchase from SHI ~ $50
- General availability to public Oct. 22, which is when it will start shipping on new computers
- Designed to fix the Vista debacle; sort of a streamlined Vista under the hood
  - Faster boot/shutdown times
  - Some “improvements” to the UI, handling media, Windows Explorer, IE8, wireless networking (“the wireless networking interface isn't completely stupid anymore”), and setting up home networks
3
Windows 7
Security Features
- Still has annoying pop-up security nags, but not as many as Vista because it’s easier to set the level of alert messages in User Account Control; that also makes it easier for the user to shut off alerts
- Same ol’ Windows Firewall and Windows Defender
- Security settings all managed through “Action Center”
- AutoRun disabled for USB drives (but not CDs/DVDs)
- Improved encryption with BitLocker (easier to use, support for USB drives, but still only in Enterprise and Ultimate versions); we still recommend using PGP for encryption for key mgmt/recovery
- Better support for biometric devices
4
Windows 7 Compatibility
- Designed to run anything that runs in Vista, but don’t believe it – test everything and ask your software vendors
- Hardware requirements virtually the same as Vista (unprecedented for a new Windows OS!)
- Trend Micro OfficeScan
  - Version 8 NOT compatible
  - OfficeScan 10 has some issues
  - OfficeScan 10 sp1 supposed to have full Windows 7 support; in beta now
  - Should have no problem being available by October 22
- PGP Whole Disk Encryption
  - August 12 from PGP: “There is no official statement on the compatibility of Windows 7 right now. There are still several levels of testing that need to occur before it is fully released. The next full release of PGP should support Windows 7, but there is no official statement as of yet.”
5
Windows 7 Strategy
- Purchase now from SHI to test with ALL applications used by your department
- Build Trend Micro OfficeScan 10 infrastructure (or use the central TMOS server) and test OfficeScan 10 (there are other reasons besides Windows 7 to upgrade to v10)
- No compelling security reason to upgrade from Vista, but there probably are performance, reliability, and usability reasons
- Check hardware requirements for upgrade from XP
- Beware of version 1 of anything, let alone an OS
6
Mac OS X 10.6
“Snow Leopard”
- Released Aug. 28, shipping NOW on all new MacBooks
- Available from K-State Union Computer Store for $29
- Incremental upgrade to 10.5 (“Leopard”), hence not a new cat name!
- Mostly performance/efficiency improvements
  - Faster startup/shutdown time, more efficient use of multiple-core Intel processors
  - UI tweaks, better 64-bit architecture support, Microsoft Exchange 2007 support
  - No support for PowerPC processor – it’s Intel-only from this point on
7
Snow Leopard
Security Features
- Rudimentary anti-malware feature added (enhanced “File Quarantine” that was part of OS X 10.4 and 10.5)
  - Pops up a warning if you attempt to install known malware
  - Only detects two categories of Trojans (RSPlug and iServices)
  - Signatures generated by Apple
  - Apple distributes the malware signatures through its usual update services (which isn’t very frequent, so not responsive to new malware)
  - No clean-up services – tells you to drag it to the Trash
  - Not detected when executed from USB flash drive, DVD, Skype, and some other programs
  - See www.securityfocus.com/news/11559?ref=rss
- Built-in support for Cisco VPN (not sure how well it will work at K-State)
- Same ol’ (adequate) firewall
- Shipped with vulnerable version of Adobe Flash – users should get the update from Adobe (blogs.adobe.com/psirt/2009/09/flash_player_update_and_snow_l.html)
  - Also said to be fixed in the Mac OS X 10.6.1 update released on Sept. 10.
8
Snow Leopard
Compatibility
- Lists of incompatible sw:
  - support.apple.com/kb/HT3258
  - snowleopard.wikidot.com/
  - wiki.brown.edu/confluence/pages/viewpage.action?pageId=53674011
- PGP Whole Disk Encryption also incompatible
  - www.securityfocus.com/brief/1004?ref=rss
  - Statement from PGP support blog on August 27: “While we are working diligently to complete the Snow Leopard compatible versions of the PGP Desktop products, we do not recommend you use the currently shipping versions on any system that has been upgraded to Snow Leopard. Please note that users wanting to migrate to Snow Leopard immediately must first decrypt all of their PGP WDE encrypted drives and uninstall their PGP Desktop application prior to upgrading to Snow Leopard. Failure to decrypt PGP WDE encrypted drives prior to installing Snow Leopard could result in data loss or other system issues.”
9
Snow Leopard
Compatibility
- Symantec AV for Mac 10.2 incompatible
  - www.symantec.com/connect/forums/mac-osx-snow-leopard-installfailure
  - Sorta works if already installed on Mac OS X 10.5 and 10.6 is installed over the top; updates work, can do a manual scan, but “Auto-Protect” fails.
  - Will not install on a clean Mac OS X 10.6 install
  - Symantec has not offered any date for a compatible release
- Trend Micro Security for Mac 1.5 incompatible
  - Service pack 1 will support OS X 10.6 “end of October”
- ClamXav an interim option?
  - Based on popular ClamAV open source code
  - Version 2.0.1 is compatible with OS X 10.6, but is a beta release
  - www.clamxav.com/
  - Needs to be tested, including compatibility with Bradford Campus Manager
10
Snow Leopard
Strategy
- Purchase now for testing, both upgrade from 10.5 and clean install; test all applications used in your department
- Delay departmental deployment until Trend Micro Security for Macs 1.5 sp1 is available and tested (late Oct, early Nov)
- Any MacBook using PGP WDE must wait until PGP releases a compatible version, which we’ll get due to our support contract, or decrypt the laptop and uninstall PGP
- Residence Halls a different animal – when Bradford Campus Manager supports 10.6, we’ll evaluate AV options
11
Malware on USB flash drives
- First experience in fall 2007 with PE_LUDER – wreaked havoc!
- Seen it off and on ever since
- Hit campus again in August as soon as students returned, spread rapidly throughout campus
- Aug. 21: IT support reported it on a USB flash drive after helping students in reshalls; OfficeScan did not detect it.
12
Malware on USB flash drives
- Autorun.inf file:
  [autorun]
  shellexecute=Wscript.exe /e:vbs M.p.jpg
- Malware file on the flash drive named M.p.jpg, which is a VBScript program, not a jpeg image
- I was admittedly slow in getting this submitted to Trend for analysis, but they had a solution within 2.5 hrs of submittal
- Identified as VBS_AUTORUN.MAD
- By the end of the day, the production pattern file was identifying it
- 92 instances detected/cleaned by OfficeScan since 8/27
13
Malware on USB flash drives
- Next one reported on August 28; very similar, with an autorun.inf file that executes VBScript code
- This time the malicious file was “(o_o).jpg”
- This time it was submitted to Trend right away and they had a solution within 3 hrs
- Identified as VBS_RUNAUTO.AM
- 155 instances detected/cleaned by OfficeScan since 8/28
- Third round on September 3, more of the same
- Since August 1, Trend Micro OfficeScan has detected/cleaned 275 instances of autorun-style malware, including 8 instances yesterday
14
What do we do about it?
- New variants exploit the limits of pattern-based anti-virus protection
- OfficeScan 10 will help by distributing pattern files quicker, thereby limiting the spread
- Submit new samples as soon as you discover them via the new “Malicious Software Reporting Tool”: SecureIT.k-state.edu/ReportMalware.html
- Can be difficult to find the original malicious file
  - Hackers hide the malicious files
  - Was a student USB flash drive and you’re not sure which one
  - Often only see the after-effect – a compromised computer
  - Can put a flash drive into an infected computer and see if new autorun.inf and malware files are added to it (be careful!)
- Be wary of student USB flash drives!
- External USB hard drives also vulnerable
15
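The autorun.inf shown two slides back and the "plug a flash drive into an infected computer and see what gets added" check can both be turned into a scripted inspection. The Python below is an added example, not code from the slides, K-State or Trend Micro. It parses the [autorun] section the way the slide shows it (open= / shellexecute= commands), flags commands that hand a file to a script host or force a script engine with /e:, and checks whether a payload named like an image (M.p.jpg) actually starts with image magic bytes. The sample drive contents, the script-host list and the magic-byte table are assumptions made for the example; the "payload" is a harmless placeholder comment.

```python
"""Check a removable-drive root for the autorun.inf worm pattern.

Added example; not from the slides, K-State or Trend Micro. The sample
drive is constructed in a temporary directory so it runs offline.
"""
import os
import re
import tempfile

# Script hosts that an autorun command should not normally be launching (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
# Extensions that claim media content, with the bytes a genuine file of that type starts with.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".gif": b"GIF8"}


def parse_autorun_inf(text):
    """Return {lowercased key: value} for the [autorun] section only."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _is_launch_key(key):
    # open= and shellexecute= run on insert; shell\<verb>\command= runs from the context menu.
    return key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))


def analyse_entries(entries, root):
    """Return human-readable findings for launch entries that look like the worm pattern."""
    findings = []
    for key, value in entries.items():
        if not _is_launch_key(key):
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]
        if not tokens:
            continue
        program = os.path.basename(tokens[0]).lower()
        if program in SCRIPT_HOSTS:
            findings.append(f"{key}= launches script host {program}")
        if any(t.lower().startswith("/e:") for t in tokens[1:]):
            findings.append(f"{key}= forces a script engine with /e:, so the payload's extension is meaningless")
        for arg in tokens[1:]:
            ext = os.path.splitext(arg)[1].lower()
            path = os.path.join(root, arg)
            if ext in MAGIC and os.path.isfile(path):
                with open(path, "rb") as fh:
                    head = fh.read(len(MAGIC[ext]))
                if head != MAGIC[ext]:
                    findings.append(f"{arg} has a {ext} name but is not a {ext} file")
    return findings


def scan_drive(root):
    """Inspect one drive root. Returns {'autorun_present': bool, 'findings': [...]}."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {"autorun_present": False, "findings": []}
    with open(inf, "r", errors="replace") as fh:
        entries = parse_autorun_inf(fh.read())
    return {"autorun_present": True, "findings": analyse_entries(entries, root)}


def build_sample_drive():
    """Constructed stand-in for an infected flash drive (placeholder payload, not real malware)."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nshellexecute=Wscript.exe /e:vbs M.p.jpg\n")
    with open(os.path.join(root, "M.p.jpg"), "w") as fh:
        fh.write("' placeholder text standing in for the VBScript payload\n")
    return root


if __name__ == "__main__":
    report = scan_drive(build_sample_drive())
    for finding in report["findings"]:
        print("SUSPICIOUS:", finding)
```

Run against the constructed drive it reports three findings: the script host, the forced engine switch, and the extension/content mismatch on M.p.jpg. On a real inspection machine you would point scan_drive at the mounted drive letter, and you would do it on a host with Autorun already disabled so that inserting the drive cannot execute anything.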
What do we do about it?
- Disable Autorun so files on infected USB drives are not automatically executed when you plug the flash drive into your computer
  - Side effect: In Windows Vista and older versions, it also disables automatic playing of a DVD movie or automatic software installation from a CD – it’s all or none with Autorun
- Run Windows 7, since it disables Autorun on non-optical media by default (everything except CDs/DVDs, like USB flash drives)
- Trend Micro OfficeScan 10 allows the sysadmin to specify different actions for different media/devices
16
Autorun vs. Autoplay

Autorun enables media and devices to launch programs by use of commands listed in a file called autorun.inf, stored in the root directory of the medium.

Autoplay examines removable media and devices (like USB flash drives) and, based on content such as pictures, music or video files, launches an appropriate application to play or display the content.

Autorun is the bigger risk of the two, but they are interrelated enough to be confusing, and both have the same end result – automatic execution of a program when you insert removable media.
17
Disabling Autorun
- Method depends on the version of Windows – either use group policy or edit the registry; can be complicated, and it is always risky to edit the registry manually.
- Check with your IT support person!!
- Security patches are required for most versions of Windows to properly handle the Autorun registry keys
- Detailed instructions at support.microsoft.com/kb/967715/
- Wikipedia entry is informative - en.wikipedia.org/wiki/Autorun
- TweakUI sets it on a per-user basis rather than for the entire computer (HKEY_CURRENT_USER registry keys rather than HKEY_LOCAL_MACHINE), and the local_machine setting trumps the per-user setting.
- Use Windows Group Policy
  - Centrally managed with ADS, done by your sysadmin
  - Individually with Group Policy Editor
18
Group Policy Editor
Windows XP Pro, Windows 2000, Windows Server 2003 only:
1. Click Start, click Run, type Gpedit.msc in the Open box, and then click OK.
2. Under Computer Configuration, expand Administrative Templates, and then click System.
3. In the Settings pane, right-click Turn off Autoplay, and then click Properties.
   Note: In Windows 2000, the policy setting is named Disable Autoplay.
4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
5. Click OK to close the Turn off Autoplay Properties dialog box.
6. Restart the computer.
19
Group Policy Editor
Windows Vista and Server 2008:
1. Click Start, type Gpedit.msc in the Start Search box, and then press ENTER.
   If you are prompted for an administrator password or for confirmation, type the password, or click Allow.
2. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
3. In the Details pane, double-click Turn off Autoplay.
4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
5. Restart the computer.
Have more granularity for defining actions with two additional registry keys:
- Default behavior for AutoRun
- Don't set the “Always do this…” checkbox
20
Registry Edit
For operating systems that do not include gpedit.msc:
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate and then click the following entry in the registry:
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun
- Right-click NoDriveTypeAutoRun, and then click Modify.
- In the Value data box, type 0xFF to disable all types of drives. Or, to selectively disable specific drives, use a different value as described in the "How to selectively disable specific Autorun features" section.
- Click OK, and then exit Registry Editor.
- Restart the computer.
21
Easier Way to Edit the Registry
- Open Notepad and copy/paste the following into a text file:
  REGEDIT4
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
  @="@SYS:DoesNotExist"
- Save the file as something.reg. (You have to be sure to change the "Save File as Type" to "All Files" before saving, or Windows will try to save it as a .txt even if you typed in .reg.)
- Locate the file you just saved and double-click the file to run it. You will receive a prompt asking if you want to add the data to the registry. Click Yes to allow the modification.
- Restart the computer.
- The above method nulls any request for autorun.inf and works on XP Home or Pro, as well as Windows Vista.
- This is from antivirus.about.com/od/securitytips/ht/autorun.htm
22
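To see what the registry settings on the last few slides actually accomplish, here is an added Python example (not from the slides, TweakUI, or Microsoft KB 967715). It decodes the NoDriveTypeAutoRun bitmask per drive type, applies the precedence the TweakUI caveat describes (HKEY_LOCAL_MACHINE trumps HKEY_CURRENT_USER), treats the IniFileMapping entry from the .reg file above as nulling autorun.inf on every drive, and emits a combined REGEDIT4 file that sets both. The registry snapshot dictionaries, the 0x91/0x95 default values used as samples, and all function names are assumptions of the example; it never touches a live registry.

```python
"""Audit the effective Windows Autorun policy from registry values.

Added example; not from the slides or KB 967715. Values come from a
constructed snapshot dict so the script runs anywhere; on a Windows
host the same value names can be read with the standard winreg module.
"""

# Bit meanings of the NoDriveTypeAutoRun DWORD (as documented in KB 967715).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB flash drives)",
    0x08: "fixed disk",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
REMOVABLE = 0x04
DISABLE_ALL = 0xFF
VISTA_DEFAULT = 0x95  # sample default assumed when neither hive sets the value

# Constructed snapshot key paths (hive prefix + value path).
POLICY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun"
INIMAP = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf\@"


def effective_mask(hklm_value, hkcu_value, default=VISTA_DEFAULT):
    """HKLM wins over HKCU (TweakUI only writes HKCU); default when neither is set."""
    if hklm_value is not None:
        return hklm_value
    if hkcu_value is not None:
        return hkcu_value
    return default


def autorun_allowed_types(mask):
    """Drive types whose bit is clear, i.e. where autorun.inf is still honoured."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def audit(snapshot):
    """snapshot: {'HKLM\\<path>': value, 'HKCU\\<path>': value}, constructed for the example."""
    mask = effective_mask(snapshot.get("HKLM\\" + POLICY), snapshot.get("HKCU\\" + POLICY))
    # The IniFileMapping trick redirects every autorun.inf lookup to a key that
    # does not exist, so the file is ignored on all drives whatever the mask says.
    inimap_nulled = snapshot.get("HKLM\\" + INIMAP) == "@SYS:DoesNotExist"
    allowed = [] if inimap_nulled else autorun_allowed_types(mask)
    return {
        "effective_mask": mask,
        "inimap_nulled": inimap_nulled,
        "autorun_allowed_on": allowed,
        "removable_protected": inimap_nulled or bool(mask & REMOVABLE),
    }


def reg_file_disable_all():
    """REGEDIT4 text that applies both the 0xFF bitmask and the IniFileMapping entry."""
    return "\n".join([
        "REGEDIT4",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]",
        '"NoDriveTypeAutoRun"=dword:000000ff',
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]",
        '@="@SYS:DoesNotExist"',
        "",
    ])


if __name__ == "__main__":
    # Constructed snapshots: a per-user 0xFF (TweakUI style) that is silently
    # undone by a machine-wide value leaving removable drives enabled.
    per_user_only = {"HKCU\\" + POLICY: DISABLE_ALL}
    overridden = {"HKCU\\" + POLICY: DISABLE_ALL, "HKLM\\" + POLICY: 0x91}
    for label, snap in (("per-user only", per_user_only), ("HKLM overrides", overridden)):
        print(label, audit(snap))
    print(reg_file_disable_all())
```

The second snapshot is the case the slide warns about: the user believes Autorun is off everywhere because TweakUI wrote 0xFF under HKEY_CURRENT_USER, but the machine-wide value still leaves removable drives enabled, so an infected flash drive would run. The IniFileMapping entry sidesteps that precedence question entirely, which is why the .reg file above is the simpler fix.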
What’s on your mind?
23