Security Watch

The Insecurity of Windows Shell and USB Drives

Stuxnet is on the attack. Plus: old-school encryption makes a comeback; sniffing out threats, more.

• By Jabulani Leffall
• 07/19/2010

The Windows Shell flaw is a rather technical one in that it's in cahoots with Stuxnet. The Stuxnet family of malware has the ability propagate and infect new machines by infecting any USB drive connected to an infected OS. As a matter of fact, just browsing an affected OS can create new infections on clean computers coming into contact with corrupt UBS drives.

It's a crucial issue as Windows Shell is the main graphic interface users see when they log on, the part that appears right after the ubiquitous opening music of a Windows session. The Windows task bar and start menus are key components in the Windows explorer process that hosts the shell (explorer.exe).

Thus, Windows IT pros can expect malware variants exploiting this hole to continue to pop up between now and the time Redmond patches the issue, and perhaps even after that they'll attack new vectors.

Dave Forstrom, a spokesman with Microsoft Trustworthy Computing Group, said via e-mail that while Microsoft has seen limited, targeted attacks on this vulnerability, "customers should be aware that signatures in up-to-date versions of Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway and the Windows Live Safety Platform protect customers against the Stuxnet malware."

Security Experts: U.S. Unprepared for Cyberattacks
The recent reappearance of Russian spies and their sophisticated use of technological methods such as embedding computer code via steganography -- concealing data within encrypted data, random data or graphic images via e-mail or Internet browser -- reminds us that the stakes are high as ever for cybersecurity in the U.S.

In a recent blog, I mentioned how terrorism guru Richard Clarke has long been critical of the American government's underpreparedness against cyberattacks. Now cybersecurity specialist James Gosler, a veteran of the Department of Energy, CIA and NSA, is kicking specifics.

Gosler told NPR this week that there are now only 1,000 people in the entire U.S. with the sophisticated skills needed for the most demanding cyberdefense tasks. Gosler seems to think that the computer security needs of U.S. government agencies large, medium and small call for 20,000 to 30,000 people -- at the least -- for a country of more than 300 million people and just as many if not more interconnected computer networks, IP addresses and Web-connected workstations. Now imagine those same thousands of people fending off various offers from private and public sector entities desperate for their expertise.

A new report from the Center for Strategic and International Studies (click here for the PDF) brings the point home.

"We not only have a shortage of the highly technically skilled people required to operate and support systems we have already deployed," the report's authors wrote. "We also face an even more desperate shortage of people who can design secure systems, write safe computer code, and create...tools needed to prevent, detect, mitigate and reconstitute systems after an attack."

'Snort' Sniffs Out Security Threats
This week Open Information Security Foundation (OISF) announced the release of Suricata 1.0, an open source intrusion detection and prevention engine.

Nicknamed "snort," presumably for its ability to sniff out threats, the downloadable program is said to be a great technical complement to any system's firewall.

Among its features: The engine supports most Internet protocol reputation programs by incorporating reputation and signatures into its engine, allowing it to flag traffic from known, nefarious origins. It's not like antivirus software, which is a detection, diagnostic and healing program but more like a sort of lighthouse to see threats to a firewall or network as they develop and that allows administrators to know what to protect against. One security expert touts the automated protocol detection that automatically identifies the protocol used in a network stream and applies the appropriate protection rules, regardless of numerical network port.

"Open source has a long tradition of making available safe, reviewed code that is an alternative to proprietary applications," said Richard Stiennon, chief research analyst, IT-Harvest via e-mail. "With Suricata, the open source community is giving us an alternative to a technology (SNORT) that is getting old and has not kept up with the changing threatscape."

The project is a result of a partnership between the  US Department of Homeland Security and a private consortium comprised of companies collaborating with OISF.