© 2012 Autodesk
Secure Your AutoCAD Environment
Module 1: Introduction to Application Security
Kean Walmsley
Software Architect, AutoCAD Product Line
Class Summary
This class looks at how CAD and IT Managers can best secure AutoCAD systems to prevent malware corrupting or stealing valuable intellectual property.
We will start by covering fundamental concepts related to application and system security, before taking an in-depth look at how malware typically attempts to infect AutoCAD installations and what can be done to prevent it.
Learning Objectives
At the end of this class, you will be able to:
- Understand fundamental issues around application security
- Identify the primary causes of malware infection and propagation
- Know how to most effectively secure AutoCAD installations
- Provide guidance to AutoCAD users around how best to avoid malware infection
Module Summary
This module introduces application security.
It looks at fundamental concepts around application and system security, and lays the foundation for looking at how these topics are becoming increasingly important to users of design software.
Application Security
- Security is an increasingly important topic
  - Whether system- or application-level
- Our knowledge-based economy depends on it
  - Intellectual property
    - Designs need to be protected
  - Intellectual capital
    - People need to be productive
- Malicious software can damage or steal data and impact productivity
Some Fundamental Concepts
- Trustworthy
  - Does what the user expects, not something else
  - A system or component that will not fail
- Trusted
  - A component whose failure can break the security policy
- Sandbox
  - A software execution environment with a limited set of resources
  - Can be used to run untrusted programs
- Vulnerability
  - A weakness which allows an attacker to compromise a system’s security
- Threat
  - A possible danger that might exploit a vulnerability to breach security
- Attack vector
  - A path by which access can be gained to a system to deliver a payload or achieve a malicious outcome
Why is this becoming relevant?
- Malware attacks are generally on the rise
- A number of viruses specifically target AutoCAD
- Thankfully a lot can be done to reduce the risk of infection
Next Steps
- Modules in this class
  - Module 1: Introduction to Application Security
  - Module 2: What is Malware?
  - Module 3: Malware and AutoCAD
  - Module 4: Securing AutoCAD
  - Module 5: Advice for AutoCAD Users
- Recommended next steps
  - Take another module in this class
Autodesk, AutoCAD* [*if/when mentioned in the pertinent material, followed by an alphabetical list of all other trademarks mentioned in the material] are registered trademarks or trademarks of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2012 Autodesk, Inc. All rights reserved.
Secure Your AutoCAD Environment
Module 2: What is Malware?
Kean Walmsley
Software Architect, AutoCAD Product Line
Module Summary
This module drills down into the concept of malware.
It looks at different types of malicious software (malware) and why we are vulnerable to their attacks.
Malicious software is an industry-wide problem
- And it’s accelerating…
  - Q2 2012 saw the sharpest rise in new instances of malware in 4 years*
- Global annual cost of cybercrime at $1 trillion
[Chart: New malware samples by quarter]
* McAfee Threats Report, Second Quarter 2012
Malware Strains
- Viruses
  - Replicate themselves and spread from computer to computer when executed
  - Require user intervention to spread
- Worms
  - Similar to viruses but more active
    - Not associated with an executable
    - Spread automatically
- Trojan horses
  - Masquerade as legitimate files or programs
  - Could provide a hacker with unauthorized system access or confidential data
- Plus…
  - Rootkits disguise infection
  - Backdoors circumvent authentication on compromised systems
  - Spyware collects information without users’ knowledge
  - Ransomware encrypts a user’s data until anonymous payment is confirmed
  - Spam, Phishing, Adware…
- New technology means new strains of malware…
  - The web saw the birth of cross-site scripting and botnets
  - Mobile brings a whole new set of threats, such as drive-by downloads
Factors Increasing Vulnerability
- Core issues
  - System homogeneity
  - Users having high system privileges
  - Software requiring high privileges
  - Design flaws and bugs
- Best practice: separate executable code from user data
  - Executable code should be stored in read-only locations
Secure Your AutoCAD Environment
Module 3: Malware and AutoCAD
Kean Walmsley
Software Architect, AutoCAD Product Line
Module Summary
This module looks at the history of malware attacks on AutoCAD users.
It introduces the main types of AutoCAD virus and discusses how they typically infringe upon application security, putting users’ data at risk.
A Brief History of AutoCAD Malware
- Two categories of malware have typically affected AutoCAD
  - VBA macro viruses
  - AutoLISP autoload viruses
- Common vulnerability is tolerance for data combined with code
  - Macros embedded in DWGs
  - AutoLISP modules autoloaded from the current folder
VBA Macro Viruses
- In 2000 we saw the first AutoCAD-targeting virus, ACAD.Star
  - Probably inspired by the Melissa virus, which also used embedded VBA code
- Mitigated by the introduction of the VBA macro warning dialog
AutoLISP Autoload Viruses
- The largest & most current category of AutoCAD virus
- Take advantage of AutoCAD’s loading of per-project code modules:
  - Primarily acad.lsp, acaddoc.lsp, .fas & .vlx
  - Found in the same folder as a DWG launched from Windows Explorer
- Once loaded, typically make use of OS-level APIs
  - To propagate, increase chances of survival and to steal/damage data
AutoLISP Autoload Viruses – Common Behaviors
- Propagation
  - Create copies in other locations containing DWGs (including ZIPs)
- Survival
  - Append instructions to various text files
  - Store copies in various places
- Theft/Damage
  - Launch additional code to damage or steal data
    - External executables or VB scripts
  - Steal DWGs and/or PST email archives
AutoLISP Autoload Viruses – Examples
- Acad.vlx
  - Uses autoload of acad.vlx file
  - Keeps a copy of itself in logo.gif
  - Writes to acetauto.lisp, ai_utils.lsp and acad.mnl
- ACAD/Medre.A
  - Uses autoload of acad.fas file
  - Keeps a copy in various locations
    - By executing a .VBS it writes from memory
  - Writes to acad20*.lsp
  - Uses .VBS to steal .DWG and .PST files
Secure Your AutoCAD Environment
Module 4: Securing AutoCAD
Kean Walmsley
Software Architect, AutoCAD Product Line
Module Summary
This module looks at how to secure an AutoCAD installation from malware attack.
It presents the steps you can take to prevent malware from infecting an AutoCAD system, as well as what can be done to clean an infected system.
Protecting AutoCAD
- Enforce the use of a leading anti-virus solution
  - Regular definition updates and real-time protection
- Core vulnerability comes from having executable code mixed with data
  - Steps should be taken to avoid this
- If using AutoCAD 2013…
  - Deploy SP1 and set up the controls
Anti-Virus Solutions
- All leading anti-virus solutions catch and remediate AutoCAD virus infections
  - These AV tools can clean ACAD/Medre.A, for instance
    - Microsoft, Trend Micro, McAfee, Symantec, Avira, and Kaspersky
    - Standalone cleaner from ESET
- Update virus definitions on a regular schedule
- Enable real-time protection
Separating Code From Data
- Recap of issues increasing vulnerability
  - System homogeneity
  - Users having high system privileges
  - Software requiring high privileges
  - Design flaws and bugs
- Software requiring high privileges can force users to have them
  - No longer the case with AutoCAD (since 2000?)
  - Elevated privileges required for installation only
    - Inevitable, as installer writes executable code to C:\Program Files
- Installation is different from usage
  - Install AutoCAD as administrator
  - Use AutoCAD as a standard user
- Limits system privileges
  - No write access to C:\Program Files
  - No write access to the “Local Machine” Registry hive
- Users who need admin privileges must be trusted to use UAC
  - User Account Control can save systems
- But doesn’t AutoCAD mix code with data?
  - Yes, it does
    - e.g. .LSP in user’s roaming support folder
  - Biggest problem is per-project acad.* files
    - Bundled up in ZIPs and shared
    - AutoCAD autoloads them without question
- Controls in AutoCAD 2013 SP1 can help manage this
- Expect this division to be further encouraged over time
Security Controls in AutoCAD 2013 SP1
“Minimize the possibility of loading and running unauthorized or malicious AutoLISP and VBA applications by controlling the folder location from which AutoLISP and VBA applications are automatically loaded.”
- Via two new system variables
  - AUTOLOADPATH
  - AUTOLOAD
- AUTOLOADPATH
  - Controls the locations from which AutoCAD autoloads these files
    - acad.lsp, acad.fas, acad.vlx
    - acaddoc.lsp, acaddoc.fas, acaddoc.vlx
    - acad.dvb
  - Default value (“”) for legacy behavior
- AUTOLOAD
  - 0 – disables all autoloading
  - 1 – autoloads from AUTOLOADPATH
Dealing With Infection
- Let your anti-virus tool clean your system
- Look for instructions on autodesk.com
- The /nolisp start-up flag can help
  - Added with AutoCAD 2013 SP1
  - Loads AutoCAD without AutoLISP
  - Not intended as a way to carry on working
    - No access to Express Tools, etc.
Secure Your AutoCAD Environment
Module 5: Advice for AutoCAD Users
Kean Walmsley
Software Architect, AutoCAD Product Line
Module Summary
This module suggests advice to give AutoCAD users to reduce their risk of being infected by malware.
Advice for AutoCAD Users
- Firstly, take malware seriously
  - It’s on the increase, and does affect users of AutoCAD
  - If allowed to spread, malware can have a serious impact on organizations
    - Loss of intellectual property
    - Reduced productivity
- Living with some restrictions is ultimately safer than losing valuable work
- Generally be careful about where you install applications from
  - Use trusted vendors or marketplaces such as Autodesk Exchange
Advice for AutoCAD Users – System Setup
- Make sure you have a leading anti-virus tool installed
  - Update virus definitions regularly
  - Enable run-time protection
- Log in as a standard user or keep UAC enabled
- Install SP1 for AutoCAD 2013, if you’re using it
  - Set AUTOLOADPATH to a small number of safe paths
  - Set AUTOLOAD to 1
Advice for AutoCAD Users – Trusting Content
- Never blindly extract/open the contents of an archive without checking
  - If it contains any file named acad.*, be very careful
  - Removing that file before loading may be enough, but is potentially evidence of infection
- Never run an unknown AutoLISP file or VBA macro without prior inspection
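Added example (not from the original slides or from Autodesk): one way to apply the archive check above in Python without extracting anything. It flags the autoload names listed for AUTOLOADPATH plus any other acad.* file, and records whether a .dwg sits in the same folder, the layout the autoload viruses rely on. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Autoload file names listed on the "Security Controls in AutoCAD 2013 SP1" slide.
AUTOLOAD_NAMES = {
    "acad.lsp", "acad.fas", "acad.vlx",
    "acaddoc.lsp", "acaddoc.fas", "acaddoc.vlx",
    "acad.dvb",
}

def classify(name):
    """Return 'autoload' for a listed autoload file, 'acad.*' for any other
    file named acad.<ext>, or None for everything else (case-insensitive)."""
    base = PurePosixPath(name.replace("\\", "/")).name.lower()
    if base in AUTOLOAD_NAMES:
        return "autoload"
    if base.startswith("acad.") and len(base) > len("acad."):
        return "acad.*"
    return None

def scan_archive(source):
    """List flagged members of a ZIP (path or file object) without extracting it.
    Each finding is (member, kind, beside_dwg); beside_dwg is True when the
    same folder inside the archive also holds a .dwg file."""
    with zipfile.ZipFile(source) as zf:
        members = [i.filename.replace("\\", "/")
                   for i in zf.infolist() if not i.is_dir()]
    dwg_dirs = {str(PurePosixPath(m).parent)
                for m in members if m.lower().endswith(".dwg")}
    findings = []
    for m in members:
        kind = classify(m)
        if kind:
            findings.append((m, kind, str(PurePosixPath(m).parent) in dwg_dirs))
    return findings

def build_sample():
    """Constructed sample archive, built in memory; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("clean/plan.dwg", b"constructed placeholder")
        zf.writestr("shared/site.dwg", b"constructed placeholder")
        zf.writestr("shared/ACAD.FAS", b"constructed placeholder")
        zf.writestr("lib/acad.mnl", b"constructed placeholder")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for member, kind, beside in scan_archive(build_sample()):
        print(f"{member}: {kind}, beside DWG: {beside}")
```

A hit is a prompt for inspection rather than proof of infection, since legitimate projects may ship their own acad.* files.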
If You Get Infected
- Don’t Panic!
- Let your anti-virus tool clean your system
- Look for instructions on autodesk.com
- Contact your reseller
- The /nolisp start-up flag can help
  - Added with AutoCAD 2013 SP1
  - Will let you copy or export data without the risk of malicious LISP code interfering
Next Steps
- Modules in this class
  - Module 1: Introduction to Application Security
  - Module 2: What is Malware?
  - Module 3: Malware and AutoCAD
  - Module 4: Securing AutoCAD
  - Module 5: Advice for AutoCAD Users
- Recommended next steps
  - Follow the advice provided in this class!