
Harry Waldron - Microsoft MVP Blog

Security News and Best Practices for corporate and home users
  • Storm Worm - New Version uses SQL Injection Techniques

    While the Storm worm botnet continues to spread using email techniques, SQL injection techniques are starting to be used to seed malware on vulnerable computers. Folks should be careful with email, avoid all attachments and website links, and stay up-to-date on security patches and AV protection.

    Storm Worm - New Version uses SQL Injection Techniques
    http://blogs.zdnet.com/security/?p=1131
    http://ddanchev.blogspot.com/2008/05/all-you-need-is-storm-worms-love.html

    QUOTE: What has changed compared to previous campaigns? Storm Worm is back in the SQL injection attack phase, with a malicious iframe injected at a small number of sites for the time being. Moreover, assessing the Storm Worm infected hosts can only be done if you spoof your browser UI; otherwise you will get no indication of any kind of malicious activity going on. Furthermore, despite there being no exploits used at the infected hosts, heavily obfuscated HTML was detected in their injected domain, which would load automatically upon someone visiting an already injected site.

  • Identity Theft Monitoring Services in USA - What You Need To Know

    This Information Week article provides an excellent overview of identity theft monitoring services. As more than 225 million records have been breached since 2005, the article describes what these firms can and cannot do for their customers. A list of low-cost and free methods of protection is also provided:

    ID Theft Monitoring Services: What You Need To Know
    http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=207501091

    QUOTE: Take identity theft monitoring service providers. The pitch? Give us your Social Security number and notification of suspicious identity activity is only an e-mail alert or phone call away. These services, which typically cost $10 to $20 per month, offer to guard your identity by monitoring the three credit-reporting agencies (Experian, Equifax, and TransUnion), cell phone applications, government databases, and public information. Some also provide insurance (subject to underwriting, and not valid in every state) to help defray costs associated with recovering from identity theft cases.

    Monitoring helps with identity theft by actively watching for fraud in your name. "The credit monitoring service notifies you at an earlier stage than you might otherwise know about the fraud, because otherwise it could be months before someone potentially finds out about it," says Paul Stephens, director of policy and advocacy at PRC.

    Monitoring, however, won't stop identity theft outright. "With credit monitoring, your report is still potentially seen by people who want to commit fraudulent acts against you," he says. "You'll get an early warning, but you haven't actually prevented them from using the report." At this point, it's also too late to freeze your credit, which prohibits anyone but current creditors from seeing a credit report. This means your personal data is already at large, and may have been used to gain a credit card, cell phone, or even mortgage in your name.

    Below are some low-cost and free ways to better protect the use of your identity:

    Five Mostly Free Alternatives to ID Theft Monitoring Services
    http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=207501091&pgno=4

    SUMMARY OF FREE OR LOW-COST RECOMMENDATIONS

    1. Watch your credit reports. Everyone is entitled to see a free credit report annually from each of the three credit-reporting agencies (Experian, Equifax, and TransUnion). To obtain yours, see:

    http://www.annualcreditreport.com 

    2. Use credit freezes. A credit freeze (aka "security freeze") locks your credit reports so only you or current creditors can see them. It can also be unlocked on a per-creditor basis, for example if you're going to buy a house or car, or get a new credit card. The cost is $10 per bureau to place a freeze and $10 to lift a freeze.

    3. Place fraud alerts. Under the Fair Credit Reporting Act, consumers may place a fraud alert on their credit report for 90 days -- renewable indefinitely.

    4. Avoid debit cards. Attacks which steal card numbers via ID-swiping devices -- often installed at gas stations and grocery stores -- are on the rise.

    5. Look to resolution services. Public agencies and non-profit organizations can help you clean up identity theft for free.

  • Gas Spam Emerges - Can you really save 70 cents per gallon?

    Daily, I'm receiving numerous copies of "gas spam". These messages typically claim a savings of 70 cents per gallon if you subscribe to the special product or solution.

    Folks must avoid selecting any links in spam messages to avoid any potential for spyware or viruses. This includes even opting out of future emails. Spammers rarely honor opt-out requests, and replying actually validates that they have an active, working email address.

    The best practice is to line all these messages up in the in-box and delete them without opening them. There are no free lunches on the Internet.  Always avoid email messages where claims are made that seem too good to be true.

    Gas Spam Emerges - Can you really save 70 cents per gallon?
    http://www.avertlabs.com/research/blog/index.php/2008/05/09/gas-spam/

    QUOTE: In my role as an anti-spam researcher I get to see a lot of spam. Most of the spam I see can be categorized into a fairly small range of spam types. Common examples include pharmacy, stock and watch spam.  Over the last few weeks I have seen a new type of spam. This is spam which is trying to sell a product to save money on gas.

  • Linux OpenSSL Issues - Update your Debian generated keys/certs ASAP

    As recommended, these keys should be regenerated for better protection after applying the latest release. The links below can help explain some of the key issues:

    INFOCon yellow: update your Debian generated keys/certs ASAP
    http://isc.sans.org/diary.html?storyid=4421

    QUOTE: Scripts that allow brute forcing of vulnerable keys (see this as rainbow tables for SSH keys) are in the wild so we would like to remind all of you to regenerate SSH keys ASAP. Please keep in mind that SSL certificates should be regenerated as well. This can be even more problematic if you had your certificates signed since you'll have to go through this process again (and possibly pay money again).

    Update 2310 UTC: The new Debian package for SSH (ssh_4.3p2-9etch1) also applies a package called "openssh-blacklist". After this update, your SSH server will refuse keys from the compromised set. The package also installs a new tool called "ssh-vulnkey" that can help in hunting down key files that contain weak keys. Note that in combination with the existing ssh-keyscan, ssh-vulnkey can be used to easily identify servers that use weak host keys, so while these Debian patches help those who patch, they also make attacks easier against those who did not yet patch.

    Additional Links
    http://www.pcmag.com/article2/0,2817,2305554,00.asp
    http://www.avertlabs.com/research/blog/index.php/2008/05/16/code-cleanup-gone-wrong/

    H.D. Moore's Analysis
    http://metasploit.com/users/hdm/tools/debian-openssl/

    QUOTE: But the bug introduced by Debian effectively reduces the strength of the key to 32768 permutations, which is 16 bits. Famed security researcher HD Moore has actually already pre-calculated all of the potential keys for the most common cases. It took mere hours. So now you can be hacked even without someone brute-forcing your encryption.
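    The Debian advisory above turns on two things: recognising a key that belongs to the weak set, and removing it from wherever it is trusted. Below is an added example (not code from the SANS diary, H.D. Moore, or the openssh-blacklist package) that shows the mechanics on an authorized_keys file: each key line is parsed, its MD5 fingerprint computed the way ssh-keygen printed it at the time, and the fingerprint checked against a blacklist. The key blobs and the blacklist are constructed placeholders; the real package ships its lists in its own per-type, per-size files, and the only real remedy for a flagged key is to regenerate it.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")

# Constructed authorized_keys content: the base64 blobs are placeholders
# (they decode to "abc" and "hello"), not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample file
ssh-rsa YWJj weak@etch-box
no-pty,no-port-forwarding ssh-dss aGVsbG8= ok@other-host
ssh-rsa YWJj backup@etch-box
"""

# Constructed blacklist of MD5 fingerprints. The real openssh-blacklist
# package ships its lists in its own per-type/per-size files; this set stands
# in for that data so the example runs offline.
WEAK_FINGERPRINTS = {"90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72"}

def parse_key_line(line):
    """Split one authorized_keys line into (type, base64 blob, comment).
    Blank and '#' lines yield None. Assumes a leading options field, if any,
    contains no spaces (quoted command="..." options are not handled)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    for i, tok in enumerate(parts[:2]):   # type is 1st token, or 2nd after options
        if tok in KEY_TYPES and len(parts) > i + 1:
            return tok, parts[i + 1], " ".join(parts[i + 2:])
    return None

def fingerprint_md5(blob_b64):
    """MD5 fingerprint of the decoded key blob, colon-separated, which is the
    form `ssh-keygen -l` printed at the time."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def find_blacklisted_keys(authorized_keys_text, blacklist):
    """Return (type, fingerprint, comment) for every key whose fingerprint is
    on the blacklist; these are the entries to remove and have regenerated."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        ktype, blob, comment = parsed
        fp = fingerprint_md5(blob)
        if fp in blacklist:
            flagged.append((ktype, fp, comment))
    return flagged

if __name__ == "__main__":
    for ktype, fp, comment in find_blacklisted_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"blacklisted {ktype} key {fp} ({comment})")
```

    Run against a real authorized_keys file, the same loop reports every trusted key that a blacklist knows about; what it cannot do is tell you about a weak key that is not on the list you loaded, which is why the advisory says to regenerate rather than merely scan.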

  • Asprox Botnet Installs SQL Injection Tool

    A small botnet known as Asprox has been used in password stealing, spam, and phishing attacks. This week Asprox was modified to include a new SQL injection tool. As recently shared, SQL injection attacks are more reflective of poorly programmed Internet web pages than of vendor product vulnerabilities.

    This new botnet-based attack is innovative. It interfaces with Google's search engine to locate vulnerable web pages. When a weakness is found, Asprox injects an iFrame-based redirect link into the vulnerable website. Later, folks who visit the newly seeded web page may automatically download and install malicious code on their PC and join the Asprox botnet.

    It's always important to stay up-to-date on security patches and AV protection, as this could help prevent an infection if folks accidentally visit a malicious website.

    Asprox Botnet Installs SQL Injection Tool
    http://www.secureworks.com/research/threats/danmecasprox/
    http://vil.mcafeesecurity.com/vil/content/v_137684.htm
    http://www.eweek.com/c/a/Security/Botnet-Installs-SQL-Injection-Tool/
    http://www.scmagazineus.com/Asprox-botnet-malware-morphs/article/110169/
    http://news.idg.no/cw/art.cfm?id=E9210D49-17A4-0F78-31AA26FE725B1F22

    QUOTE: Danmec is a password-stealing trojan which has been around for a couple of years, but in the last year new components have been introduced by the author, turning it into a more complete crimeware family. One of these components (developed last year) is the Asprox trojan, which is designed to create a spam botnet which appears to be solely dedicated to sending phishing emails. As of yesterday, we observed the Asprox botnet pushing an update to the infected systems, a binary with the filename msscntr32.exe. The executable is installed as a system service with the name "Microsoft Security Center Extension", but in reality it is a SQL-injection attack tool.

    After the Asprox botnet seeds its bots with the msscntr32.exe file, the attack tool launches and uses Google's search engine to find potentially vulnerable pages. It then hits those pages with a SQL-injection attack and, if successful, plants a malicious IFRAME on the site.

    Visitors are redirected through a series of malware-hosting servers that try one or more exploits to crack the PC. If that works, a Trojan horse is downloaded and installed on the PC, adding it to the Asprox botnet; those compromised PCs are then used to spew more phishing spam.

    Stewart has counted 1,000 sites that have been hacked by the SQL-injection attack tool since Monday night. The sites include small business sites, domains for several small colleges and universities and some hosted by law firms. Most are in the U.S.
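    Both the Storm and Asprox items above come down to the same two points for a site owner: a query built by pasting request data into SQL text lets an outsider rewrite the query, and the payoff for the attacker is an off-site iframe or script tag stored in the site's own content. Below is an added example, not code from SecureWorks, McAfee, or either botnet, that shows the vulnerable lookup beside its parameterized form and then a checker that walks every text column of a database looking for embedded iframes and remote scripts from hosts other than the site's own. It assumes a SQLite-backed site; the table layout, the rows, and the host injected.example are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample site database: two tables, one of which already carries
# an injected off-site iframe and a remote script tag (not real site data).
SAMPLE_SQL = """
CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT, published INTEGER);
CREATE TABLE comments (id INTEGER PRIMARY KEY, page_id INTEGER, author TEXT, text TEXT);
INSERT INTO pages VALUES (1, 'home', '<p>Welcome</p>', 1);
INSERT INTO pages VALUES (2, 'draft', '<p>Unpublished draft</p>', 0);
INSERT INTO pages VALUES (3, 'news',
  '<p>News</p><iframe src="http://injected.example/x" width=0 height=0></iframe>', 1);
INSERT INTO comments VALUES (1, 1, 'alice', 'Nice site');
INSERT INTO comments VALUES (2, 1, 'bob', '<script src="http://injected.example/s.js"></script>');
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

def lookup_vulnerable(conn, slug):
    """VULNERABLE: the caller-supplied slug is pasted into the SQL text, so a
    quote in the input ends the string literal and the rest is executed as SQL."""
    sql = "SELECT id FROM pages WHERE published = 1 AND slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, slug):
    """HARDENED: the slug is bound as a parameter, so it is compared literally
    against the column and can never change the shape of the query."""
    sql = "SELECT id FROM pages WHERE published = 1 AND slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]

# Matches an iframe or script tag whose src points at an absolute http(s) or
# protocol-relative URL, capturing the host.
REMOTE_EMBED = re.compile(
    r"<(iframe|script)\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)",
    re.IGNORECASE)

def find_injected_markup(conn, own_hosts):
    """Walk every TEXT column of every table and report cells that embed an
    iframe or remote script from a host that is not the site's own. Table and
    column names come from the schema, not from users, so interpolating them
    into the PRAGMA/SELECT text here is safe."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        text_cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")
                     if (r[2] or "").upper() == "TEXT"]
        for col in text_cols:
            for rowid, value in conn.execute(f"SELECT rowid, {col} FROM {table}"):
                for m in REMOTE_EMBED.finditer(value or ""):
                    host = m.group(2).lower()
                    if host not in own_hosts:
                        hits.append((table, col, rowid, m.group(1).lower(), host))
    return hits

if __name__ == "__main__":
    db = open_sample_db()
    payload = "x' OR '1'='1"          # textbook tautology, shown only for contrast
    print("vulnerable:", lookup_vulnerable(db, payload))   # [1, 2, 3]
    print("safe:      ", lookup_safe(db, payload))         # []
    for hit in find_injected_markup(db, {"www.example.com"}):
        print("injected markup:", hit)
```

    The scanner is the part a site owner can run today against a backup of the database: it reports the table, column and row of every off-site embed, which is what you need both to clean up and to work out which page or form carried the injectable query.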

  • Windows XP SP3 - Jesper's Workaround for Endless Reboot issue

     While HP is working on a solution for the flawed IntelPPM driver used on certain AMD models, this neat solution checks whether a PC is affected and disables the driver so that Windows XP SP3 can load successfully.

     http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085978

    https://msinfluentials.com/blogs/jesper/archive/2008/05/08/does-your-amd-based-computer-boot-after-installing-xp-sp3.aspx

    QUOTE: May 15, 2008 (Computerworld) A former Microsoft Corp. security manager has published a tool designed to detect and fix PCs that may be susceptible to "endless reboots" if updated to Windows XP Service Pack 3 (SP3).

    Jesper Johansson, once a program manager for security policy at Microsoft and currently an MVP (Microsoft Most Valuable Professional) who works at Amazon.com, posted a link to the tool on his blog yesterday, beating his former employer and Hewlett-Packard Co. to the draw. Neither company has yet come up with a fix or patch for the weeklong snafu.

    Johansson's small, 16K VBScript (Visual Basic Scripting Edition) file checks whether the PC is running a processor from Advanced Micro Devices Inc. (AMD), and if so, examines the Windows registry to see if a device driver meant for Intel-based machines is set to load.

    "If it is, it will offer you an option to disable it," said Johansson in an update to a blog post where he has been summarizing reports of Windows XP SP3 problems and offering solutions. Users can run the script from the command line to check multiple machines on a network, Johansson added.
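    The workaround described above is a decision in three parts: is the processor an AMD one, is the Intel driver's service entry still set to load, and if both are true, set the entry to disabled. Below is an added example, not Jesper's VBScript, that makes the same decision from a registry export file so it can be run and tested anywhere; the registry locations are the standard ones for a service entry and the CPU vendor string (assumed here, the article names only the driver), and the .reg text is constructed.

```python
import re

# Standard locations for a service entry and the CPU vendor string (assumed
# here; the article names the IntelPPM driver but not these paths).
CPU_KEY = r"hkey_local_machine\hardware\description\system\centralprocessor\0"
PPM_KEY = r"hkey_local_machine\system\currentcontrolset\services\intelppm"
SERVICE_DISABLED = 4   # Start = 4: the driver is never loaded

# Constructed .reg export from an AMD machine where the driver is set to load.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0]
"VendorIdentifier"="AuthenticAMD"
"ProcessorNameString"="AMD Athlon(tm) 64 Processor 3200+"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')

def parse_reg_export(text):
    """Parse the subset of .reg syntax used above ([key] headers, "name"="string"
    and "name"=dword:hex values) into {key: {name: value}}, case-folded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            keys[current][name.lower()] = int(dword, 16) if dword is not None else string
    return keys

def assess_intelppm(reg):
    """Classify a parsed export the way the workaround reasons: only AMD
    machines with intelppm still enabled are at risk of the reboot loop."""
    vendor = reg.get(CPU_KEY, {}).get("vendoridentifier", "")
    start = reg.get(PPM_KEY, {}).get("start")
    if vendor != "AuthenticAMD":
        return "not-amd"
    if start is None:
        return "driver-absent"
    if start == SERVICE_DISABLED:
        return "already-disabled"
    return "at-risk"

def disable_intelppm_reg():
    """A .reg fragment that sets intelppm Start to 4, i.e. the change the
    workaround offers to make when a machine is at risk."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\intelppm]\r\n"
            "\"Start\"=dword:00000004\r\n")

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    print(assess_intelppm(reg))    # at-risk
    print(disable_intelppm_reg())
```

    Exporting the two keys from each machine and feeding the files through assess_intelppm gives the same "check multiple machines" view the article mentions, without touching anything; only the generated fragment changes a machine, and only on an AMD box that came back "at-risk".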

  • Project Closure -- Ten Things that should be done

    This is EXCELLENT advice, as this process is often neglected due to the need to start the next project right away.

    Article: 10 things you should do near the end of a project
    http://blogs.techrepublic.com.com/10things/?p=351

    QUOTE: In either case, you probably go through the typical inception, elaboration, and construction phases of a project. But when it comes to the end of a project, many project managers come up just short of the finish line. Failure to handle the final steps can add confusion to an initiative and may lead to customer dissatisfaction, unhappy staff, and a project dragging on longer than necessary.

    #1: Finalize testing
    #2: Finalize training
    #3: Validate deliverables
    #4: Get project signoff
    #5: Release the team
    #6: Analyze actual vs. planned
    #7: Archive documentation
    #8: Ensure contract closure
    #9: Conduct a postmortem meeting
    #10: Perform a self assessment

  • PC Magazine - Updated list of Free Security Software

    As noted in the article, there are both advantages and disadvantages to using free security software instead of a purchased security suite. Personally, I like using some of the freely available tools as they are efficient and as protective as competing products that require purchase.

    Still, folks should do their homework and ensure any free products will meet their needs.  They should research free product offerings to understand what they will and will not be able to do functionally with these tools.

    ADVANTAGES OF FREE SECURITY PRODUCTS
    -- Free product offerings are better than having no protection at all (especially for folks on a tight budget)
    -- There are actually many great free firewalls, AV products, and anti-spyware tools available (some free products are often as good or better than competing paid products - but you have to do your homework)
    -- Sometimes a simple "no frills" solution is all you need and it might even offer better performance than a full featured product offering lots of "whistles and bells"
    -- You can try adding a new layer of protection and if you find there's not a compelling need you can uninstall it and it hasn't cost you any money (e.g., if you rarely get spyware and wanted to test out a free product offering)


    DISADVANTAGES  OF FREE SECURITY PRODUCTS
    -- Security suites may cover more areas of exposure for improved protection (so there are no gaps)
    -- Some free products may not be as comprehensive in their scope of protection when compared to paid products (e.g., AV protection may be limited to just files and may not cover exploits, rootkits, or other risks)
    -- Some free security products may try to upsell folks with occasional popup messages to the more comprehensive paid versions
    -- Very limited user support may be available, where full technical support may be available for
    -- Most free products are only available for personal use and these must not be used on a free basis in a corporate environment


    Below is an analysis of some of the most recent product offerings.  Both AVG and Avast have been well rated as basic AV products.  They often provide protection for leading edge threats more quickly than even some of the mainstream solutions.  

    PC Magazine - Updated list of Free Security Software
    http://blogs.pcmag.com/securitywatch/2008/05/free_security_software.php
    http://www.pcmag.com/article2/0,1759,2304349,00.asp

    QUOTE: Sometimes free security is worth what you pay for it. But if you know what to look for, you can get an excellent buy when it comes to protecting yourself—without dropping a lot of cash. You may be better off with a full-scale commercial Internet security product, but you're far better off with a free product than with no security product at all. You may be surprised at how much protection you can get at no cost. The latest versions of the popular free antivirus products from avast! and AVG both now include spyware protection as well, and they're quite effective.

    SPECIFIC PRODUCTS REVIEWED INCLUDE
    ==================================
    avast! antivirus 4.8 Home Edition
    AVG Anti-Virus Free 8.0
    Spybot Search & Destroy 1.5
    Spyware Terminator 2.0

    ThreatFire 3.5
     

  • US Attorney seeks 5 years for the Bonnie and Clyde of ID theft

    This is an interesting article as the majority of the thefts were conducted using non-technical approaches.  Folks should be careful in storing or discarding sensitive documents as criminals will use any means to steal from others

    US Attorney seeks 5 years for the Bonnie and Clyde of ID theft
    http://blogs.pcmag.com/securitywatch/2008/05/us_attorney_seeks_5_year_terms.php
    http://www.philly.com/inquirer/home_top_left_story/20080513__Poster_children__for_ID_theft.html

    QUOTE: While they used professional Internet tools to facilitate some of these thefts, the bulk of their identity theft was low-tech: "Purse snatching, burglarizing apartments and mailboxes with stolen keys, breaking into gym lockers, soliciting information over the telephone by false pretenses, picking up documents while visiting." With what they obtained they ran down others' credit cards, established new ones in the victims' names and ran those down, created accounts with banks and spent from those. They transferred a lot of money around to cover tracks.

    The moral, other than that some people have no morals, is that online identity theft isn't the only way you can get ripped off. It may not even be the most likely way. Keep an eye on other vehicles, like what's in your mailbox or purse.

  • Windows XP SP3 - Read all prerequisites for a successful installation

    The XP SP3 installation upgrades have worked well for me on three systems and they should for most users. A service pack represents a major upgrade of operating system or product binaries and should be applied in a cautious manner.

    Some best practices for a successful installation of XP SP3 (or any major software install) include:  

    -- Read the Internet Explorer prerequisite information (e.g., IE 6 and IE 8 users are affected: IE 8 must be uninstalled first, and IE 6 users will return to IE 7 if they choose to uninstall XP SP3 later)
    -- The "standalone" version for professionals is a huge download (312MB). I had 3 PCs to update and that made it beneficial to use the full version (plus I wanted to archive this as a future backup). For just a single PC, the Windows Update facility provides a more efficient download, as it retrieves only the SP components needed based on the PC configuration.
    -- Once you're ready to install, reboot your system for a fresh start
    -- Shut down all applications that start automatically
    -- Disable your anti-virus software
    -- Optionally, you may want to temporarily disconnect from the Internet on home PCs to avoid any potential interruptions (only if you're using the standalone version)
    -- XP SP3 requires considerable disk space (1GB or more of free space needs to be available). Make certain you have enough free temporary space. If your hard drive is almost full, use the disk clean-up tool and delete all unneeded items.
    -- Start the XP SP3 install process and read/accept the various prompts offered
    -- Do not use your system for any other activity while the install is running
    -- Be patient, as the update process could require 30 to 60 minutes depending on system speed, free space, and other factors
    -- Reboot your system as prompted
    -- After the final settings have been made following the reboot, I usually perform an additional reboot to test out the change and to give the PC a fresh start after applying the service pack.

    It's important to read and research all prerequisites prior to installing. For example, as I'm currently testing the Internet Explorer 8 beta, I discovered it must be uninstalled before you can apply the XP SP3 upgrade. After XP SP3 was installed, IE 8 was reinstalled.

    Internet Explorer Prerequisites - A must read for XP SP3
    http://blogs.msdn.com/ie/archive/2008/05/05/ie-and-xpsp3.aspx

    Excellent resource for Windows XP SP3 links and information 
    http://www.wilderssecurity.com/showthread.php?t=208460

    Microsoft Forums - XP SP3 issues can be reviewed or reported here:
    http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=2010&SiteID=17

    Other XP SP3 Issues - A few systems have experienced constant reboot issues
    http://msinfluentials.com/blogs/jesper/archive/2008/05/08/does-your-amd-based-computer-boot-after-installing-xp-sp3.aspx
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9084418

    May 13, 2008 Update: The following blog entry provides an excellent overview of most current issues:

    Shaun Cassells Blog - Some XP SP3 Users Experience Crashes, Mostly Due to OEM Problems
    http://myitforum.com/cs2/blogs/scassells/archive/2008/05/12/some-xp-sp3-users-experience-crashes-mostly-due-to-oem-problems.aspx

    QUOTE: While Windows XP is receiving some bad press due to the crashes, again, it appears that most of the crashes are due to hardware issues stemming from unsupported configurations, and thus the blame falls largely on the PC manufacturers and the makers of component drivers. Fortunately, the majority of the problems have easy fixes that do not even require uninstalling the Service Pack.

    Similar problems occurred with Windows Vista SP1, though in that case the blame ended up resting with a Microsoft pre-install update.  It is fairly typical for a Service Pack to take some computers out of commission, particularly one for an OS with as large an operating base and as varied a hardware environment as Windows XP.  Nonetheless, such problems are serious concerns for users affected, and those potentially at risk.

  • May 2008 - The 30th anniversary of SPAM email

    Spam email started circulating 30 years ago. Below is a good overview from the updated version of Templeton's 25th anniversary post. Spam remains a major problem with email today, and folks should always be careful to take no action on it other than deleting it.

    http://www.templetons.com/brad/spam/spam25.html

    QUOTE: In fact, the earliest documented junk e-mailing I've uncovered was sent May 3, 1978 -- 25 years ago this month. (It was written May 1 but sent on May 3.) And in a surprising coincidence (*), just a month ago marked the 10th anniversary of March 31, 1993, the first time a USENET posting got named a spam

    The DEC marketer, Gary Thuerk, identified only as "THUERK at DEC-MARLBORO" (There were no dots or dot-coms in those days, and the at-sign was often spelled out) decided to send a notice to everybody on the ARPANET on the west coast. In those days there was a printed directory of everybody on the Arpanet which they used as source for the list. The message trumpeted an open house to show off new models of the Dec-20 computer, a foray into larger, almost mainframe-sized systems.

    This was a spam, though the term would not be used to refer to it for another 15 years. Thuerk had his technical associate, early DEC employee Carl Gartley, send the message from his account after several edits. Alas, at first he didn't do it right. The Tops-20 mail program would only take 320 addresses, so all the other addresses overflowed into the body of the message. When they found that some customers hadn't got it, they re-sent to the rest.

    More on the History and Types of SPAM
    http://en.wikipedia.org/wiki/E-mail_spam

     

  • Avert Medium Threat Advisory -- Fake MP3 malware P2P attacks

    While this is more applicable to home users, I haven't seen a threat rated as MEDIUM for a while. This one is apparently circulating extensively. It appears to affect folks participating in P2P networks, which are always dangerous with respect to malware and copyright concerns.

    All users need to avoid the site: fastmp3player (dot) com

    Avert Medium Threat Advisory -- Fake MP3 malware attacks
    http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/
    http://www.avertlabs.com/research/blog/index.php/2008/05/07/yet-even-more-fake-media-files/
    http://blastmagazine.com/2008/05/mcafee-identifies-downloader-uah-first-medium-risk-malware-in-three-years/
    http://vil.nai.com/vil/content/v_144503.htm

    QUOTE: Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago. Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone. Now Downloader-UA.h is not your everyday trojan; this detection covers fake music and video files associated with *** MALICIOUS URL REMOVED ***

    When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead they’re directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.
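    The point of the advisory is that the file's name said MP3 or MPG while its contents were something else entirely. Below is an added example (not McAfee's detection logic, and it does not claim to know how this particular campaign built its files) that checks a downloaded file's leading bytes against what its extension promises, so that a supposed media file that is actually a Windows executable or a different container is flagged before anyone double-clicks it. The sample files are constructed headers only, not real media or malware.

```python
import os

# ASF header object GUID, the first 16 bytes of WMA/WMV files.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

def sniff_media(data):
    """Classify a file from its leading bytes, ignoring its name entirely."""
    if data[:2] == b"MZ":
        return "windows-executable"
    if data[:16] == ASF_HEADER_GUID:
        return "asf"                       # WMA/WMV container
    if data[:3] == b"ID3":
        return "mp3"                       # MP3 with an ID3v2 tag
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                       # raw MPEG audio frame sync
    if data[:4] == b"\x00\x00\x01\xba":
        return "mpeg-video"                # MPEG program stream pack header
    return "unknown"

# What each media extension should sniff as.
EXPECTED_BY_EXT = {
    ".mp3": {"mp3"},
    ".mpg": {"mpeg-video"}, ".mpeg": {"mpeg-video"},
    ".wma": {"asf"}, ".wmv": {"asf"},
}

def check_media_file(filename, data):
    """Return ('ok' | 'mismatch' | 'unchecked', detected_type)."""
    ext = os.path.splitext(filename)[1].lower()
    detected = sniff_media(data)
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is None:
        return "unchecked", detected
    return ("ok" if detected in expected else "mismatch"), detected

def triage_downloads(files):
    """files: iterable of (name, bytes). Return the names whose content does
    not match the media type their extension claims."""
    return [name for name, data in files
            if check_media_file(name, data)[0] == "mismatch"]

# Constructed samples: headers only, not real media or malware.
SAMPLES = [
    ("real_song.mp3", b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 16),
    ("raw_song.mp3", b"\xff\xfb\x90\x00" + b"\x00" * 16),
    ("fake_song.mp3", b"MZ\x90\x00" + b"\x00" * 16),     # an executable renamed .mp3
    ("fake_clip.mpg", ASF_HEADER_GUID + b"\x00" * 16),    # an ASF container renamed .mpg
    ("notes.txt", b"hello"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, check_media_file(name, data))
    print("suspicious:", triage_downloads(SAMPLES))   # ['fake_song.mp3', 'fake_clip.mpg']
```

    A check like this belongs at the point where a P2P client or browser hands a finished download to the user: a mismatch is not proof of malware, but a "song" that is really an executable, or a container the player will hand off to something else, is exactly the shape of file this advisory describes.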
