Security News and Best Practices for corporate and home users
May 2004 - Posts
-
The comments below are from my own experiences in the security field. I agree with most of this in principle though.
California Senate passes e-mail privacy bill http://zdnet.com.com/2110-1105_2-5220883.html
COMMENTS
I agree that employees should be notified on corporate monitoring activities and know in advance the privacy expectations of Internet, email, and other resources. We did this as a courtesy in our workplace from day one when we implemented our Internet connection in 1997. It made a difference in preventing a lot of unfortunate and unpleasant situations (e.g., having to fire someone for misusing the Internet at work).
When I helped formulate our corporate security policies at work, we had "banner messages" on all systems, telling our professionals that "monitoring was in place for security purposes" and "information resources are primarily for business use only". I even helped back in 1985 with ACF2 implementation on our IBM mainframe and we had this type of banner message present.
Security monitoring was also highlighted in corporate policies that employees signed annually and even emphasized in a letter by our company president and on our Intranet security site containing all corporate policies.
Finally, it's very important to keep logged information secure and private, as it can be misused by uninformed individuals. Only managers working through HR could get information for a specific employee. The security team should work with their corporate legal team in ADVANCE of having to use this, so that all the i's are dotted on the right way to handle violations.
I think this type of notification protects the employers (from legal action, where an employee might say "you didn't tell me" - even though it might be assumed) and employees (so they know they'd better conduct themselves appropriately in the workplace). Still, it's a shame that a law is needed for something that should be standard operating procedure for any business.
-
This new mass mailing worm is rated as a "2" at Symantec and it will most likely be contained, as many sites block PIF-based attachments.
Netsup.A - new mass mailing worm http://www.symantec.com/avcenter/venc/data/w32.netsup.a@mm.html
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Netsup.A@mm can arrive as an attachment to an email with the following properties:
From: NetworkSupport@<RECIPIENT DOMAIN> or a spoofed address from an infected Microsoft Outlook address book.
Subject: May contain one of the following:
Tragedy
Protecting your PC
This pic of you is funny
W32.Netsky and W32.Beagle protection
Finances for the week
Mail Delivery Subsystem Error
Careful
Undeliverable Message
Mail Delivery Failed
Name of attachment: message.eml.pif
EXAMPLE:
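As an added example (not from the original post or from Symantec), here is a gateway-style filter that checks an incoming message against the three traits listed above: the forged NetworkSupport@<recipient domain> sender, the fixed subject lines, and the .pif attachment. The sample messages are constructed; the decision of blocking on the attachment or sender but only flagging a bare subject match is this example's policy, not the post's.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subjects and attachment name listed in the Symantec write-up quoted above.
NETSUP_SUBJECTS = {
    "Tragedy", "Protecting your PC", "This pic of you is funny",
    "W32.Netsky and W32.Beagle protection", "Finances for the week",
    "Mail Delivery Subsystem Error", "Careful", "Undeliverable Message",
    "Mail Delivery Failed",
}
BLOCKED_SUFFIX = ".pif"   # the post notes many sites already block PIF attachments

def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if unparsable."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify(raw: bytes) -> dict:
    """Inspect one RFC 5322 message and return a verdict plus the indicators hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    rcpt_domain = domain_of(str(msg["To"] or ""))
    # Trait 1: From: NetworkSupport@<RECIPIENT DOMAIN>
    if rcpt_domain and sender == f"networksupport@{rcpt_domain}":
        hits.append("networksupport-sender")
    # Trait 2: one of the fixed subject lines
    if str(msg["Subject"] or "").strip() in NETSUP_SUBJECTS:
        hits.append("known-subject")
    # Trait 3: a .pif attachment (message.eml.pif hides an executable behind a mail-like name)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_SUFFIX):
            hits.append(f"pif-attachment:{name}")
    # A .pif attachment or the forged support sender is decisive; a subject such as
    # "Careful" on its own is too generic to block and only earns a review flag.
    if any(h.startswith("pif-attachment") or h == "networksupport-sender" for h in hits):
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "indicators": hits}

def build_sample(infected: bool) -> bytes:
    """Constructed test messages: one mirroring the worm's traits, one benign."""
    m = EmailMessage()
    m["To"] = "alice@example.com"
    if infected:
        m["From"] = "NetworkSupport@example.com"
        m["Subject"] = "Mail Delivery Failed"
        m.set_content("Your message could not be delivered. See the attached report.")
        m.add_attachment(b"MZ\x90\x00 constructed stub, not a real binary",
                         maintype="application", subtype="octet-stream",
                         filename="message.eml.pif")
    else:
        m["From"] = "Bob <bob@example.org>"
        m["Subject"] = "Lunch on Friday?"
        m.set_content("Same place as last time?")
    return m.as_bytes()

if __name__ == "__main__":
    for flag in (True, False):
        print(classify(build_sample(flag)))
```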
-

New Yahoo Toolbar - will provide Spyware Protection http://techrepublic.com.com/5100-22_11-5221367.html
While this might be a good thing for existing users of the Yahoo toolbar, I thought I'd share a few additional comments, based on some sharing I did in some other security forums.
As a starting point, I’m not a big fan of ANY added toolbars, because they can complicate IE functionality. Secondly, all searches entered into the Yahoo toolbar will be collected for market research purposes, but still that's almost like the fox guarding the henhouse as some feedback expressed.
SPYWARE PREVENTION
I stick mostly with mainstream sites and rarely have issues. I use Opera 7.50 and Mozilla Firefox 0.8 to complement IE 6 SP1.
I recommend firewall controls, Spybot immunization, and even front-end packages like PestPatrol and Spyware Blaster, which can prevent infections.
Still, I use IE a lot on some key sites, so BEST PRACTICES (avoidance) will go a long way in protecting you.
SPYWARE DETECTION
On the detection side, I use Spybot and Ad-Aware about once per month to look for adware or spyware. I rarely have issues, as I learned a long time ago that "there are no free lunches on the Internet".
-

Five PC Security Safeguards for the corporate network http://www.computerworld.com/securitytopics/security/story/0,,93232,00.html
1. Securing notebook computers (including encryption)
2. Strict password policies (alphanumeric passwords)
3. Veiled computer screens (password-protected screen savers)
4. Tightening security without wires (best practices in wireless security)
5. Sealing e-mails (encrypt outgoing email traffic)
-
A great summary of the benefits a company can achieve by investing in education for the security team.
Six Ways to Justify Security Training (with a tight budget) http://www.computerworld.com/securitytopics/security/story/0,10801,93419,00.html
SUMMARY OF SECURITY TRAINING BENEFITS
1. Avoidance of a costly security incident
2. Avoidance of disruptive downtime
3. Improved availability
4. Improved consistency
5. Improved failure analysis
6. Improved audit results
-

Hackers Target Microsoft TechEd 2004 ($50K bounty) http://www.securitypipeline.com/21100274
The real story out of Microsoft Tech Ed wasn't highlighted on stage but wreaked havoc on attendees nonetheless.
Reporters first noted an inability to link into VPNs from the show's press room on Monday, opening day of Tech Ed 2004 in San Diego. They were able to connect over wire connections to the 'Net, but access to VPNs was precluded and many could not access instant messaging either. Microsoft network support technicians eventually admitted that relevant ports were shut down to prevent hackers who were targeting the show.
A Microsoft executive later said that hackers had put out bounties--she mentioned $50,000--to disrupt the show network. She did not specify further. One technician said the network had experienced 8,000 attempted exploits as of Tuesday morning.
-

http://techrepublic.com.com/5100-22_11-5221367.html
Yahoo on Thursday is expected to release an upgrade for its downloadable toolbar to help people detect and remove spyware, or malicious files, on their PCs.
For now, the Web portal will be testing the technology, which has been supplied by antispyware company PestPatrol. It will offer the toolbar upgrade only to a select number of people at beta.toolbar.yahoo.com, Yahoo spokeswoman Stephanie Iwamasa said.
The software can perform a high-level scan of files on a PC to detect viruses or other applications that were installed surreptitiously and are used to spy on computer behavior.
"The toolbar is the best place to present this application because of its accessibility--you can log on and use your toolbar from any machine--and because it's a persistent application in the browser window," Iwamasa said.
-

Symantec has made their DeepSight Analyzer service available for free to the general public. This service has previously only been available to enterprise-level companies willing to shell out the money necessary. The DeepSight service does several important things: it gives you day-by-day automated reports of your system activity and access to the Analyzer Console online, and you can use it to generate summary reports of that activity.
ARTICLE: http://channels.lockergnome.com/news/archives/010496.phtml
REGISTRATION: https://analyzer.symantec.com/register.asp
-
More good news, and perhaps a contributing factor to the quieter times we've seen since the arrest of the Sasser author, who was also part of the Netsky group. One more bust. This time it's Mr. Wang An-ping, who was arrested in Kaohsiung, Taiwan. Mr. Wang is being charged with writing and distributing the Peep backdoor. Peep is a remote access trojan, similar to Netbus and Back Orifice. It consists of client and server parts.
MORE DETAILS:
http://www.chinapost.com.tw/taiwan/detail.asp?ID=49192&GRP=B
http://www.f-secure.com/v-descs/peep.shtml
F-Secure summarizes recent arrests http://www.f-secure.com/weblog/
quote:
So over the last three weeks we have:
- Several arrests in Germany on Sasser
- Several arrests in Germany on Agobot
- One arrest in Canada on Randex
- One arrest in Taiwan, on Peep
...and we are aware of at least one virus investigation against an active virus group. Heck, if things continue at this pace, we can soon retire.
-
In testing Linux and Windows operating system security, I've found it's more about HOW YOU IMPLEMENT security -- rather than whether one is superior overall. Either OS can be implemented in a secure or non-secure fashion.
Any OS needs the following for the best levels of security:
Best Practices: Security Controls for Operating Systems
1. PLAN your security environment and controls before you install
2. Patch, Patch, Patch (keep it updated)
3. Firewall and Anti-Virus controls
4. Avoid highly privileged user accounts (e.g., Admin/Root) where possible
5. Turn off unneeded services and privileges
6. Stay informed and take counteraction measures on any evolving threat
7. Test your OS controls continuously in the corporate environment (using free security tools from Microsoft and other vendors)
-
This article compares and contrasts the current state of security controls between these two Operating Systems.
Linux and Windows security compared http://os.newsforge.com/article.pl?sid=04/05/18/1715247
Key Linux and Windows Operating System Security Capabilities

Category | Capability | Linux | Windows | Qualitative Score
--- | --- | --- | --- | ---
Base security | Authentication, access control, cryptography, audit trail/logging | Pluggable Authentication Module, plug-in modules, Kerberos, PKI, Winbind, ACLs, LSM, SELinux, Controlled Access Protection Profile audit, kernel cryptography | Kerberos, PKI, Access Control Lists, Controlled Access Protection Profile audit, Microsoft crypto application programming interface | Linux is superior
Network security and protocols | Authentication layer, network layer | OpenSSL, OpenSSH, OpenLDAP, IPSec | SSL, SSH, LDAP, AD, IPSec | Both are comparable
Application security | Antivirus, firewalls, intrusion detection software, Web servers, email, smart card support | OpenAV, Panda, TrendMicro, firewall capability built into the kernel, Snort, Apache, sendmail, Postfix, PKCS 11, exec-shield | McAfee, Symantec, Check Point, IIS, Exchange/Outlook, PKCS 11 | Linux is somewhat superior
Deployment and operations | Installation, configuring, hardening, administration, vulnerability scanners | Install and configuration tools, Bastille, mostly admin through command line interface, Nessus, distribution-specific Up2Date, YaST, Webmin | Install and configuration tools come with Windows, no specific hardening tool, admin GUI, security by default has been emphasized lately | Both are comparable
Assurance | Common Criteria Certification, flaw handling | Linux has achieved EAL3 and has good flaw handling | Windows has EAL4 and good flaw handling | Windows is superior
Trusted computing | Trusted Platform Module, Trusted Computing Software Stack, instrumentation, attestation | Trusted Platform Module device driver open sourced by IBM, Trusted Computing Group software stack is targeted for 2005 | Next-Generation Secure Computing Base, possible availability with Longhorn 2006 | Neither is superior
Open standards | IPSec, POSIX, Transport Layer Security, Common Criteria | Linux meets all open standards | Microsoft participates in open standards but has some proprietary standards | Linux is superior
-
Unfortunately, the innovation continues with this new proof-of-concept PE infector that will run in native 64-bit mode.
W64.Rugrat - The First 64 bit Windows virus http://www.sarc.com/avcenter/venc/data/w64.rugrat.3344.html
W64.Rugrat.3344 is a direct-action infector (it exits memory after execution) of IA64 Windows Portable Executable (PE) files - this includes most Windows applications, excluding .dlls. It infects files that are in the same folder as the virus and in all subfolders. It is the first known virus for 64-bit Windows, and it uses the Thread Local Storage structures to execute the viral code. This is an unusual method of executing code. It does not infect 32-bit Portable Executable files, and it will not run on 32-bit Windows platforms. The virus is written in IA64 assembly code.
W64.Rugrat is a fairly simple proof-of-concept virus. However, it is the first known virus to attack 64-bit Windows executables on IA64 systems intentionally, and it does so successfully. The virus uses a handful of Win64 APIs from 3 different libraries, NTDLL.DLL, SFC_OS.DLL and KERNEL32 respectively.
-
My IT Forums is perhaps the best free resource for supporting Microsoft technologies. While it started as an SMS support center, it has expanded to cover a number of important topical areas. We had some good sharing on corporate spyware and adware protection as noted in the links below:
My IT Forums - Corporate Spyware/Adware discussions http://myitforum.techtarget.com/forums/tm.asp?m=62741
One of our members did an excellent job of summarizing all the posts. The May 26th blog entry provides an informative status of adware/spyware protection in the corporate environment:
Roger's Information Security Blog (May 26) http://www.infosecblog.org/
-
Microsoft is proposing new anti-spam technology that authenticates the sender's address before a message is accepted. This new standard holds promise, as it would not allow "spoofed" email headers to be received.
Microsoft working on new email "Caller ID" to reduce SPAM http://www.microsoft.com/mscorp/twc/privacy/spam_callerid.mspx
Microsoft on Wednesday said it plans to submit a proposal to make its antispam technology a standard, becoming the latest Internet giant to seek industry approval for the adoption of its technique. The technology, called "Caller ID for E-mail," is an Internet Protocol-based method to ensure that the sender's return e-mail address is authentic. Many spammers have used a method called "spoofing," which makes their return addresses appear legitimate to the recipient's spam filters. Often, people open unwanted spam, thinking it originated from a contact, which could lead to the further dissemination of viruses and user annoyance. Microsoft plans to file its proposal to the Internet Engineering Task Force (IETF), an industry standards body, either this week or next.
"Caller ID for E-Mail: The Next Step to Deterring Spam" is the Microsoft draft specification to address the widespread problem of domain spoofing. Domain spoofing refers specifically to the use of someone else's domain name when sending a message, and is part of the larger spoofing problem, the practice of forging the sender's address on e-mail messages. Caller ID for e-mail would verify that each e-mail message originates from the Internet domain it claims to come from. Eliminating domain spoofing will help legitimate senders protect their domain names and reputations, and help recipients more effectively identify and filter junk e-mail.
Related Link: Bill Gates Outlines Technology Vision to Help Stop Spam http://www.microsoft.com/presspass/press/2004/feb04/02-24RSAAntiSpamTechVisionPR.asp
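To make the check described above concrete, here is an added example (not Microsoft's specification or code, and not from the original post) that models the core idea: a domain publishes the addresses of its outbound mail servers, and the receiving side compares the connecting server's IP against the list for the domain in the claimed sender address. The published-record table, the SMTP sessions and the use of the From: header as the claimed domain are all constructed assumptions; the real draft's record format is not shown on the page.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for the outbound-server addresses a domain owner would
# publish in DNS under the proposal. Real records, and their format, are not
# shown on the page; only the check itself is modelled here.
PUBLISHED_SENDERS = {
    "example.com": ["192.0.2.0/28", "198.51.100.25"],
    "example.org": ["203.0.113.10"],
}

def purported_domain(from_header: str) -> str:
    """Domain the message claims to come from (From: header), lower-cased."""
    addr = parseaddr(from_header or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(connecting_ip: str, from_header: str,
                 records: dict = PUBLISHED_SENDERS) -> str:
    """Return 'pass', 'fail' or 'none'.

    pass  the connecting server is one the claimed domain publishes
    fail  the claimed domain publishes senders and this is not one of them
    none  the claimed domain publishes nothing, so the check cannot judge
    """
    domain = purported_domain(from_header)
    if not domain:
        return "fail"            # no usable sender address: treat as forged
    published = records.get(domain)
    if published is None:
        return "none"            # fall back to content filtering
    ip = ipaddress.ip_address(connecting_ip)
    # Entries may be single hosts or CIDR ranges; strict=False accepts host bits.
    return "pass" if any(ip in ipaddress.ip_network(e, strict=False) for e in published) else "fail"

def score_session(connecting_ip: str, from_header: str) -> dict:
    """Per-message decision a receiving MTA might take from the verdict."""
    result = check_sender(connecting_ip, from_header)
    action = {"pass": "accept", "fail": "reject-or-tag", "none": "accept-and-filter"}[result]
    return {"domain": purported_domain(from_header), "result": result, "action": action}

# Constructed SMTP sessions: (connecting IP, From header).
SESSIONS = [
    ("192.0.2.5",     "Alice <alice@example.com>"),   # genuine example.com server
    ("203.0.113.10",  "billing@example.com"),         # spoofed: that host belongs to example.org
    ("203.0.113.10",  "bob@example.org"),             # genuine example.org server
    ("198.51.100.99", "news@example.net"),            # domain publishes nothing
]

if __name__ == "__main__":
    for ip, hdr in SESSIONS:
        print(ip, score_session(ip, hdr))
```

A "pass" only establishes that the claimed domain was not forged; a sender who registers a throwaway domain and publishes records for it passes too, which is why the draft's stated goal is to help recipients identify and filter junk e-mail rather than to eliminate it.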
-
Even if you have some of the best security in the world, any unpatched vulnerability can present an opportunity for hackers, crackers, and website defacers.
Microsoft Press site Hacked & Defaced http://www.neowin.net/comments.php?id=20516
Microsoft Press has been defaced this evening by a group named "Outlaw Group". Although the group doesn't seem to have caused much damage, this is clearly an embarrassment for Microsoft.com webmasters. A clear example of where patches need to be applied.
Defaced MS Press Screenshot: http://www.neowin.net/staff/creamhackered/mspresshacked.png
-
The Internet Storm Center warns of a new social engineering scheme to trick individuals into visiting hostile web sites that can exploit unpatched IE vulnerabilities.
Beware of False "Order Confirmations" in EMAIL http://www.incidents.org/diary.php?date=2004-05-24
New Angle(r) On An Old Phish
First of all, my apologies for the headline... I couldn't help myself. It seems that the phisher folk have found some new bait. The newest angle(r) involves sending out fake "order confirmation" messages bearing links that lead to web pages containing exploits for some older IE vulnerabilities.
The idea is that no one will be able to resist simply looking at where the link points, and that the phisher will then snag a few unpatched folk in the process. Let's keep those browsers patched, people. And be careful out there...
-
W32.Korgo.A is a worm that attempts to exploit Microsoft LSASS Windows vulnerability, described in Microsoft Security Bulletin MS04-011. It attempts to use random ports like Bobax but due to a programming error it uses port 2041. It also starts an infinite loop to stop system shutdown.
MS04-011: W32.Korgo.A - New Internet worm http://www.symantec.com/avcenter/venc/data/w32.korgo.a.html
Ports: TCP ports 113, 2041, 3067, 6667, 445 Target of infection: Unpatched machines vulnerable to Microsoft LSASS Windows exploit.
-
The Internet Storm Center is reporting that the CVS exploit published on May 20th has been used multiple times. PATCH NOW! The CVS main homepage (cvshome.org) appears to be down. However, you should still be able to obtain patches from mirrors.
New UNIX CVS Exploit circulating http://www.incidents.org/diary.php?date=2004-05-21 http://isc.sans.org/diary.php?date=2004-05-19
We have received information that exploit code has been reported by K-OTik Security. This exploit is a particular concern to Unix admins and could be used to compromise a number of open source projects. It is recommended that you verify signatures. This exploit can affect your system even if you don't run CVS Server. Just using software that is maintained using a compromised server will put your system at risk. One of the Handlers will be setting up a test server this afternoon to confirm that the code works. Stay tuned for more information.
Gentoo update for CVS http://secunia.com/advisories/11674/
Open BSD http://secunia.com/advisories/11677/
-
Microsoft is offering a guide providing in-depth information on AV defenses. This 900KB download is in PDF format and requires Adobe Acrobat Reader.
The Antivirus Defense-in-Depth Guide http://www.microsoft.com/downloads/details.aspx?FamilyID=f24a8ce3-63a4-45a1-97b6-3fef52f63abb&DisplayLang=en
Microsoft Solutions for Security: The Antivirus Defense-in-Depth Guide provides an easy-to-understand overview of the assorted types of malware, their risks, characteristics, means of replication and payloads. The solution also details the considerations for implementing a comprehensive antivirus defense for your network, servers and clients, which goes beyond simply installing antivirus software into the related tools that will help reduce your risk of infection. Lastly, the solution provides a comprehensive methodology for quickly and effectively responding to outbreaks or incidents when they occur.