
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

August 2004 - Posts

Security Tips: Keep Viruses, Worms, and Spyware Off Your PC
 
A good article covering the basic protective methods from PC World:
 
Security Tips: Keep Viruses, Worms, and Spyware Off Your PC
http://www.pcworld.com/howto/article/0,aid,117425,00.asp

McAfee® VirusScan® Enterprise 8.0i

This morning I installed the latest corporate version of McAfee's VirusScan product. VS 8.0i offers enhanced capabilities over VS 7 in a number of areas (e.g., intrusion detection, buffer overflow protection, desktop firewall capabilities, and limited adware/spyware/joke program removal). So far no issues have surfaced in early testing, and this new version is a keeper, even though I'm only using part of the product's overall functionality.

   McAfee® VirusScan® Enterprise 8.0i

McAfee® VirusScan® 8.0i takes anti-virus protection to the next level, integrating elements of intrusion prevention and firewall technology into a single solution for PCs and file servers. This powerful combination delivers truly proactive protection from the newest of today’s threats—including buffer-overflow exploits and blended attacks—and features advanced outbreak management responses to reduce the damage and costs of outbreaks. Everything is managed by McAfee ePolicy Orchestrator® or ProtectionPilot™ for scalable security policy compliance and graphical reporting.

Talisker's - Network Defense Security Portal

Their new portal implementation is awesome.

Talisker's - Network Defense Security Portal
http://www.securitywizardry.com/radar.htm

Beware of GIF based emails bearing HTML trojan gifts ;)

This new GIF based email attack was spammed extensively over the weekend. While the GIF files themselves are safe, the HTML body of these email messages contains a trojan horse that could be launched on systems that are not up to date on Windows security patches (last year's MS03-032 and MS03-040).

Suspicious GIF files being mailed?
http://isc.sans.org//diary.php?date=2004-08-27

There is an increasing number of suspicious gif attachments to email reported to us. The filenames 1.gif and 2.gif seem to be popular, but it looks like the exploit isn't in the gifs, but rather in the body of the message that tries to download from a -currently down- website. The reports so far indicate Outlook warns about ActiveX permissions, but that might not be the case in all instances. Our best preventive advice would be to disable preview panes in Outlook, keep anti-virus software up to date at all times, and perhaps consider returning email to plain text as much as possible both when sending and receiving messages.


McAfee releases update for 1.gif trojan
http://vil.nai.com/vil/content/v_100715.htm

McAfee has released an update for the 1.gif trojan. This trojan takes advantage of the exploits covered in Microsoft Security Bulletin MS03-032 or Microsoft Security Bulletin MS03-040. McAfee notes that if these patches are applied, you are immune from this virus. McAfee will still identify the trojan with the latest updates applied.

McAfee information on new 1.gif and 2.gif trojans
http://vil.nai.com/vil/content/v_100715.htm

Update - 8/27/2004: A mass-mailing of this exploit occurred today.  Messages appear as:

Subject: 1 or 2
Attachment: 1.gif or 2.gif

The attachments are simply 8 byte ascii files containing a number.  They are not valid GIF files, nor are they infectious.  The message body of such messages is typically blank, but contains HTML exploit code to load a page from a remote site, which is currently inaccessible.  The code on the remote site may contain additional malware that could be responsible for the sending of the messages.

This detection covers HTML documents that attempt to exploit the Microsoft Security Bulletin MS03-032 or Microsoft Security Bulletin MS03-040 vulnerability. The severity of this vulnerability is considered to be critical. It allows an attacker to execute malicious code, simply by visiting an infectious website. Detections of this exploit do not necessarily mean that any malicious code was executed.

It simply means that an HTML document was found to contain the exploit code. Conversely malicious code may have been run, which could result in any number of modifications to the system.  All vulnerable systems should apply the patch from Microsoft. Patched systems are immune from the effects of the exploit code. However, detection will still occur on files attempting to make use of this exploit.
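The two observations above (the attachments are not real GIFs, and the danger sits in an HTML body that loads a remote page) translate directly into a mail-gateway triage check. The following Python script is an added example of my own, not code from McAfee, ISC or this blog: it verifies that an attachment named .gif actually starts with a GIF header and logical screen descriptor, labels the tiny numeric stubs McAfee describes, and flags an HTML body that has no visible text yet pulls content from a remote site. The message body, attachment bytes, function names and the example.invalid host are constructed sample data.

```python
import struct
from html.parser import HTMLParser

# Real GIF files start with one of these two signatures, followed by a
# 7-byte logical screen descriptor (width, height, flags, background, aspect).
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
MIN_GIF_LENGTH = 13


def is_valid_gif(data: bytes) -> bool:
    """True if the bytes begin with a GIF header and a plausible screen size."""
    if len(data) < MIN_GIF_LENGTH or data[:6] not in GIF_SIGNATURES:
        return False
    width, height = struct.unpack("<HH", data[6:10])
    return width > 0 and height > 0


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage label for an attachment that claims, by name, to be a GIF."""
    if not filename.lower().endswith(".gif"):
        return "not-gif-by-name"
    if is_valid_gif(data):
        return "valid-gif"
    # The 1.gif / 2.gif mailing carried a few ASCII bytes holding a number.
    if len(data) <= 8 and data.strip().isdigit():
        return "suspicious-numeric-stub"
    return "suspicious-not-gif"


class RemoteLoadFinder(HTMLParser):
    """Collects remote-content references and any visible text in an HTML body."""

    REMOTE_TAGS = {"iframe", "frame", "object", "embed", "script"}
    REMOTE_ATTRS = {"src", "data", "codebase"}

    def __init__(self):
        super().__init__()
        self.remote_refs = []
        self.visible_text = []

    def handle_starttag(self, tag, attrs):
        if tag in self.REMOTE_TAGS:
            for name, value in attrs:
                if name in self.REMOTE_ATTRS and value and value.lower().startswith(("http://", "https://")):
                    self.remote_refs.append((tag, value))

    def handle_data(self, data):
        if data.strip():
            self.visible_text.append(data.strip())


def triage_message(body_html: str, attachments) -> list:
    """Return human-readable findings for one message; an empty list means nothing matched."""
    findings = []
    for name, data in attachments:
        label = classify_attachment(name, data)
        if label.startswith("suspicious"):
            findings.append(f"attachment {name}: {label}")
    finder = RemoteLoadFinder()
    finder.feed(body_html or "")
    # A body with no readable text that still loads remote content is the pattern described above.
    if finder.remote_refs and not finder.visible_text:
        refs = ", ".join(f"{tag} -> {url}" for tag, url in finder.remote_refs)
        findings.append(f"body: blank message that loads remote content ({refs})")
    return findings


# Constructed sample data: a 1x1 GIF built by hand, a fake "1.gif" stub, and a
# blank HTML body pointing at a placeholder host (example.invalid is a reserved name).
MINIMAL_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b";"
FAKE_STUB = b"1\r\n"
BLANK_LOADER_BODY = (
    '<html><body><iframe src="http://example.invalid/load.html" '
    'width="0" height="0"></iframe></body></html>'
)

if __name__ == "__main__":
    for finding in triage_message(BLANK_LOADER_BODY, [("1.gif", FAKE_STUB)]):
        print(finding)
    print(triage_message("<p>Quarterly report attached.</p>", [("logo.gif", MINIMAL_GIF)]))
```

The header check is deliberately cheap: it rejects anything that cannot be a GIF without trying to decode the image, which is what you want at a gateway that sees every attachment. The body rule only fires when both conditions hold (remote load and no visible text), so ordinary HTML newsletters with remote images and real content are not flagged.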

WINAMP 5.05 Released - corrects critical vulnerabilities

NULLSOFT WINAMP

Version 5.05 is available to correct critical vulnerabilities associated with downloading skins.  While MP9 is my default player on all home and work systems, the 700KB Lite version was tested and it's an excellent secondary media player that's now more secure with this release.

Downloads: Full, Lite, Pro, Strata

Change log for Winamp 5.05:

* Security bug fix
* Fix for upside down videos through DirectShow
* JTFE v0.96c
* Added prompt when loading a skin for the first time

Article - The "polluted" Internet - (constant security attacks)

This article made a key point: if you're connected to a cable modem, don't type anything and simply watch the connection light. It will flicker constantly, indicating a steady stream of worms and other malware attempting to infect your system through unpatched vulnerabilities or unprotected ports.

Article - The "polluted" Internet - (constant security attacks) 
http://www.theregister.co.uk/2004/08/27/polluted_internet/

W32.Spybot.DAZ - uses 7 MS security exploits

This one is bad news on unpatched systems and tries every imaginable way to infect unprotected systems.

W32.Spybot.DAZ - uses 7 MS security exploits
http://www.symantec.com/avcenter/venc/data/w32.spybot.daz.html

W32.Spybot.DAZ is a worm that spreads through IRC, network shares, exploits, and computers that are infected with common backdoor Trojan horses.

Connects to a remote IRC server on TCP port 6667 and listens for commands, including any of the following:

* Download and execute files.
* Scan the network for servers running backdoor Trojan horses.
* List, stop, and start processes.
* Launch Denial of Service (DoS) attacks.
* Steal system information and send it to the attacker.
* Log keystrokes to a file in the %System% folder.
* Open a backdoor port.
* Control the file system (Delete, create, and list files).
* Perform port redirection.
* Flush DNS server.


May spread by exploiting the following vulnerabilities:

* The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
* The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
* The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
* The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
* The UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS01-059).
* The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if the patch in Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-04

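
The port list above maps directly onto what a perimeter or host firewall log can show. The following Python script is an added example of my own, not from Symantec or this blog: it parses constructed firewall log lines in an assumed format (date, time, action, protocol, source, destination, source port, destination port), flags internal hosts opening outbound TCP/6667 sessions (the IRC control channel named above), and flags one source touching several internal hosts on the exploit ports listed (135, 1434/udp, 80, 445), labelling each with the bulletin the write-up ties to it. The addresses, the log format and the sweep threshold are constructed.

```python
from collections import defaultdict

# Ports the Symantec write-up ties to the worm's spreading exploits, with the
# bulletin it names for each (MS04-011 and MS01-059 have no port in the write-up).
EXPLOIT_PORTS = {
    ("tcp", 135): "MS03-026 DCOM RPC",
    ("udp", 1434): "MS02-061 SQL Server 2000 / MSDE 2000",
    ("tcp", 80): "MS03-007 WebDAV",
    ("tcp", 445): "MS03-049 Workstation service",
}
IRC_PORT = ("tcp", 6667)


def parse_line(line: str) -> dict:
    """Parse one constructed log line: date time action proto src dst sport dport."""
    date, time, action, proto, src, dst, sport, dport = line.split()
    return {
        "ts": f"{date} {time}", "action": action.upper(), "proto": proto.lower(),
        "src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
    }


def analyze(lines, internal_prefix="192.168.", sweep_threshold=3) -> list:
    """Return alert strings for IRC control traffic and exploit-port sweeps."""
    alerts = []
    # source -> (proto, port) -> set of distinct destinations touched
    targets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["proto"], rec["dport"])
        internal_src = rec["src"].startswith(internal_prefix)
        # An internal host talking to an outside IRC server is worth a look on its own.
        if key == IRC_PORT and internal_src and not rec["dst"].startswith(internal_prefix):
            alerts.append(f"{rec['ts']} possible IRC control channel: "
                          f"{rec['src']} -> {rec['dst']}:{rec['dport']}/{rec['proto']}")
        if key in EXPLOIT_PORTS:
            targets[rec["src"]][key].add(rec["dst"])
    # One source hitting many hosts on the same exploit port looks like worm propagation.
    for src, per_port in targets.items():
        for key, dsts in per_port.items():
            if len(dsts) >= sweep_threshold:
                alerts.append(f"possible exploit sweep from {src}: {len(dsts)} hosts on "
                              f"{key[0]}/{key[1]} ({EXPLOIT_PORTS[key]})")
    return alerts


# Constructed sample log: one internal host contacts an outside IRC server and then
# probes three neighbours on TCP/445; another host makes one ordinary web request.
SAMPLE_LOG = """
2004-08-26 10:01:02 ALLOW tcp 192.168.1.23 203.0.113.7 3421 6667
2004-08-26 10:01:05 DROP tcp 192.168.1.23 192.168.1.10 3422 445
2004-08-26 10:01:05 DROP tcp 192.168.1.23 192.168.1.11 3423 445
2004-08-26 10:01:06 DROP tcp 192.168.1.23 192.168.1.12 3424 445
2004-08-26 10:02:00 ALLOW tcp 192.168.1.40 192.168.1.5 3500 80
""".strip().splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Both rules key on destination port and host count rather than on payload, so they work on allow/deny records from any firewall that logs the 5-tuple; the threshold is what keeps a single legitimate file-share or web request from raising the sweep alert.
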
ARPANET - First tests 35 years ago led to Internet
Some neat reading today from the Internet Storm Center

ARPANET - First experimentations 35 years ago (09/02/1969)
http://isc.sans.org//diary.php?date=2004-08-26

  The Prototype Still Works After nearly 35 years of continuous service (the first node on the ARPANET was connected on September 2nd, 1969 - anybody throwing a party one week from today?) the experimental prototype network still works. I say "prototype" in reference to a quote that I heard a friend of mine say at DARPA a few years ago concerning the Internet, "Perhaps now it is time to quit experimenting with the prototype and build the real thing." How true! Especially when you consider that today's Internet is largely built on protocols developed in the 1970s. As I tell my students in various SANS classes, we've got to start thinking toward the future and push hard for secure replacements for all of the Internet protocols, including infamous ones like TCP/IP. In 35 years when the 'net is 70, will we still be using SMTP, FTP, telnet, and countless other "ancient" protocols?
CERT Security study - Insider threat in Banks & Financial Institutions

As noted by SANS in the Internet Storm Center:

Insider Threat Paper The CERT Coordination Center recently published an excellent paper on the insider threat facing banks and other financial institutions. This one is worth a read:

http://www.cert.org/archive/pdf/bankfin040820.pdf

WINAMP Media Player - Extremely Critical Vulnerability with 0 Day Exploits

   http://secunia.com/advisories/12381/

A vulnerability has been reported in Winamp, which can be exploited by malicious people to compromise a user's system.

The problem is caused due to insufficient restrictions on Winamp skin zip files (.wsz). This can e.g. be exploited by a malicious website using a specially crafted Winamp skin to place and execute arbitrary programs. With Internet Explorer this can be done without user interaction.

An XML document in the Winamp skin zip file can reference a HTML document using the "browser" tag and get it to run in the "Local computer zone". This can be exploited to run an executable program embedded in the Winamp skin file using the "object" tag and the "codebase" attribute.

NOTE: The vulnerability is reportedly being exploited in the wild.

The vulnerability has been confirmed on a fully patched system with Winamp 5.04 using Internet Explorer 6.0 on Microsoft Windows XP SP1.

Free Windows XP SP2 CD now available for dial-up users

This may take 4-6 weeks to receive but will definitely be a worthwhile update for dial-up users.

Please print this order confirmation, and keep it for your records. Your CD should arrive in 4 - 6 weeks. In the meantime, register with Microsoft to be contacted about important security, product, event and other information.

We will send an e-mail confirmation of your order to you shortly. 

Order Number: *************   Order Date: 8/25/2004   Pay Method: No Charge

Microsoft Office 2003 - How to use it more effectively

Microsoft Office Online

Even as an experienced Office user I found some of these tips to be valuable.

PC World - How to use Office 2003 more effectively
http://msn.pcworld.com/howto/article/0,aid,116756,00.asp

Office Update also provides an important method of keeping your Office XP or Office 2003 up to date with respect to security changes.

MSDN Article: Stop SQL Injection Attacks Before They Stop You

An excellent article for anyone managing SQL-Server DBs. 

MSDN Article: Stop SQL Injection Attacks Before They Stop You
http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx

This article discusses:

* How SQL injection attacks work
* Testing for vulnerabilities
* Validating user input
* Using .NET features to prevent attacks
* Importance of handling exceptions
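To make the first three bullets concrete, here is an added example of my own, not code from the MSDN article (which uses ADO.NET): it uses Python's sqlite3 module against an in-memory table, shows the string-concatenated query the article warns about, the same lookup with a bound parameter, and a hardened wrapper that validates the username against an allow-list and catches database errors without echoing them to the caller. The table contents, the username rule and the example.invalid addresses are constructed.

```python
import re
import sqlite3

# Allow-list for what a username may look like; anything else is rejected before any SQL runs.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.invalid"),
        ("bob", "bob@example.invalid"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Builds the SQL text from untrusted input: the defect the article describes."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str) -> list:
    """Same query with the value bound as a parameter; the input is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_hardened(conn, username: str) -> dict:
    """Validate input, use a bound parameter, and keep driver errors out of the response."""
    if not USERNAME_RE.fullmatch(username):
        return {"ok": False, "error": "invalid username"}
    try:
        rows = lookup_parameterized(conn, username)
    except sqlite3.Error:
        # Log the real exception server-side; the caller gets a generic message only,
        # so schema names and SQL fragments never reach the client.
        return {"ok": False, "error": "lookup failed"}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # the classic test input from the article's first topic
    print("vulnerable:    ", lookup_vulnerable(conn, probe))
    print("parameterized: ", lookup_parameterized(conn, probe))
    print("hardened:      ", lookup_hardened(conn, probe))
```

Run it and the vulnerable lookup returns every row for the probe string, the parameterized one returns nothing (there is no user literally named that), and the hardened one rejects the input before the database is touched. Bound parameters are the fix; the allow-list and the generic error message are defence in depth for the last two bullets.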

Microsoft Help - Windows XP SP2 Setup Problems

This link featured in SANS explains how to recover your computer if your Windows XP SP2 Setup program does not complete successfully.

  Microsoft Help - Windows XP SP2 Setup Problems
http://support.microsoft.com/default.aspx?scid=kb;en-us;875355

W64.Shruggle.1318 - First AMD64 bit virus

This is a new proof-of-concept virus, currently not in the wild, written in AMD64 assembly language.

W64.Shruggle.1318 - First AMD64 bit virus
http://www.symantec.com/avcenter/venc/data/w64.shruggle.1318.html

W64.Shruggle.1318 is a direct-action file infector, similar to W64.Rugrat.3344, that infects AMD64 Windows Portable Executable (PE) files. It is a fairly simple proof-of-concept virus; however, it is the first known virus to attack 64-bit Windows executables on AMD64 systems.  The virus is written in AMD64 assembly code.

New Download.Ject worm variant has surfaced

A new Download.Ject worm variant has surfaced. Installing either MS04-025 or XP SP2 provides protection from this security vulnerability.

StartPage-EU
http://vil.nai.com/vil/content/v_127691.htm

ComputerWorld Article
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,95387,00.html

AUGUST 20, 2004 (IDG NEWS SERVICE) - Users who have not yet installed the three out-of-cycle patches contained in Microsoft Corp.'s July 30 security bulletin MS04-25 now have another reason to do so immediately.

A new version of a worm called Download.Ject takes advantage of one of the flaws fixed by the patches and has begun circulating online, according to Thor Larholm, a researcher at PivX Solutions Inc.

Like its predecessor, the new version of Download.Ject infects vulnerable systems with a Trojan horse and a keystroke logger. But unlike the original worm, which was designed to capture sensitive information such as credit card numbers and ATM codes from infected systems, the new worm generates pop-up advertisements to pornographic sites, Larholm said.

The worm also changes the Web home page and the Internet Explorer search pane on infected systems, Larholm said. A user's regular home page is replaced with a site called TargetSearch and several browser windows with adult advertisements and links to adult sites, a PivX advisory said.

"The worm is still using the same vulnerabilities and the same attack vectors" as its predecessor, Larholm said. Those who have already installed the recently released Service Pack 2 for Windows XP or the patches contained in MS04-25 should be safe.

SANS - Free Guide to Network Security

The SANS Internet Storm Center has received a lot of questions from folks wanting to learn more about network security and how to get started. This guide provides an excellent starting point for this process.

First Things First Guide: An Introduction to Network Security
http://isc.sans.org/presentations/first_things_first.php

 

Build your own Spyware/Adware removal toolkit

SANS featured a list of some of the most popular Spyware removal resources and this is listed below: 

Anti-Spyware Tool Kit
http://www.incidents.org/diary.php?date=2004-08-19

Yesterday's diary entry solicited a number of replies regarding the "tool kits" people use for fighting spyware, malware and viruses. I've collated the most popular, from both e-mail submissions and some from the Handlers themselves. This list is not necessarily complete in any way; it is just a starter for people to help build their own kit.

Tools:

Spybot - Search & Destroy: http://security.kolla.de/ or http://www.safer-networking.org
Ad-Aware SE: http://www.lavasoftusa.com/software/adaware/
SwatIt: http://www.swatit.org
TDS-3 - Trojan Defence Suite: http://tds.diamondcs.com.au/
TrojanHunter: http://www.misec.net/trojanhunter
TheCleaner: http://www.moosoft.com/
BHOdemon: http://www.spychecker.com/download/download_bhodaemon.html
SpySweeper: http://www.webroot.com/
Process Explorer: http://www.sysinternals.com/
HijackThis: http://www.spywareinfo.com/~merijn/
AntiVir: http://www.free-av.com/
AVG: http://www.grisoft.com/us/us_index.php


Sites:

Rogue/Suspect Anti-Spyware Products & Web Sites:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Broadband Reports (aka DSL Reports):
http://www.dslreports.com/forum/security,1

Please note, some or all of these tools are NOT for the novice, and should be used with GREAT care. If you are not careful, you may damage parts of your operating system.

Sarbanes-Oxley Act - Key Links

The following links pertain to the Sarbanes-Oxley Act of 2002, based on research to ensure compliance for a key project at work. These links provide information on the new law itself and its impact on IT and security reporting concerns.

Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act was signed into law on 30th July 2002, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".

Some Key Links

http://www.sarbanes-oxley.com/

http://www.pcaob.com/standards.php

http://www.soxtoolkit.com/

http://www.sarbanes-oxley-forum.com/

http://www.entrust.com/governance/sox.htm

http://www.accountancyage.com/Specials/1131092

http://www.auditnet.org/sarbox.htm

http://www.ifsworld.com/ifs_applications/sarbanes_oxley/default.asp

These links provide the full text of this new law in HTML and PDF formats:

http://vscpa.com/Advocacy/SOtext.htm

http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.txt.pdf


http://www.aicpa.org/info/sarbanes_oxley_summary.htm

http://www.aicpa.org/sarbanes/index.asp

 

Key Target Dates for Compliance

Section 302
• What is it about? Certification of financial reports quarterly
• Who signs off? CEO; CFO
• Effective date? August 29, 2002

Section 404
• What is it about? Annual certification of internal controls; independent accountant attests to report; quarterly reviews for updates/changes
• Who signs off? Management; independent accountant/auditor
• Effective date? Fiscal year ends on/after November 15, 2004 for accelerated filers*; FY ending on/before July 15, 2005 for all others

*Note: For organizations on a calendar fiscal year, this means that compliance is an issue for January, 2004

Section 409
• What is it about? Material event reporting; "real-time" implications
• Who signs off? Management; independent accountant/auditor
• Effective date? Not finalized; expected in 2004

 

Information Technology - Critical Success Factors

Using IT successfully to comply with Section 404 means integrating IT into your Sarbanes-Oxley program by:

  • Making IT an active participant in the company's program management office for Sarbanes-Oxley compliance;
  • Organizing IT resources and establishing an IT internal control program;
  • Providing IT representation on the steering committee;
  • Identifying, documenting and evaluating IT-related COSO requirements, IT processes and application controls, including:
    • Application Controls: data validation, e-checks and output reconciliations, segregation of duties, protection of sensitive data;
    • General Application Controls: application development, testing, change control, database management, and application level security;
    • General Computer Controls: hardware/software configuration and management, performance and capacity management, security, data center operations, database administration;
    • Employing Best Practices: tools, approaches and internal control specialists as required.

  Information Technology - Key Links

http://www.computerworld.com/securitytopics/security/story/0,10801,94535,00.html

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci929451,00.html

http://www.cioinsight.com/article2/0,3959,1217378,00.asp

http://www2.cio.com/analyst/report2271.html

http://www.eweek.com/article2/0,4149,1527933,00.asp

http://www.nwfusion.com/news/2004/0730pwc.html

 

Microsoft Baseline Security Analyzer 1.2.1 - new release

The new MBSA 1.2.1 version supports XP SP2 based workstations in the corporate network environment.

Microsoft Baseline Security Analyzer 1.2.1
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

New version, MBSA 1.2.1, needed for Windows XP SP2 compatibility: Users of Windows XP Service Pack 2 will need to update their MBSA to version 1.2.1 for compatibility with SP2 security improvements. Windows XP SP2 users who are running MBSA 1.2 will be automatically notified when they run the tool from the Start menu with an Internet connection.

MBSA is the free, best practices vulnerability assessment tool for the Microsoft platform. It is a tool designed for the IT Professional that helps with the assessment phase of an overall security management strategy. MBSA Version 1.2.1 includes a graphical and command line interface that can perform local or remote scans of Windows systems.
