April 2006 - Posts
This new company provides web protection services and offers several free and informative articles related to web security.
http://www.acunetix.com/Websitesecurity/
Learn more about web attacks:
Security Articles:
QUOTE: Start-up Acunetix protects Web sites against unauthorized
modifications and denial-of-service attacks. The company
announced its Web Vulnerability Scanner last July as a tool for
identifying vulnerabilities before they can be exploited.
Acunetix also recently announced a useful site for anyone
interested in security Web sites (as usual, I have no
relationship whatsoever with the vendor)

This link discusses network penetration testing using a Star Wars themed approach.
Star Hacks, Episode V: The Empire Hacks Back
http://www.ethicalhacker.net/content/view/55/2/
A new Internet Explorer 6 vulnerability has been documented by Secunia, and so far no exploits have surfaced. Still, folks should always be careful with the sites they visit and avoid all URL links in spam email.
Internet Explorer 6 "object" Tag Memory Corruption Code Execution
http://secunia.com/advisories/19762/
QUOTE: The vulnerability is caused due to an error in the processing of certain sequences of nested "object" HTML tags. This can be exploited to corrupt memory by tricking a user into visiting a malicious web site. Successful exploitation allows execution of arbitrary code. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
This ComputerWorld article evaluates the security improvements in the latest build of IE 7.
IE 7 Beta - Has security improvements under the hood
http://www.computerworld.com/securitytopics/security/story/0,10801,110847,00.html
If the April updates are working well, there is no need to reinstall the MS06-015 security update. As only a limited number of users were impacted, Microsoft is addressing this with a targeted re-release. Details can be found as follows:
MSRC Blog Posting - This is a great site to bookmark for patch news & info
http://blogs.technet.com/msrc/archive/2006/04/21/425838.aspx
When the update is re-released, it's going to be very much targeted to people who are having the problem, or people who have not installed MS06-015 yet. That means if you have already installed MS06-015 and are not having the problem, there's no action here for you.
Microsoft released Service Pack 1 for SQL Server on April 19 with functionality improvements for its latest version of SQL Server.
SQL Server 2005 Service Pack 1 - Home Page
http://www.microsoft.com/sql/sp1.mspx
Microsoft Releases SQL Server 2005 Service Pack 1 - Press Release
http://www.microsoft.com/presspass/press/2006/apr06/04-19SQLExpands06PR.mspx
SQL Server 2005 SP1 Arrives with Production-Ready Mirroring
http://www.eweek.com/article2/0,1759,1951914,00.asp
QUOTE: Microsoft on April 19 introduced Service Pack 1 for SQL Server 2005, the server's first major update since its launch Nov. 7, 2005. SP1 encompasses several new features besides database mirroring, including SQL Server Management Studio Express and additional, flexible options for independent software vendors.
The SP1 release is the first result of a new SQL Server "customer-collaboration model" Microsoft has instituted, which uses customer feedback as the company formulates feature and security updates.
Key new features include the production-ready version of database mirroring, in which the primary production server is mirrored at all times by a standby server. "This allows for automated, seamless failover between primary and standby server, if the primary server needs to come down," SQL Server Senior Product Manager Carol Dullmeyer told eWEEK. "It's a really critical feature."
Microsoft sketches out its DB roadmap
http://www.eweek.com/article2/0,1895,1947288,00.asp
This article provides an update on HIPAA. This is a legal requirement for Health Insurance companies to ensure the privacy of their policyholders.
HIPAA article: Health Insurance Privacy Compliance Lags
http://www.eweek.com/article2/0,1895,1949646,00.asp
Current status ....
QUOTE: The good news about privacy and the Health Insurance Portability and Accountability Act is that more than 80 percent of companies involved in health care have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law.
The bad news? All were supposed to have done so by April 2003.
More bad news? The percentage hasn't changed since last summer, meaning about 20 percent of health care companies are "unable or unwilling to implement federal privacy requirements," according to a twice-yearly survey of health care payers and providers conducted by Phoenix Health Systems and Healthcare Information and Management Systems Society, or HIMSS.
Some key issues in meeting HIPAA compliance ....
QUOTE: The problem is that HIPAA rules are often vague and technology is developing so quickly that it's often hard to decide whether flash drives, hot-site disaster recovery, and other specific storage and file management technologies are covered or satisfy the rules.
"The regulations didn't have much precision," said Gillespie. "They were very general in a lot of cases. Regulatory statements said something about the requirements but didn't come out and say what technology was involved. We went through the regulation sections for more than a year to interpret those regulations into technology solutions that seemed to work and meet the regulations too."
Recent MyTob variants are beginning to spread; email messages like the following should be avoided:
AVOID THESE EMAIL MESSAGES
Subject: (any of the following)
• You have successfully updated your password
• Your new account password is approved
• Your password has been successfully updated
• Your password has been updated
Message body: Varies
Attachment: (any of the following with EXE and other extensions)
• accepted-password
• account-password
• approved-password
• email-password
• new-password
• password
• updated-password
More information can be found as follows:
Recent new Mytob variants
http://secunia.com/virus_information/28516/mytob.pz/
http://secunia.com/virus_information/28515/mytob.pj/
http://www.sophos.com/virusinfo/analyses/w32mytobhj.html
http://www.viruslist.com/en/alert?alertid=184538968
http://www.viruslist.com/en/viruses/encyclopedia?virusid=118626
Kaspersky Weblog -- New Mytob becoming prevalent
http://www.viruslist.com/en/weblog?calendar=2006-04
Some new Mytob variants are showing up in the top 10
http://myavert.avertlabs.com/myavert/default.aspx
http://www.virustotal.com/en/indexf.html
http://www.fortinet.com/FortiGuardCenter/global_threat_stats.html

The following scams, circulating by email, regular mail, and phone, are ones everyone should be aware of:
Article: Would I lie to you? Five cons still kicking
http://www.msnbc.msn.com/id/12394486/
http://www.msnbc.msn.com/id/12394486/page/2/
They've been around for generations, but people still fall for them
1. The Scam: Free Money -- Charismatic individuals claim they know of funding sources that don't have to be repaid.
2. The Scam: Patent and Invention Services -- Business "experts" evaluate your invention or business idea, declare it a sure-fire winner, and ask for thousands of dollars to secure intellectual property protection, help you find manufacturers, and do marketing.
3. The Scam: Advance Fee Loans -- Companies promise loans to would-be entrepreneurs who cannot get capital from banks or investors.
4. The Scam: Work From Home -- It's only after you've made an investment that you find out the business isn't so easy.
5. The Scam: Wealth-Building Seminars -- Few people actually get richer, but many people get poorer attending these meetings, which are often held at hotels near airports.
The ISC published a good finding this afternoon. This is good advice that extends beyond just banks. ALL ORGANIZATIONS requesting info should use SSL and other secure server techniques.
ISC Article -- Banks use non-ssl login forms
http://www.incidents.org/diary.php?storyid=1277
SecureWebBank.com - SSL Login Page Status
https://www.securewebbank.com/loginssluse.html
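The ISC finding above is easy to check for on one's own pages. The following is an added example, not code from the ISC diary or the linked status site: it parses a constructed HTML page and flags any form with a password field that either submits to a non-HTTPS action or is itself delivered over plain HTTP (where the form could be altered in transit). The page URL and markup are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Collects each <form>, its resolved action URL and whether it holds a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # completed form records
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """One finding per login form that is submitted to, or served from, a non-HTTPS URL."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue                      # search boxes etc. are not login forms
        if urlsplit(form["action"]).scheme != "https":
            findings.append(("action-not-https", form["action"]))
        elif urlsplit(page_url).scheme != "https":
            # credentials go over SSL, but the form arrived in clear text
            findings.append(("form-served-over-http", form["action"]))
    return findings


# Constructed sample page (not a real bank site): a search form and a login form.
SAMPLE_HTML = """
<html><body>
<form action="/search"><input type="text" name="q"></form>
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
</body></html>
"""
```

Running `audit_login_forms("http://bank.example/", SAMPLE_HTML)` reports the login form as `action-not-https`; serving the same markup from an `https://` URL clears the finding.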
This new virus should be avoided, as should any CAB attachment arriving in email messages.
Bagle.GM - New Variant with Russian text and CAB attachments
http://secunia.com/virus_information/28391/bagle-gm/
http://www.sarc.com/avcenter/venc/data/w32.beagle.ea@mm.html
EMAIL MESSAGES TO AVOID
From: [SPOOFED]
Subject: The text of the subject is in Russian.
Message Body: The text of the message is in Russian.
Attachment: One of the following: cool.cab, new.cab, me.cab, you.cab, Re.cab
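The MyTob and Bagle.GM indicators above (subjects, attachment names, Russian-language subject) can be turned into a mail filter. The following is an added example, not code from any of the linked vendors: it classifies a parsed message using Python's standard `email` module. The list of executable extensions is an assumption standing in for "EXE and other extensions", and the sample messages are constructed, not captured mail.

```python
import re
from email.message import EmailMessage

# Indicators from the MyTob and Bagle.GM items; EXEC_EXTS is an assumption
# standing in for "EXE and other extensions".
MYTOB_SUBJECTS = {
    "you have successfully updated your password",
    "your new account password is approved",
    "your password has been successfully updated",
    "your password has been updated",
}
MYTOB_NAMES = {"accepted-password", "account-password", "approved-password",
               "email-password", "new-password", "password", "updated-password"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat"}
BAGLE_CABS = {"cool.cab", "new.cab", "me.cab", "you.cab", "re.cab"}
CYRILLIC = re.compile(r"[\u0400-\u04ff]")  # "the text ... is in Russian"


def attachment_names(msg):
    """Lower-cased filename of every MIME part that declares one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def classify(msg):
    """Return 'MyTob', 'Bagle.GM', 'cab-attachment' or None for a parsed message."""
    subject = str(msg["Subject"] or "").strip()
    names = attachment_names(msg)
    mytob_attach = False
    for name in names:
        stem, dot, ext = name.rpartition(".")
        if dot and stem in MYTOB_NAMES and ext in EXEC_EXTS:
            mytob_attach = True
    if subject.lower() in MYTOB_SUBJECTS or mytob_attach:
        return "MyTob"
    if CYRILLIC.search(subject) and any(n in BAGLE_CABS for n in names):
        return "Bagle.GM"
    if any(n.endswith(".cab") for n in names):   # the post: avoid any CAB attachment
        return "cab-attachment"
    return None


def sample(subject, filename):
    """Constructed test message with one attachment (sample data, not captured mail)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("message body varies")
    msg.add_attachment(b"\x00" * 8, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg
```

For example, `classify(sample("Your password has been updated", "updated-password.exe"))` returns `"MyTob"`, and a Cyrillic subject with `me.cab` attached returns `"Bagle.GM"`.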

It was an interesting coincidence that F-Secure is commenting on the new Microsoft Update approach, as I used this approach for the first time on April 11th on some of my home and office PCs. Microsoft Update is essentially Windows Update plus Office Update plus perhaps other products that might be found during the more comprehensive checking performed by this facility. The Microsoft Update process worked well in my own testing of it and applied all Windows and Office related updates properly. As noted by F-Secure, you must have at least Office XP to use this facility.
F-Secure article: Forget about Windows update (use Microsoft update instead)
http://www.f-secure.com/weblog/archives/archive-042006.html#00000854
Microsoft Update Link
http://update.microsoft.com/microsoftupdate/
A new version of Firefox is now available. Current users who have autoupdate capabilities will most likely be automatically prompted for updates. More links are noted below:
Product Page
http://www.mozilla.com/firefox/
Release Notes
http://www.mozilla.com/firefox/releases/1.5.0.2.html
Security Enhancements
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.2
Kaspersky has noted the first MS Publisher virus to appear in the wild. It will most likely be necessary to include the PUB file extension in scanning routines.
Avarta.A - First Microsoft Publisher Virus appears
http://www.viruslist.com/en/viruses/encyclopedia?virusid=117864
This is the first known virus that infects MS Publisher (*.pub) documents. It is a very simple overwriting virus, written in Visual Basic for Applications (VBA). The virus uses a rather crude replication method - it searches for Publisher documents and copies itself over them, thus destroying their content. Avarta gets the location which it will scan for Publisher documents to infect by opening the registry and fetching the key for the recently used files in Publisher. It sets the macro Security Level in Publisher to Low. This is a common technique in macro viruses.
The Internet Storm Center always provides an excellent in-depth analysis of each security bulletin:
http://www.incidents.org/diary.php?storyid=1257
The county or any governmental agency has a fiduciary responsibility to protect a person's privacy. That is the greater good over even legal requirements to display documents as part of the public records available through the Internet. Hopefully, they can address this issue by blocking all sensitive information that might be part of the document presentation requirements.
Florida's Broward County Posts Residents' Sensitive Data On Public Web Site
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,110389,00.html
QUOTE: APRIL 11, 2006 (COMPUTERWORLD) - The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents of Florida are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on county Web sites.
A Florida state statute that requires county officials to post images of certain official documents online has led to the public exposure of sensitive data on potentially millions of current and former residents in Broward County.
The latest updates have just become available and were successfully installed on my laptop and desktop at work. These include security updates for Windows, Internet Explorer and Office and should be applied by individual users or companies as quickly as possible.
http://www.microsoft.com/technet/security/Bulletin/ms06-Apr.mspx
The ISC featured this site which offers extensive information related to spam based email.
Spamlink - Anti-Spam portal
http://spamlinks.net/
Spamlink Site Map
http://spamlinks.net/sitemap.htm
Spam FAQs
http://spamlinks.net/faqs.htm
Spam Laws
http://spamlinks.net/legal.htm
Spamlinks - Blog
http://spamlinks.net/blog/
The ISC lists several categories for reporting spam to authorities. Folks should always delete spam and never click on URLs to opt out or to look at the offered products or services in detail. For example, an opt-out URL lets spammers know they have a valid address, and your quantity of spam could increase significantly. Also, URLs can always be a source of downloader trojan horses, viruses, spyware, or other forms of attack. The best practice is to line these up in the inbox and delete them.
http://www.incidents.org/diary.php?storyid=1252
Symantec has issued information on MSIL.Letum.A@mm, "a worm written in Microsoft .NET's Microsoft Intermediate Language (MSIL) that can affect both Windows PC and Windows Mobile powered devices that have the .NET framework installed." Trend's analysis for WORM_LETUM.A is here.