November 2006 - Posts
Symantec has published a removal tool for the new Spybot.ACYR worm, which exploits the SYM06-010 vulnerability in the Norton and Symantec anti-virus products themselves (along with several other widely exploited Windows vulnerabilities). Symantec users who have not yet applied the AV updates the vendor released in Spring 2006 should do so now. The removal tool is helpful because Spybot embeds itself in the Windows registry and is difficult to remove manually.
W32.Spybot.ACYR - New Symantec Removal Tool
Microsoft has released an improved version of its WGA anti-piracy tool and encourages all users to move to this latest version. Adjustments have been made based on customer feedback and issues with prior releases (e.g., false positives).
I've applied the new version successfully with no issues so far. This control applies primarily to the Windows XP environment and allows users to upgrade to IE 7, Media Player 11, and other new software releases. The first link below provides the download site for the latest WGA version:
Microsoft releases new WGA version
Microsoft WGA Knowledge Base information
Microsoft WGA Home Page
Computer World Article on New WGA version
QUOTE: This is the most current release of Windows Genuine Advantage Notifications. We encourage you to upgrade to this version. This release includes enhanced features that reflect ongoing input from customers, as well as Microsoft’s continually improving anti-piracy technology.
Specific features of this version include:
* Improved Setup – A new installation wizard provides an overview of the tool, and shows validation results immediately at the end of the installation process. No reboot is required following installation.
* Redesigned User Interface - The system tray notifications have been redesigned to make them more visually appealing with clear links to full details of each message and further options for resolving any problems.
* Improved User Assistance – Improved messaging for users who are unable to complete validation, along with links to more and better self-help tools.
I'm thankful WOODB didn't materialize. If they had exploitable code ready to publish, maybe the vendor took a proactive stance? I firmly believe all POC exploits should always be shared with the vendor in a private manner.
Week of Oracle Data Base Bugs (WOODB) Project Cancelled
QUOTE: Argeniss has cancelled the week of Oracle bugs due to "many problems".
The key point I took from the article is that even with the overlapping standards, you can't rely on SAS 70 meeting SOX 404 compliance needs completely (and vice versa). Additionally, companies that take Information Security seriously shouldn't have too much difficulty with SOX 404. Most likely you're satisfying both sufficiently where there are unique items that aren't in common with both.
QUOTE: To be sure, it's clear that SAS 70 calls for a comprehensive report detailing the design, assessment, and effectiveness of a vendor’s internal controls and how they affect financial reporting for clients of the outsourcing services vendor.
But there are widespread misperceptions about the standard's purpose, particularly about what an audit covers in terms of technology activities, some say. "A SAS 70 is intended to be a service-auditor-to-client auditor communication tool. But some [information technology] people think it affirms privacy and security. It doesn’t," says Everett Johnson, president of the Information Systems Audit and Control Association.
QUOTE: Some bugs have been discovered in Adobe Reader and Adobe Acrobat, which may cause an included ActiveX control to crash.
The bugs are confirmed in Adobe Reader 7.0.5 and 7.0.8 for Windows. They have also been reported in Adobe Reader 7.0.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0.0 through 7.0.8 on the Windows platform. Prior versions may also be affected.
The vendor is currently working on an update for version 7.0.8 for Adobe Reader and Adobe Acrobat.
Solution: The vendor recommends deleting AcroPDF.dll (this workaround will prevent PDF documents from opening in Internet Explorer).
This new IRC-based threat attempts to spread using a number of security exploits, including the SYM06-010 vulnerability recently highlighted by several security sources. Staying up-to-date on all software updates, as well as AV protection, can block all seven of the methods this worm uses to infect vulnerable systems.
SC Magazine Article
W32.Spybot.ACYR - Symantec Description
W32.Spybot variant - McAfee Description
New Botnet impacts Symantec Client Port 2967 on unpatched PCs
W32.Spybot.ACYR - New Symantec Removal Tool (recommended)
Spread by exploiting the following vulnerabilities:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities
Mac OS X Security Update 2006-007
The 2006 edition of this list is available at the following site:
QUOTE: After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don't know where to start”.
QUOTE: Symantec has acknowledged a vulnerability in NetBackup Puredisk, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
I'm seeing significant increases in SPAM activity in both corporate and personal email accounts. Here's hoping some of the proposed actions help.
SPAM Email - EU taking action for major increase at year-end
QUOTE: November 27, 2006 (IDG News Service) -- The European Commission has urged its member states to beef up their efforts to cut spam, spyware and malicious software, after research showed that up to 85 percent of all e-mail received in the European Union is unsolicited.
Better cooperation with enforcement authorities from other countries, including countries outside the Union, is essential to defeat the spammers, the Commission said, noting that the U.S. and the E.U. have agreed to tackle spam through joint enforcement initiatives.
This link provides a good in-depth overview of the new BitLocker facility, designed to offer full hard drive encryption for Vista laptop users:
BitLocker Drive Encryption: Technical Overview
Active Directory Checklist Version 1, Release 1.3 Updated! (posted Nov 21, 2006) Oct 05, 2006
Application Security Checklist Version 2, Release 1.9 Updated! (posted Nov 21, 2006) Nov 24, 2006
Application Services Checklist Version 1, Release 1.1
Sep 21, 2006
Oct 31, 2005
Cisco Router Checklist (Supplement to the Network Checklist V6R4)
Dec 2, 2005
Database Security Checklist, Version 7, Release 2.2 Oct 29, 2006
Defense Switched Network Checklist Version 2, Release 3.2
Nov 24, 2006
Desktop Applications Checklist, Version 2, Release 1.6 Updated! (posted Nov 21, 2006)
Nov 24, 2006
Domain Name System (DNS) Checklist Version 2, Release 2
May 16, 2006
Enclave Checklist Version 3, Release 1.6
ERP STIG Security Application Checklist Jun 2006
Draft Joint Information Assurance Officer Checklist Jan 11, 2006
Joint System Administrator Checklist Jan 11, 2006
Jan 11, 2006
Draft Joint Wireless Administrator Checklist Jan 11, 2006
Juniper Router Checklist (Supplement to the Network Checklist V6R4)
Dec 2, 2005
Keyboard, Video, and Mouse (KVM) Switch Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.2 April 2006
Macintosh OS X Checklist V1R13
Multi-Function Device (MFD) Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.2 April 2006
.NET Framework Security Checklist V1R2
.NET Framework Security Memo
.NET Framework Security Comment Matrix May 2006
Oct 19, 2005
Oct 19, 2005
Network Checklist Version 6, Release 4.4 Jul 21, 2006
Open VMS Security Checklist April 2006
OS/390 Logical Partition Checklist
OS/390 RACF Checklist Version 5, Release 2.1 Updated! (posted Nov 21, 2006)
OS/390 ACF2 Checklist Version 5, Release 2.1 Updated! (posted Nov 21, 2006)
OS/390 Self Assessment Checklist April 2006
OS/390 TSS Checklist Version 5, Release 2.1 Updated! (posted Nov 21, 2006)
Storage Area Network (SAN) Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.3 May 2006
Tandem Checklist V2R1.2
Traditional Basic Checklist
Traditional Common Compliance Validation Checklist
Traditional DISA Checklist
Traditional NIPRNET Compliance Validation Checklist
Traditional SIPRNET Compliance Validation Checklist May 2006
Unisys Checklist Version 7, Release 2
Nov 24, 2006
Universal Serial Bus (USB) Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.2 April 2006
UNIX Security Checklist Version 5, Release 1
Nov 15, 2006
Virtual Machine (VM) Checklist
VMS 6.0 Vulnerability ID to STIG ID Cross Reference April 2006
Voice Over Internet Protocol (VOIP) Checklist V2R2.2
May 19, 2006
Web Server Security Checklist April 2006
Windows 2000 Security Checklist Version 5, Release 1.7 Updated! (posted Nov 21, 2006) Nov 24, 2006
Windows 2003 Checklist Version 5, Release 1.7 Updated! (posted Nov 21, 2006) Nov 24, 2006
Windows NT Security Checklist Version 4, Release 1.21 Jul 28, 2006
Windows XP Security Checklist Version 5, Release 1.7 Updated! (posted Sep 19, 2006) Nov 24, 2006
Wireless Security Checklist Version 4, Release 2.1 Just added(posted Sep 07, 2006) Aug 25, 2006
Wireless Blackberry Security Checklist Version 4, Release 2.1 New! (posted Sep 07, 2006) Aug 25, 2006
Kaspersky Labs documents how people can pay malicious individuals in the Internet underworld a fee to attack a site of their choosing. Alternatively, Internet sites can be held hostage by DDoS attackers until a ransom payment is made.
November 25, 2006 "Saturday Morning Specials"
QUOTE: If you are wondering, the cost to DDoS a website can range between $100 and several thousand US Dollars. For www.viruslist.com it would be around $3000 per day.
Apparently, there are even special discounts for "DDoS multiple sites" packs - "buy two, DDoS the third for free!". They even offer different methods to DDoS a website - for instance, syn flood or heavy traffic. This is because some ISPs charge by traffic, and several hundred GBs of extra traffic can cost the website owner a lot more than the DDoS attack.
Faced with a massive DDoS attack, many companies simply remove their websites from the net until the attack is over. Others pay up the ransom, if there is one. The best thing to do is to work with the ISP and companies specializing in blocking DDoS attacks. Please don't pay the ransom, it only encourages the bad guys to carry on.
There appears to be active exploitation of an issue patched by Symantec back in May 2006.
New Botnet impacts Symantec Client Port 2967
Symantec Client Security and Symantec AntiVirus Elevation of Privilege
QUOTE: We've received reports of a massive new outbreak of bots exploiting the Symantec Client Security and Antivirus escalation of privilege vulnerability. ("new" implying the outbreak, not the vulnerability.)
F-Secure notes a significant number of new variants spammed to avoid AV detection. Be careful with all SPAM and unsolicited email messages:
QUOTE: We've been busy with the latest spam runs of the Warezov family over the last hours. We've added detection for the following variants, and there are probably more on the way:
This update adds the recently enacted DST rule changes to the Windows XP, 2000, and 2003 time zone data; Vista Gold appears to include them already. The update must be downloaded and applied manually, as it is not delivered through Windows Update. Users who don't apply it will have to adjust their clocks manually to accommodate the new DST rules.
Windows Time Zone Update - New Daylight Savings Time Rules
QUOTE: Starting in the spring of 2007, daylight saving time (DST) start and end dates for the United States will transition to comply with the Energy Policy Act of 2005. DST dates in the United States will start three weeks earlier (2:00 A.M. on the second Sunday in March) and will end one week later (2:00 A.M. on the first Sunday in November).
The update that this article describes changes the time zone data to account for the United States DST change. This time zone update will also include changes for other related DST changes, time zone behavior, and settings. Some of these changes will occur in 2007, and some have occurred since these versions of Windows were originally released.
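To make the rule change concrete, here is an added example (not Microsoft's code) that computes the transition dates under the old rules and the 2007 rules quoted above, and flags the days on which a host whose time zone data was never updated would show the wrong hour:

```python
"""Added example (not Microsoft's code): compute the US DST transition dates
under the pre-2007 rules (first Sunday in April to last Sunday in October)
and the Energy Policy Act of 2005 rules quoted above (second Sunday in March
to first Sunday in November), then flag the days on which a host whose time
zone data was never updated would show the wrong hour."""
import datetime as dt

SUNDAY = 6  # date.weekday(): Monday == 0 ... Sunday == 6


def nth_sunday(year: int, month: int, n: int) -> dt.date:
    """The n-th Sunday of a month (n == 1 is the first)."""
    first = dt.date(year, month, 1)
    days_to_sunday = (SUNDAY - first.weekday()) % 7
    return first + dt.timedelta(days=days_to_sunday + 7 * (n - 1))


def last_sunday(year: int, month: int) -> dt.date:
    """The last Sunday of a month, found by stepping back from month end."""
    if month == 12:
        month_end = dt.date(year, 12, 31)
    else:
        month_end = dt.date(year, month + 1, 1) - dt.timedelta(days=1)
    return month_end - dt.timedelta(days=(month_end.weekday() - SUNDAY) % 7)


def dst_window_old(year: int):
    """DST start/end dates under the rules in effect through 2006."""
    return nth_sunday(year, 4, 1), last_sunday(year, 10)


def dst_window_new(year: int):
    """DST start/end dates under the 2007 rules quoted above."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def clock_error_hours(day_iso: str) -> int:
    """Hours an un-updated host is off on the given day (YYYY-MM-DD).

    Both rule sets switch at 2:00 A.M. local time, so at whole-day
    resolution DST is treated as in effect from the start date up to but
    not including the end date. The host is wrong by one hour exactly when
    the old and new rules disagree about whether DST is in effect."""
    day = dt.date.fromisoformat(day_iso)
    old_start, old_end = dst_window_old(day.year)
    new_start, new_end = dst_window_new(day.year)
    old_dst = old_start <= day < old_end
    new_dst = new_start <= day < new_end
    return int(old_dst != new_dst)
```

For 2007 the disagreement windows are March 11 through March 31 and October 28 through November 3, which is when an unpatched XP/2000/2003 host shows the wrong hour.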
This new vulnerability could be exploited as part of a phishing attack; however, there are no reports so far of it being exploited in the wild.
QUOTE: The vulnerability is caused due to the Password Manager not properly checking the URL before automatically filling in saved user credentials into forms. This may be exploited to steal user credentials via malicious forms in the same domain.
WORKAROUND: Disable the "Remember passwords for sites" option in the preferences.
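As an added illustration (not Mozilla's Password Manager code), the following models the autofill decision the advisory describes: the weak check fills saved credentials into any form on the same domain, while the hardened check also requires the form's submission target to share the exact origin the credentials were saved for. The credential record, host names and URLs are constructed for the example.

```python
"""Added example, not Mozilla's code: a model of the autofill decision the
advisory above describes. The weak check fills saved credentials into any
form on the same domain; the hardened check also requires that the form's
submission target share the exact origin the credentials were saved for.
The credential record and URLs below are constructed for illustration."""
from urllib.parse import urljoin, urlparse

# Constructed sample: a password saved on an HTTPS login page.
SAVED = {"origin": "https://login.example.test", "user": "alice"}


def origin(url: str) -> str:
    """Scheme, lower-cased host and explicit port; empty if not http(s)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return ""
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname.lower()}{port}"


def base_domain(host: str) -> str:
    """Crude 'same domain' test: last two DNS labels (illustration only)."""
    return ".".join(host.lower().split(".")[-2:])


def weak_should_fill(page_url: str, form_action: str, saved: dict) -> bool:
    """The flaw in the advisory: only the page's domain is compared and the
    form action is ignored, so a user-controlled page on another host of the
    same domain, or a form posting elsewhere, still receives the password."""
    page_host = urlparse(page_url).hostname or ""
    saved_host = urlparse(saved["origin"]).hostname or ""
    return base_domain(page_host) == base_domain(saved_host)


def hardened_should_fill(page_url: str, form_action: str, saved: dict) -> bool:
    """Fill only when the page origin and the resolved form action origin
    both equal the origin the credentials were saved for."""
    target = urljoin(page_url, form_action) if form_action else page_url
    return origin(page_url) == saved["origin"] == origin(target)
```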