Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

March 2007 - Posts

W32.Grum - Pretends to be IE 7 Download

AV Vendors are starting to add protection:

W32.Grum - Pretends to be IE 7 Download
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015142
http://www.sophos.com/security/analyses/w32gruma.html
http://www.f-secure.com/v-descs/trojan-proxy_w32_grum_a.shtml

ANI based Trojans - Exploit Windows Animated Cursor handling

New trojans have surfaced that exploit a vulnerability in how Windows handles animated cursor (.ANI) files, a file type that malware has rarely used in the past. Corporate admins should add ANI to their email attachment blocking lists, keeping in mind that Windows recognises these files by their contents rather than their extension, so extension blocking alone is a weak control and gateway filters should also inspect content.

Users should be cautious with all HTML based email (use plain text if possible) and should visit only trusted, mainstream websites, since a malicious cursor can be referenced from a web page or HTML email. Successful exploitation lets the attacker run code with the privileges of the logged-on user; the trojans seen so far use it to download and install additional malware on the infected system.
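Because the cursor loader keys on file contents, a mail or web gateway should recognise ANI data by its RIFF/ACON signature rather than by name. The following Python is an added example (my own code, not anything from the advisories linked below): it identifies ANI content by signature, walks the RIFF chunk tree, and flags the structural oddities a hardened loader would refuse. The rule that an anih chunk must be exactly 36 bytes is my own conservative choice based on the documented ANIHEADER structure (nine 32-bit fields); the sample files are constructed in the block and are not real malware.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields


def _chunk(tag, payload):
    """Wrap a payload in a RIFF chunk header (tag, little-endian size, word padding)."""
    data = tag + struct.pack("<I", len(payload)) + payload
    if len(payload) % 2:
        data += b"\x00"
    return data


def _build_ani(anih_payload, extra=b""):
    """Assemble a RIFF/ACON container: form type, anih chunk, then any extra chunks."""
    body = b"ACON" + _chunk(b"anih", anih_payload) + extra
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (not real malware): a well-formed single-frame cursor ...
_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 32, 1, 1, 1)
GOOD_ANI = _build_ani(_ANIH)
# ... the same file with a second, oversized anih chunk appended ...
BAD_ANI = _build_ani(_ANIH, extra=_chunk(b"anih", b"A" * 200))
# ... and a file whose chunk header promises more bytes than are present.
TRUNCATED_ANI = GOOD_ANI[:40]


def is_ani(data):
    """Recognise ANI content by its RIFF/ACON signature, whatever the file is named."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def _walk(data, start, end, depth=0):
    """Yield (tag, declared_size, overruns_container) per chunk, descending into LISTs."""
    pos = start
    while pos + 8 <= end:
        tag = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = pos + 8
        if size > end - payload:
            yield tag, size, True   # declared size runs past the enclosing container
            return
        yield tag, size, False
        if tag == b"LIST" and size >= 4 and depth < 4:
            yield from _walk(data, payload + 4, payload + size, depth + 1)
        pos = payload + size + (size & 1)


def check_ani(data):
    """Return a list of structural findings; an empty list means the file looks sane."""
    if not is_ani(data):
        return ["not an ANI file"]
    riff_len = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_len)
    findings, anih_seen = [], 0
    for tag, size, overrun in _walk(data, 12, end):
        if overrun:
            findings.append("chunk %r declares %d bytes, more than remain in the file" % (tag, size))
            break
        if tag == b"anih":
            anih_seen += 1
            if size != ANIH_SIZE:
                findings.append("anih chunk #%d has size %d, expected %d" % (anih_seen, size, ANIH_SIZE))
    if anih_seen > 1:
        findings.append("%d anih chunks present, expected 1" % anih_seen)
    return findings
```

Run check_ani over every attachment and every image-like HTTP response body that is_ani() recognises, regardless of the declared extension or Content-Type; anything with findings should be quarantined rather than passed to a client that has not yet received the fix.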

Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling

http://www.microsoft.com/technet/security/advisory/935423.mspx

Other Security Advisories
http://secunia.com/advisories/24659/
http://www.frsirt.com/english/advisories/2007/1151
http://www.avertlabs.com/research/blog/?p=230
http://www.avertlabs.com/research/blog/?p=233
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/
http://research.eeye.com/html/alerts/zeroday/20070328.html
http://www.us-cert.gov/current/current_activity.html#WINANI
http://www.kb.cert.org/vuls/id/191609

AV Vendors
http://vil.nai.com/vil/content/v_141860.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAV
http://www.sophos.com/sl/va/security/analyses/trojanimoou.html
http://www.f-secure.com/v-descs/exploit_w32_ani_c.shtml

TJX Security Breach may impact 46,000,000 customers?

In one of the most significant security breaches ever, millions of individuals could be impacted by stolen credit card information.

TJX Intruder had retailer's encryption key
http://www.eweek.com/article2/0,1895,2109299,00.asp

QUOTE: The massive data breach at $16 billion retailer TJX involved someone apparently armed with the chain's encryption key, but it might not have been needed as the cyber-thief was accessing data during the card-approval process before it was encrypted.

These are among the latest details in what is almost certainly the worst retail data breach ever. In a 10-K filing to the federal SEC (Securities & Exchange Commission), TJX said it didn't know who the intruders were, but it did provide more details about what they say happened that led to the card information of some 46 million consumers to get into unauthorized hands.

Additional Links
http://www.eweek.com/article2/0,1895,2106322,00.asp
http://www.eweek.com/article2/0,1895,2104200,00.asp

MS07-009: ADODB ActiveX based Exploit Code
Most companies and home users should already have applied the MS07-009 patch; anyone who hasn't should do so quickly in light of this recent development.

http://www.us-cert.gov/current/current_activity.html#ADODBActiveX

QUOTE:

US-CERT is aware of publicly available exploit code for a vulnerability in the Microsoft ADODB.Connection ActiveX Control. The vulnerability in the ADODB.Connection ActiveX object causes memory corruption, and may allow a remote, unauthenticated attacker to cause Internet Explorer to crash or potentially execute arbitrary code.

More information about this vulnerability can be found in the following:
  • Vulnerability Note VU#589272- ADODB.Connection ActiveX control memory corruption vulnerability
  • Microsoft Security Bulletin MS07-009

US-CERT recommends the following actions to help mitigate the security risks:

MOMBY - Month of MySpace Bugs or April Fool's Joke?

Some tech writers speculate this might be a practical joke, but it could also be a legitimate campaign. If it turns out to be real, all MySpace users should track developments carefully during April 2007.

Up next: Month of MySpace bugs
http://blogs.zdnet.com/security/?p=127

QUOTE: The month-of-bugs phenomenon is showing no signs of slowing down. Next up: MySpace. During the month of April, hackers plan to expose security vulnerabilities in the popular social networking portal. The idea behind the planned Month of MySpace Bugs, according to the organizers, is to publish "silly XSS/misleading CSS style bugs" that affect MySpace user pages.

Kim Komando: Prepare now for MySpace bugs
http://www.komando.com/tips/index.aspx?id=3097

QUOTE: How secure is MySpace? It appears as if we are about to find out! The "month of bugs" trend continues with the recently announced MOMBY (Month of MySpace Bugs, Yuss!). Scheduled for April, MOMBY follows similar projects such as the Month of Apple Bugs.

MOMBY: a place for bugs (Official Tracking Site)
http://momby.livejournal.com/

QUOTE: The purpose of the exercise is not so much to expose Myspace as a hive of spam and villainy (since everyone knows that already), but to highlight the monoculture-style danger of extremely popular websites populated by users of various levels of sophistication. We could have just as easily gone after Google or Yahoo or MSN or ZDNet or whatever.

Month of MySpace Bugs: April Fools?
http://news.com.com/2061-10789_3-6168655.html

QUOTE: It appears that the effort is meant mostly to poke fun at the previous "Month of" campaigns that focused on browser, Apple and kernel bugs. "Months of Bugs are whiny, attention-seeking ploys for acceptance," "Mondo Armando" and "Mustaschio" wrote. Oh, when is the MySpace campaign starting? "Were you not paying attention? April 1, 2007

Gozi Trojan - Targets Internet Explorer Vulnerabilities even in SSL mode

There is limited information from AV vendors so far, but several excellent write-ups on the threat itself are noted below. The trojan hooks the Winsock2 interface and captures form data before SSL encrypts it, so on an infected machine even a connection to a trusted server shows the padlock yet still leaks credentials. Users should be careful in all aspects of Internet access (e.g., email, IM, websites, etc.).

CERT: Gozi Trojan Targets Microsoft Internet Explorer Vulnerabilities
http://www.us-cert.gov/current/current_activity.html#gozi

QUOTE: The Trojan is reportedly spread via IE browser exploits and has primarily targeted infected home computers.  While new and sophisticated exploits can be difficult to defend against, US-CERT encourages users to take the following preventative measures to help mitigate browser-based security risks:

- Install anti-virus software, and keep its virus signature files up-to-date.
- Review the Securing Your Web Browser document.


Secure Works - Excellent In-Depth Analysis
http://www.secureworks.com/research/threats/gozi/?threat=gozi

QUOTE: A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.

- Steals SSL data using advanced Winsock2 functionality
- State-of-the-art, modularized trojan code
- Spread through IE browser exploits
- Undetected for weeks, months by many AV vendors
- Customized server/database code to collect sensitive data
- Customer interface for on-line purchases of stolen data
- Accounts compromised by stealing data primarily from infected home PCs
- Accounts at top financial, retail, health care, and government services affected
- Data's black market value at least $2 million

Additional Articles:

ISC: Gozi Trojan Steals SSL Encrypted Data for Fun and Profit
http://isc.sans.org/diary.html?storyid=2498

Russian (Gozi) Trojan powering massive ID-theft ring
http://blogs.zdnet.com/security/?p=133

Gozi Trojan Data Up For Sale Using Webmoney
http://digitalmoneyworld.com/gozi-trojan-data-up-for-sale-using-webmoney/

Google Links
http://www.google.com/search?hl=en&q=gozi+trojan

New Anti-Spyware Coalition Formed

Home
http://www.antispywarecoalition.org/

Documents (Best Practices)
http://www.antispywarecoalition.org/documents/index.htm

FAQ
http://www.antispywarecoalition.org/about/FAQ.html

Members
http://www.antispywarecoalition.org/about/index.htm

Current ASC Members
Aluria Software , an Earthlink company
AhnLab
AOL
Berkman Center for Internet & Society, Harvard Law School
Bit9
Blue Coat Systems
Canadian Coalition Against Unsolicited Commercial Email
US Coalition Against Unsolicited Commercial Email
Canadian Internet Policy and Public Interest Clinic
Center for Democracy & Technology
CNET Networks
Computer Associates
Dell, Inc.
Eset
F-Secure Corporation
Google
Grisoft
HP
ICSA Labs
Internet Education Foundation
ISS
Lavasoft
McAfee Inc.
Mi5 Networks
Microsoft
National Center for Victims of Crime
National Cyber Security Alliance
National Network to End Domestic Violence
Panda Software
PC Tools
Radialpoint
Safer-Networking Ltd.
Samuelson Law, Technology & Public Policy Clinic at Boalt Hall, UC Berkeley School of Law
Sana Security
Shavlik Technologies
Sophos
Spamhaus
Sunbelt Software
SurfControl
Symantec
Tenebril
Trend Micro
Webroot Software
Websense
Yahoo! Inc.

Mozilla Firefox 2.0.0.3 security release to fix FTP issues
There is a security weakness in Firefox's FTP handling that the Mozilla developers addressed promptly. Most installations should pick up the fix through auto-update.

http://www.mozilla.com/en-US/firefox/2.0.0.3/releasenotes/
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.3
http://www.mozilla.org/security/announce/2007/mfsa2007-11.html
http://blogs.zdnet.com/security/?p=132
http://www.frsirt.com/english/advisories/2007/1034

National Computer Shutdown Day - March 24th

In the "what will they think of next" column ... March 24th (Saturday) is supposed to be a day without computers.

National Computer Shutdown Day - March 24th
http://www.eweek.com/article2/0,1759,2105644,00.asp

QUOTE: "Tach it up, tach it up, buddy gonna shut you down," crooned the Kitty, Beach Boys-like, when he heard that March 24 has been designated Shutdown Day 2007 by the folks at shutdownday.org. The global experiment hopes to see if people can function without their computers for one day. "Of course, it has to be a Saturday—why couldn't it be a work day?" laughed the lazy Lynx.

Cisco IP Phone 7940/7960 Denial of Service Vulnerability

Cisco phone users should apply the relevant firmware update to prevent a remotely triggered reboot, which is a denial of service against the phone. So far, there are no known exploits of this in the wild. This one was of interest as I use a 7961 at work.

Cisco IP Phone 7940/7960 Denial of Service Vulnerability
http://secunia.com/advisories/24600/
http://www.frsirt.com/english/advisories/2007/1023

QUOTE: A vulnerability has been reported in Cisco IP Phone 7940 and 7960, which can be exploited by malicious people to cause a DoS (Denial of Service).  The vulnerability is caused due to an error within the handling of certain SIP INVITE messages. This can be exploited to reboot the device by sending a specially crafted INVITE message with a malformed "sipURI" field of the Remote-Party-ID. The vulnerability is reported in devices running firmware POS3-07-4-00.
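Since the trigger is a malformed URI in the Remote-Party-ID header of an INVITE, a call manager or session border controller in front of the phones can refuse such requests before they reach unpatched firmware. The Python below is an added example (my own code, not Cisco's, and not the specific malformed message from the advisory, which the advisory does not publish): it accepts a conservative subset of the RFC 3261 name-addr grammar for Remote-Party-ID and drops anything else. The length limits, the allowed host character set and the sample INVITE are this example's own choices.

```python
import re

# Conservative subset of the RFC 3261 name-addr / SIP-URI grammar. The bounds
# (255-byte URI, 64-byte user part, 253-byte host) are this example's own choices.
_URI_RE = re.compile(
    r"^sips?:(?:[A-Za-z0-9.\-_+!~*'()%]{1,64}@)?"              # optional user part
    r"[A-Za-z0-9.\-]{1,253}(?::\d{1,5})?"                       # host (name or IPv4) and port
    r"(?:;[A-Za-z0-9\-]{1,32}(?:=[A-Za-z0-9.\-_]{1,64})?)*$"    # uri-parameters
)
_NAME_ADDR_RE = re.compile(
    r'^(?:"[^"\\]{0,64}"|[A-Za-z0-9 .\-_]{0,64})?\s*'             # optional display name
    r"<([^<>\s]{1,255})>"                                         # bracketed URI (captured)
    r"(?:\s*;[A-Za-z0-9\-]{1,32}(?:=[A-Za-z0-9.\-_]{1,64})?)*\s*$"  # header parameters
)


def parse_headers(msg):
    """Split a SIP message into its start line and a list of (lowercased name, value)."""
    head = msg.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and headers:            # folded continuation line
            name, val = headers[-1]
            headers[-1] = (name, val + " " + line.strip())
            continue
        name, sep, val = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), val.strip()))
    return lines[0], headers


def check_remote_party_id(value):
    """Return None if the header value is acceptable, else a short reason."""
    if any(not 0x20 <= ord(c) <= 0x7e for c in value):
        return "non-printable characters in Remote-Party-ID"
    m = _NAME_ADDR_RE.match(value)
    if not m:
        return "Remote-Party-ID is not a well-formed name-addr"
    uri = m.group(1)
    if not _URI_RE.match(uri):
        return "Remote-Party-ID URI rejected: %r" % uri
    return None


def screen_invite(msg):
    """Decide whether to forward a request to the phone: (allowed, reason)."""
    try:
        start, headers = parse_headers(msg)
    except ValueError as e:
        return False, str(e)
    if not start.startswith("INVITE "):
        return True, "not an INVITE"        # only INVITE is screened here
    for name, val in headers:
        if name == "remote-party-id":
            problem = check_remote_party_id(val)
            if problem:
                return False, problem
    return True, "ok"


def build_invite(rpid):
    """Constructed sample INVITE carrying the given Remote-Party-ID value (not a capture)."""
    return ("INVITE sip:1001@10.0.0.20 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
            "From: \"Alice\" <sip:alice@10.0.0.5>;tag=1928301774\r\n"
            "To: <sip:1001@10.0.0.20>\r\n"
            "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
            "CSeq: 314159 INVITE\r\n"
            "Remote-Party-ID: " + rpid + "\r\n"
            "Content-Length: 0\r\n\r\n")


GOOD_INVITE = build_invite('"Alice" <sip:alice@10.0.0.5>;party=calling;privacy=off')
```

Screening of this kind is a stopgap that belongs on the call manager or SBC, where a rejected INVITE costs a log line rather than a rebooted handset; the real fix is the firmware update.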

New QuickTime exploit hits MySpace, steals passwords

Users should ensure they are on the latest version of QuickTime and always be careful with email, IMs, and websites.

New QuickTime exploit hits MySpace, steals passwords
http://www.f-secure.com/weblog/archives/archive-032007.html#00001144
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9013702

QUOTE: March 19, 2007  (Computerworld) -- A Trojan horse exploiting a flaw in Apple Inc.'s QuickTime that was patched two weeks ago is infecting MySpace.com users' computers, collecting confidential information, including passwords, several security companies said today. The attack is reminiscent of one late last year that plagued MySpace users and forced the popular social networking site to shut down hundreds of profiles.

Bill Gates 2007 Microsoft MVP Global Summit speech published
http://www.microsoft.com/presspass/exec/billg/speeches/2007/03-13MVPSummit.mspx

VideoCach - New Adware agent uses Rootkit Techniques

The use of rootkit techniques by adware continues to grow, making detection and removal more difficult.

VideoCach - New Adware agent uses Rootkit Techniques
http://www.pandasoftware.com/about/press/viewNews.htm?noticia=8337
http://www.pandasoftware.com/com/virus_info/encyclopedia/overview.aspx?idvirus=153672

QUOTE: PandaLabs has detected the appearance of VideoCach, a new adware specimen. This malicious code is designed to fraudulently promote certain security applications. This adware includes the novelty of using rootkit techniques. Rootkits are programs designed to hide files or processes running on a computer. This makes malicious code that use rootkit techniques more difficult to detect.

Internet Explorer 7 Cross-Site Scripting Vulnerability

Secunia has created a test page for this new weakness, which could be used in phishing attacks. It requires the user to click the "Refresh the page" link on IE7's navigation-cancelled page; the attacker's content is then displayed under a spoofed address bar, so the user sees a legitimate site's address while looking at the attacker's page.

Internet Explorer 7 Cross-Site Scripting Vulnerability
http://secunia.com/advisories/24535/
http://www.frsirt.com/english/advisories/2007/0946

QUOTE: A weakness has been identified in Microsoft Internet Explorer 7, which could be exploited by malicious websites to conduct spoofing or phishing attacks. This issue is due to an input validation error in the resource page "res://ieframe.dll/navcancl.htm" when generating the "Refresh the page" link in order to reload a site, which could be exploited by attackers to spoof the displayed address bar by tricking a user into clicking on the "Refresh the page" link while visiting a malicious web page.
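The advisory describes the class of bug (a requested URL reflected into a generated link without validation) but not the exact injection string. The following Python is an added example of that general pattern, my own code and not Microsoft's navcancl.htm: a link builder that interpolates the requested URL raw, beside one that restricts the scheme and escapes the value as an attribute, plus a small parser-based audit that shows what a browser would actually render from each. The page text and the two payloads are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

CANCEL_TEXT = '<p>Navigation to the webpage was canceled.</p>'   # constructed stand-in
ALLOWED_SCHEMES = ("http", "https")

# Constructed payloads: one breaks out of the attribute, one abuses the scheme.
PAYLOAD_MARKUP = 'http://example.com/"><script>alert(1)</script><a href="'
PAYLOAD_SCHEME = "javascript:alert(document.cookie)"


def vulnerable_navcancel(requested_url):
    """Interpolates the requested URL straight into markup, so URL text becomes HTML."""
    return CANCEL_TEXT + '<a href="' + requested_url + '">Refresh the page</a>'


def hardened_navcancel(requested_url):
    """Only links back to plain web URLs, and escapes the value as an attribute."""
    parts = urlsplit(requested_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return CANCEL_TEXT                      # no link at all for anything else
    safe = html.escape(requested_url, quote=True)
    return CANCEL_TEXT + '<a href="' + safe + '">Refresh the page</a>'


class _TagCollector(HTMLParser):
    """Records start tags and their (already unescaped) attributes in document order."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def audit_page(page):
    """Parse the page as a browser would and report what the generated link really does."""
    p = _TagCollector()
    p.feed(page)
    names = [t for t, _ in p.tags]
    hrefs = [a.get("href", "") for t, a in p.tags if t == "a"]
    return {
        "tags": names,
        "extra_markup": names not in (["p"], ["p", "a"]),
        "script_href": any(h.strip().lower().startswith("javascript:") for h in hrefs),
        "hrefs": hrefs,
    }
```

The audit is deliberately parser-based rather than a string search: the question is not whether the output contains suspicious characters but whether the browser ends up with more elements, or a different link target, than the template intended.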

JS/Shake - Creates an earthquake effect for Internet Explorer

This new trojan has an unusual visual effect once a user is infected, after which the browser is sent to a site serving adverts and popups.

JS/Shake - Creates an  earthquake effect for Internet Explorer
http://vil.mcafeesecurity.com/vil/content/v_124353.htm

QUOTE: JS/Shake is a trojan which invokes your Internet browser and shakes the browser window side to side for a few seconds and then stops. It will then connect to a Russian website which contains adverts and popups.

Operation Spamalot - SEC takes action against Stock spammers
Probably most of us have received those annoying stock spam messages telling us to hurry up and buy, so we can make a 10-fold return on our investment. The SEC has now suspended trading in 35 companies (most likely those participating directly in these schemes). The practice hasn't ended, as I personally received more of these today, but this type of action might reduce the overall volume of such messages.

Operation Spamalot - SEC takes action against Stock spammers
http://www.avertlabs.com/research/blog/?p=217
http://www.sec.gov/news/press/2007/2007-34.htm

QUOTE:

The Securities and Exchange Commission (SEC) announced in a press release on March 8 that it has suspended trading in securities of 35 pink sheet companies that have been the subject of recent stock spam campaigns.  Stock spam has increased in volume in recent times and now represents a significant percentage of what we see each day. In 2006 alone we saw more than 300 different stocks being spammed. 

New Daylight Savings Time (DST) Changes - It works for me

The only DST issue to report is related to synchronizing "my biological clock" with the new time.

Still, it's nice having an extra hour of daylight in the evenings.

Yesterday, my XP system at home had no time-related issues, as the DST patch worked properly. I also accepted a special DST patch for my BlackBerry PDA, and within 10 minutes it was properly synchronized with the new time.

Today at work both of my XP systems had the correct time, as expected. I even tested my token-based RSA SecurID access and it's synchronizing with the secure server environment fine. While I'm sure we have a few issues to resolve, it appears that our network administrators did an excellent job overall in preparing for this important change.

Below are related DST articles shared by the Internet Storm Center handlers. While there were some issues, the industry most likely came through this change much better than predicted, thanks to network and security administrators taking the change seriously and patching in advance:

http://isc.sans.org/

2007-03-12 Kevin Hong MS DST Patch issue(?)
2007-03-11 Deborah Hale Reports of Daylight Saving Time Change Problems
2007-03-11 Deborah Hale Daylight Saving Time Change Problem With APC
2007-03-11 Deborah Hale Daylight Saving Time Change Problem With Symantec Backup Exec 10d and 10.1
2007-03-11 Deborah Hale Daylight Saving Time Change Problem With CISCO Phones
2007-03-11 Deborah Hale Daylight Saving Time Change Issues Continue To Roll In
2007-03-11 Deborah Hale Daylight Saving Time Change Problem With Watchguard Fireware 8.3.1 and Watchguard System Manager 8.3.1
2007-03-11 Deborah Hale A DST Reminder

Michelangelo - An Introduction to virus protection 15 years ago

As an IT professional I've worked with PCs since 1981, after working on a large corporate project to introduce this new technology in our company.  I used PCs on daily basis in supporting our corporate users for the next 10 years.  Security issues and viruses were rare and unheard of by most users.

Then in 1991, the Michelangelo virus was discovered and analyzed. It was a highly destructive boot sector virus: its payload overwrote the beginning of the hard disk, including the master boot record, leaving the drive's contents inaccessible. The payload was triggered on March 6th of each year (the birth date of Michelangelo, the great artist).

This hidden danger was discovered because some PCs were set with an incorrect date and triggered the virus early. The technical and mainstream media forecast major impacts (as the Wikipedia link below notes, there were even claims of over one million infections).

In our own company, we took precautions and purchased copies of early AV software.  Our technicians then scanned PCs throughout our company and some copies were found and cleaned in advance.  We only lost 1 PC that I was aware of and we came through this event fine.

Worldwide, around 20,000 PCs were lost, but this one virus was a turning point in history. A major initiative to improve PC security followed, as the dangers and costs associated with highly destructive viruses were realized from this one event.

AVERT Blogs: Michelangelo Virus turns 15
http://www.avertlabs.com/research/blog/?p=214

QUOTE: In 1991, in Australia, Roger Riordan from Cybec discovered a new variant of the Stoned virus. The new threat was a boot sector virus, which infected the hard disk’s master boot record and the floppy disk boot sector. When researchers discovered that the virus contained a destructive payload triggering on the 6th of March each year, it gained the name Michelangelo. (The Italian Renaissance artist was born on March 6, 1475.)

Before Michelangelo, viruses were usually discreet and confined to the antivirus-specialist world. In March 1992, however, this virus changed the way the world looked at malware. With this newcomer, viruses really came into the public eye.

Michelangelo - Virus Details
http://en.wikipedia.org/wiki/Michelangelo_(virus)
http://www.answers.com/topic/michelangelo-computer-virus 

PC World - The 50 most important people on the web

http://www.pcworld.com/printable/article/id,129301/printable.html

QUOTE: So who's making the biggest impact online? We considered hundreds of the Web's most noteworthy power brokers, bloggers, brainiacs, and entrepreneurs to figure out whose contributions are shaping the way we use the Web. We whittled the list down to the top 50--well, actually the top 62--people, but as you'll see, there are some you just can't separate 


Month of PHP bugs launched

Month of PHP bugs launched
http://articles.techrepublic.com.com/2100-1009_11-6163822.html

QUOTE: A security researcher has kicked off a project to put the spotlight on flaws in the widely used PHP scripting language.

The initiative, dubbed "Month of PHP Bugs," started on Thursday. Five vulnerabilities have so far been disclosed, several of which could allow a system running PHP to be compromised, according to the project Web site.

"This initiative is an effort to improve the security of PHP," Stefan Esser, a noted PHP security expert, wrote on the project Web site. The bug releases will focus on vulnerabilities in the PHP core, not on problems in the PHP language that might result in insecure PHP applications, he wrote.

PHP, which originally stood for Personal Home Page, is a popular scripting language used to create dynamic Web pages. Applications written in PHP accounted for 43 percent of the total vulnerabilities reported in 2006, according to a tally by Security Focus, a security news Web site.
