May 2007 - Posts
A new version of Firefox has been released and should be applied promptly to address security concerns. Most folks should auto-update without issues (users can also select Help and Check for Updates from the menu bar).
Firefox 2.0.0.4 Released - Security and Improved Vista Support
http://isc.sans.org/diary.html?storyid=2891
What's New in Firefox 2.0.0.4
Release Date: May 30, 2007
http://www.mozilla.com/en-US/firefox/2.0.0.4/releasenotes/
1. Security Update
2. Windows Vista Support: More enhancements and fixes for Windows Vista are included.
3. New Languages: Afrikaans (af) and Belarusian (be) are now available. Beta releases for several new languages are also available for testing.
Security Update: The following security issues have been fixed.
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.4
Fixed in Firefox 2.0.0.4
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4)
First of all, good security ain't solely about operating systems themselves.
It's more about the process itself. You can implement either OS poorly, not keep them updated, etc. You also need more than just the OS alone to be properly protected from the dangers of the Internet.
However, if the right protective processes and best practices are followed, both versions of Windows are fairly secure. If good security management principles aren't followed, neither operating system will ultimately protect the system from "click happy" users.
With that prelude, I disagree with the theme of the article, as Vista clearly has some advantages (e.g., improved kernel protection, improved code base, UAC warning system, etc.). In fact, in the charts it was rated as providing better spyware/adware protection (which is probably the most frequent hidden exposure folks encounter).
Yes, Vista security could have been tweaked a little better (e.g., in my opinion a better bi-directional firewall). Still, on paper its security is at least slightly better than XP's, and thus I respectfully disagree particularly with the "Bottom Line" proposed in the article.
Review: Vista, XP Users Equally At Peril To Viruses, Exploits
http://www.crn.com/software/199701019
QUOTE: After a week of extensive testing, the CRN Test Center found that users of Windows Vista and Windows XP are equally at risk to viruses and exploits and that overall Vista brings only marginal security advantages over XP. One of Microsoft's big promises with Vista was a more secure operating system. But when stripped to the bare bones and thrown into the wild, wild Web, Vista's security failed to impress Test Center engineers.
THE BOTTOM LINE -- Based on the Test Center's findings, businesses that migrate their Windows PCs from XP to Vista will get a slightly more secure OS. But as the Finjan reports showed, Vista's security remains wafer thin.
In the end, both the Vista and the XP test notebooks were almost equally damaged by viruses, trojans and other malware. And because most of the Web sites in the test were able to exploit Vista's weaknesses, Internet users are just about equally vulnerable with both OSes.
VARs can still cite improved security as a selling point for Vista upgrades. Yet to avoid giving customers a false sense of safety, solution providers should stress that third-party security suites also will be needed to provide systems with ample protection.
Most AV vendors only highlight the most prominent new viruses, but they usually have to add dozens of new signatures daily to their detection files. More amazingly, it's something of a miracle that AV software can run at all, let alone efficiently without impacting performance.
AV vendors are always challenged by the growing signature file sizes (e.g., McAfee's has almost doubled in the past 2 years). There is also an occasional need to adjust the scanning engine when new threats emerge in previously safe file types or system areas. As one of my friends recently stated, "AV detection is rocket science."
F-Secure estimates there are over 300,000 viruses
http://www.f-secure.com/weblog/archives/archive-052007.html#00001198
QUOTE: Question: How many viruses or malware exist in general? Can you give me some number? The approximate count is now over 300,000.

The full text of the PCAOB recommendations has been posted at their website. While these are still subject to SEC approval, that action is anticipated with an effective date for implementation around Nov 2007 (effective for fiscal year 2008 from an accounting perspective). The SOX 404 standards are controls and guidelines for automated IT financial systems, required for publicly listed companies.
Sarbanes-Oxley - Announcement of proposed changes for Section 404
http://www.pcaob.org/News_and_Events/News/2007/05-24.aspx
Quote: The adopted standard and related documents are available on the Board’s Web site under Rulemaking Docket 21
Sarbanes-Oxley - Full text of proposed changes for Section 404
http://www.pcaob.org/Rules/Docket_021/index.aspx
Key PDF files (the first two PDFs from the main link above)
PCAOB Release No. 2007-005: An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements and Related Independence Rule and Conforming Amendments (Size=351KB)
http://www.pcaob.org/Rules/Docket_021/2007-05-24_Release_No_2007-005.pdf
SEC Filing Form 19b-4 (Size=42MB - download this huge PDF to your PC rather than viewing with browser)
http://www.pcaob.org/Rules/Docket_021/AS5_19b-4.pdf
I work with Excel spreadsheets often and recently captured the process for pivoting tables. In the past I did it the "hard way", using formulas and even table-matching techniques. The Pivot function is much simpler than using formulas or macros, and works like magic in comparison. The example shared is a simple one to illustrate how to use the Pivot function. With further experimentation, you can easily build upon this example. When there is a lot of detailed information that must be summarized by keys, this will always be my first approach in the future.
Who says you can't teach old dogs new tricks?
Excel - Step by Step instructions on How to Pivot a Table
http://www.excelforum.com/showthread.php?p=1787972#post1787972
Please Download the attached Word Document with Step-by-Step Instructions ... "How to Pivot a Table.doc"
I've used 2 of the 3 sites below for years. I discovered the Internet Health Report site today and bookmarked it as a monitoring resource.
Internet Storm Center - Significant Security Events
http://isc.sans.org/
Internet Health Report - Status of Major Carriers
http://internethealthreport.com/
Internet Traffic Report - Status of Performance by Continent
http://www.internettrafficreport.com/
While this email is most likely not widespread, folks should be cautious of spoofed messages from banks and software vendors. Links in email messages can download hostile malware agents that can be difficult to recover from.


Microsoft Support has something very important to say
http://www.f-secure.com/weblog/archives/archive-052007.html#00001200

QUOTE: A few hours ago we received reports of an important update supposedly coming from Microsoft Support. Since this "update" is not part of the monthly cycle, we were of course suspicious. Looking at the e-mail, our suspicions grew due to the glaring typos and the non-Microsoft domain link.
The sample contained in the link is now detected as Backdoor:W32/VanBot.CA since 2007-05-28_05. Updates are always good, but in this case, keep your virus definitions updated instead.
EICAR is an industry-standard antivirus test file that all AV vendors use for testing purposes. It is harmless. At work, I've used it often in the past to test corporate server and PC systems to ensure AV defenses were working. Vendors not detecting this test file most likely should adjust their systems.
AVERT: Rich Text Malware
http://www.avertlabs.com/research/blog/index.php/2007/05/25/rich-text-malware/
16 of 30 AV vendors detect EICAR encapsulated in Rich Text Files
http://vil.nai.com/images/Blog-%20RTF%20Malware4.JPG
QUOTE: Every single scanner detected the antivirus test file EICAR.COM, but only 16 out of 30 scanners were able to detect it embedded inside a rich text file. In layman’s terms, one could take an already detected malware and embed it inside a rich text file and half the antivirus software on the market would not detect this type of threat. A perfect foil for virus authors to use in phishing and spam runs.
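The AVERT result above comes down to where a scanner looks: a signature match on the bytes as stored never sees content that RTF carries as hex text inside an embedded object. The following is an added example, not code from the AVERT post, showing a scanner that only checks the stored bytes beside one that decodes the `\objdata` groups first. The EICAR string itself is replaced by a constructed placeholder signature, and the RTF document is a constructed test fixture built by `build_rtf_fixture`.

```python
import re

# Constructed stand-in for a known signature. The real EICAR string is deliberately
# not used, so this script is not itself an antivirus test file.
TEST_SIGNATURE = b"CONSTRUCTED-ANTIVIRUS-TEST-SIGNATURE"

# RTF stores embedded OLE objects as hex text inside a {\*\objdata ...} group,
# usually wrapped across many lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def build_rtf_fixture(payload: bytes, text: bytes = b"Quarterly report") -> bytes:
    """Constructed test document: some plain text plus one embedded object whose
    body is the hex-encoded payload, wrapped every 64 hex digits."""
    hexdata = payload.hex().encode("ascii")
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi " + text + b"\\par\n"
            b"{\\object\\objemb{\\*\\objdata\n" + wrapped + b"\n}}\n}")


def raw_scan(data: bytes) -> bool:
    """Signature match on the file bytes exactly as stored.

    Hex text never contains the signature's ASCII bytes, so an embedded object
    is invisible to this check (the behaviour AVERT observed in 14 of 30 engines)."""
    return TEST_SIGNATURE in data


def extract_objdata(data: bytes):
    """Yield the decoded bytes of every \\objdata group, tolerating line wraps
    and a truncated trailing nibble."""
    for match in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # drop a dangling nibble
        if hexstr:
            yield bytes.fromhex(hexstr.decode("ascii"))


def deep_scan(data: bytes) -> bool:
    """Scan the container bytes and every decoded embedded object."""
    if raw_scan(data):
        return True
    return any(TEST_SIGNATURE in blob for blob in extract_objdata(data))


if __name__ == "__main__":
    doc = build_rtf_fixture(TEST_SIGNATURE + b" plus object body")
    print("raw scan :", raw_scan(doc))    # False: hex text hides the signature
    print("deep scan:", deep_scan(doc))   # True: decoded object is inspected
```

The same decode-before-match step applies to any container format (archives, encoded mail parts, OLE streams); a scanner that stops at the outer bytes inherits exactly the gap described in the quote.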
http://www.microsoft.com/technet/technetmag/issues/2007/06/
QUOTE: It's security month again. Learn how User Account Control in Windows Vista protects the machines you manage by limiting the administrator privileges users normally run with. BitLocker Drive Encryption, another Vista feature, adds security as well by providing full volume encryption and the validation of startup components.
Also this month, finally get the tools you need to manage and control the kinds of hardware users install and connect to your network. You may be surprised at the range of security improvements this provides. Plus, read up on the four security must-haves: risk management, anti-malware, network anomaly detection, and configuration monitoring.
Below is part of a recent post in a forum, where a member asked how they might protect themselves better after a major virus or spyware infection created an unbootable system that needed reformatting.
QUOTE: Yes, sometimes advanced spyware or viruses become so ingrained in the Windows registry and startup process that reloading is your only method of recovery. Tools, more secure settings and best practices will help prevent future occurrences. You probably know most of this general advice and I'll share what I see as helpful in protecting against some of the dangers out there:
1. Good AV package (there are certainly good free versions)
2. Good Firewall (bi-directional preferred)
3. Ensure you are using XP SP2 and IE7 (IE 6 has so many unpatched holes)
4. Firefox offers a good complementary browser with very few working exploits in the wild
5. Best practices and avoidance and "thinking security" at all times are probably your best defenses. Avoid all attachments and URLs in emails (plain text mode is also preferable). Be careful in website visitations (avoid all ads and untrusted sites). Think of every spam message as a telemarketing call or door-to-door salesman visiting ... There ain't no free lunches out there.
6. Monitor new developments. You don't have to become a security expert, but when a new risk emerges take the precautions, workarounds, countermeasures, etc. You're welcome to bookmark my Security Blog (link in signature) as I try to share new developments, best practices, etc. from a user standpoint (and there are many other great sites out there as well)
7. You might want to research Anti-Spyware solutions (Counter-Spy, Spysweeper, AVG's version, AdAware, etc.)
8. Ramp up your security services and lock down unneeded services
9. When it comes to email or websites, avoid trusting them too quickly. I like the "No Trust" rule, rather than "Trust but Verify", as top-notch scammers can create authentic looking HTML that appears to come from a bank, Paypal, Microsoft, or other vendors. Call if you have to and validate anything suspicious.
10. Protect your privacy and avoid sharing sensitive info.
11. Use strong passwords and even change them periodically.
12. Stay up-to-date on all Windows patches and security updates for other products
While this is still subject to PCAOB and Congressional approval, passage of the proposed change appears promising according to the article. It's good to see these changes coming to SOX 404.
SEC approves Sarbanes-Oxley changes for section 404
http://www.forbes.com/feeds/ap/2007/05/23/ap3751963.html
http://www.reuters.com/article/ousiv/idUSN2323489520070523
http://www.washingtonpost.com/wp-dyn/content/article/2007/05/23/AR2007052301106.html
QUOTE: The U.S. Securities and Exchange Commission approved new guidance on Wednesday to help companies comply with what critics say is a burdensome and costly provision of the Sarbanes-Oxley corporate reform law. The agency, by a 5-0 vote, encouraged companies to take a more risk-based approach to complying with Section 404 of the legislation.
"Congress never intended that the 404 process should become inflexible, burdensome and wasteful," SEC Chairman Christopher Cox said at the agency's open meeting. Section 404 requires companies to assess their internal controls over financial reporting. It also calls for external auditors to report on management's assessment and on the controls themselves.
Corporations and business lobbyists have complained that Section 404 was too expensive and the SEC has conceded that, in some cases, overly cautious companies caused the law's costs to exceed its benefits.
The new guidance allows managers to identify the highest risks to their books as opposed to forcing them to test a long list of controls. The Public Company Accounting Oversight Board is expected to vote on Thursday in favor of revised guidance for auditors on a risk-based approach when assessing a company's internal controls.
Google has launched a new online security blog that discusses security controls for this major website.
Google's New Online Security Blog
http://googleonlinesecurity.blogspot.com/
Introducing Google's online security efforts
http://googleonlinesecurity.blogspot.com/2007/05/introducing-googles-anti-malware.html
QUOTE: Online security is an important topic for Google, our users, and anyone who uses the Internet. The related issues are complex and dynamic and we've been looking for a way to foster discussion on the topic and keep users informed. Thus, we've started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we'll tackle is malware, which is the subject of our inaugural post.
Opera has just released v9.21 for Windows which corrects a serious security issue. All Opera users should update to the latest version. So far there are no issues in upgrading to the latest version in my own personal testing.
Opera Browser - 9.21 change log
http://www.opera.com/docs/changelogs/windows/921/
Advisory: Malicious torrent files can execute arbitrary code
http://www.opera.com/support/search/view/860/
Opera Torrent File Handling Buffer Overflow Vulnerability
http://secunia.com/advisories/25278/
QUOTE: A vulnerability has been reported in Opera, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the handling of torrent files and can be exploited to cause a buffer overflow when a user right-clicks a malicious torrent entry in the transfer manager. Successful exploitation allows execution of arbitrary code. The vulnerability is reported in versions prior to 9.21 for Windows.
This MSNBC article was informative. While the threat isn't new, web malware has increased in scope to the point where the volume of email viruses has declined in favor of other ways to compromise user security.
Internet Threat - Growth of Infectious Web Pages
http://redtape.msnbc.com/2007/05/the_next_net_th.html
The Ghost In The Browser - Analysis of Web-based Malware
http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
QUOTE: Don't click on attachments? Good. Always keep that firewall turned on? Even better. Stay away from the Internet's unsavory neighborhoods? Better still. Think you are protected? Wrong.
Computer criminals are evolving their tactics to subdue your computer, experts say. Each time you invest more money and time in staying safe, the bad guys just find another way around your defenses. Their newest method may be the trickiest yet: Web pages booby-trapped with infectious computer code.
In the study, Google found 300,000 Web sites laced with such malicious code, and another 700,000 suspicious sites. For perspective, the study found only 18,000 Web sites laced with adware.
So called drive-by downloads are not new, but criminals have seized on the tactic lately because their success rate with traditional e-mail viruses has tapered off thanks to improved software and consumer education. Avoiding e-mail viruses is fairly easy, as long as consumers follow clear rules like "don't click on any attachments." But drive-by downloads are much more sinister, as no user interaction is required beyond opening an infected site in a Web browser.
Corporate and home users should ensure they are using WPA2 for the best levels of wireless security. Otherwise, a "lightly secured" environment can be defeated easily as noted in this article. 

Gone in 120 seconds: cracking Wi-Fi security
http://www.theregister.co.uk/2007/05/15/wep_crack_interview/
QUOTE: WEP is dead - and here's the proof. Cracking the Wi-Fi security protocol WEP is a probability game. The number of packets required to successfully decrypt the key depends on various factors, luck included.
When WEP was compromised in 2001, the attack needed more than five million packets to succeed. During the summer of 2004, a hacker named KoreK published a new WEP attack (called chopper) that reduced by an order of magnitude the number of packets requested, letting people crack keys with hundreds of thousands of packets, instead of millions.
Last month, three researchers, Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann developed a faster attack (based on a cryptanalysis of RC4 by Andreas Klein), that works with ARP packets and just needs 85,000 packets to crack the key with a 95 per cent probability. This means getting the key in less than two minutes.
Based on the CERT, ISC, and other warnings below, the inability of security software to correctly interpret full-width/half-width Unicode characters embedded in HTTP requests could be a serious exposure that several vendors need to patch. So far, there are no known in-the-wild attacks.
Full-Width/Half-Width Unicode Bypasses HTTP Scanning
http://www.kb.cert.org/vuls/id/739224
http://isc.sans.org/diary.html?storyid=2807
http://www.gamasec.net/english/gs07-01.html
http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
http://www.frsirt.com/english/advisories/2007/1803
http://secunia.com/advisories/25285/
What is Unicode?
http://www.unicode.org/standard/WhatIsUnicode.html
QUOTE: The US-Cert has a vulnerability note out that describes how Full-Width and Half-Width Unicode encoding manages to bypass many HTTP content scanning engines (739224). This would allow remote attackers to hide malicious HTTP traffic by encoding it and have it slip happily past your IDS/IPS. This isn't an exploit itself, but allows exploits that would normally be detected (or blocked) to get through your IDS/IPS undetected.
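The bypass described in the vulnerability note works because the signature engine compares against the request text in one form while the server decodes it in another. The following is an added example, not code from US-CERT or any of the vendors above, contrasting a scanner that percent-decodes but never folds Unicode with one that canonicalizes (percent-decode, then NFKC) before matching. The signature set and request targets are constructed for the demonstration; `to_fullwidth` exists only to build those sample requests.

```python
import re
import unicodedata
from urllib.parse import quote, unquote

# Constructed sample signature set; a real IDS/IPS rule set is far larger.
SIGNATURES = {
    "traversal": re.compile(r"\.\./"),
    "script-tag": re.compile(r"<script", re.IGNORECASE),
}


def to_fullwidth(text: str) -> str:
    """Map printable ASCII (U+0021..U+007E) to its full-width form (U+FF01..U+FF5E).

    Used here only to build the constructed sample requests below."""
    return "".join(chr(ord(c) + 0xFEE0) if 0x21 <= ord(c) <= 0x7E else c
                   for c in text)


def canonicalize(request_target: str) -> str:
    """Defender-side canonicalization before signature matching.

    Percent-decode as UTF-8, then apply NFKC compatibility normalization so that
    full-width (and other compatibility) code points fold to their ASCII base
    characters, e.g. U+FF0E FULLWIDTH FULL STOP -> '.'."""
    decoded = unquote(request_target, encoding="utf-8", errors="replace")
    return unicodedata.normalize("NFKC", decoded)


def naive_scan(request_target: str) -> list:
    """Percent-decodes but does no Unicode folding: full-width text slips past."""
    decoded = unquote(request_target, encoding="utf-8", errors="replace")
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def normalized_scan(request_target: str) -> list:
    """Same signatures, applied to the canonicalized request target."""
    folded = canonicalize(request_target)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(folded))


# Constructed sample request targets (not taken from any real capture).
PLAIN = "/search?q=<script>alert(1)</script>"
FULLWIDTH = "/search?q=" + to_fullwidth("<script>alert(1)</script>")
# The same full-width text as a client actually sends it: UTF-8, percent-encoded.
FULLWIDTH_PCT = "/search?q=" + quote(to_fullwidth("<script>alert(1)</script>"), safe="")
TRAVERSAL_FW = "/static/" + to_fullwidth("../../") + "config.ini"

if __name__ == "__main__":
    for target in (PLAIN, FULLWIDTH, FULLWIDTH_PCT, TRAVERSAL_FW):
        print(f"{target!r}")
        print(f"  naive={naive_scan(target)}  normalized={normalized_scan(target)}")
```

The fold has to mirror what the protected server does with the same bytes; an IDS that normalizes more aggressively than the server will raise false positives, one that normalizes less will miss exactly the traffic in the note.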
SPAM emails are simply traps to entice folks to buy items or, worse yet, to take $$$ from folks with nothing in return. Users should treat SPAM email the way they would telemarketing calls or postal mass-marketing mail.
Sometimes spammers give you the option to supposedly "opt out" within the email message. However, can you trust a spammer, whose ethics are already in question, to truly let you opt out? As the sender's email address may be forged (spoofed), your request may not be received. If it does get back to the sender, you might end up confirming your email address as a "clean address" that will be added to many more SPAM databases. Worse yet, SPAM messages are full of adware, spyware, and even viruses.
The best option is to line up all email messages from unexpected senders, and delete them all without opening them.
AVERT Blogs (McAfee) - Unsubscribe getting Worse
http://www.avertlabs.com/research/blog/?p=274
QUOTE: My advice is simple: Never unsubscribe from email you did not specifically request
Each month in the Roanoke area, I have the privilege of attending a Leadership Training series of programs to actively continue my education in leadership skills. It appears that each month, free Podcasts will be offered related to this leadership training series 
Leadership Training - Free Maximum Impact Podcast
http://www.maximumimpact.com/podcast/
QUOTE: Welcome to the new Maximum Impact Podcast! The Maximum Impact Podcast delivers must-have leadership, teamwork, and personal growth content for leaders in any organization, anywhere. Each episode will feature notable leaders from the world of business, education, sports, entertainment, military, government, life-coaching, and profiles of emerging leaders who are making a difference. You'll learn from renowned leadership experts, such as John Wooden, Larry Bossidy, Peter Drucker, John Maxwell, and many others. Become a leader who leads from the heart! Download each month's episode FREE from MaximumImpact.com.
Technical note: after downloading, I had to rename the file to add a .mp3 extension (e.g., from 01-John to 01-John.mp3). Sharing this just in case you can't play the file afterwards.
This informative article offers good advice for recovery and, hopefully, a passing grade later.
Article: How to Recover from Failed Security Audit
http://www.itsecurity.com/features/failing-a-security-audit-050707/
An abbreviated version of the 5 key recovery points is noted below:
QUOTE: The most important result of your audit will be the list of vulnerabilities your auditor discovers. Simply being aware of the specific vulnerabilities facing your company is a good step toward designing a comprehensive security program. Whatever your specific goals and time frame, you'll need to manage the recovery process as you would any company project -- by designing a plan, allocating resources and setting a time frame.
1. Prioritize -- You'll come away from the audit with a lot of data -- and all of it's important, according to Julian. If your auditor hasn't already assigned a risk level, you'll need to sit down and decide what is high risk and what can wait.
2. Assign Recovery Roles -- Decide who will manage each task and hand off the solutions to the appropriate manager or team, whether it's IT, a development group or the management. To make sure that each group follows through, assign a specific individual with responsibilities for specific solutions.
3. Require Status Reports -- Once you've assigned roles, you want to make sure that the project is completed as promised, by a given deadline. Make sure to plan out milestones along the way when certain steps toward the end goal need to be completed.
4. Run Your Own Assessments -- Once you've started repairing any security holes or reconfiguring systems, you can start testing the work you've done. Before you plan a second all-encompassing security audit, you'll want to run automated scans or penetration tests, that focus on specific aspects of your security system to make sure each section is secure.
5. Schedule Another Audit -- ... it's rare for a company to return for a second audit, even if they failed the first. However, companies should have regular assessments.