June 2007 - Posts
Please process any e-card carefully, and treat it as unsafe if no named sender is specified. Never click on URLs whose host is a numerical IP address, as malware can be automatically downloaded and installed from such sites. Nuwar (aka Storm Worm) is very difficult to clean.
The wave continues - Subject line variation
QUOTE: In a followup to our previous story about the e-card exploit, we have received an unconfirmed report from one of our readers that the subject lines have begun to change. At this point in time, the reader has reported to us the following variations:
You've received [a|n] [greeting|] [postcard|ecard] from a [admirer|class-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school-mate|worshipper]!
Example of the new Storm Worm variant from my in-box ... Please do not click on the numerical IP addresses found in the URL, or you will get a malware infection that is very difficult to clean.
ISC: Riding out yet Another Storm Wave
EXAMPLE OF COPY BLOCKED FROM IN-BOX
From: "americangreetings.com" [REMOVED]
Subject: You've received a postcard from a family member!
Date: Thu, 28 Jun 2007 20:40:01 -0700
Your family member has sent you an ecard from americangreetings.com.
Send free ecards from americangreetings.com with your choice of colors, words and music.
Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your computer or take a print.
To view your ecard, choose from any of the following options:
Click on the following Internet address or copy & paste it into your browser's address box.
Copy & paste the ecard number in the "View Your Card" box at
Your ecard number is ee7c634591933434671c16a2e59b1
PDFs are being used to bypass anti-spam and anti-virus detection. I'm seeing stock-related PDF spam daily; users should avoid opening any untrusted email, attachments, or URLs.
PDF Spam Outbreak
QUOTE: A large “pump-and-dump” stock spam campaign is underway, but rather than including the content of the spam in an image file, this campaign includes the spam content within a .PDF file. The stock spam is believed to be sent from Stration infected computers, as this spam campaign closely followed a new W32/Stration worm mass-mailing which contained a number of .PDF files, and Stration has been associated with pump and dump spam in the past.
ISC - Pump and dump scams now in PDF
QUOTE: Apparently the groups behind what we know as pump and dump spam have found a new way to bypass spam filters. As of yesterday, we’ve been observing e-mails with bogus text, often in German, each with a PDF attached. These PDFs purport to be stock information, and are usually titled ‘German Stock Insider’. They contain much more detail on stock than we’re used to from previous dump and pump scams and include images for added realism.
Kaspersky - Warezov.iq downloader includes PDFs
QUOTE: Earlier today we intercepted a number of mailings with a new Warezov downloader. The good news is that it's already detected as Email-Worm.Win32.Warezov.pk, which we added to our database two days ago. What's interesting about the mails is that along with the usual executable (which in this case is called "access.exe") the messages have a couple of PDFs attached.
Unfortunately, spam-based email continues to increase worldwide.
An exploit for one of the vulnerabilities fixed in the June 2007 Microsoft security updates has been found in the wild on a website. This is an example of why users should apply patches promptly when they are released on the second Tuesday of each month.
MS07-033: Internet Explorer based Exploit found in the wild
QUOTE: Symantec identified a website exploiting a bug from the June Microsoft patches, specifically the Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability.
This virus family can generate significant volumes of spam with URLs that can automatically download and install malware.
ISC: Riding out yet Another Storm Wave http://isc.sans.org/diary.html?storyid=3063
QUOTE: Sadly you won't need a surf board for this one. Just to give you a heads up, there is a new round of emails with malicious links that is making its way to the inbox of many folks. If you haven't gotten one yet, just give it time.
VERY LIMITED PROTECTION: AV vendors are still adding detection for this new variant.
SAMPLE OF EMAIL MESSAGE
Subject: You've received a postcard from a family member!
Message: may contain the following text, with hostile URLs:
Click on the following Internet address or copy & paste it into your browser's address box. <URL removed>
Copy & paste the ecard number in the "View Your Card" box at <URL removed>
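Both Storm Worm posts above describe the same two signals: a templated subject line and a link whose host is a bare numerical IP address rather than the greeting-card vendor the message claims to come from. The following Python turns those signals into a mail-filter check. It is an added example, not code from the ISC diary or from this blog; the subject regex is built from the variations ISC reported, and the two sample messages are constructed (192.0.2.0/24 is a documentation address range, not a real Storm host).

```python
"""Flag Storm Worm (Nuwar) e-card lures from the signals in the posts above:
a templated subject line, and links whose host is a bare IP address or does
not belong to the greeting-card vendor the message claims to come from."""
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlparse

# Subject template reported to ISC, expanded into a regex:
# You've received [a|n] [greeting|] [postcard|ecard] from a <sender>!
_SENDERS = ("admirer", "class-mate", "colleague", "family member", "friend",
            "mate", "neighbor", "neighbour", "partner", "school friend",
            "school mate", "school-mate", "worshipper")
SUBJECT_RE = re.compile(
    r"^You've received an? (?:greeting )?(?:postcard|e-?card) from a (?:%s)!$"
    % "|".join(re.escape(s) for s in _SENDERS),
    re.IGNORECASE,
)
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
# First domain-looking token in the From header; the lure above puts the
# spoofed vendor domain in the display name: From: "americangreetings.com" <...>
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.IGNORECASE)


def is_storm_subject(subject):
    return SUBJECT_RE.match(subject.strip()) is not None


def host_is_ip_literal(host):
    """True for links like http://192.0.2.10/... (IPv4, or bracketed IPv6)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def _text_of(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() in ("text/plain", "text/html"))


def assess(raw_message):
    """Return {'suspicious': bool, 'reasons': [...]} for one RFC 822 message."""
    msg = message_from_string(raw_message)
    claimed = DOMAIN_RE.search(msg.get("From", ""))
    claimed = claimed.group(1).lower() if claimed else None
    reasons = []
    if is_storm_subject(msg.get("Subject", "")):
        reasons.append("subject matches the Storm e-card template")
    for url in URL_RE.findall(_text_of(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host_is_ip_literal(host):
            reasons.append("link host is a bare IP address: %s" % url)
        elif claimed and host != claimed and not host.endswith("." + claimed):
            reasons.append("link host %s does not match claimed sender %s" % (host, claimed))
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (not real captured mail); 192.0.2.0/24 is reserved for documentation.
LURE = """From: "americangreetings.com" <cards@example.net>
Subject: You've received a postcard from a family member!
Content-Type: text/plain

Your family member has sent you an ecard from americangreetings.com.
Click on the following Internet address or copy & paste it into your browser's address box.
http://192.0.2.10/?ee7c634591933434671c16a2e59b1
"""

LEGIT = """From: Cards <cards@americangreetings.com>
Subject: Your ecard from americangreetings.com is ready
Content-Type: text/plain

View it at http://www.americangreetings.com/view?id=12345
"""

if __name__ == "__main__":
    for name, sample in (("LURE", LURE), ("LEGIT", LEGIT)):
        print(name, assess(sample))
```

The sender-domain comparison is deliberately loose (display name or address, whichever comes first) because the lures spoof the vendor in the display name while the real envelope sender varies; the bare-IP test is the signal that holds across all the variants reported.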
Below are both positive and negative security speculations regarding Apple's new iPhone. Until this product emerges with more details, it's too early to truly evaluate its security in either the home or the corporate environment.
Any popular wireless device with Internet access and built-in data storage could become a target. In personally beta testing Apple's new Safari for Windows browser, I have seen them fix security issues expediently. Hopefully, a secure architecture has been designed into these new devices.
Still, folks purchasing this device should "think security" (and I'm hopeful that Apple has done that as well in its design). We should know more next week.
The pros and cons of iPhone security
Overall, Mehta thinks the iPhone's security will be better than other smart phones on the market, and he credits the lack of a software developer kit (SDK) from Apple as a definite positive. The absence of an SDK will make writing malware much more challenging, he said, and inexperienced criminals will be scared off. "It doesn't make it impossible," Mehta said, "just harder." Mehta thinks the iPhone will attract a more sophisticated criminal who's attracted to the challenge of hacking a complex system. Also, with Symbian OS-enabled phones currently occupying 40 to 50 percent of the world market, most petty thieves will still be drawn to the lower-hanging fruit.
Analysts: iPhone Has Neither Security nor Relevance
The iPhone won't go on sale until June 29. Up until now, and probably until it hits retail shelves, Apple has given next to nil information regarding the security features its first smart phone will have, making security analysis little better than conjecture. The few pieces of security background analysts have to go on include these tidbits: 1) The iPhone will run on Mac OS X and 2) the iPhone will run Apple's Safari browser.
Is The iPhone Insecure?
The iPhone is capable of many of the same smart phone applications as business devices like Research In Motion's BlackBerries. But unlike BlackBerries, Storms says, iPhones are unlikely to have a remote "lock and wipe" function that erases the device's data in the event that it's lost. The phone will use an operating system and a Web browser that have already been available in some form for years, so hackers will have a head start in finding entry points to exploit even before the phone is released. And the iPhone's "closed" operating system makes it impossible to install protection software from security companies like McAfee or Symantec.
The iPhone - Our new Security Nightmare
Questions for Apple regarding the iPhone:
Is data encrypted while in transit?
Is data encrypted on the device?
Is data encrypted on removable memory?
Is data removed if the device hasn't checked in centrally, hasn't received a policy update within a time window or if battery power is too low?
Is there S/MIME support?
Is there PGP support?
Are there electromagnetic analysis countermeasures?
Are there DRM applications? (Ability to read, but not forward data)
Is there user authentication by means of password, passphrase or smart card?
Does the device automatically lock and require authentication to unlock?
Are the encryption keys stored on the devices and are they also encrypted?
Do the network devices have firewalls?
Are the network interfaces disabled by default, and does the user have the ability to disable them at will?
Is there the ability to remotely lock and disable the device?
Is there the ability to remotely wipe and backup data?
Is there the ability to centrally develop and enforce policy settings?
Is there centralized reporting of all device events - calls made, data transferred, usage statistics?
I use Excel extensively at work. About a month ago, I discovered this free forum that allows you to ask questions and get answers from experts. I've learned so much recently that previously laborious research and financial reconciliation in Excel have been made much easier and more enjoyable (e.g., Pivot Tables, advanced formulas, table matching, etc.).
The Forum posts are also mapped to the microsoft.public.excel.* newsgroups
This new threat requires the popular Japanese archive utility Lhaca to be installed, so that the LZH extension is associated with the vulnerable application. The extension may need to be added to attachment blocking lists where pertinent.
LhDropper - uses LZH archive file extension
QUOTE: Trojan.Lhdropper is a Trojan horse that drops malicious files by exploiting a vulnerability in Lhaca, a freeware application that can compress and decompress LZH archive files.
I liked this new set of security guidelines recently shared in the DSL forums. This is educational and provides an excellent set of best practices for home users.
This may not have involved sensitive content, but any compromise of a sensitive site should still be investigated and prevented from recurring.
Pentagon e-mail system hacked
QUOTE: A hacker infiltrated the e-mail system at the Pentagon, forcing Defense Department officials to take about 1,500 unclassified e-mail accounts offline this week.
Users should be careful with any of these file types found in email (or potentially posted on an untrusted website). The virus is an executable that prepends itself to each file it infects, potentially damaging dozens or even hundreds of files on the hard drive. Please be careful with all attachments and stay up-to-date on AV protection. McAfee, Microsoft, Kaspersky, Panda, Sophos, and others have protection now.
W32/Zaflen.a - Infects DOC, RTF, JPG, GIF, and PNG files
QUOTE: This detection is for a parasitic file infector, which infects the files with extensions "doc, rtf, jpg, gif and png" by prepending itself to these files. This also uses a mass mailing component for spreading via e-mail. It searches all drives for these file types and changes the icon of the infected files to M.S.Word icon and the extension to scr or exe. It also appends 35 bytes to the end of file along with the extension of the original file.
Aliases: Worm.Win32.VB.gr (Kaspersky) Worm:Win32/Zaflen.A@mm (Microsoft) W32.SillyFDC (Symantec) W32/Nedro.C.worm (Panda) W32/Lovelet-AD (Sophos)
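Because this infector prepends itself to the document or image rather than overwriting it, the original content is still present after the executable stub and can be found and carved back out. The following Python is an added example of that triage, not from McAfee, Symantec or this blog. The 35-byte trailer mentioned in the description is not documented in detail here, so the sample trailer is constructed and the carver relies on the PNG and JPEG end-of-file markers (not on the trailer layout) to cut the original free; the "infected" sample is a stand-in built inline, not a real Zaflen file.

```python
"""Triage for Zaflen-style prepending infectors: the malicious executable is
written in front of the original DOC/RTF/JPG/GIF/PNG, so a file that starts
with an MZ header but still contains one of those signatures is a candidate,
and the original can be carved back out from that offset."""
import struct
import zlib

SIGNATURES = {
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound document
    "rtf": b"{\\rtf",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Formats with an unambiguous end-of-file marker; carving stops there, which also
# drops whatever the infector appended after the original content.
END_MARKERS = {"png": b"IEND\xaeB`\x82", "jpg": b"\xff\xd9"}


def find_prepended_original(data):
    """Return (ext, offset) of the earliest original-file signature located
    after the leading MZ header, or None when the file does not look infected."""
    if not data.startswith(b"MZ"):
        return None
    best = None
    for ext, sig in SIGNATURES.items():
        off = data.find(sig, 2)  # skip the MZ header itself
        if off != -1 and (best is None or off < best[1]):
            best = (ext, off)
    return best


def carve_original(data):
    """Return (ext, bytes) of the embedded original, or None."""
    hit = find_prepended_original(data)
    if hit is None:
        return None
    ext, off = hit
    payload = data[off:]
    marker = END_MARKERS.get(ext)
    if marker is not None:
        end = payload.rfind(marker)
        if end != -1:
            payload = payload[:end + len(marker)]
    return ext, payload


def looks_like_zaflen(filename, data):
    """Infected files are renamed to .scr or .exe (keeping a Word icon);
    combine that with the embedded-signature check."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return ext in ("scr", "exe") and find_prepended_original(data) is not None


# --- constructed test data (not a real Zaflen sample) ---
def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

MINIMAL_PNG = (SIGNATURES["png"]
               + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
               + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
               + _png_chunk(b"IEND", b""))
FAKE_STUB = b"MZ" + b"\x90" * 0x100      # stand-in for the prepended executable, not a real PE
FAKE_TRAILER = b"\x00" * 31 + b".png"   # assumed layout; the real 35-byte trailer is not documented here
INFECTED = FAKE_STUB + MINIMAL_PNG + FAKE_TRAILER

if __name__ == "__main__":
    print(find_prepended_original(INFECTED))
    ext, blob = carve_original(INFECTED)
    print(ext, len(blob), blob == MINIMAL_PNG)
```

For DOC, RTF and GIF no reliable end marker is used here, so the carved bytes for those types include the appended trailer; inspect and trim the tail by hand before trusting the recovered file.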
This list of questions comprehensively examines the HIPAA controls used to safeguard the confidentiality of patient medical records. It also provides an excellent checklist for any company to inspect its own controls, whether or not it is in the health care industry. Many of these questions are common to general IT control reviews or SOX audits as well.
HIPAA audit: The 42 questions HHS might ask
QUOTE: June 19, 2007 (Computerworld) -- In March, Atlanta's Piedmont Hospital became the first institution in the country to be audited for compliance with the security rules of the Health Insurance Portability and Accountability Act (HIPAA). The audit was conducted by the office of the inspector general at the U.S. Department of Health and Human Service (HHS) and is being seen by some in the health care industry as a precursor of similar audits to come at other institutions.
PART ONE - HIPAA AUDIT QUESTIONS
1. Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
2. Emergency access to electronic information systems.
3. Inactive computer sessions (periods of inactivity).
4. Recording and examining activity in information systems that contain or use ePHI.
5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
6. Employee violations (sanctions).
7. Electronically transmitting ePHI.
8. Preventing, detecting, containing and correcting security violations (incident reports).
9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
12. Physical access to electronic information systems and the facility in which they are housed.
13. Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?).
14. Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
15. Internet usage.
16. Wireless security (transmission and usage).
17. Firewalls, routers and switches.
18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
19. Terminating an electronic session and encrypting and decrypting ePHI.
20. Transmitting ePHI.
21. Password and server configurations.
22. Anti-virus software.
23. Network remote access.
24. Computer patch management.
PART TWO - HIPAA AUDIT QUESTIONS
1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
2. Please provide a list of terminated employees.
3. Please provide a list of all new hires.
4. Please provide a list of encryption mechanisms use for ePHI.
5. Please provide a list of authentication methods used to identify users authorized to access ePHI.
6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
8. Please provide organizational charts that include names and titles for the management information system and information system security departments.
9. Please provide entity wide security program plans (e.g System Security Plan).
10. Please provide a list of all users with access to ePHI data. Please identify each user's access rights and privileges.
11. Please provide a list of systems administrators, backup operators and users.
12. Please include a list of antivirus servers, installed, including their versions.
13. Please provide a list of software used to manage and control access to the Internet.
14. Please provide the antivirus software used for desktop and other devices, including their versions.
15. Please provide a list of users with remote access capabilities.
16. Please provide a list of database security requirements and settings.
17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.
Numerous web site attacks have occurred, particularly in Europe. Web site administrators should ensure their security and infrastructure software is up-to-date and lock down PHP security appropriately.
Massive MPACK Compromise
QUOTE: MPACK is a tool that was first discovered in December of 2006 by Panda Labs. It's a PHP-based application designed to run on a server. With it come several different exploits (you can buy new ones to add on) which can be used to compromise a user's system based on what they are running. There are different methods to get a user to access the compromised server. One of the more popular methods being used right now is an IFRAME. Websites are compromised and IFRAMES are placed on the sites pointing to the MPACK server. Another interesting characteristic of this tool is the fact it has a database backend. Right now it's being reported by Websense that there are over 10,000 compromised systems all with IFRAMES pointing to the MPACK server.
For more information:
WebSense - Shows chart of countries impacted
Panda Labs - Analysis of Current Attacks
Panda Labs - DETAILED REPORT (28 Pages - PDF)
McAfee Detection of MPACK hacking tool
QUOTE: MPack is a Web Attack Tool which we are seeing deployed in the wild on a few web servers. This tool is an application designed to serve malicious content to users accessing compromised websites. We have seen several thousand website URLs that are compromised and have a hidden IFRAME inserted to redirect unsuspecting users to a malicious site hosting the MPack toolkit. The toolkit stores statistical information like Geo Location, Browser Type and Operating System info relating to users accessing bait websites.
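Both reports above describe the same injection: a hidden IFRAME added to a legitimate page that sends the visitor to the MPack server. A site administrator can sweep their own pages for that pattern. The following Python is an added example, not Websense, Panda or McAfee tooling; it flags iframes that are sized to a pixel or less, hidden by inline style, or whose source host is a bare IP address or outside the site's own domain. The sample page is constructed, with 192.0.2.20 standing in for an attacker host.

```python
"""Find injected hidden IFRAMEs of the kind used to funnel visitors of a
compromised site to an MPack server: frames sized to 0/1 pixel, hidden by
style, or pointing at a bare IP address / foreign host."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # html.parser lower-cases tag names
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """'1', '1px', ' 0 ' -> int; anything else (e.g. '100%') -> None."""
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def _style_hidden(style):
    s = re.sub(r"\s+", "", style.lower())
    # crude substring test; 'width:0' also catches 'min-width:0', acceptable for triage
    return any(t in s for t in ("display:none", "visibility:hidden", "width:0", "height:0"))


def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def suspicious_iframes(html, site_domain):
    """Return a list of {'src', 'reasons'} for iframes worth a second look."""
    parser = _IframeCollector()
    parser.feed(html)
    site_domain = site_domain.lower()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("near-zero size")
        if _style_hidden(attrs.get("style", "")):
            reasons.append("hidden via style")
        if host and _is_ip(host):
            reasons.append("src host is a bare IP address")
        elif host and host != site_domain and not host.endswith("." + site_domain):
            reasons.append("off-site src host %s" % host)
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed page (not a real capture): two legitimate frames and one injected one.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/videos/embed.html" width="640" height="360"></iframe>
<iframe src="http://maps.example.org/embed?q=office" width="400" height="300"></iframe>
<p>Thanks for visiting.</p>
<iframe src="http://192.0.2.20/index.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_PAGE, "example.org"):
        print(f)
```

Run it over every HTML and PHP template the web server serves, not just the home page; the reports above note that the IFRAME is inserted into already-compromised sites, so a hit also means the server itself needs to be cleaned and patched, not just the page.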
Numerous tips on functionality and security can be found in this 10 page article:
Infoweek Vista Guide Chapter 15 - How to use Internet Explorer 7
The ISC is reporting that executives are being singled out and sent email with malicious objects embedded in Word documents. While AV scanners can detect these, a narrowly targeted attack may be well tested by the senders to ensure it gets past AV software. Additionally, many companies may not be blocking either ZIP or DOC attachments.
Corporate executives will always pay attention to any "official looking" email from the IRS, Better Business Bureau, Federal Trade Commission, etc. Such well-crafted social-engineering attacks are not yet prevalent in the wild, but they are a growing concern. The main goal could be to gain confidential information or passwords, or even to scam the company.
All untrusted documents and web links must be avoided. Malware authors can copy genuine HTML from a real website (or email) and create a document that appears authentic in every respect. Sometimes they can't spell, and that's a clue, but lately many items I've seen are very official looking.
PERSONAL EXAMPLE: I recently received in my bulk mail filters a Hallmark greeting card invitation that was so authentic that I felt it was truly a congratulatory e-card from a friend. Having developed web pages for over a decade, I explored the underlying code. Everything was genuine, except for the main link, which pointed to a numerical IP address. There was also a malicious POSTCARD.EXE downloader trojan horse as part of the web address. I closed out of the HTML edit session and browser and deleted this one immediately.
RECOMMENDATION: As a counter-measure, everyone should cross-check email messages claiming to be from the IRS, government authorities, banks, credit card agencies, stockbrokers, billing entities, software vendors, etc. directly by phone or another independent channel. Never take action on an email message alone, and always be very careful to avoid any attachment or web link in an unexpected or suspicious document.
Corporate Executives targeted in Focused Security Attacks
QUOTE: This is another word “document” with a malicious embedded object similar to the BBB, IRS, FTC and other targeted trojan “documents”. A word of caution: Do NOT open strange documents or run untrusted binaries on a machine you don’t wish to format and reinstall the OS on!
QUOTE: HOUSTON - Two Russian cosmonauts began to get crucial computers up and running Friday, four days after the machines crashed at the international space station and curbed the outpost’s ability to orient itself and produce oxygen. The progress came after days of frustrating effort and, for the time being, removed a set of troubling options lying ahead for NASA and the Russian space agency if the computers continued to fail. “They’re up and operational, and this is good news for all,” said Lynette Madison, a NASA spokeswoman in Houston.
Meanwhile, U.S. spacewalkers resolved another concern by stapling down a bent-back corner of the shuttle Atlantis' thermal protection blanket — a gap that NASA feared would cause problems during the shuttle's atmospheric re-entry next week.
Security issues were found with Apple's Safari beta for Windows, when it was released earlier this week. A new release has emerged, as Apple expediently resolved these issues.
Now that security has improved, I took this new Windows browser for a test drive. I found the rendering speed to be excellent and only ran into some minor UI customization issues. I found it to be stable under Windows XP SP2. It can also co-exist with IE, Firefox, and Opera, as a complementary tool and without conflict. Overall this new beta release appears to be off to a good start.
Apple Safari Beta v3.0.1 for Windows released to fix security issues
QUOTE: Apple Inc. took just three days to update the beta of its Safari browser for Windows, releasing a new version that patches three vulnerabilities. Safari 3.0.1 fixed three flaws in the Windows beta.
Apple's Download Site
I use the Office 2003 family of products extensively (e.g., including Project, Visio, FrontPage, etc.). While I've been interested in Office 2007, I've not had an opportunity to test it for myself yet. In the Excel forums, a user asked about Excel 2007 based on the chart below. I'm sharing the total response to point out that folks should not use just one article to either buy or refrain from software upgrades. They should instead review many evaluations, examine whether there are true benefits in moving to the next product, and most importantly test it before deciding if there are business benefits.
ORIGINAL POST: I have read some information that really scares me. It seems that Excel 2003 is still superior to Excel 2007. The comparison table is here:
What do you think about it?
REPLY: Hi - First of all thanks for sharing, as I found some of the comparisons informative
Some brief comments:
1. While much of this appears and may be accurate, I'd suggest not using just one article (or a 1 page chart in this case) to evaluate a product. Maybe some of the reviews found in this quick search might offer differing opinions. I've certainly read some positive reviews also. I'd suggest searching PC Magazine, PC World, ZDnet, CNET, and other sites for a more comprehensive review than just a 1 page generalized chart. These links might help in your research:
PC Magazine - Evaluation of Office 2007
PC World - Top 20 products of 2006
Office 2007 receives most innovative product of the year award
PC World - Evaluation of Office 2007
PC World - Evaluation of each product in Office 2007
2. The vendor which did the comparison is selling add-in products which may be helpful. Still, they may even be selling something that Office 2007 now covers? I think many of their factual comments are okay, but when they use terms like "some users report ..." I'm not certain if it's one, dozens, hundreds, etc. Their product may even work with Office 2007 and I'm not suspecting a hidden agenda either. Still much of the review is slanted with no positive aspects for Office 2007 at all -- and thus that raises suspicions.
3. Personally, I'm most likely to stay with Office 2003 Pro for a while at work. As an IT professional, I need to be compatible with the rest of my company (even though you can save to older formats in Office 2007). Still, on the other hand, if I could switch to Office 2007 I'd jump at the opportunity. I'd probably do so just for the learning experience and based on favorable reviews I've read elsewhere (even though I know I could get by with Office 2003).
4. As I've shared in Point #3, a company should perform due diligence in certification testing of their more complex Excel applications, so that they have assurances of compatibility with VBA or macro based code. If there are no driving business reasons to move to Office 2007, then they should enjoy at least a few more years of good support under Office 2003.
5. Companies definitely need to move away from O/2000 and Office XP as these older versions are either no longer supported or near end-of-life. I'd recommend folks moving to at least Office 2003 as their standard Microsoft based Office suite.
I had read some favorable reviews on the speed and functionality, while seeing commentary that it was buggy in some areas and needed a little work on the User Interface. Still, I may wait until an improved version surfaces to test out, as a number of security issues surfaced in the first day of its release. All these security issues were proof-of-concept and were most likely not circulating in the wild at this point.
Apple's new Safari for Windows Browser Beta - Early security issues
My favorite type of breaking news ...
FBI - Operation Bot Roast
QUOTE: As a result of Operation Bot Roast, an ongoing and coordinated initiative to disrupt and dismantle these bot-herders, we’ve identified about 1 million computers across the country that have been compromised.
F-Secure: Operation Bot Roast
QUOTE: US Federal Bureau of Investigation (FBI) had launched an operation called Bot Roast that aims to disrupt botnet activities. This is a result of the growing botnet threat that results in more security issues such as information theft, fraud, and email scams. This ongoing operation had already charged several individuals with cyber crimes and had identified about a million compromised machines in the US alone.
FBI Takes Down Cyber Hijackers
ABC News has learned the FBI is targeting a small number of suspected hackers who allegedly took over thousands of personal computers secretly and used them to steal identities and send out massive amounts of spy and spam ware.
The FBI says they have identified 1 million computer addresses that have been affected. It's called "botnetting" -- where criminals turn other people's computers into servers and then use them for illicit activity.
The FBI plans to use its victim assistance program to contact the many victims who have had their computers hijacked. "The majority of victims are not even aware that their computer has been compromised or their personal information exploited," said FBI Assistant Director James Finch of the Cyber Division.