Security News and Best Practices for corporate and home users
November 2007 - Posts
Minyanville is a neat site that offers stock market and investment tips. These six tips are excellent for avoiding the scam artists who try to take advantage of this busy season.
Holiday Safety Tips - Don't Fall Prey to Holiday Scams http://www.minyanville.com/articles/index/a/14897
QUOTE: The holidays bring good cheer, mistletoe – and scam artists. Holiday scammers play on your trusting nature, desire for a bargain and “urgent need” to update your financial information in their continuing quest to separate you from your money. Keep an eye out for these holiday scams:
1. Avoid E-Card greetings
2. Phony Sign-Up Tables at the mall or other public places offering charge cards
3. Emails requesting "Account information needed"
4. Emails, phone calls, or regular mail claiming "You are the winner"
5. Emails or regular mail claiming that "You are approved for credit cards"
6. Other telemarketing scams
SUMMARY: Just remember what your mother taught you: If it’s too good to be true, it’s a scam. Keep that in mind and no crook will spoil your holiday.
This advice is excellent for better ensuring safety while shopping online during the holidays.
QUOTE:
5 Ways To Increase Safety While Shopping Online
1. Shop from Reliable Retailers. It's wise to do business with companies you already know and trust. If the retailer is unfamiliar, look up information on the company with the Better Business Bureau or the Office of the State Attorney General in the state where the seller is located.
2. Use a Credit Card, Not a Debit Card Online. Credit cards limit your liability for unauthorized charges to $50. You're not assured this protection with a debit card.
3. Ask about Single Use Credit Cards. Some credit card companies use a new technology that allows them to issue a single use credit card number for online purchases. With this number, you avoid having to use your real credit card number online, so security isn't jeopardized.
4. Avoid Buying On Public Computers. A hacker or thief can easily put a keylogger on a public computer that allows him or her to know everything you've typed — including your credit card numbers and passwords. Stay away from public access computers when shopping!
5. Don't Save Your Credit Card Numbers Online. Many reputable sites give you the option to save credit card numbers online to make future purchases easy. However, if the company's database is ever successfully hacked, your information could be exposed. It's safer to re-enter your numbers with each transaction.
Webroot Safe Holiday Shopping Guide - (PDF format, 16 pages, 1.8MB) http://www.webroot.com/pdf/Webroot_HolidayShopping_USA_1107.pdf
I may have spoken too soon, as a new batch of .cn sites is starting to show up, according to Sunbelt.
Internet Search poisoning - 2nd wave could be on the way?
Sunbelt is reporting new seedings of .cn (China) domain websites in Google search results (and these could show up in other search engines as well). The sites are not launching exploit attacks yet, but this could change.
What to avoid: when following links from Internet searches, avoid unusual sites with random letter/number combinations in their names, sites served from numerical IP addresses, and sites whose domain name ends in "cn".
Sunbelt: HEADS UP: More Google poisoning on the way? http://sunbeltblog.blogspot.com/2007/11/heads-up-more-google-poisoning-on-way.html
QUOTE:
Google has removed the sites responsible for the recent massive Google poisoning attack. However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here. Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change.
Good news = Google has filtered these malicious sites out of its indexes
Bad news = These malicious sites are still out there on the Internet
Google fixes malicious redirects to malware sites from its search results
The malicious redirecting sites are still present and folks need to be cautious at all times. The improved filtering should help reduce the likelihood of hostile sites being returned on the 1st few pages of a search.
Google expunges malware sites from search results http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9049820
QUOTE: Google Inc. has purged its index of the thousands of malware sites that wormed their way into results lists for hundreds of legitimate search phrases, researchers confirmed today.
"They look gone to us," said Alex Eckelberry, the CEO of Sunbelt Software, the company that broke the news Monday of a massive, coordinated campaign by attackers to spread malware through search results on Google, Yahoo, Microsoft Live Search and other sites.
Some updates are noted below on this very serious threat: malicious web sites that may be returned by Internet searches (e.g., Google). Numerous malicious pages are being created so that they appear prominently on the first few pages of search results (i.e., ranked high in the order returned by a search), and the malware gang appears to have keyed in on Google's site ranking methodology.
Below is some excellent advice from Sandi on what to avoid:
http://msmvps.com/blogs/spywaresucks/archive/2007/11/27/1359221.aspx
QUOTE: Take a close look at the URLs for the malware links; they are all random collections of letters and numbers, and they're all Chinese domains. Users of Google (and other web search engines) need to pay close attention to the links that are being offered, and avoid anything that just doesn't look right, and certainly avoid 'nonsense' domains like those in the Sunbelt screenshots
Below is the latest update from Sunbelt on this threat:
http://sunbeltblog.blogspot.com/2007/11/malware-redirects-aftermath_27.html
QUOTE: Sunbelt Software has uncovered tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages.
Sunbelt is classifying this particular threat as follows in CounterSpy:
SCAM.IWin Malware Family http://research.sunbelt-software.com/threatdisplay.aspx?name=Scam.Iwin&threatid=43561
QUOTE: Scam.Iwin is created by a browser exploit for the purpose of transmitting false clicks to internet URLs. The victim's computer is used to generate income for the attacker in a pay-per-click affiliate program by transmitting false clicks to the attacker's URLs without the user's knowledge. The infected Scam.Iwin files are not ordinarily visible to the user. The files are executed and run silently in the background when the user starts the computer and/or connects to the internet. Scam.Iwin is thought to be related to CoolWebSearch.
Original post from yesterday:
http://msmvps.com/blogs/harrywaldron/archive/2007/11/27/internet-searches-massive-number-of-redirects-to-malicious-sites.aspx
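As an added example (not code from Sunbelt, Google, Sandi, or this blog), the Python below applies the warning signs described in this post and the earlier "What to avoid" note to a list of search-result links: random letter/number host names, numerical IP addresses, and .cn domains. The thresholds and the sample URLs are assumptions constructed for illustration, not published detection rules or real sites from the campaign.

```python
"""Added example (not code from Sunbelt, Google or this blog): a heuristic
that flags search-result links with numeric-IP hosts, .cn domains, or
'nonsense' host labels of random letters and digits. Thresholds are
assumptions chosen for illustration."""
import ipaddress
from urllib.parse import urlsplit

VOWELS = set("aeiou")
SKIP_LABELS = {"www", "com", "net", "org"}  # structural labels, assumed list


def looks_random(label: str) -> bool:
    """Heuristic: a label mixing letters and digits, or a long label that is
    almost vowel-free, reads like a machine-generated domain name."""
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    if letters and digits and len(label) >= 6:
        return True
    if len(letters) >= 8:
        vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
        return vowel_ratio < 0.2
    return False


def classify_url(url: str) -> list:
    """Return the reasons a search-result URL looks suspicious (empty list
    means no heuristic fired)."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("numeric-ip-host")
    except ValueError:
        pass
    if host.endswith(".cn"):
        reasons.append("cn-tld")
    # Check every label except the TLD for random-looking names.
    for label in host.split(".")[:-1]:
        if label not in SKIP_LABELS and looks_random(label):
            reasons.append("random-label:" + label)
    return reasons


def scan_results(urls: list) -> dict:
    """Map each URL that triggered a heuristic to its list of reasons."""
    flagged = {}
    for url in urls:
        reasons = classify_url(url)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample search results (not real sites from the campaign).
SAMPLE_RESULTS = [
    "http://www.example.com/router-firmware",
    "http://x7k2qz9a.cn/firmware.html",
    "http://192.0.2.10/index.php",
    "http://qwrtbzkxmp.net/",
]
```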
If the "123" extension (Lotus 1-2-3 spreadsheet format) is not in use, it may be worth adding to the email attachment blocking list used by Lotus Notes shops. Workarounds exist for versions 5 and 7, and IBM may have a version 6 fix by the end of the month.
Lotus Notes - vulnerable to attack through "123" extension http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9049439 http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21285600
QUOTE: Sebastián Muñiz from the CORE IMPACT Exploit Writers Team (EWT) at Core Security Technologies contacted IBM® Lotus® to report a potential keyview buffer overflow vulnerability in Lotus Notes® when viewing a Lotus 1-2-3 (.123 extension) file attachment. In specific situations it was found that the possibility exists to execute arbitrary code.
To successfully exploit this vulnerability, an attacker would need to send a specially crafted Lotus 1-2-3 file attachment to users, and the users would then have to double-click and View the attachment.
There are a number of new features and improvements that the next version of SQL Server will provide when it is released in 2008.
MVP Brad McGehee discusses the ins and outs of SQL Server 2008 http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1283694,00.html
QUOTE: With the release of the recent SQL Server 2008 Community Technology Preview, and a final product expected in the second half of 2008, SQL Server MVP Brad McGehee shared some of his insights with SearchWinIT.com on the product's complexity, what's new for IT managers and DBAs and where the database still needs a little work.
Sunbelt posted this cautionary note today, noting that folks should be careful when selecting links provided by an Internet search. One theory is that the seeding comes from malicious links posted in blogs, forums, or other community sources. Given the dangers of email and hostile URLs, it's important for folks to stay as up to date as possible on security patches, AV protection, and old-fashioned common sense.
BREAKING: Massive amounts of malware redirects in searches http://sunbeltblog.blogspot.com/2007...f-malware.html
QUOTE: We’re seeing a large amount of seeded search results which lead to malware sites. These are using common, innocent terms — one researcher landed on a malware site through searching for alternate firmware for a router.
QuickTime, and possibly iTunes, could be affected by malformed RTSP headers in QT media streams. Users should be careful with email attachments and website visits, and watch for any forthcoming QT updates, as Apple will most likely patch this serious vulnerability promptly.
Apple QuickTime and iTunes Critical Vulnerabilities http://secunia.com/advisories/27755/ http://isc.sans.org/diary.html?storyid=3690 http://www.frsirt.com/english/advisories/2007/3984 http://www.kb.cert.org/vuls/id/659761 http://www.f-secure.com/weblog/archives/00001325.html
QUOTE: Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header. This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream. Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability.
ISC UPDATE-1: We have received a report that exploits are now working for Vista, XP, IE6, IE7, and Safari 3.0 on Windows. Keep in mind that other attack vectors may be vulnerable as well.
ISC UPDATE-2: Firefox has been reported as an exploit vector as well.
While these 10 tips shared in an Information Week article require some work, they will help ensure safety both at home and on the road:
Wireless Security - 10 tips to secure your laptop http://www.informationweek.com/news/showArticle.jhtml?articleID=203102748
QUOTE: Whether you're home or on the road, these security steps will help protect you and your computer from wireless scoundrels:
1. Make sure you are connecting to the right network.
2. Secure your connection.
3. Use frequency settings that are different from others
4. Find the strongest signals
5. Turn off your wireless network adapter when you are on the plane
6. Use whole disk encryption on your laptop
7. If you are having trouble connecting to a network, try rebooting Windows
8. Make sure you have a firewall and it is running
9. Pick your hotspot connection and your supplier carefully
10. Finally, don't blithely accept SSL certificates and SSH public keys
I recently received a copy and this is well crafted. The email address is spoofed to appear as if it came from this government agency, and the text related to the company complaint appears to be convincing. As I'm not the proper person this should be addressed to, I was 99% certain this was similar to other recent attacks and avoided any infection.
Email attacks can be both convincing and dangerous. In this case, McAfee DAT protection came a few days after receiving this copy (and they are usually among the 1st of the AV companies providing protection). When any unexpected email message calls for action, it's always beneficial to pause and avoid taking any action. In most cases, an unexpected email of this nature is an attack. When in doubt, verify an email message through a phone call or via the true main web site.
McAfee Information - Keylog-LMtry Trojan http://vil.mcafeesecurity.com/vil/content/v_143577.htm
Washington Post http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html?nav=rss_blog
WebSense Alert http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=822
The following resources are excellent in defining the requirements related to SOX 404 IT controls:
SOX 404 Powerpoint presentation by EKS&H (11 slides, 820KB) selecting this link will download this PPT file http://www.hftpcoloradofrontrange.org/dwnlds/HFTP_SOX_Presentation.ppt
SOX 404 PDF detailed requirements by KPMG (48 pages, 880kb) http://www.kpmg.com/aci/docs/PCAOB_S-O_404_v9.pdf
ISACA - Free PDF version of COBIT 4.0 http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1920
QUOTE: The ISACA is now offering free PDF versions of COBIT 4.0 (plus the older 3.0 standards as well). You'll need to follow the registration process through, and once you become a member you can log in and obtain a PDF copy. There are also additional benefits and documents if you become a paid member of ISACA. Many external audit firms use COBIT standards to ensure SOX 404 requirements are met. This free benefit can help folks get started with key IT standards they may need to implement to safeguard their financial systems.
Please beware of any spam emails that contain Geocities links, as this is the latest Storm worm tactic.
Storm Worm - now uses Geocities based links http://blog.trendmicro.com/storm-brews-over-geocities/
QUOTE: Storm is back, and according to TrendLabs researchers, the infamous malware family has added yet another twist to their tactics. “It looks like Google will have its hands full in the next couple of days,” Senior Threat Researcher Ivan Macalintal says. “There are limited reports that the Storm worm may be spamming emails with links to a Geocities site. This was seen in the monitoring of the spam templates being sent via Storm communications to its botnets.”
This newest chapter in the Storm saga proves that the creators of the said malware are still very much active. Its use of a popular free server like Geocities and disguising itself as a plug-in may mean that they are still looking for more systems to infect.
This article from Government Computer News provides a good high level summary of key features, which include:
- Firewall on by default
- Bitlocker capabilities
- Network Access Protection (NAP)
- Internet Information Server 7 (IIS7)
- Remote management improvements
- Read-only Domain Controllers
- Enhanced authentication in Active Directory environment
GCN Article: Windows Server 2008 provides improved security http://www.gcn.com/online/vol1_no1/45401-1.html
QUOTE: Microsoft Corp. unveiled a significantly more secure server operating system in showcasing its new Windows Server 2008 last week at the Microsoft Windows Server Technical Summit held in Redmond, Wash.
Spam authors continue to craft highly convincing schemes. For example, they can use disposable phones and even spoof the caller-ID display number so that a call appears to come from a bank or credit union. They may ask for highly confidential information (e.g., SSN, bank account, credit card numbers). Finally, if information is revealed, they can use it in identity theft or direct fraud attacks.
The specific attack documented by the Internet Storm Center is one where the email recipient appears to have had their credit card or bank account locked out due to highly unusual activity. If individuals panic and rely on these email messages, the phone call may appear to be legitimate as they provide sensitive details related to their accounts. Later, they may become victims, and it could take weeks or months to straighten these matters out.
If you receive phone numbers in suspicious documents and are unsure, contact the bank or firm directly using the publicly listed phone numbers in the phone directory or at their official websites instead.
Social Engineering Techniques - Don't call phone numbers in spam email http://isc.sans.org/diary.html?storyid=3639
QUOTE: From an awareness point of view to your customers and users:
* not only to teach your users not to follow links in (possible) phishing messages, but to use bookmarked URLs instead
* but to also tell them to use only contact data from a safe location (and especially nothing originating directly or indirectly from the email message itself)
Below is also an excellent site to help validate toll-free numbers where the caller-ID information is listed as Private or Unavailable.
Site listing Suspect Toll Free Phone Numbers http://800notes.com/
News related Toll Free calls http://800notes.com/articles/NewsList.aspx
Best Practices - Toll Free Calls http://800notes.com/articles/ArticleList.aspx
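The ISC advice above (use only contact data from a safe location, never from the message itself) can be turned into a simple mail check. The Python below is an added example, not ISC's or this blog's code: it pulls phone numbers out of a message body, normalizes the common US layouts, and reports any number that is not on a verified contact list. The verified list, the sample lockout message and the 555-01xx numbers are all constructed for illustration.

```python
"""Added illustration (not ISC's or the blog author's code): flag phone
numbers in an e-mail body that are not in a verified contact list, the
'safe location' the ISC diary recommends. The verified list, the message
text and the 555-01xx numbers are constructed for the example."""
import re

# Constructed: numbers copied from the bank's official site / bookmarked page.
VERIFIED_CONTACTS = {"18005550100", "18005550111"}

# Matches US-style numbers with optional country code in several layouts,
# e.g. 1-800-555-0100, (800) 555-0100, 800.555.0100.
PHONE_RE = re.compile(
    r"(?:\+?1[\s.-]?)?\(?\b(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b"
)
TOLL_FREE_PREFIXES = {"800", "888", "877", "866"}


def normalize(area: str, exchange: str, line: str) -> str:
    """Canonical 11-digit form with the leading country code 1."""
    return "1" + area + exchange + line


def extract_numbers(text: str) -> list:
    """All phone numbers found in the text, normalized, in order, no dupes."""
    found = []
    for m in PHONE_RE.finditer(text):
        number = normalize(*m.groups())
        if number not in found:
            found.append(number)
    return found


def unverified_numbers(text: str) -> list:
    """Numbers in the message that do not match the verified contact list;
    these are the ones a reader should never dial straight from the mail."""
    return [n for n in extract_numbers(text) if n not in VERIFIED_CONTACTS]


def is_toll_free(number: str) -> bool:
    """True when the normalized number uses a toll-free area code."""
    return number[1:4] in TOLL_FREE_PREFIXES


# Constructed sample: a lockout notice mixing the bank's real desk number
# with a line the attacker controls.
SAMPLE_EMAIL = (
    "Unusual activity was detected on your account and access is locked. "
    "Call 1-800-555-0199 immediately to verify your identity. "
    "Our customer service desk remains available at (800) 555-0100."
)
```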