November 2007 - Posts
This is shared in the interest of showing that you can never be too careful, even with a brand new hard drive from the factory.
Seagate - A few Maxtor 3200 hard drives may contain a virus
QUOTE: Seagate is warning that a "small number" of its Maxtor Basics Personal Storage 3200 hard drives recently shipped with the Virus.Win32.AutoRun.ah virus, malicious software that "searches for passwords for online games and sends them to a server located in China," according to a note posted on the Seagate Web site. Only drives purchased since August 2007 are affected, Seagate said. The hard drive maker is blaming an unnamed subcontractor, located in China, for the problem.
Below is an interesting commentary related to the SOX regulatory requirements which are imposed on all publicly traded companies in the United States. While I personally feel there have been many benefits, SOX has been costly. Some of the requirements have also at times been difficult to interpret (e.g., SOX 404), which has exacerbated the overall cost factors. Hopefully, the forthcoming changes will help alleviate some of these costs.
MARKETWATCH: Sarbanes-Oxley turns 5 amid mixed results
QUOTE: SAN FRANCISCO (MarketWatch) -- Congress enacted Sarbanes-Oxley in 2002 in the wake of the spectacular collapse of Enron Corp. in an accounting scandal. The collapse led to the demise of auditor Arthur Andersen, one of the "Big Five" accounting industry giants.
Soon after Enron imploded, telecom giant WorldCom blew up in its own accounting scandal. It was with WorldCom in mind that lawmakers added the now infamous section 404 to SOX, which requires that chief executives and chief financial officers personally certify that financial statements are complete and accurate, under penalty of jail time. The kicker has been the responsibility of auditors to attest to management's assertions, which critics contend led to additional cost burdens.
A survey released this year by the Financial Executives Research Foundation revealed that the average 2006 cost for SOX compliance was $1.2 million at publicly-traded companies for auditor attest statements alone. If this estimate, which did not factor in money spent on internal preparation, was to include all filers at more than 15,000 public concerns, it would equal about $180 billion in 2006 costs.
This web-server-based attack has affected several sites recently. While these are most likely less mainstream sites, be cautious with email links and with the web sites you visit.
QUOTE: Zack wrote to us yesterday to report a mass defacement. After a brief look, we were able to confirm his finding that the following script tag (obfuscated) had been injected in over 40,000 pages across the internet, covering around 150 domains which we so far know of. This script generates a page containing several hidden iframe components. These link to other pages that contain browser specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems.
UPDATE: The good news so far is that the executable being downloaded seems to be detected by most AV products. The sad news is that when I checked the other day the number of infected sites was about 30K, and it is now about 52,000 sites.
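The injection pattern described above (an obfuscated script tag that writes hidden iframes pointing at exploit pages) is easy to spot in served HTML once you know what to look for. The scanner below is an added example, not code from the ISC diary or from this blog; it flags zero-sized or CSS-hidden iframes and script bodies showing common obfuscation markers, and it decodes unescape('%..') payloads so the iframe hidden inside the script is found as well. The sample page, host name and paths are constructed for illustration and do not represent any real site.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import unquote

# Styles that hide an element from the user while the browser still loads it.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Common markers of obfuscated script bodies: decoder calls, or long runs of escapes.
OBFUSCATION = re.compile(
    r"\bunescape\s*\(|\beval\s*\(|String\.fromCharCode|(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}",
    re.I,
)
# unescape('...') / unescape("...") argument, so the decoded HTML can be rescanned.
UNESCAPE_ARG = re.compile(r"""unescape\s*\(\s*(['"])(.*?)\1\s*\)""", re.I | re.S)

# Constructed sample page (not a real capture): one obfuscated script that writes a
# zero-sized iframe, one iframe hidden with CSS, and ordinary visible content.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fin.cgi%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'))</script>
<iframe src="http://example.invalid/ads" style="display:none"></iframe>
<p>Normal content</p>
</body></html>"""


def _zero_sized(attrs: dict) -> bool:
    """True when width or height is 0 or 0px, the classic drive-by iframe size."""
    return any((attrs.get(k) or "").strip().rstrip("px") == "0" for k in ("width", "height"))


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings; nested scans handle HTML written by scripts."""

    def __init__(self, depth: int = 0):
        super().__init__()
        self.findings: List[Tuple[str, str]] = []
        self._depth = depth
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and (_zero_sized(a) or HIDDEN_STYLE.search(a.get("style", ""))):
            self.findings.append(("hidden iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or not self._in_script:
            return
        self._in_script = False
        body = "".join(self._buf)
        if OBFUSCATION.search(body):
            self.findings.append(("obfuscated inline script", body.strip()[:40]))
            # Decode what the script would write and scan that layer too (bounded depth).
            if self._depth < 3:
                for _, payload in UNESCAPE_ARG.findall(body):
                    self.findings.extend(scan_html(unquote(payload), self._depth + 1))


def scan_html(html: str, depth: int = 0) -> List[Tuple[str, str]]:
    """Return findings for one HTML document (and for HTML its scripts decode)."""
    scanner = InjectionScanner(depth)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Run against a crawl of your own pages, this is a cheap way to notice a mass defacement before users report it; a finding is a prompt to inspect the page source, not proof of compromise on its own, since legitimate tracking iframes are sometimes hidden the same way.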
Windows Live has now moved from beta status to an official product offering.
Microsoft Windows Live goes Live
QUOTE: Microsoft has officially taken the beta moniker off the next generation of its Windows Live services, which it launched at events in New York and Los Angeles on Nov. 6. This new generation of Windows Live will be available in 36 languages and 59 countries across the world, and is the first integrated release of the services. Windows Live is designed to focus on three main things: putting the user at the center, providing an integrated experience across everything that Microsoft does on this front and bringing the best of the Web to Windows.
Windows Live updated suite announced in September
Windows Live Home Page (2.8MB download)
Windows Live Functional Overview
Windows Live Security Page
Windows Live Search
Paul Laudanski, founder of Castlecops, reports that an estimated $150 million in losses have been prevented through the work of the PIRT team in "frying phish" and even taking down malicious web sites. While Castlecops promotes awareness like many security firms, they go the extra mile in reporting malware to authorities and in working to combat hostile attacks (e.g., phishing, malware, and spam).
These efforts are greatly appreciated in making email and the Internet a little safer through the efforts of all the teams participating there. I've also been a member of Castlecops for a couple of years and assist in sharing new security developments and best practices in the forums.
Castlecops PIRT - Prevented over $150 Million in Phishing attack losses
QUOTE: Since May 2006, our Phishing Incident Reporting and Termination team has directly prevented more than $80 million in credit card losses, and indirectly an additional $75 million by working with our partners. We've shut down not only phish sites, but drops all the while preserving evidence for law enforcement. And we need your help by donating your time as handlers to keep on investigating phish crimes so we can continue to prevent even greater numbers. PIRT right now is receiving around 47,000 unique phish submissions per month. Our PIRT handlers are doing amazing work and trailblazing new roads in phish investigations and intelligence.
Some of the key services provided by Castlecops include:
PIRT - Phishing Incident Reporting and Termination
MIRT - Malware Incident Reporting and Termination
SIRT - Spam Incident Reporting and Termination
Castlecops - Free Technical and security forums
Castlecops - Advanced Malware Removal (HiJackThis analysis)
In testing internal corporate security in the past, I've also seen that longer passwords require more time to crack than shorter ones. Every character added to the password length better protects you. Using LophtCrack, CAIN, and other password testing tools I had also run experiments on password lengths from 3 through 8 characters. While the 3 character passwords would be found almost instantly, times increased exponentially for each subsequent test as the password grew in size.
Both complexity and length matter. The point of the blog post is that a short complex password may not offer sufficient protection even though, in human terms, it seems harder to guess. Password strength comes down to the number of candidate strings an attacker must try: each added character multiplies that number by the size of the character set, whereas adding a character class only enlarges the base. It would be prudent to require at least eight characters for all passwords.
QUOTE: The bottom line:
* In general, password length trumps password complexity. This applies to both cracking and rainbow table attacks.
* Given the opportunity, users will choose the simplest passwords, such as ‘Password1!’
* Make sure you account for human tendencies that include usernames in passwords, too many repeating characters, passwords based on dictionary words, capitalization of the first letter, symbols & digits at the end, etc.
* Enforce your password policy
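The arithmetic behind "length trumps complexity", and a check for the human habits listed above, as an added example (not code from this blog, from the quoted post, or from LophtCrack or CAIN). The guess rate of 1e9 per second and the small word list are assumptions for illustration; the functions generalize the post's 3-to-8 character experiment to any length and character set, and they also show where the rule stops holding (around ten characters, adding a whole class finally outgrows adding one character).

```python
import re
import string
from typing import List

# Character-class sizes used to estimate a password's keyspace.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # 32 printable ASCII symbols
}

# Constructed stand-in for a cracking dictionary (assumption, not a real word list).
DICTIONARY = {"password", "welcome", "summer", "letmein", "admin", "qwerty"}


def charset_size(password: str) -> int:
    """Size of the smallest union of character classes covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def keyspace(length: int, charset: int) -> int:
    """Candidates an exhaustive search must cover: charset ** length."""
    return charset ** length


def brute_force_seconds(length: int, charset: int, guesses_per_second: float = 1e9) -> float:
    """Worst-case exhaustive-search time at an assumed rate (1e9/s is illustrative, not measured)."""
    return keyspace(length, charset) / guesses_per_second


def gain_from_extra_char(length: int, charset: int) -> float:
    """Factor by which the keyspace grows when one more character is appended (equals charset)."""
    return keyspace(length + 1, charset) / keyspace(length, charset)


def gain_from_extra_class(length: int, charset: int, class_size: int) -> float:
    """Factor by which the keyspace grows when a new class is allowed at the same length."""
    return keyspace(length, charset + class_size) / keyspace(length, charset)


def length_beats_class(length: int, charset: int, class_size: int) -> bool:
    """True when one extra character outgrows one extra class; holds for lengths below about ten."""
    return gain_from_extra_char(length, charset) > gain_from_extra_class(length, charset, class_size)


def human_pattern_flags(password: str, username: str = "") -> List[str]:
    """Flags for the habits the post lists; cracker rule sets target exactly these patterns."""
    flags = []
    lowered = password.lower()
    if username and username.lower() in lowered:
        flags.append("contains username")
    if re.search(r"(.)\1\1", password):
        flags.append("three or more repeated characters in a row")
    # Strip leading/trailing digits and symbols, then test the core against the dictionary.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in DICTIONARY:
        flags.append("dictionary word once leading/trailing digits and symbols are stripped")
    letters = [c for c in password if c.isalpha()]
    if len(letters) > 1 and letters[0].isupper() and all(c.islower() for c in letters[1:]):
        flags.append("only the first letter is capitalized")
    if re.search(r"[A-Za-z][^A-Za-z]+$", password):
        flags.append("digits and symbols only at the end")
    return flags


if __name__ == "__main__":
    for length in range(3, 9):  # the post's 3-to-8 character experiment, lowercase only
        print(f"{length} chars: {keyspace(length, 26):>15,} candidates, "
              f"{brute_force_seconds(length, 26):.3g} s at 1e9 guesses/s")
    print("8 lower + digits vs 9 lower:", gain_from_extra_class(8, 26, 10), gain_from_extra_char(8, 26))
    print("Password1! flags:", human_pattern_flags("Password1!", username="pass"))
```

Note that the keyspace figures are the naive upper bound: a password that trips the pattern flags is effectively a dictionary word plus a mangling rule, so its real cost to an attacker is a few thousand guesses regardless of its nominal 94^10 keyspace. That is why the policy needs both the length requirement and the pattern checks.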
This site provides an overview of all Mozilla products and their history of security fixes.
Mozilla - Security Vulnerabilities Master List for Products
"Bugzilla" is the tracking system for all outstanding Mozilla issues. To find currently open Firefox security issues, enter Firefox as the product and security as the search term.
Release notes suggest it's only stability fixes, no security fixes.
Mozilla Firefox 220.127.116.11 Release Notes
After over a decade in the security profession, there's nothing I enjoy better than seeing Best Practices shared that help protect folks from the continuous and evolving threats. October was "cyber-security awareness" month and the Internet Storm Center handlers (plus the readers) did an awesome job in sharing how we can better protect ourselves from the dangerous risks out there.
Cyber Security Awareness Month - Summary and Links
1. Establishing a User Awareness Training Program
1 Penetrating the "This Does Not Apply To Me" Attitude
2 Multimedia Tools, Online Training, and Useful Websites
3 Getting the Boss Involved
4 Enabling the Road Warrior
5 Social Engineering and Dumpster Diving Awareness
6 Developing and Distributing Infosec Policies
2. Best Practices
7 Host-based Firewalls and Filtering
8 Anti-Virus, Anti-Spyware, and Other Protective Software
9 Access Controls, Including Wireless, Modems, VPNs, and Physical Access
10 Authentication Mechanisms (Passwords, Tokens, Biometrics, Kerberos, NTLM, Radius)
11 File System Backups
12 Managing and Understanding Logs on the Desktop or Laptop (AV, Firewall, or System Logs)
13 Patching and Updates
3. Hardware/Software Lockdown
14 Data Encryption
15 Protecting Laptops
16 Protecting Portable Media like USB Keys, iPods, PDAs, and Mobile Phones
17 Windows XP/Vista Tips
18 Mac Tips
19 Linux Tips
20 Software Authenticity (Digital Signatures, MD5, etc.)
4. Safe Internet Use
21 Understanding Online Threats, Phishing, Fraud, Keystroke Loggers
22 Detecting and Avoiding Bots and Zombies
23 Using Browsers, SSL, Domain Names
24 Not All Patches Are Released on a Tuesday
25 Using Email, PGP, X509 Certs, Attachments, Instant Messaging and IRC
26 Safe File Swapping
27 Online Games and Virtual Worlds
5. Privacy and Protection of Intellectual Property
29 Insider Threats
30 Blogging and Social Networking
31 Legal Awareness (Regulatory, Statutory, etc.)