Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

February 2008 - Posts

More Targeted attacks - Disguised as official government emails

A new series of targeted attacks is being spammed out disguised as official government business. To look more legitimate, the malicious attachment even downloads genuine PDF forms from the government's own site once it runs. Users should delete these messages and in particular avoid opening any attachments, since AV detection may not yet be available in all cases.

More Targeted attacks - Disguised as official government emails

QUOTE: McAfee Avert Labs has seen multiple large spam runs of  The attachment called is malicious.  Upon execution the trojan connects to malicious web sites. It also downloads legitimate PDF files probably to deceive the user that it is a legitimate application. This variant of trojan also has capability to download other trojans and malware on the system, for that it may contact the following website ...

EnergyMech IRC Bot - ported to Mac, Linux, and FreeBSD

This is not a major concern on its own, except that AV detection is almost non-existent on these platforms, which matters for anyone who might be careless in these environments.

EnergyMech IRC Bot - ported to Mac, Linux, and FreeBSD

QUOTE: Yesterday I received samples of an IRC bot. This in itself would be nothing interesting except the fact that the archive contained binaries for FreeBSD and Mac (Darwin, ppc). After initial analysis I found out that it's nothing special – just a port of a well known IRC bot called EnergyMech. The most interesting thing was that the attacker compiled it for FreeBSD and Mac. This probably didn't require any extra effort though since it compiles out of the box on FreeBSD and Linux anyway.

Castlecops Security Forums celebrate 6th Birthday


Security forums are a valuable resource for emerging developments, best practices, and technical assistance in cleaning malware infections.  Castlecops is one of the more established forums, now celebrating its 6th year.  They provide a public service in capturing and fighting phishing attacks (PIRT) and are a valuable participant in the security community.

WinCE/InfoJack - New Trojan impacts Windows Mobile PocketPC

Mobile devices like the iPhone or Windows Mobile Pocket PC should be checked periodically for updates, and AV protection may also be worthwhile. More importantly, users should be careful about the sites they visit and particularly about any new software they install on their devices.

WinCE/InfoJack - New Trojan impacts Windows Mobile PocketPC

QUOTE: A Windows Mobile PocketPC trojan that disables Windows Mobile application installation security has been discovered in China. WinCE/InfoJack sends the infected device’s serial number, operating system and other information to the author of the trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The trojan modifies the infected device’s security setting to allow unsigned applications to be installed without a warning. The trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, applications for stock trading, and a collection of games.

IE 8 Beta - Passes Acid2 test

There is speculation among some of the technology watch groups that the first beta of IE 8 may be released in the near future.  IE 8 will feature improved compliance with web standards, as shown by its passing the Acid2 test.  This new browser will be interesting to both test and explore when it debuts.

IE 8 Beta 1 may be offered to developers soon

QUOTE: According to the invitation, Microsoft is planning to make IE 8 Beta 1 available to the general public, as well. But before that happens, an invitation-only test program will be conducted. The invitation describes IE 8 Beta 1 being focused on developers.

IE 8 Beta - Passes Acid2 test

QUOTE: As a team, we’ve spent the last year heads down working hard on IE8. Last week, we achieved an important milestone that should interest web developers.

Watch for official news that might be posted on Microsoft's IE blog:

Microsoft Announcement - Offers greater interoperability with 3rd parties

It is always beneficial when standards and best approaches are shared between vendors, as security, interoperability, and efficiency all improve.

Microsoft Announcement - Offers greater interoperability with 3rd parties

QUOTE: Microsoft today announced a set of broad-reaching changes to its technology and business practices to increase the openness of its products and drive greater interoperability, opportunity and choice. These changes are codified into four new interoperability principles and corresponding actions: 1) ensuring open connections; 2) promoting data portability; 3) enhancing support for industry standards; and 4) fostering more open engagement with customers and the industry, including open source communities.

SEC loses insider trading computer hacking case

This case concerned a hacker who stole sensitive pre-announcement information from a company with weak security controls.  He then bet on the likelihood that the stock price would tumble and made close to $300,000 in the process.  The court ruled in favor of the hacker, allowing him to keep the money, and since he is in Ukraine he probably won't be prosecuted.

I feel the judge made an error in evaluating the case.  Most likely the ruling was based on the wording rather than the spirit of the law.  Whether sensitive stock valuation information is shared or stolen in an unauthorized manner, it still violates the laws applicable to insider trading.  The SEC should strengthen the applicable wording to prevent recurrences in the future.

SEC loses insider trading computer hacking case

Vista SP1 versus XP SP2 performance benchmarks

Based on ZDNet lab tests, Vista SP1 provides equal and in some cases better performance than Windows XP SP2.  Benchmarking different operating systems is always difficult, as various settings may need to be adjusted to put them on an equal footing.  In earlier tests XP SP2 held a very slight advantage, so your mileage may vary, but not by enough to make performance a point of differentiation in choosing between the two.

Vista SP1 versus XP SP2 performance benchmarks

QUOTE: The first rule of benchmarking is: Your mileage may vary. On Ed Bott's test bed, with one exception, Vista SP1 was consistently as fast as or faster than XP SP2. Why the difference from Adrian Kingsley-Hughes' experience? Ed has a few theories.

Earlier tests

Ozdok/Mega-D Botnet - May be generating 30% of all spam world-wide

Based on spam sampling and extrapolation of the results, this new 35,000-member botnet may be generating up to 30% of the spam sent world-wide. While the Storm worm still has far more spam-producing capacity, it can fall into periods of silence depending on the commands issued by its controllers. This botnet should be followed closely as it is most likely in second place for world-wide spam generation.

Ozdok/Mega-D Botnet - May be generating 30% of all spam world-wide

QUOTE: Last week the TRACE research team at Marshal put forth some statistics regarding spam activity from botnets. The statistics pointed to a botnet dubbed "Mega-D" as the new leader of the spambot pack, spewing 32% of the world's spam according to Marshal's spamtraps. This set off a firestorm of speculation: what family of malware was behind this previously unknown botnet? How had it emerged to challenge Storm with hardly a mention in any research articles or press?
Based on the number of bots connecting to mail servers we monitor, we estimate that Mega-D consists of around 35,000 infected machines worldwide. This is a very strong botnet, but hardly a challenger to Storm. Even though Storm has waned to around 85,000 bots, it still holds far more spamming capacity. 
Most AV vendors currently detect the Ozdok botnet agent.

Corporate Network Vulnerability and Penetration Testing

Companies should perform vulnerability and penetration testing assessments on a regular basis.  Performing them quarterly is a valuable best practice for IT security professionals to assess weaknesses in their defenses. There is also a significant educational value, as security team members increase their knowledge and can better protect the company's information assets.

A vulnerability assessment analyzes the entire network and the human and procedural controls around it, looking for design weaknesses in the security architecture; it typically relies on scanning tools to enumerate missing patches, weak configurations and exposed services.  Penetration testing goes a step further: the tester attempts to exploit the weaknesses found, the way an attacker would, to demonstrate what could actually be reached or compromised.

Many basic security concerns can be checked with commercial and even freely available scanning tools.  Annually, a more comprehensive test can be performed by an external consulting firm specializing in this process.  Companies that do not evaluate or test their controls can encounter unexpected weaknesses (e.g., test server settings left in place, administrators not completely locking down servers, etc.).
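To show the kind of check a free scanning tool performs, here is an added example (not the blog's code and not any vendor's tool): a minimal TCP port and banner scanner that also flags a service identifying itself on an unexpected port, the "forgotten test server" case mentioned above. It assumes you are authorized to scan the target; to run offline it stands up a throwaway listener on 127.0.0.1 with a constructed FTP-style banner and scans that instead of a real host.

```python
"""Minimal port/banner scanner with a couple of findings rules.
Added example; the target here is a constructed local listener."""
import socket
import threading

# Well-known ports whose services carry credentials in cleartext; finding
# one open is a finding on its own, whatever banner it returns.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def scan_port(host, port, timeout=1.0):
    """Return (is_open, banner). banner is '' when the service sends nothing."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:            # refused, timed out or unreachable
            return False, ""
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except OSError:
            banner = ""
        return True, banner


def scan_host(host, ports):
    """Scan each port; return {port: {"banner": str, "issue": str or None}}."""
    findings = {}
    for port in ports:
        is_open, banner = scan_port(host, port)
        if not is_open:
            continue
        issue = None
        if port in CLEARTEXT_SERVICES:
            issue = f"cleartext {CLEARTEXT_SERVICES[port]} service exposed"
        elif banner.startswith("220") and "ftp" in banner.lower():
            # An FTP greeting on a high port is typical of a test setup
            # nobody remembered to shut down.
            issue = "ftp service on a non-standard port"
        findings[port] = {"banner": banner, "issue": issue}
    return findings


def start_fake_service(banner):
    """Constructed stand-in target: greets each client with `banner`, then closes.
    Returns (port, listening_socket); close the socket to stop the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # listener closed, stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def find_closed_port():
    """Bind and immediately release a port so the scan has a known-closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo():
    """Stand up the fake service, scan it plus one closed port, return findings."""
    open_port, srv = start_fake_service(b"220 ProFTPD 1.3.0 Server ready\r\n")
    try:
        return scan_host("127.0.0.1", [open_port, find_closed_port()])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, f in demo().items():
        print(f"{port}/tcp open  banner={f['banner']!r}  issue={f['issue']}")
```

A real assessment would feed the open ports and banners into a vulnerability database lookup; the point here is that the raw data a scanner works from is nothing more than "what answers, and what does it say about itself".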

Doing an audit/pentest or other assessment?

QUOTE: Audit, Security Assessments, Penetration testing and its little sister vulnerability scanning are useful tools to get an idea of the weaknesses in your network.  It is important enough for standards such as PCI-DSS, ISO/IEC 27001, SOX and others to insist on it and many governments around the world insist on it for their agencies.

What is Network Penetration Testing?

Network Penetration Testing - Best Practices

Virus found in Hillary Clinton video circulating by email

Malware authors are attempting to trick folks with this disguised email message, currently circulating during the election season.

Virus found in Hillary Clinton video circulating by email

QUOTE: Malware is being distributed disguised as a video of her. First, an e-mail with the subject line "Hillary Clinton Full Video !!!" arrives advertising a video of her speaking to supporters in Virginia. The link goes through a redirect on Google (a common technique these days) and downloads a file mpg.exe, a trojan downloader which downloads a file named inst241.exe. This file is detected by Symantec as Trojan.Srizbi. So far the volume appears to be low.

Trojan.Srizbi Description

Damage Level: Medium
Payload: Sends spam.
Compromises Security Settings: Rootkit is able to bypass firewall and IDS systems.

Firefox Version 3 Beta 3 - New Security and Functional Features emerge

The Mozilla Foundation has released the third beta of Firefox 3, which contains new security and functional features. This beta is mainly targeted at IT professionals and testers rather than end users.  In early testing it is reliable, performs well, and is a significant improvement over the second beta.

Firefox Version 3 Beta 3 - New Security and Functional Features emerge

QUOTE: With the release today of Beta 3 of Firefox 3, we are definitely getting closer to the final release of Mozilla's open-source Web browser. But for a third beta, this version of Firefox 3 includes some fairly significant changes from the previous betas, including changes to the main user interface of the browser.
New features and changes in this milestone that require feedback include:

-- Improved security features such as: better presentation of website identity and security including support for Extended Validation (EV) SSL certificates, malware protection, stricter SSL error pages, anti-virus integration in the download manager.

-- Improved ease of use through: easier add-on discovery and installation, improved download manager search and progress indication in the status bar, resumable downloading, full page zoom, and better integration with Windows Vista, Mac OS X and Linux.

-- Richer personalization through: one-click bookmarking, smart bookmark folders, location bar that uses an algorithm based on site visit recency and frequency (called “frecency”) to provide better matches against your history and bookmarks for URLs and page titles, ability to register web applications as protocol handlers, and better customization of download actions for file types.

-- Improved platform features such as: new graphics and font rendering architecture, JavaScript 1.8, major changes to the HTML rendering engine to provide better CSS, float-, and table layout support, native web page form controls, colour profile management, and offline application support.

-- Performance improvements such as: better data reliability for user profiles, architectural improvements to speed up page rendering, over 350 memory leak fixes, a new XPCOM cycle collector to reduce entire classes of leaks, and reductions in the memory footprint.

Firefox download site for all world-wide versions

Storm Worm - New Valentines Day e-card Attacks

After some "test runs" in early February, new waves of the Storm worm are now surfacing using Valentine's Day themes. These spammed email messages are designed to trick recipients into visiting the malicious websites; the links use numeric IP addresses and lack the personalization one would find in genuine e-cards sent at this time of year.

If the EXE file lurking on the website is opened, the malware installs silently on the system. This new wave of attacks is poorly detected by AV products, as the malware binary is automatically changed every hour or so.

Avoid these emails completely, so you don't end up broken-hearted on Valentine's Day.

Storm Worm - Valentines Day e-card Attacks

QUOTE: With Valentine’s Day coming this week, we have seen a new wave of Nuwar spamming this Monday evening, amounting to more than 20 variants in a couple of hours. Detection for these variants from major AV vendors was near nonexistent, as the Nuwar writer is using a new compiler this time to bypass detection.

While we saw the Valentine’s day campaign start in January, it’s morphed. This time using the following approaches (some old, some new):

-- raw IP addresses in the spam lures
-- the filename is now “valentine.exe”, using a redirect and a clickable link
-- much more simple HTML websites
-- subjects include “Blind Love”, “Just You” and other warm fuzzy subjects
-- rapidly changing MD5 hashes
-- poor AV detection

Subject: Sweetest Things Aren't Things!
Date: Mon, 11 Feb 2008 13:13:58 +0900
To: Susan
Text: Love Poem: (Malicious numeric IP address removed)

Vista Service Pack 1 - Key planning information

Below are several links related to Vista SP1 that can help in planning for this important update once it becomes more publicly available.

Vista Blog - RTM announcements

Vista SP1 - FAQ

Vista SP1 - The promised performance gains are here

Vista SP1 - Rolls up 551 bug fixes

Microsoft Vista SP1 - Notable changes

Microsoft Vista SP1 - Release notes

Microsoft - Vista Home Page

Overview of Windows Vista Service Pack 1

When will SP1 be available?

* Mid-March: Release to Windows Update (in English, French, Spanish, German and Japanese) and to the download center on
* Mid-April: Begin delivery to Windows Vista customers who have chosen to have updates downloaded automatically.
* April: Remaining languages RTM.

Microsoft Security Updates - February 2008

There is a "bumper crop" of important security updates for Windows, MS Office, and IE this month.   I've installed these at work and so far so good.  The ISC link should be monitored for any developments regarding exploits or installation issues related to these important updates.

Microsoft is releasing the following eleven new security bulletins for newly discovered vulnerabilities:

Bulletin Number: MS08-003
Maximum Severity: Important
Affected Products: Windows 2000, Windows XP, Windows Server 2003
Impact: Denial of Service

Bulletin Number: MS08-004
Maximum Severity: Important
Affected Products: Windows Vista
Impact: Denial of Service

Bulletin Number: MS08-005
Maximum Severity: Important
Affected Products: Windows 2000, Windows XP, Windows Server 2003, Windows Vista
Impact: Elevation of Privilege

Bulletin Number: MS08-006
Maximum Severity: Important
Affected Products: Windows XP, Windows Server 2003
Impact: Remote Code Execution

Bulletin Number: MS08-007
Maximum Severity: Critical
Affected Products: Windows XP, Windows Server 2003, Windows Vista
Impact: Remote Code Execution

Bulletin Number: MS08-008
Maximum Severity: Critical
Affected Products: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Office 2004 for Mac, and Visual Basic 6.0
Impact: Remote Code Execution

Bulletin Number: MS08-009
Maximum Severity: Critical
Affected Products: Office 2000 SP3, Office XP SP3, Office 2003 SP2
Impact: Remote Code Execution

Bulletin Number: MS08-010
Maximum Severity: Critical
Affected Products: All IE on Windows 2000, Windows XP, Windows Server 2003, and Windows Vista
Impact: Remote Code Execution

Bulletin Number: MS08-011
Maximum Severity: Important
Affected Products: Office 2003 SP2, Office 2003 SP3, Works 8.0, and Works Suite 2005
Impact: Remote Code Execution

Bulletin Number: MS08-012
Maximum Severity: Critical
Affected Products: Office 2000 SP3, Office XP SP3, and Office 2003 SP2
Impact: Remote Code Execution

Bulletin Number: MS08-013
Maximum Severity: Critical
Affected Products: Office 2000 SP3, Office XP SP3, Office 2003 SP2, and Office 2004 for Mac
Impact: Remote Code Execution

PATCH NOW -- Adobe PDF exploits in-the-wild

As PDFs are one of the standard document types exchanged by businesses, this new exploit has already infected thousands of users.  While McAfee and other AV companies offer detection for this PDF-based malware, it is important to move to Reader/Acrobat 8.1.2 for the best level of protection (see the download link at the bottom for the full version).

PATCH NOW -- Adobe PDF exploits in-the-wild

QUOTE: McAfee Avert Labs is tracking an active exploitation of a recently patched vulnerability in Adobe Acrobat Reader now in the wild. The current vulnerability can be embedded in a PDF file and manipulated through Adobe JavaScript.  Complete mitigation requires upgrading Acrobat and Adobe Reader 7.x and 8.x to Version 8.1.2.

Adobe PDF exploit infects 'many thousands,' says researcher

Security update available for Adobe Reader and Acrobat 8

Affected software versions
-- Adobe Reader 8.1.1 and earlier versions
-- Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier versions

Adobe 8.1.2 PDF Reader site (22MB Download - uncheck Google toolbar option)

Cisco Study - Remote workers need to follow more secure practices

Professionals who work at home should ensure they are following the best practices as well as ethically providing a good full day of work for their employers.  This Cisco study highlighted some areas of security concern for remote workers.

Cisco Study on Remote Workers Reveals Need for Greater Diligence Toward Security

QUOTE: Some of the key findings and reasons for risky behavior in year two include:


  • Opening emails and attachments from unknown or suspicious sources: Although it is one of the age-old security risks, many remote workers admit that they still open suspicious emails and attachments despite the potential for triggering malware attacks. China (62 percent) is the most egregious offender. But arguably more disturbing is a growing trend in entrenched Internet-adopter countries like the United Kingdom (48 percent), Japan (42 percent), Australia (34 percent) and the United States (27 percent). For example, in Japan, 14 percent admit they open both an unknown or suspicious email and any attachments.

  • Using work computers and devices for personal use: A 3 percentage-point increase year-over-year shows that more remote workers use corporate devices for personal use, such as Internet shopping, downloading music, and visiting social networking sites. This trend occurs in eight of the 10 countries, and the highest year-to-year spike occurs in France (27 percent to 50 percent). In Brazil, this trend rose 16 percentage points despite an increasing number of respondents agreeing that this was unacceptable behavior (37 percent to 52 percent year-over-year).
    Reasons Offered: "My company doesn't mind me doing so", "I'm alone and have spare time", "My boss isn't around", "My IT department will support me if something goes wrong".

  • Allowing non-employees to borrow work computers and devices for personal use: As employees work more from home, the likelihood increases that they will share corporate devices with non-employees (e.g. family, roommates) who are not educated by IT or held to a company's security policies. This trend is increasing. While China features the highest rate of "device sharing" for the year (39 percent), the United Kingdom (from 7 percent in 2006 to 22 percent in 2007) and France (from 15 percent to 26 percent) reveal steep year-over-year increases.
    Reasons Offered: "I don't see anything wrong with it", "My company doesn't mind me doing so", "I don't think it increases security risks", "Co-workers do it".

  • Hijacking wireless Internet connections from neighbors: Globally, 12 percent of remote workers admit to accessing a neighbor's wireless connection, with threefold year-to-year increases in Japan (6 percent to 18 percent) and France's 10 percent year-to-year rise (5 percent to 15 percent) representing the fastest-growing rates. China (from 19 percent in 2006 to 26 percent in 2007) and the United Kingdom (from 6 percent to 11 percent) also feature significant increases.
    Reasons Offered: "I needed it because I was in a bind", "It's more convenient than using my wireless connection", "I can't tell if I'm using my own or my neighbor's wireless connection", "My neighbor doesn't know, so it's OK".

  • Accessing work files with personal, non-IT-protected devices: Accessing corporate networks and files with devices that are not protected by an employee's IT team presents security risks to the company, its information and its employees. As the number of remote workers grows, the study reveals an annual rise (45 percent in 2006 to 49 percent in 2007) in this behavior. It's widespread in many countries, especially China (76 percent), the United States (55 percent), Brazil (52 percent) and France (48 percent).
    Reasons Offered: "These devices are secure with antivirus and other content security software", "I regularly use these devices to access my network", "My IT department has said it's OK to do so".

Windows Security for users - Limited rights can improve security

While some software packages insist on writing to protected areas of the Windows registry and program folders, many corporate users could work in a more protected mode.  If a group of users will not be installing software or needing local administrator functionality, running them under limited (standard user) accounts better protects them against malware attacks.  Some malware can still succeed under a limited account, but the setting greatly reduces exposure to the many virus and spyware attacks that need administrator rights to install or to modify the system.

For home users, creating additional protected accounts of this nature enhances protection as well.  Home users can log on to the limited account for routine web browsing and email, and switch to the administrator account only when they need to install software.  This gives users the best of both worlds.

Minimizing User Rights Can Increase Security

QUOTE: Minimizing user rights on a machine is a key part of security and risk management, and should be balanced with business continuity concerns. Sometimes, less is more—at least when it comes to user rights and security.  Taking a least-privilege approach to user accounts is a key part of any in-depth defense strategy, many analysts and security pros say.

In its defense, Microsoft has built the User Account Control feature into Windows Vista, allowing IT administrators to elevate their privilege for specific tasks and application functions while still running most applications, components and processes with a limited privilege. Other companies such as Symark Software and BeyondTrust also look to address the issue of least privilege with their software.

A least-privilege approach, some argue, ensures that users always log on with limited account privileges, and can be used to restrict the use of administrative credentials to certain individuals and for certain tasks, such as installing programs. Malware sometimes is written to exploit elevated privileges and thus spread more rapidly, offering businesses another reason to restrict privileges. However, doing so can affect business productivity, which makes some businesses wary.

Further recent discussion can be found in this forum thread:

Article - Windows Server 2008 Is Microsoft`s Leanest, Meanest Yet

Microsoft has done a noteworthy job of designing both security and performance into the new Windows Server 2008 operating system, as reflected in the following review by eWEEK:

Article - Windows Server 2008 Is Microsoft`s Leanest, Meanest Yet

QUOTE: Networking enhancements, a reduced attack surface and virtualization capabilities earn Windows Server 2008 eWEEK Labs' Analyst's Choice award.  "Faster" and "slimmer" are two adjectives to which few software product upgrades can lay legitimate claim—particularly if the software upgrade in question is a Windows operating system. 

And, yet, Microsoft's Windows Server 2008, which recently hit the  RTM (release to manufacturing) milestone, demonstrates that Microsoft is capable of producing a lean, mean server machine—and doing it, no less, atop the same code base that backs the company's oft-maligned Windows Vista client operating system.

Slideshow of key features

Below is also the home page for the new W/2008 server operating system:

ActiveX Vulnerabilities - Facebook, MySpace and Yahoo

There are warnings for at least six ActiveX controls that may experience buffer overflows or crashes and thus be subject to exploit development.  So far there are no known in-the-wild attacks, and in using the ISC's GUI based tool (link at the bottom) I had no exposures on my current system.

ActiveX Vulnerabilities - Facebook, MySpace and Yahoo

Six key sites and Killbits for those sites

QUOTE: The US-CERT is urging Web surfers to immediately disable ActiveX controls from Internet Explorer to protect against a swath of publicly reported—and unpatched—software vulnerabilities.

The US-CERT (Computer Emergency Response Team) recommendation follows the release of exploit code for multiple zero-day flaws in image uploaders used by Facebook and MySpace and bugs in the ActiveX control that ships with the Yahoo Music Jukebox software.

According to Erik Kamerling, a vulnerability analyst at Symantec's DeepSight threat center, the availability of exploits for flaws in high-profile targets like Facebook and MySpace is cause for concern.

Although Symantec is unaware of in-the-wild exploitation of the ActiveX flaws, there's a feeling that attacks are inevitable. Admins are advised to set the kill bit for the following CLSIDs as soon as possible:

Aurigma: CLSID 6E5E167B-1566-4316-B27F-0DDAB3484CF7 ('ImageUploader4.ocx')
Aurigma: CLSID BA162249-F2C5-4851-8ADC-FC58CB424243 ('ImageUploader5')
Facebook: CLSID 5C6698D9-7BE4-4122-8EC5-291D84DBD4A0
Yahoo! MediaGrid: CLSID 22FD7C0A-850C-4A53-9821-0B0915C96139
Yahoo! DataGrid: CLSID 5F810AFC-BB5F-4416-BE63-E01DD117BD6C2

The GUI based tool is an excellent resource that checks for the six current vulnerabilities and highlights whether the affected controls are present on your system.  If so, you can select any of them to be disabled (by setting the kill bit) until the issue is resolved.
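For administrators who would rather push the kill bits themselves than run a tool on each machine, here is an added example (not the ISC tool and not Microsoft code) that builds a .reg file from the CLSIDs quoted above. Setting "Compatibility Flags" to 0x400 under the ActiveX Compatibility key is the documented way to stop Internet Explorer from instantiating a control. Each CLSID is validated as a well-formed GUID before a key is emitted; as printed in the quote above, the Yahoo! DataGrid value has a 13-character final group, so the script rejects it instead of writing a key that would protect nothing, and you should take the exact value from the original advisory.

```python
"""Generate a .reg file setting the IE kill bit for a list of CLSIDs.
Added example; CLSIDs copied as printed in the quoted advisory above."""
import re

KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400   # "Compatibility Flags" bit that tells IE never to load the control
GUID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")

# (label, CLSID) pairs exactly as they appear in the quoted advisory.
ADVISORY_CLSIDS = [
    ("Aurigma ImageUploader4.ocx", "6E5E167B-1566-4316-B27F-0DDAB3484CF7"),
    ("Aurigma ImageUploader5",     "BA162249-F2C5-4851-8ADC-FC58CB424243"),
    ("Facebook",                   "5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"),
    ("Yahoo! MediaGrid",           "22FD7C0A-850C-4A53-9821-0B0915C96139"),
    ("Yahoo! DataGrid",            "5F810AFC-BB5F-4416-BE63-E01DD117BD6C2"),
]


def normalize_clsid(clsid):
    """Return the CLSID as '{UPPER-CASE-GUID}', or None if it is not well-formed."""
    core = clsid.strip().strip("{}").upper()
    return "{" + core + "}" if GUID_RE.match(core) else None


def build_killbit_reg(entries):
    """entries: iterable of (label, clsid). Returns (reg_file_text, rejected_labels).
    Malformed CLSIDs are skipped: a mistyped key is silently ignored by IE."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    rejected = []
    for label, clsid in entries:
        guid = normalize_clsid(clsid)
        if guid is None:
            rejected.append(label)
            continue
        lines.append(f"; {label}")
        lines.append(f"[{KILLBIT_KEY}\\{guid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}')
        lines.append("")
    return "\r\n".join(lines), rejected


if __name__ == "__main__":
    text, rejected = build_killbit_reg(ADVISORY_CLSIDS)
    print(text)
    for label in rejected:
        print(f"; SKIPPED {label}: CLSID is not a well-formed GUID, check the advisory")
```

Import the output with regedit (or `reg import`) under an administrative account, since the key lives under HKLM. Two caveats: the kill bit only stops IE loading the control, the vulnerable .ocx file stays on disk, and a vendor fix that ships under a new CLSID will not be blocked, so re-run the check after updating the software.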

ISC GUI Tool can be downloaded from here:

ISC Command line
