September 2008 - Posts
Sunbelt is warning that a new variant of the Fake Antivirus 2008 family has emerged. Please be careful of any pop-up message you might receive and keep AV protection updated.
eAntiVirusPro - New Fake AntiVirus pop-up variant emerges
http://sunbeltblog.blogspot.com/2008/09/rogue-mania.html
QUOTE: eAntivirusPro is a new clone of Antivirus XP 2008 rogue security product.
Microsoft has announced the the next version of its development platform as Visual Studio 2010 and .NET Framework 4.0. Some preliminary features are noted in the links below:
Microsoft Announces Visual Studio 2010 and .NET Framework 4.0
http://www.eweek.com/c/a/Application-Development/Microsoft-Announces-Visual-Studio-2010-and-NET-Framework-40/
http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=210604432
QUOTE: Microsoft announces Visual Studio 2010 and .NET Framework 4.0, and says the overall development strategy revolves around five pillars. The first pillar involves the Visual Studio Team System (VSTS) 2010, formerly codenamed “Rosario.” In the announcement on Sept. 29, Microsoft also described the next release through the following five focus areas:
1. Riding the next-generation platform wave
2. Inspiring developer delight
3. Powering breakthrough departmental applications
4. Enabling emerging trends such as cloud computing
5. Democratizing ALM (application life-cycle management)
This article promotes the need for users to block all pop-out messages by using the latest version of browser software. However, even then sometimes pop-up dialogs can be successfully launched. When this occurs, it is a best practice to always read these carefully and safely exit out. One good approach for safely exit pop-ups is noted below. Finally, most users are not "idiots" as noted in the referenced link, but at times they may be unaware of the risks or careless in their behaviors.
NC State tests students on how they react to pop-up messages
http://arstechnica.com/news.ars/post/20080923-study-confirms-users-are-idiots.html
Examples of pop-up messages
http://arstechnica.com/news.media/FakeDialog.png
http://media.arstechnica.com/news.media/malware_warning.png
QUOTE: The authors, who work in the Psychology Department of North Carolina State University, crafted a set of four fake dialog boxes. All of them contained the following warning: "The instruction at '0x77f41d24 referenced memory at '0x595c2a4c.' The memory could not be 'read.' Click OK to terminate program." One of the warnings was indistinguishable from the standard Windows XP system dialog, but the remaining three were had a number of warning signs that should tip off users to potential malware.
In all cases, mousing over the "OK" button would cause the cursor to turn into a hand button, behavior more typical of a browser control; all dialogs also had minimize and maximize buttons, while a second added a browser status bar to the bottom of the window. Finally, the most blatant one alternated between black text and a white background and a white-on-black theme. All of these should metaphorically scream, "This is not safe!"
Use of Task Manager to close pop-up messages more safely
http://msmvps.com/blogs/harrywaldron/archive/2008/08/22/malware-close-encounters-close-pop-ups-using-task-manager-to-safely-exit.aspx
Computer security has become more important than ever at both home or work. Security products, promptly applying security patches, and the user's actions are all vital. Years ago, many malware writers acted more as pranksters writing software to delete files or make the PC inoperable. The goal today is to trick users with highly realistic email or websites and then to hide on the PC in order to gain highly sensitive or confidential information over time.
Many attacks user social and technical engineering approaches that can deceive even highly experienced users. For example, malware authors use embed actual HTML from the real websites or simulate Windows dialog boxes (as noted in the article below). Security is so vital today, that it cannot be ignored.
For example, companies MUST have an active awareness program. It's true that some users will march to the beat of a different drum and ignore advice. Still, security awareness cannot be totally ignored. A good program would include:
1. User responsibilities, as most companies have "business use" and "information protection" policies. Users need to know what they can and cannot do at work.
2. Some general training on avoiding malware attacks is helpful in case innovative malware slips past the technical defenses. For example, the Help Desk should be contacted if there are questionable items.
3. Users must know their vital role in safeguarding customer and corporate information. Their laptops, passwords, and other resources could be compromised if safe practices are not followed.
4. Occasional brief all-employee bulletins and an Intranet website can help communicate and promote user responsibilities in the process
Security evangelism is achieved one step at a time and companies won't see immediate results. However, these small differences will add up over time. A train the trainer model may emerge, as technically savy users gain knowledgeable and act as leads in their departments or offices.
The tone and communications make all the difference in the world. While security sometimes requires a "thou shalt not" approach, it shouldn't be the primary theme. A more positive tone of "how to be safe at work and home" may help users become more receptive to learning the principles of protection.
Home and corporate users cannot be expected to become security experts. Conversely if someone totally ignores the many dangerous security exposures, they will most likely experience technical issues with their PC or they could even become a victum of fraud. Instead, users should be taught the basic principles of risk avoidance and where to go to for help.
Office 2003 SP3 has been reliable on all home and work PCs, as it installed as soon as it became available one year ago. Anyone on SP2 or earlier releases should update their systems to the latest version for improved security and to remain on active support.
Office 2003 - Move to Service Pack 3 as SP2 Support has ended
http://blogs.technet.com/office_sust...ack-2-sp2.aspx
http://blogs.pcmag.com/securitywatch...oaching_en.php
Office 2003 - SP3 Home and Download Site (118MB)
http://www.microsoft.com/downloads/d...displaylang=en
QUOTE: Microsoft® Office 2003 Service Pack 3 (SP3) represents a major evolution in security for Office 2003. It further hardens the Office suite against potential attacks and other security threats. This service pack also includes fixes that have been previously released as separate updates for Office 2003.
Trend Micro has documented a new bank phishing attack that appears to be a realistic message. This new attack may appear as a Wachovia (latest version) or Bank of America "connection or security update". It warns the user that they will loose their online banking privileges if this agent is not installed.
If users follow these directions, a rootkit will be installed. This is one of the worst forms of malware circulating, as it alters Windows settings so that it becomes completely hidden except by the best rootkit detection tools.
Please always avoid taking any direct actions from ANY email message that you may receive. Always confirm by phone or other more trustworthy sources to ensure any messages that might happen match your circumstances are truly legitimate. These attacks are so well done, that they can deceive experienced users.
Fake Wachovia Security Update installs Rootkit
http://blog.trendmicro.com/wachovia-security-certificate-installs-rootkit/
QUOTE: At 4:18 PM PST yesterday, Advanced Threats Researcher Ivan Macalintal discovered a spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank (NYSE: WB). This attack ends in the execution of a rootkit, TROJ_ROOTKIT.FX, which is a file that hides files and processes, allowing malicious attacks to run entirely beneath the radar.
Malicious rootkits are especially sneaky because they can hide processes and files from even tech-savvy users. This means entire attacks can transpire without the victim even guessing that there is something wrong with the PC. Malicious rootkits are often associated with information theft, and given that this spam appears to target Wachovia subscribers means that malware writers are counting on the chances that the victim’s PC contains critical financial information they can then siphon for their own use.
AVOID EMAIL MESSAGES WITH THESE SUBJECT LINES:
Wachovia Connection Update Alert.
Wachovia Connection Customer Support - Security Updates.
Wachovia Connection upgrade warning.
Wachovia Connection Emergency Alert System.
Sample email message currently circulating
http://www.trendmicro.com/vinfo/images/blog/wachovia_2.gif
Example of Fake Wachovia site can be found here
http://blog.trendmicro.com/phishers-hit-multiple-banks-with-one-stone/
Good article noting that laptops are highly subject to theft or get misplaced by users 
like car keys do for some of us older professionals 
Users need awareness and training on how to properly safeguard laptops while traveling. More importantly, companies need to look at fully encrypting laptops to ensure any sensitive information is protected.
Why Your Laptop Is Definitely Lost
http://www.avertlabs.com/research/blog/index.php/2008/09/19/why-your-laptop-is-definitively-lost/
QUOTE: Laptop and notebook theft is a major problem; it rates at between 3 percent to 7 percent of reported thefts, according to experts. In 2006, a company making computer-tracking products estimated 750,000 pieces of equipment a year were being stolen.
For public email accounts like Hotmail, Yahoo, or Gmail, below are some safety tips:
1. Always be careful of what you say when it comes to email. Think of it as a permanent record even if you delete it. Finally "it's always good to be careful in what you say, and twice so in what you write".
2. Never store any sensitive email in a public facility where security could be compromised. As a better practice, any sensitive message should be copied to your hard drive and deleted from potential public access.
3. Security questions are your MOST IMPORTANT safeguard in any web based facility where a password can be mailed back. If the 3 questions are easy to guess, any unauthorized person could gain entry (e.g., family member, friend, or criminal). When it comes to security questions, it's good to be "less forthcoming" by misspelling or using incorrect answers. As a best practice, ensure that only you know the answers to the password-reset questions.
4. Complex and difficult-to-guess passwords are mandatory for any Internet site (letters, numbers, case, etc)
5. It is a good practice to change passwords on a regular basis
6. Don't use the same password for every website or email account
7. You may also want to write down the security questions/answers in case of future account lockout issues. If you create a special file containing password or secret question information, keep it in a confidential and offline location.
How Sarah Palin's Yahoo email was Hacked
http://www.eweek.com/c/a/Security/Sarah-Palin-Hack-an-Example-of-Password-Recovery-Backfire/
http://www.mtv.com/news/articles/1595343/20080922/story.jhtml
http://isc.sans.org/diary.html?storyid=5068
http://www.usnews.com/blogs/paper-trail/2008/09/22/tennessee-student-is-focus-of-palin-e-mail-hack-investigation.html
http://news.slashdot.org/article.pl?sid=08/09/21/160222
http://itmanagement.earthweb.com/secu/article.php/3772981/The+Security+Lesson+in+the+Sarah+Palin+Email+Hack.htm
http://garwarner.blogspot.com/2008/09/governor-palins-email-security.html
QUOTE: The ease with which Republican vice presidential candidate Sarah Palin's e-mail was hacked is striking and underscores the importance of improving privacy questions for password recovery. A person claiming responsibility for the hack posted details of what he did Wednesday on a 4chan.org message board. The handle of the poster has been linked to the 20-year-old son of Tennessee Democrat Mike Kernell.
Yahoo required the user provide Palin’s birthday and zip code, which the hacker said he found through Wikipedia and Google. The final security measure required him to answer a question regarding where Palin met her spouse; another Google search turned up the answer.
This free PCI/DSS training course was downloaded and installed. So far in a brief review, it offers great advice for developers in creating more compliant and secure e-commerce applications.
Free Computer Based Traing class - PCI DSS for Developers (38MB download)
https://www.foundstone.com/us/resources/downloads/pci_compliance_developers.zip
QUOTE: Foundstone Professional Services, a Division of McAfee, has recently released a free 2-hour computer based training entitled "PCI DSS v1.1 Compliance for Developers." This hype-free CBT focuses on the PCI DSS requirements and sub-requirements that are most relevant to software developers and offers developer-to-developer technical advice to help achieve compliance. Software security best practices are also stressed throughout the presentation. This is not an advertisement for McAfee products or Foundstone services, just solid information that will help your development teams create more secure software.
During our tough economic times, fraudulent scams are at all-time high now. While this highly informative article discusses primary mail and phone scams, these soliciations are also being spammed by email as well. It is important to validate any potential contract and to use only major trustworthy firms for any type of financing or sale.
MILLIONS AT RISK OF FORECLOSURE FRAUD
http://redtape.msnbc.com/2008/09/post.html
QUOTE: There are many variations on the scams, but they all boil down to two types. There’s a simple fee-based racket, in which the criminal offers to help the homeowner stave off foreclosure, collects an up-front fee and then disappears. But the more lucrative scam involves seducing homeowners into complicated transactions that allow con artists to steal equity in the house or walk away from the closing table after netting thousands in phony payouts.
Consumers facing foreclosure can get help, but they should be very careful where they look. Experts recommend ignoring unexpected solicitations, whether through the mail, by phone or in person. Instead, enlist the help of a HUD-certified counselor. A state-by-state list is available at HUD’s Web site
A new exploit for the latest version of Apple's Quicktime and iTunes products has been publicly published. So far, this exploit is minor in scope, as it can only alter cookie files and cause the new product version to crash. Users should follow further developments and ensure the music and media files they are using are safe. AV protection is also emerging for this new exploit.
New QuickTime 7.5.5 and iTunes 8 Exploits
http://www.avertlabs.com/research/blog/index.php/2008/09/18/the-true-of-recent-0day-for-quicktime755itunes80/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114999
QUOTE: A 0day exploit for the latest Quicktime7.5.5/Itunes8.0 was released yesterday. The exploit author announced this as a Remote Heap Overflow so we decided to take a look and analyze it. After our research, we found that this is actually an off-by-one stack overflow. Some noteworthy points are:
1. QuickTime has the /GS switch option enabled, hence a cookie is put into the stack.
2. Since this is an off-by-one stack overflow, the attacker can just overwrite one byte of the cookie. The Check_stack_cookie function is called when the function returns, If the Check_stack_cookie found out that the cookie is not matched, then the program exits. This results in the crash of QuickTime/Itunes application.
Hence, it is unlikely that code execution via this attack vector would be feasible. Users of these apps however should take them seriously and look at appropriate defenses.
Another variant of the shipping invoice attacks has emerged and should be avoided. AV protection is improving and folks expecting actual shipments should always use the phone instead email for contacting their shipping company, if there are any issues.
More Fake UPS Invoice Attacks
http://isc.sans.org/diary.html?storyid=5051
We received two reports of fake UPS invoice tracking Trojan zip files. This is similar to other invoice Trojans we have seen. This appears to be a two way conversation it was really just the spammer who created the whole thing.
EXAMPLE OF EMAIL TO AVOID
To: victims @ email.address
Subject: Re: missing package
From: John Henry <johnhenry.support @ ups.com>
Reply-To: johnhenry.support @ ups.com
Mr./Mrs. Victims First and Last name
I am sorry for this late reply, but we have good news.
We managed to track your package, and we have attached the
invoice you asked for to this reply.
The invoice contains the correct tracking# , since the one
you gave us was invalid.
You can use it on the ups website to track your shipment.
Thank you
John Henry
UPS Customer Care Department
ATTACHMENT: invoice.zip <--- Do not open this file
One might assume a prestigous site like Business Week would always be completely safe. However, a weakness in their website security was discovered by malicious individuals which allowed SQL Injection. These SQL Injection attacks would secretly route user requests or information back to fake sites hosted in Russia. However, these fake websites are currently offline.
SQL-Injection attacks are usually more of a weakness in programming rather than a security flaw in the supporting website software. While I'm certain Business Week will take measures to correct this issue, this example illustrates the need for all of us to be cautious when surfing the Internet. McAfee, Sophos, and other vendors have also added AV protection.
Business Week website attacked by new SQL Injection attack
http://www.net-security.org/malware_news.php?id=990
http://vil.nai.com/vil/content/v_150261.htm
http://www.theregister.co.uk/2008/09/16/businessweek_hacked/
QUOTE: Folks from Sophos have discovered that the website of BusinessWeek, the world famous weekly magazine, has been attacked by hackers in an attempt to infect its readership with malware.
Hundreds of webpages in a section of BusinessWeek’s website which offers information about where MBA students might find future employers have been affected. According to Sophos, hackers used an SQL injection attack - where a vulnerability is exploited in order to insert malicious code into the site's underlying database - to pepper pages with code that tries to download malware from a Russian web server.
At the time of writing, the code injected into BusinessWeek’s website points to a Russian website that is currently down and not delivering further malicious code. However, it could be revived at any time, infecting hundreds of MBA students looking for high-earning jobs. Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers' scripts are still present and active on their site.
A home based wireless LAN (WLAN) can provide convenient and easy access to the Internet for all family members. However, if it is not locked down properly, it provides access to anyone who is in reception range. Most "visitors" would access a non-secured WLAN for free Internet connectivity. However, there are dangers where private information on the WLAN hard drive could be discovered or these visitors may access to highly inappropriate sites.
Likewise, a business must protect the privacy of their customer information. If a WLAN is setup, there is a need to use the latest equipment, safest security protocols, and take time to learn the key elements of wireless security. As the article from AVERT labs reflect, it's too dangerous to leave unsecured.
Wireless Security - Too Dangerous to ignore
http://www.avertlabs.com/research/blog/index.php/2008/09/15/the-perils-of-leaving-wi-fi-networks-unsecured/
QUOTE: People don’t seem to seriously care about Wi-Fi security yet. Inspite of oft-repeated warnings, ignorant folks with unlimited bandwidth plans believe that they are doing a social service by allowing neighbors to leach their Wi-Fi freely. What they fail to understand is that by doing so, they can become an unwitting accessory to cyber crime.
Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-FI networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords is all it takes to freely connect to unsecured Wi-FI networks. Especially since most Wi-Fi routers use default security settings that come pre-installed by the vendor rather than it having being configured by the end user.
Additional links and resources are noted below:
Example of failure that may cost $1 billion in Financial damages
http://blogs.zdnet.com/Ou/?p=485
How to Secure a Wireless LAN
http://www.dailywireless.com/features/secure-wireless-lan-021507/
Windows XP - Use WPA2 protocol (never use WEP)
http://en.wikipedia.org/wiki/WPA2
Wireless Security - 10 tips to secure your laptop
http://www.informationweek.com/news/showArticle.jhtml?articleID=203102748
George Ou - More on Wireless LAN security
http://blogs.techrepublic.com.com/Ou/?p=404
Simple Advice for Wireless Home Networking
http://blogs.techrepublic.com.com/Ou/?p=42
http://blogs.techrepublic.com.com/Ou/?p=43
Greek hackers were able to penetrate LHC web server security controls to deface their public website. The network control system remained secure, as this is usually isolated by design from the Internet. CERN is evaluating this incident further to ensure all critical access remains secure.
CERN's Large Hadron Collider - Website security compromised
http://government.zdnet.com/?p=3996
http://www.telegraph.co.uk/earth/main.jhtml?view=DETAILS&grid=&xml=/earth/2008/09/12/scicern212.xml
QUOTE: A team of Greek hackers calling themselvses Greek Security Team has penetrated the Large Hadron Collider and defaced a public website. No real damage done, but the hackers got perilously close.
Scientists working at Cern, the organisation that runs the vast smasher, were worried about what the hackers could do because they were "one step away" from the computer control system of one of the huge detectors of the machine, a vast magnet that weighs 12,500 tons, measuring around 21 metres in length and 15 metres wide/high.
If they had hacked into a second computer network, they could have turned off parts of the vast detector and, said the insider, "it is hard enough to make these things work if no one is messing with it." Fortunately, only one file was damaged but one of the scientists firing off emails as the CMS team fought off the hackers said it was a "scary experience".
To refine security methods Cern set up a working group called Computing and Network Infrastructure for Controls. One document written by the group said: "Recent events show that computer security issues are becoming a serious problem also at Cern."
Large Hadron Collider - Home Page (currently offline)
http://cmsmon.cern.ch/
The Internet Storm is warning folks to be cautious with be careful with Word documents they might find in email or receive from others. A macro virus can spread rapidly, as the Word master template will become infected and embed a copy of the virus in any documents edited or created. The virus spreads through an organization like wild fire, as documents are shared with other and their Office environments become infected. Staying up-to-date with AV protection and the safe handling documents can help protect users.
Word Macro Viruses - Blast from the future?
http://isc.sans.org/diary.html?storyid=5029
http://www.virustotal.com/analisis/0fc3a70eff0b9ec447794acbda2402e7
QUOTE: It is 1995 and users are complaining that a weird dialog box is popping up in their word document. The first macro virus was doing the rounds. Fast forward to September 2008 and yes you guessed it new word macro viruses are doing the rounds. They have been updated somewhat. Rather than pop up a little dialog box it is behaving more like the traditional downloaders and the road to pain afterwards.
While most users avoid malicious email attachments, some may not be aware of the danger of URLs. To stay safe folks must treat all email attachments and websites link with the utmost caution. One accidental mouse click can lead to hours of agony, repair work, and even permanent loss of information.
Below are some general practices that have been helpful for protecton:
-- Treat all email with caution, even from folks you know
-- Avoid opening email from anyone you don't know
-- Avoid any offers that seems "too good to be true"
-- Avoid Real or Fictional News Alerts (go to the news site directly instead)
-- Any email that asks for sensitive or personal information (never send this out except through a secure web connection)
-- Avoid bills, invoices or any e-commmerce found in email. For example, spammers can get lucky find Citibank customers in their Citibank spam runs. Use the phone or a trusted web site instead.
-- Avoid any unexpected or out-of-character from someone you know. Their email address may have been spoofed or their PC may be infected.
-- Avoid email detected as Spam (as email software can detect early issues, like spoofing for example)
-- Keep AV and Firewall protection active and up-to-date (while AV protection is limited on day one of an attack, it can still help)
-- Keep Windows and other products up-to-date (as exploits may be blocked)
-- Use Text mode for email for added safety when possible
It is important to recognize that the Internet has criminals and malicious indivduals. The use of security tools plus safe practices will go a long way in protecting you from the constant attacks that are circulating.
New spam runs using sensationalized headlines have merged. Folks should not let their curiousity get the best of them or they could loose hours of time repairing their PC. AV vendors are also beginning to provide protection.
Trend Micro Blog - News Videos, Anyone?
http://blog.trendmicro.com/news-videos-anyone/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FFAKEALER%2EFR&VSect=T
QUOTE: Keeping the texts short and malicious, the spam our filters caught this time use catchy headlines so absurd they could actually pique their readers’ curiosity. Some of the spammed messages here use prominent news organizations like CNN and BCC to look more credible, a technique popular with spammers as seen in several previous spam runs. CNN in particular looks to be a favorite.
A new version of this EXCELLENT network scanning tool is available for security and network administrators. 
NMAP 4.75 Released
http://nmap.org/
QUOTE: Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.
The FTC has recently enhanced it's OnGuard Online site to provide practical tips that help users in guarding their privacy and staying safe while using the Internet. It provides a comprehensive and good list of safety practices.
FTC revamps education site
http://sunbeltblog.blogspot.com/2008/09/ftc-revamps-education-site.html
QUOTE: A just-released Web 2.0 redesign allows users to grab and embed games and videos, search for topics on the site, take a “show of hands” poll, and have a more interactive experience while getting useful tips and information about computer security.
FTC Home
http://www.ftc.gov/
FTC OnGuard Online Home Page
http://www.onguardonline.gov/Default.aspx
FTC Security Topics
http://www.onguardonline.gov/topics/overview.aspx
Comprehensive list of Topics Covered
-- Overview of Computer Security
-- Cross-Border Scams
-- Email Scams
-- Identity Theft
-- Internet Auctions
-- Laptop Security
-- Malware
-- Online Investing
-- Online Shopping
-- P2P Security
-- Phishing
-- Social Networking Sites
-- Spyware
-- VoIP
-- Wireless Security
Stop • Think • Click: An Overview of Computer Security
http://www.onguardonline.gov/topics/computer-security.aspx
Seven Major Practices for Computer Security 
1. Protect your personal information. It's valuable.
2. Know who you're dealing with.
3. Use security software that updates automatically.
4. Keep your operating system and Web browser up-to-date, and learn about their security features.
5. Keep your passwords safe, secure, and strong.
6. Back up important files.
7. Learn what to do in an emergency.
Phishing Scam Videos
http://www.onguardonline.gov/videos/overview.aspx
More Posts
Next page »