March 2009 - Posts
Hopefully, as F-Secure notes, nothing major will most likely occur on April 1st, as much is still unknown regarding the new P2P update routines.
http://www.f-secure.com/weblog/archives/00001636.html
Recently, Chrome was to only browser to survive recent the Pwn2Own security testing contest. The code quality, sandbox isolation design, relative newness, and lack of major security testing were all contributing factors. Chrome is also a relatively simple browser lacking many advanced features. Sometimes less flexibility means less manipulation.
I've been beta testing Chrome since it's introduction and like the speed and even the simplicity of design. Still based on this test I'm not going discard IE8 or Firefox 3 as they offer good defense systems. They have stood fairly well from constant attacks and they are patched promptly when issues surface.
PERSONAL COMMENTS ON GOOGLE CHROME'S SECURITY
-- The sandbox isolation design is indeed beneficial from a security perspective
-- Chrome is among the newest browsers written from the ground up and avoids a lot of the legacy issues for W/2000 and supporting prior browser versions (like IE has to do for compatibility)
-- Chrome is somewhat untested in-the-wild. Firefox, IE, Opera, and Safari have been available longer
-- Google has been previously ranked as one of worst companies when it comes to privacy concerns (e.g., their sharing of IP addresses from searches)
-- Chrome has been patched along the way for security issues.
-- Most likely Chrome has been fuzz tested extensively given Google's extensive resources and the code is probably high quality.
-- Still "code is code" and no software product is totally invincible
-- A browser can't save users from themselves (so "think before you click")
Google Chrome - Only browser to survive recent Pwn2Own contest
http://arstechnica.com/security/news/2009/03/chrome-is-the-only-browser-left-standing-in-pwn2own-contest.ars
http://i.gizmodo.com/5177067/chrome-is-the-last-browser-standing-at-pwn2own-hacking-competition
QUOTE: Only Chrome was able to withstand the first day of the event thanks, in large part, to its innovative sandbox feature
Google Sandbox Design contributed to safety
http://google-chrome-browser.com/new-approach-browser-security-google-chrome-sandbox
These updates should be applied promptly, as there have been PDF based attacks in the wild involving JavaScript vulnerabilities.
http://www.adobe.com/support/security/bulletins/apsb09-04.html
QUOTE: Critical vulnerabilities have been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that one of these issues is being exploited (CVE-2009-0658).
Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.4, and users of Acrobat 7 update to Acrobat 7.1.1. For Adobe Reader users who can’t update to Adobe Reader 9.1, Adobe has provided the Adobe Reader 8.1.4 and Adobe Reader 7.1.1 updates.
These updates resolve the issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03. Users who have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action. As of March 24, Adobe has also made available the Adobe Reader 9.1 and Adobe Reader 8.1.4 updates for Unix
Vundo is one of the most prevalent malware agents encountered in-the-wild. A new version will encrypt eligible data file types on a PC and try to trick users into paying to restore files. Symantec offers a free cleaning tool as noted at the bottom that will unencrypt these files.
Vundo - New Ransomware Version encrypts files
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/255
QUOTE: Symantec received news of a new twist in the behavior of Trojan.Vundo. Instead of simply pushing misleading applications and other threats onto the infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation. Rather than just frightening you into believing that you may have problems or threats present on your computer, Vundo now drops a file named fpfstb.dll that attempts to make sure that you do encounter problems on your computer.
Once the files are encrypted, it starts to display messages stating that certain files on the computer are corrupted. If the user attempts to open any of the encrypted files, a message will also appear saying that the file is corrupt. In both windows, a repair option is available.
If the user clicks on repair, a browser window will open to the domain filefixpro.com (now offline). This site offers a program named FileFix Professional (detected as FileFixProfessional), which is supposed to repair the corrupted files. Of course, FileFixPro is not a free application, so you are expected to pay in order to license it for use. FileFix Professional is obviously not what it is cracked up to be—it is, in fact, just another part of this whole scam—it only decrypts the files that its partner in crime (Trojan.Xrupter) has encrypted.
Symantec's free cleaning and decryption tool to restore encrypted files
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixXrupter.exe
Conficker.c - April 1st payload still a mystery to researchers
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130228
QUOTE: PCs infected with Conficker.c, the third version of the worm that first appeared late last year, will use a new communication scheme on April 1 to establish a link to the command-and-control servers operated by the hackers who seeded the malware. The date is hard-coded into the worm, which in turn polls any of a number of major Web sites, including Yahoo, for the date, said Stewart.
"So far, we haven't seen any evidence [on those machines] of what it will do April 1," added Stewart, although that's to be expected. "It's not April 1 yet, so they're not going to put something online, where it might be found. In fact, it's almost a little risky for us to try to look for those sites, since it might give away that we have some bots in their network." Symantec Corp.'s Vincent Weafer, vice president of the company's security response group, agreed with Stewart that it's impossible to know ahead of time what stunt Conficker's controllers will pull next week. "Nobody has any real idea," said Weafer. "There's no indication of what it will do April 1."
Weafer characterized the Conficker.c update as one to "armor and harden the existing infections," and noted that the variant, unlike its predecessors, cannot spread to other PCs. "This variant is very defensive-oriented," said Weafer, "to make it less visible and more resilient." Like Weafer, Stewart sees Conficker.c as a move by the worm's maker or makers to consolidate what's already infected. "The big question is what's the end game?" he said. "Is it just as big as they want it to get?"
Hopefully, Conficker.C won't affect as many people as in the past when more unpatched systems were present. Still on April 1st, a much more robust version of Conficker will become active from its current dormant "sleep" mode. In preparation for this expected outbreak, the Internet Storm Center has updated their excellent list of cleaning and informational resources.
ISC - Updated Conficker Resource Center
http://isc.sans.org/diary.html?storyid=5860
QUOTE: I am hoping that this will allow you to pick and choose the information, removal tool, and more importantly your own path when mitigating Conficker.
This advice differs from most articles. It focuses on internal self improvement and ideas that can help indirectly. These actions may also help relieve some of the job search stress during these difficult times.
Five Things To Do If You Lose Your IT Job
http://www.informationweek.com/news/showArticle.jhtml?articleID=215900165
QUOTE: Laid off. Downsized. Words that are heard often these days. That you would devote a significant amount of your time to finding another job -- as Fleming did -- is a given. But even the most aggressive job hunt won't take all your waking hours. There are only so many jobs ads to answer on Monster.com and Craigslist. Only so many recruiters who will take your calls. So to ward off what Fleming calls "the utter crazies," most unemployed IT workers are finding other outlets for their physical, intellectual, and emotional energy.
KEY SELF IMPROVEMENT TIPS WHILE SEEKING NEW JOB
1. Get Smart: Learn New Skills
2. Jumpstart A New Venture
3. Get In Shape (Physically Fit)
4. Spend More Time With Friends, Family
5. Volunteer To Help Others
You Tube has been actively cleaning malware that poses as complex video clips or games. These posts have links and a message that states "Note, you may need to turn off your Anti-Virus?". This is a dangerous option to take in letting down defenses just to see a video clip and users should avoid these schemes.
Malware asks users to turn off Anti-Virus protection
http://www.f-secure.com/weblog/archives/00001628.html
QUOTE: Today we took another look and found some more videos to flag. This video links to a file called Nintendo_Wii_Points_v2.exe. Wait, what does it say underneath the tooltip? Note, you may need to turn off your Anti-Virus? Right… that doesn't sound at all suspicious.
The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users. A new "C" variant has been developed that's even more potent and stealthier than the two prior variants. It's imperative that Microsoft's MS08-067 patch be applied to all servers and workstations, while the worm is currently dormant.
If it establishes a foothold anywhere in the network, it can even spread to systems that are patched with the MS08-067, if they are insecure in other areas, (i.e., it uses multiple attack methods).
Please take precautions now, as this one will be even more difficult than "B" was to clean.
Conficker.C Worm - Major Attack targeted for April Fools Day
http://techfragments.com/news/629/Software/Downadup_Win32Conficker-C_Worm_Revving_Up_to_Spread.html
http://arstechnica.com/security/news/2009/03/confickerc-primed-for-april-fools-activation.ars
http://www.maximumpc.com/article/news/this_no_joke_confickerc_strike_april_fools_day
http://news.cnet.com/8301-1009_3-10196122-83.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976
QUOTE: Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:
• Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
• Creating access control entries and locking the file(s)
• Registers dummy services using a "one (name) from column A, one from column B, and two from column C" method
To find out what happens when Conficker.C strikes, join us after the jump.
Conficker.C's payload makes it harder than ever to recover from being infected:
• Deactivates Windows Security Center notifications
• Prevents restart in Safe Mode
• Prevents Windows Defender from running at system startup
• Deletes all system restore points
• Disables various error-reporting and security services
• Terminates over twenty security-related processes
• Blocks DNS queries
• Blocks access to security and antivirus websites
• And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).
Conficker.C - Detailed Evaluation by SRI
http://mtc.sri.com/Conficker/addendumC/
QUOTE: Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision to Conficker B. In fact, we estimate that C leaves as little as 15% of the original B code base untouched
Below are some resources for information and cleaning tools for the Conficker worm:
Conficker - Cleaning tips for corporate users
http://msmvps.com/blogs/harrywaldron/archive/2009/01/27/conficker-cleaning-tips-for-corporate-users.aspx
Internet Storm Center - Conficker Resource Center
http://isc.sans.org/diary.html?storyid=5860
Microsoft Resources
http://support.microsoft.com/kb/962007
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
PWN2OWN Contest - Fully patched MAC owned in 10 seconds
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129978
http://blogs.zdnet.com/security/?p=2917
QUOTE: "I can't talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched," said Miller on Wednesday, not long after he had won the prize. "It probably took five or 10 seconds." He confirmed that he had researched and written the exploit before he arrived at the challenge.
The PWN2OWN rules stated that the researcher could provide a URL that hosted his exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. "I gave them the link, they clicked on it, and that was it," said Miller. "I did a few things to show that I had full control of the Mac."
At noon EDT, Microsoft will initially offer the final production version of IE8. It represents a further improvement of it's browser technology in terms of security, functionality, and web standards support. Some precautions in installing this immediately include:
-- Read all dialogs and option selections carefully, instead of simply pressing next
-- Be patient in trying to download this during the next couple days, as the site will most likely be saturated with users
-- Experienced users should download this version initially, in case any technical issues surface that might require recovery. It will later be available to everyone through Windows Update.
-- Corporate users may need to wait for official approval, in case there might be incompatible web applications or software. It's always beneficial to lab test any new software release to ensure all applications are certified
However, based on my own beta testing for several months, this new version will most likely be a high quality product. Users who have been actively beta testing should certainly apply the official version right away, as they've worked through any incompatibilities.
So far, this new version is working well in early usage 
Microsoft's IE8 - Final version available for download today
http://www.eweek.com/c/a/Windows/Microsoft-Ships-Internet-Explorer-8-Browser-184414/
Microsoft's IE8 browser offers cool features, better security, and improved performance.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129906
QUOTE: Internet Explorer 8 has shipped in its final version and is ready to take on its rivals. This latest version of Microsoft's browser leapfrogs its closest competition, Firefox 3, for basic browsing and productivity features -- it has better tab handling, a niftier search bar, a more useful address bar, and new tools that deliver information directly from other Web pages and services. IE8 has also been tweaked for security and includes a privacy mode, new anti-malware protection, and better ways to protect your privacy.
CORPORATE USERS -- IEAK allows an enterprise to configure the browser to meet the company's default settings
Internet Explorer Administration Kit 8
http://technet.microsoft.com/en-us/library/cc817437.aspx
Microsoft Download Site
http://www.microsoft.com/windows/Internet-explorer/download-ie.aspx
TinyURLs allow a lengthly URL to be abbreviated. They are being used by malware writers to make links appear less suspicious. Always be careful with any link you click on, as malware can be automatically downloaded from a malicious website to vulnerable systems.
TinyURL usage becoming more common in Phishing and IM Attacks
http://blog.trendmicro.com/tinyurl-phishing-becoming-popular/
http://blog.trendmicro.com/tinyurl-now-used-in-im-phishing/
QUOTE: As TinyURLs become more and more popular, phishers are also exploiting the URL shortening service this said tool provides. They do this make phishing URLs less suspicious and less obvious than using the exact URL, which could be long and totally unrelated to the site a spammed message purports to be from.
AVERT labs shares a brief article on how malware can add start-up entries to the Windows registry, allowing it to operate even in SAFE MODE. Malware infections that impact the Safe Mode environment are a growing trend.
Windows Safe Mode - How Malware can add start-up entries
http://www.avertlabs.com/research/blog/index.php/2009/03/12/safe-mode-a-misnomer/
QUOTE: If malware gains control of the system, it can add its entry under the above keys to load during a Safe Mode boot. This type of malware is difficult to remove manually; you’ll need an anti-virus product to detect and clean such malware.
These patches are working well on my home and work PCs. MS09-006 is rated as critical and these important updates should be promptly applied.
MS09-006 - Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
Affects: Windows 2000/XP/Server 2003/Vista/Server 2008
Link: http://www.microsoft.com/technet/security/Bulletin/MS09-006.mspx
MS09-007 - Vulnerability in SChannel Could Allow Spoofing (960225)
Affects: Windows 2000/XP/Server 2003/Vista/Server 2008
Link: http://www.microsoft.com/technet/security/bulletin/ms09-007.mspx
MS09-008 - Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)
Affects: WINS and DNS (Server 2000/2003/2008)
Link: http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx
ISC: http://isc.sans.org/diary.html?storyid=5995
Microsoft: http://www.microsoft.com/technet/security/bulletin/ms09-mar.mspx
Secunia:
MS09-008: http://secunia.com/advisories/34215/
MS09-007: http://secunia.com/advisories/34217/
MS09-006: http://secunia.com/advisories/34117/
Users should apply these beneficial security changes:
Firefox 3.0.7 security and stability release now available
http://www.mozilla.com/en-US/firefox/3.0.7/releasenotes/
http://blog.mozilla.com/blog/2009/03/04/firefox-307-security-and-stability-release-now-available/
SECURITY ISSUES ADDRESSED BY v3.0.7
MFSA 2009-11 URL spoofing with invisible control characters
MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-08 Mozilla Firefox XUL Linked Clones Double Free Vulnerability
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
This is an excellent article for corporate IT administrators to consider:
Disaster Recovery - Planning Checklist for Windows Environment
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1349304_mem1,00.html
QUOTE: If your company files were lost, would you be confident that your IT disaster recovery plan complied with applicable legal requirements? Wouldn't it be nice to have a checklist that you could use to determine your disaster recovery plan's level of readiness?
Step 1: Assign disaster recovery responsibility
Step 2: Identify key business processes
Step 3: Document Windows IT processes that need to be incorporated into the DRP
Step 4: Develop the disaster recovery plan
Step 5: Create a budget for disaster recovery activities
Step 6: Test and implement the disaster recovery plan
Step 7: Execute ongoing DRP management activities
The latest 3.0 build 1506 is available and resolves critical security issues. Please be careful with the install process, as there are is now a Foxit toolbar plus ebay linking option that you most likely want to uncheck. Other than those concerns, the upgrade to v3.0 is working great so far.
Foxit Reader v3.0 - Critical security update released
http://www.foxitsoftware.com/pdf/reader/security.htm
http://secunia.com/advisories/34036/
QUOTE: The latest version 3.0 build 1506 of Foxit Reader has been released. Please download the latest version from
http://www.foxitsoftware.com/downloads/
While Google quickly addressed this new issue a few weeks ago, always avoid file attachments and URLs where possible in Instant Messaging systems.
Google Talk - ViddyHo Phishing Scheme uses TinyURL link
http://www.scmagazineus.com/Google-Talk-users-hit-by-phishers/article/127855/
http://www.sophos.com/blogs/gc/g/2009/02/25/gmail-users-hit-viddyho-phishing-chat-attack/
QUOTE: Google said Wednesday it has reigned in a new phishing scam in which attackers were trying to steal usernames and passwords through the company's instant messenger program.
The phishing message arrived as an unsolicited Google Talk message and contained a TinyURL link to a site called “ViddyHo," which asked potential victims to login with their Google Talk or Gmail credentials.
“Potentially a hacker who has grabbed your Gmail password could have accessed your entire address book and scooped up all of your correspondence, including information that you may have archived about other online accounts,” wrote Sophos' senior technology consultant Graham Cluley in a blog post.
IT professionals must know the business and work closely with users for optimal solutions. This good article shares three areas of frequent failure.
Talking business: Three reasons why your opinion is being ignored
http://blogs.techrepublic.com.com/tech-manager/?p=801
QUOTE: In my experience, among the reasons for the voice of IT to be ignored, there are three that transpire in most if not all cases:
-- Lack of business knowledge
-- Using the wrong language
-- Lack of assertiveness
IT leaders and their staff must act assertively, if their words are to have any weight, and establish themselves as the authority in all decision-making involving IT. They must work to address business problems and opportunities, looking at the business content and applying innovative solutions. They must educate their business counterparts on the new developments in the IT and explore their application together.
More Posts
Next page »