Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

November 2009 - Posts

Windows XP SP3 - Rebuild of new system

Recently, our son gave me his former PC after building his own system with high-end hardware (e.g., RAID, 28" display, 1GB graphics card, etc.).  He also loaded Windows 7 on his new system, as he purchased it inexpensively from the book store of the college he is attending.

The rebuild of the older system from scratch went well.  The following tactics were used to save some time and ensure a secure approach against Conficker or other threats circulating on the net.  The strategy was to bring all components up to the latest version and service pack first, to reduce the number of individual updates needed later.  This process greatly reduces the time and complexity of the Microsoft Update process in bringing the system completely up-to-date.

1. Started with base load of Windows XP SP2 (latest version I had on MSDN CD)
2. Re-partitioned and re-imaged C: drive as part of rebuild for a clean install
3. After a successful load, several software products were loaded via USB (IE8, SP3, MP11, WGA client, etc.)
4. Next SP3 was loaded (as it provides years' worth of updates)
5. After rebooting, IE8 was loaded to move to a more secure version of Internet Explorer
6. Next the DSL client was loaded, as there was no Internet connectivity to activate Windows (ensured FW and AV clients were working and up-to-date as well)
7. Windows was activated and this build was also registered
8. Applied WGA client and successfully validated license
9. Loaded Media Player 11 to ensure it was completely up-to-date
10. Next Office 2003 was loaded (plus Front Page, Project, and Visio add-ins)
11. Office 2003 SP3 was loaded to bring it as up-to-date as possible
12. Microsoft Update was then run (while it had over 50 updates for both Windows and Office, this was probably 2-3 times fewer than would be needed otherwise)
13. Performed a second Microsoft Update to review the optional updates for hardware and other enhancements (and selectively applied these)
14. Set up additional accounts with complex passwords
15. Continued to load the rest of the software products
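One way to verify the end state of the rebuild steps above, written as an added example (not code from the original post). On Windows it reads the real registry locations listed; on any other platform it falls back to constructed sample states. The expected values (SP3, IE8, Automatic Updates on "Automatic", Windows Firewall on) are this example's assumptions about the finished build.

```python
"""Post-rebuild verification for a Windows XP build (added example)."""
import sys

# Expected end state of the finished build (this example's assumptions:
# SP3, IE8, Automatic Updates set to "Automatic", Windows Firewall enabled).
EXPECTED = {"service_pack": "Service Pack 3", "ie_major": 8,
            "au_options": 4, "firewall_enabled": 1}

# HKLM registry locations for each value; contents vary per machine.
# AUOptions: 1 = disabled, 2 = notify, 3 = download then notify, 4 = automatic.
REG_PATHS = {
    "service_pack": (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "CSDVersion"),
    "ie_version": (r"SOFTWARE\Microsoft\Internet Explorer", "Version"),
    "au_options": (r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update",
                   "AUOptions"),
    "firewall_enabled": (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                         r"\FirewallPolicy\StandardProfile", "EnableFirewall"),
}


def read_live_state():
    """Read the values above from the local registry (Windows only)."""
    import winreg  # standard library module, present only on Windows
    state = {}
    for name, (path, value) in REG_PATHS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                state[name] = winreg.QueryValueEx(key, value)[0]
        except OSError:
            state[name] = None  # key or value absent: reported as a finding
    return state


def assess_build(state):
    """Compare a state dict against EXPECTED and return a list of findings."""
    findings = []
    if state.get("service_pack") != EXPECTED["service_pack"]:
        findings.append("service pack is %r, expected %r"
                        % (state.get("service_pack"), EXPECTED["service_pack"]))
    version = str(state.get("ie_version") or "0")
    try:
        ie_major = int(version.split(".")[0])
    except ValueError:
        ie_major = 0
    if ie_major < EXPECTED["ie_major"]:
        findings.append("Internet Explorer %s installed, expected %d.x or later"
                        % (version, EXPECTED["ie_major"]))
    if state.get("au_options") != EXPECTED["au_options"]:
        findings.append("Automatic Updates AUOptions is %r, expected %d"
                        % (state.get("au_options"), EXPECTED["au_options"]))
    if state.get("firewall_enabled") != EXPECTED["firewall_enabled"]:
        findings.append("Windows Firewall standard profile is not enabled")
    return findings


# Constructed sample states (not captured from a real machine).
SAMPLE_AFTER_BASE_LOAD = {"service_pack": "Service Pack 2",
                          "ie_version": "6.0.2900.2180",
                          "au_options": 2, "firewall_enabled": 1}
SAMPLE_FINISHED = {"service_pack": "Service Pack 3",
                   "ie_version": "8.0.6001.18702",
                   "au_options": 4, "firewall_enabled": 1}

if __name__ == "__main__":
    state = read_live_state() if sys.platform == "win32" else SAMPLE_FINISHED
    for finding in assess_build(state) or ["build matches the expected state"]:
        print(finding)
```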

Christmas and other holiday themed malware spam attacks

Malware writers are already starting spam runs to infect vulnerable PCs.  Stay up-to-date on all AV protection and Windows updates.

HO HO HO Santa has a virus for you
http://www.sophos.com/blogs/sophoslabs/v/post/7584

QUOTE: This one was Christmas themed, normally we would expect Thanksgiving themed spam before the Christmas glut. The spam has a subject of “HO HO HO Santa has the best offer of the year for you”

Fourth Tuesday of Month may be a Patch Tuesday also

This may better explain the recent non-security patches last Tuesday.

Fourth Tuesday of Month may be a Patch Tuesday also
http://blogs.pcmag.com/securitywatch/2009/11/the_other_patch_tuesday_is_the.php

QUOTE: Everyone knows about Patch Tuesday on the second Tuesday of the month, but it's less-known that Microsoft regularly releases non-security updates on the 4th Tuesday of the month. You might have noticed Automatic Updates rebooting your system with several non-security updates just this Tuesday.
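A small helper for deciding whether an observed update or reboot date falls in the second-Tuesday security window, the fourth-Tuesday non-security window described above, or neither. This is an added example, not code from the original post or from PCMag; the one-day grace period is this example's assumption about how soon Automatic Updates installs a release.

```python
"""Patch Tuesday calendar helper (added example, not from the original post)."""
import calendar
import datetime as dt


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday (calendar.MONDAY .. calendar.SUNDAY) in a month."""
    first = dt.date(year, month, 1)
    offset = (weekday - first.weekday()) % 7   # days from the 1st to the first such weekday
    day = 1 + offset + 7 * (n - 1)
    if day > calendar.monthrange(year, month)[1]:
        raise ValueError("%04d-%02d has no %d-th weekday %d" % (year, month, n, weekday))
    return dt.date(year, month, day)


def patch_windows(year, month):
    """Second Tuesday (security bulletins) and fourth Tuesday (non-security updates)."""
    return {"security": nth_weekday(year, month, calendar.TUESDAY, 2),
            "non_security": nth_weekday(year, month, calendar.TUESDAY, 4)}


def classify(observed, grace_days=1):
    """Label the release window an observed update/reboot date falls in.

    observed: datetime.date or ISO date string.  Assumption (this example's):
    Automatic Updates applies a Tuesday release within grace_days of that Tuesday.
    """
    if isinstance(observed, str):
        observed = dt.date.fromisoformat(observed)
    for label, tuesday in patch_windows(observed.year, observed.month).items():
        if 0 <= (observed - tuesday).days <= grace_days:
            return label
    return "out_of_band"


if __name__ == "__main__":
    # November 2009, the month this post discusses
    for label, day in patch_windows(2009, 11).items():
        print("%-13s %s" % (label, day))
    for date in ("2009-11-10", "2009-11-18", "2009-11-25"):
        print(date, "->", classify(date))
```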

I dug a little more and found some references to the policy:

Trend Micro - SPAM Email Safety Tips

Trend Micro - SPAM Email Safety Tips
http://blog.trendmicro.com/don%e2%80%99t-give-spammers-a-reason-to-be-thankful/

QUOTE: Users are strongly advised to be wary of online offers. Here are some useful dos and don’ts that will help you stay safe from spammers and scammers on the Web:

EXCELLENT SAFETY TIPS

-- Do not open emails that come from senders you do not personally know
-- Do not click links embedded in emails. To check if these are legitimate, you may use free tools such as Trend Micro’s Online URL Query
-- Do not rashly give out your personal credentials online. You may end up just being another phishing victim
-- Do keep in mind that legitimate offers are only sent to subscribers
-- Do remember, too, that cybercriminals will do anything for money so stay safe online by using a security suite that stops threats before they even reach you.

ADDITIONAL SAFETY LINKS

  • Social Engineering Watch: Summer
  • ’Tis the Season to Stay Secure
  • Holidays for Hackers

Graham Cluley Blog - IT Security Blog of Year

This blog, hosted by Sophos, is an excellent resource. I've bookmarked it as a regular resource for IT Security developments.

Graham Cluley Blog - IT Security Blog of Year
http://www.sophos.com/blogs/gc/
http://www.sophos.com/blogs/gc/g/2009/11/26/crumbs-great-night-computerweekly-blog-awards/

Tiger Woods Car Accident - Malware Video Links surface

Major news events are used to set up fake email or website lures that may infect user PCs with malware.  Please avoid email links and only use mainstream sites to research news (e.g., CNN, USA Today, Fox, etc.).

Tiger Woods Car Accident - Malware Surfacing
http://www.sophos.com/blogs/gc/g/2009/11/28/hackers-exploit-tiger-woods-car-accident-spread-malware/

QUOTE: Cybercriminals have wasted no time taking advantage of the news that the world's number one golfer, Tiger Woods, has been involved in a car accident outside his house in Florida. Hackers have created webpages claiming to contain video content related to the accident where Tiger Woods reportedly crashed his car into a fire hydrant and tree as he left his home at 02:25 local time.

Flu Season -- Keep PC and desk area clean

With a more severe flu season (e.g., H1N1), many users don't realize their PCs, telephones, and desks could become a primary place for germs to collect. The keyboard, mouse, touch screens, or other devices may be neglected in the cleaning process.  Techs who support user PCs may want to use dry wipes or other cleaners to stay safer.  I often clean my PC on work and home systems and found some good related articles, as I just cleaned our family PC this morning.

Office PCs and Desk area can contain lots of germs
http://www.google.com/search?hl=en&q=keyboard+germs
http://www.cnn.com/2004/HEALTH/12/13/cold.flu.desk/index.html

QUOTE: Office toilet seats had 49 germs per square inch, he found. But desktops had almost 21,000 ... Phones were worse -- more than 25,000 germs per square inch.

Cleaning Tips
http://www.google.com/search?hl=en&q=keyboard+germ+cleaning
http://www.sixwise.com/newsletters/06/05/10/computer-keyboard-germs-your-fingers-arent-the-only-things-dancing-all-over-your-computer-keyboard.htm

CLEANING TIPS:
1. Only clean when devices are turned off to avoid short-circuiting
2. Do not apply too much water or cleaner onto the sponge or paper towel
3. Lightly clean keys or other devices several times
4. In tests, even plain water works well, plus there are special cleaners available
5. Allow surfaces to dry before powering back on

AVERT Labs - Password Security Tips

Some excellent suggestions can be found on password management in this article.  The Microsoft security password checker is

Some key considerations are:

• Don't use the same universal password for all sites.  When one is discovered, all accounts may be compromised.
• Use password complexity. Microsoft has a good website to test passwords (see link at bottom). I avoid creating highly complex passwords as noted in the article.  However, I always mix case, letters, and numbers. I've also started using '-' (dash) and '$' as special characters to create passwords that are meaningful but not too cryptic.
• Keep password master lists secure.  Hide them carefully and name any electronic versions so that they will not be easily discovered.
• Change passwords on a regular basis. Incrementing passwords (e.g., Rainbow03, Rainbow06, Rainbow09) is one technique to help recall past ones and stay safe (esp. if you don't increment by 1).
• Avoid sharing your passwords with others.  Be careful when responding to email or websites requesting it.

AVERT Labs - Password Security Tips
http://www.avertlabs.com/research/blog/index.php/2009/11/25/make-your-password-secure/

QUOTE: No matter how sophisticated security gets, we still need to handle the basics properly. One of the most basic tasks is to create and use secure passwords. You need them to log onto your computer, reach internal applications, and enter just about every website you visit. They are pervasive in our connected world.

MICROSOFT SECURITY PASSWORD CHECKER
(you can enter passwords here for testing)
http://www.microsoft.com/protect/fraud/passwords/checker.aspx
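To show why the class mixing recommended above matters, here is an added example (not the Microsoft checker's code, and not from the AVERT article) that estimates the brute-force search space of a password from its length and the character classes it uses, and that finds the sites sharing one password. The pools, the rating thresholds, and the sample values are this example's own constructions.

```python
"""Password complexity estimator (added example; not the Microsoft checker's code)."""
import math
import string

# One character pool per class the post mentions (assumption: a brute-force
# guesser must search every class that appears in the password).
POOLS = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32, includes '-' and '$'
}


def character_classes(password):
    """Set of class names present in the password ('other' for anything else)."""
    present = set()
    for ch in password:
        for name, pool in POOLS.items():
            if ch in pool:
                present.add(name)
                break
        else:
            present.add("other")
    return present


def entropy_bits(password):
    """Search-space estimate in bits: length * log2(combined pool size)."""
    size = sum(len(POOLS[c]) for c in character_classes(password) if c in POOLS)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def rate(password):
    """Coarse rating; the thresholds are this example's choice, not Microsoft's."""
    bits = entropy_bits(password)
    if len(password) < 8 or bits < 40:
        return "weak"
    if bits < 60:
        return "medium"
    return "strong"


def shared_passwords(accounts):
    """Given {site: password}, return groups of sites that share one password.

    Each group is the set of accounts exposed if that one password is discovered.
    """
    by_password = {}
    for site, password in accounts.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


# Constructed sample values, not anyone's real passwords.
SAMPLE_ACCOUNTS = {"bank": "Rain-bow$03", "webmail": "Rainbow03",
                   "forum": "Rainbow03", "shopping": "rainbow"}

if __name__ == "__main__":
    for site, password in SAMPLE_ACCOUNTS.items():
        print("%-9s %-12s %5.1f bits  %s"
              % (site, password, entropy_bits(password), rate(password)))
    print("shared across:", shared_passwords(SAMPLE_ACCOUNTS))
```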

Windows Update - Out of Band Enhancements (11/25/09)

The ISC has a great summary related to important updates that should be applied to keep Windows updated.  These are more functional than security related.  This may be the reason they were published outside the Patch Tuesday process.  I've experienced no issues after applying these changes (which required rebooting).

Microsoft Updates requiring reboot
http://isc.sans.org/diary.html?storyid=7645

QUOTE: We've been informed by several readers that they've received updates from Microsoft in the last 24 hours (via Automatic Update or similar) that required a reboot.  Microsoft has apparently updated several of their bulletins.  Two of them are related to previous updates MSXML (v3.0 or v6.0), one with MSXML Core Services 4.0 SP2, one is additional daylight saving time updates, and the 4th is also daylight saving time-related and has to do with an error in the Date and Time control panel on Vista and Windows Server 2008.  While it isn't unusual for Microsoft to make some minor updates to bulletins and patches (especially detection fixes) at times other than "Patch Tuesday" some of our readers (and some of us, handlers) were surprised by updates that required reboot.

References:
Microsoft KB 973685
Microsoft KB 973687
Microsoft KB 973688
Microsoft KB 976098
Microsoft KB 976470

New IE 6/7 vulnerabilities and exploit code (977981)

Microsoft is currently evaluating this new vulnerability, and zero-day exploit code has been published.  Please be careful at all websites and move to IE8 if possible, as it's more secure. Many AV products have implemented protection.

Microsoft Security Advisory 977981 - IE 6 and IE 7
http://isc.sans.org/diary.html?storyid=7633

QUOTE: Microsoft has released Security Advisory 977981.  It details vulnerabilities in Internet Explorer 6 and 7 on various operating systems.  The advisory does not provide any patches or new versions at this point, but does provide several recommendations for mitigation.

Microsoft Security Advisory (977981)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/977981.mspx

IE6 and IE7 0-Day Reported
http://isc.sans.org/diary.html?storyid=7624
http://www.symantec.com/connect/blogs/zero-day-internet-explorer-exploit-published

Conficker - Why it can happen again

While I disagree with many of the specific reasons noted in the article, I agree with the overall premise that it can happen again.  Folks need to stay patched up and protect their systems with multiple layers of defenses.  There are certainly improvements there, but there's also a greater need for more participants in the process.

It was estimated that only 1/3 of all PCs had the proper patches in place weeks after they were available when the first variant of Conficker appeared in the wild.  There's not been a substantial improvement in folks staying patched up, although many have learned valuable lessons.

Conficker - Why it can happen again
http://www.eweek.com/c/a/Security/10-Reasons-Why-Conficker-Can-Happen-Again-103283/

QUOTE: The Conficker worm affected users nearly one year ago. But now that it has left the headlines, there might be a false sense of security in the Windows ecosystem. There shouldn't be. Even the most up-to-date security programs are hard-pressed to keep up with the latest threats. There are countless millions of PCs and thousands of applications that aren't protected by the latest security software or have never been patched to close known security flaws. There is no telling when some new virus or Trojan as cunningly malicious as Conficker will appear.

It was just under a year ago that the Conficker worm was first detected. It was ravaging Windows PCs all over the world. The worm exploits Windows flaws to link the host computer to virtual command that can be controlled by the worm's remote authors. Conficker still controls millions of computers all over the world.

New iPhone Worm attempts to build botnet

History repeats itself, as safety trade-offs occur when a product's security layers are altered for ease-of-use or greater functionality.  There is very limited exposure to this new threat, which F-Secure is currently analyzing.  It only impacts devices where Apple's original security safeguards for the iPhone are intentionally altered through a process called "Jailbreaking".

New iPhone Worm attempts to build botnet
http://www.f-secure.com/weblog/archives/00001822.html

QUOTE: It only affects Jailbroken iPhones which have SSH installed and have not changed the default password.  This one connects to a web-based command & control center running in Lithuania. The worm is not widespread, but it is much more serious than the first iPhone worm as it seems to try to steal information from the devices.

Ikee - First iPhone Worm impacts "Jailbroken iPhones"
http://www.f-secure.com/weblog/archives/00001814.html

What are "Jailbroken iPhones"?
http://en.wikipedia.org/wiki/Jailbreak_%28iPhone_OS%29

How to change root password in "Jailbroken iPhones"
http://www.f-secure.com/weblog/archives/cydia.htm

Panda Cloud Antivirus - New Design Approach

Cloud computing is a new paradigm where processing formerly done on the PC is performed by the cloud service provider.  Panda has implemented an interesting design where files are sent to their Internet cloud facilities for malware testing and cleaning.  While it solves the problem of staying on the latest AV definitions, the design relies on high-speed Internet connectivity. It will be interesting to follow future developments for this new design.

Panda Cloud Antivirus Free Edition 1.0 - SUMMARY
http://www.pcmag.com/article2/0,2817,2355827,00.asp

Panda Cloud Antivirus Free Edition 1.0 - FULL REVIEW
http://www.pcmag.com/article2/0,2817,2355828,00.asp

QUOTE: Panda Cloud Antivirus Free Edition 1.0 (free for personal use) aims to head off disaster by pushing its malware detection activity into the cloud, eliminating the need for local signatures. Panda likes to call it "the first antivirus without an update button." It's a powerful defender against malware attacks—and it's free.

PROS: Free. Small download. Fast install. No updates needed. Extremely effective at keeping malware out of a clean system. Detected all malware samples on infested test systems. Attractive user interface.

CONS: Can't function properly without Internet connection. Failed to remove huge amounts of malware traces from threats it detected.

Windows 7 and Server 2008 R2 - SMB denial of service attack exploit

A denial-of-service creates an endless loop where PCs or servers become unresponsive. The Windows 7 security system will prevent malware infections of the system itself for this specific attack.  An affected system could lock up and require rebooting if an attack were successful.

These attacks may spike CPU utilization to 100% or overwhelm the system with intense network traffic.  Windows 7 and Server 2008 R2 users should keep automatic updates enabled and monitor developments for a forthcoming patch.  Keeping your firewall enabled and AV protection in place also provides protection for currently unpatched systems.

Windows 7 and Server 2008 R2 - SMB denial of service attack exploit
http://www.microsoft.com/technet/security/advisory/977544.mspx
http://blogs.technet.com/msrc/archive/2009/11/13/microsoft-security-advisory-977544-released.aspx
http://isc.sans.org/diary.html?storyid=7597
http://isc.sans.org/diary.html?storyid=7573

QUOTE: This is a DoS vulnerability that is unrelated to Microsoft Security Bulletin MS09-050 which addressed a remote code execution vulnerability in the SMBv2 protocol. This vulnerability would not allow an attacker to take control or install malware on a user's system, but could cause the affected system to stop responding until manually restarted.

MSRC - Excellent site to monitor further developments
http://blogs.technet.com/msrc/

MaCatte Antivirus - New Rogue copies McAfee AV interface

Rogue security products are popular methods of attack, as evidenced by AntiVirus 2009.  These Fake AV scams are designed to steal money from users by tricking them into thinking they are installing legitimate software.

These Fake AV products present users with constant pop-ups and request that they pay around $39 to register the product so the PC can be cleaned.  These Fake AV products are actually malware and are to be avoided.  Any infected user should search for a cleaning tool to remove Fake AV products. To avoid infections, users should be careful in the websites they visit and stay patched up on every product (esp. Windows and Adobe Flash).  Moving to the latest version of Internet Explorer, Firefox, Opera, etc. is also a good way to help prevent infections.

Rogue Security Product Copies McAfee's Look and Feel
http://www.avertlabs.com/research/blog/index.php/2009/11/10/rogue-security-product-copies-mcafees-look-and-feel/

QUOTE: Recently we have seen the rapid growth of rogue anti-virus/spyware programs. This one is especially interesting. Why? Because it mimics McAfee's security product. This rogue software displays the same user interface as McAfee Security Center. It also offers a web page that looks similar to McAfee's legitimate site.

The idea behind fake AV software is to trick unsuspecting users into thinking their machines are infected. The malware will display a window that shows many innocent files detected arbitrarily as compromised. These fake security alerts are baseless; they exist to trick victims into pressing the panic button. In this case agreeing to "Remove all threats now" will lead to purchasing the MaCatte Antivirus 2009 product. The rogue software offers several "features":

• It displays fake warning messages and "Safety Center Alert" pop-ups
• It flashes icons that appear in the system tray
• It hijacks the browser's homepage to a site that mimics McAfee's site

Oracle Quarterly Security Updates - October 2009

Oracle highly recommends that DBAs and System Administrators apply these patches across a wide range of products promptly.

Oracle Critical Patch Update Advisory - October 2009
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html

QUOTE: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 38 new security fixes across all products.

Microsoft Security Updates - November 2009

Very important security updates are available for Windows and Office. These should be promptly applied to protect from exploits and malicious code that could be reverse engineered in the near future.

Microsoft Security Updates - November 2009
https://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx

ISC - Excellent Summary of this month's Patch Tuesday updates
http://isc.sans.org/diary.html?storyid=7564

SANS - Summary of 31 tips for better PORT security

Each year the Internet Storm Center picks a theme for improved security awareness and publishes an article per day during Cybersecurity awareness month (October).  These are excellent resources for any professional in IT Security:

SANS - Summary of 31 tips for better PORT security
http://isc.sans.org/diary.html?storyid=7504

QUOTE: This year we examined 31 different ports/services/protocols/applications and discussed some of the major security issues.  Many readers submitted comments, tips, and tricks for securing them.

1 - Port 445 - SMB over tcp
2 - Port 0
3 - Port 5900 - VNC
4 - Port 20/21 - FTP-data/FTP
5 - Port 31337 - trojan horses
6 - Ports 67&68 udp - bootp and dhcp
7 - Port 6667/8/9/7000 - IRC
8 - Port 25 - SMTP
9 - Port 3389 - RDP
10 - The Questionable Ports
11 - Port 111 - RPCBind aka Portmapper
12 - Ports 161/162 - Simple Network Management Protocol (SNMP)
13 - Ports 3128, 8080 & .... - Proxies
14 - Port 514 - syslog
15 - Ports 995, 465, and 993 - Secure Email
16 - Port 1521 - Oracle TNS Listener
17 - Port 22 - SSH
18 - Port 23 - Telnet
19 - ICMP
20 - Ports 5060 & 5061 - SIP (VoIP)
21 - Port 135 - MS DCE locator
22 - Port 502 - Modbus
23 - Port 179 - Border Gateway Protocol
24 - Ports 1-20 and 37 - The Small Services
25 - Port 80 and 443 - Web services
26 - Ports 1433/1434 - MS SQL
27 - Ports 135, 137, 138, 139, ... - MS Active Directory Ports
28 - Port 123 - ntp
29 - Port 53 - dns
30 - Ports 47, 50, 500, 1723, 4500, ... - The "Common" IPSEC VPN Protocols
31 - Port 113 - ident

Below are links to prior years' best practices shared by the Internet Storm Center during Cybersecurity awareness month:

SANS - 2008 Security Incident Handling tips
http://isc.sans.org/diary.html?storyid=5279

SANS - 2007 Cybersecurity Awareness tips
http://isc.sans.org/diary.html?storyid=3597

McAfee - New Corporate and Home Support Forums

In 1997, our company adopted McAfee as the AV standard for all PCs and servers.  Even during these early years of the Internet, they were one of the first AV vendors to use public forums to leverage support costs.  I've been a member of these forums for over a dozen years, primarily sharing security news and safe practices.  In November 2009, McAfee implemented a state-of-the-art community forum environment, which includes home and corporate product support forums, security awareness forums, and other resources.

NOW LIVE! McAfee Online Support Community
http://www.avertlabs.com/research/blog/index.php/2009/11/04/now-live-mcafee-online-support-community/

QUOTE: The McAfee Online Support Community gives you a way to interact with other McAfee business users to ask questions and share best practices. Additionally, you'll be able to talk with McAfee professionals about McAfee products, security awareness issues, and emerging trends — plus give us feedback on product and service enhancements.

McAfee - Home Page for New Community Forums
http://community.mcafee.com/

Kim Komando - Windows 7 and Security

I've been a fan of Kim's talk radio show for years.  On Saturday, I can listen on my walkman while working outdoors and catch up on some of the latest developments.  Computers are complex and she shares developments and best practices in an easy-to-understand approach for the public.  Below is a great write-up on how security is improved in Windows 7.

Kim Komando - Windows 7 and Security
http://www.komando.com/tips/index.aspx?id=7584

QUOTE: QUESTION -- I've read a lot about the new features in Windows 7. But, I haven't heard much about Windows 7 and security. What new security features are in Windows 7? Is it safer than Vista? — Mike in Boston, listening on WBZ 1030 AM  (Highlights noted below)

First, Microsoft has taken steps to protect the Windows 7 kernel. Windows 7 does not allow unauthorized access to the kernel.

They include a firewall and anti-spyware. You can also download Windows Security Essentials, a free antivirus program.

Windows 7's firewall has been improved. As with the firewall in earlier versions of Windows, it isn't perfect. But, advanced firewall options can be accessed through the Action Center. That makes it easier to control what programs are allowed to communicate through the firewall.

In Windows 7, UAC has been tweaked and is much more user-friendly. You can select the UAC settings you prefer.  If a page tries to install software or change settings, you'll see the alerts. Obviously, UAC isn't a new feature. But, it has finally become useful for most users.

You probably saw Vista machines with fingerprint scanners. These relied on third-party software. With Windows 7, biometric security is baked in. You can use it to allow access to the machine. The Biometric Devices applet is available in Control Panel. This lets you configure your fingerprint reader.

You may have noticed that the Security Center is missing from Windows 7. In its place, you get the Action Center. This is where the computer's security is configured. You can also specify your Windows Update preferences.

There are also a bevy of new security features in Internet Explorer 8. This is the browser included with Windows 7. First, there's domain highlighting. This helps you see the relevant part of the URL. ActiveX security has also been improved.  IE 8 also features the XSS Filter. This is designed to protect you from cross-site scripting attacks.

Anti-phishing tools have also been beefed up. The SmartScreen Filter has a new look and improved performance. It can also add anti-malware support. It will block you from downloading known malware.
