March 2010 - Posts
Some interesting statistics from a recent survey.
4.4 percent in China have no AV – that might not be too bad
http://sunbeltblog.blogspot.com/2010/03/44-percent-in-china-have-no-av-that.html
http://www.pcworld.com/businesscenter/article/192994/millions_in_china_have_no_antivirus_software_survey_shows.html
QUOTE: The number for the rest of the world might be 26 percent. There is a story making headlines on the computer security news sources today about estimates that 4.4 percent of Chinese Internet users have no anti-virus software, up from 3.9 percent last year. That’s about 17 million machines. CNNIC said it estimated that 384 million people in China use the Internet.
The version matrix in the first link below provides a visual illustration that IE8 is safer than IE6 or IE7.
MS10-018: Version Matrix illustrates IE8 is safer than past versions
http://blogs.technet.com/photos/msrcteam/images/3322077/original.aspx
FULL MSRC BLOG ENTRY - MS10-018 Released
http://blogs.technet.com/msrc/archive/2010/03/30/security-bulletin-ms10-018-released.aspx
QUOTE: MS10-018 is a typical cumulative update for Internet Explorer and was originally going to be released during the normal update cycle on the 13th of April.
Microsoft issued an out-of-band special security update for all versions of Internet Explorer. While the most critical update applies to IE 6 and 7, there are also some critical updates for version 8. The planned IE cumulative update for April 13, 2010 was released for all users two weeks early.
MS10-018 - Critical Internet Explorer Update
http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx
MSRC - MS10-018 Detailed analysis
http://blogs.technet.com/msrc/archive/2010/03/30/security-bulletin-ms10-018-released.aspx
QUOTE: MS10-018 is a typical cumulative update for Internet Explorer and was originally going to be released during the normal update cycle on the 13th of April.
SANS - Internet Storm Center analysis
http://isc.sans.org/diary.html?storyid=8533
QUOTE: This update resolves 10 different vulnerabilities in Internet Explorer, of which the most severe impact can be execution of arbitrary code. All versions of IE from 5.01 to 8.0 are affected to varying degrees. Both servers and workstations should be updated. The update replaces MS10-002, and addresses the MS Advisory 981374 vulnerability. Time to patch.
Apple patched a record number of vulnerabilities in its latest security release. Mac users should apply these patches promptly to improve their safety.
Apple Mac OSX version 10 - Critical Security update
http://www.computerworld.com/s/article/9174337/Apple_delivers_record_monster_security_update
QUOTE: Apple today patched 92 vulnerabilities, a third of them critical, in a record update to its Leopard and Snow Leopard operating systems. Security Update 2010-002 plugged 92 holes in the client and server editions of Mac OS X 10.5 and Mac OS X 10.6, breaking a record that has stood since March 2008. The update dwarfed any released last year, when Apple's largest patched 67 vulnerabilities.
APPLE SECURITY
http://support.apple.com/kb/HT1222
APPLE SUPPORT DOWNLOADS
http://support.apple.com/downloads/
Microsoft will be releasing a special security update tomorrow for versions 6 and 7 of Internet Explorer. This early release will better protect IE users from current threats circulating in the wild. Please apply these changes as prompted tomorrow to protect your PC. Better yet, move to IE8 if you use Windows XP or Vista.
Internet Explorer - Out of Band Security Update on March 30, 2010
http://blogs.technet.com/msrc/archive/2010/03/29/internet-explorer-cumulative-update-releasing-out-of-band.aspx
Internet Explorer - Out of Band Security Update Details
http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx
The key vulnerability patched is described in Microsoft Security Advisory 981374
http://www.microsoft.com/technet/security/advisory/981374.mspx
QUOTE: This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on March 30, 2010. The bulletin is being released to address attacks against customers of Internet Explorer 6 and Internet Explorer 7. Users of Internet Explorer 8 and Windows 7 are not vulnerable to these attacks.
MSRC BLOG: Additionally, because Security Bulletin MS10-018 is a cumulative update, it will also address nine other vulnerabilities in Internet Explorer that were planned for release on April 13. (Other supported versions of IE could potentially be updated tomorrow.)
This new attack should be avoided, as there is an embedded EXE inside the RTF-based document. Most lawsuits are filed using certified mail.
New Email Attack - Copyright Lawsuit filed against you
http://isc.sans.org/diary.html?storyid=8497
http://isc.sans.org/diary.html?storyid=8500
QUOTE: An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you." We received a copy here and a number of .EDUs have reported its receipt. It looks something similar to:
March 24, 2010
Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013
To Whom It May Concern:
On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010. Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36. The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement. Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.
Sincerely,
Mark R. Crosby
Crosby & Higgins LLP
The law firms named in the email, header, and sending server all appear to be a mish-mash of existing firms. If a user clicks on the link and opens the document, it will attempt to download an additional payload. Currently only a few AV solutions detect the initial document.
Getting the EXE out of the RTF again
http://isc.sans.org/diary.html?storyid=8506
QUOTE: Since we got some mails from readers who had trouble getting the malware extraction technique to work on yesterday's malicious "copyright lawsuit" sample , here's a quick walk-through again on how to carve an EXE out of a DOC or RTF file.
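As an added example (not the SANS walk-through or any code from the diary), the Python below carves an embedded executable out of a document the way a triage analyst would: it looks for an MZ header whose e_lfanew field points at a PE signature, first in the raw bytes (for .doc-style containers) and then inside hex-encoded RTF \objdata runs. The function names and both samples (a constructed RTF lure and a constructed .doc container holding a fake MZ/PE stub) are assumptions made for this example, not the real lure.

```python
import re
import struct

PE_SIG = b"PE\0\0"


def _find_pe(blob):
    """Offset of the first 'MZ' header whose e_lfanew field points at a PE signature, or -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == PE_SIG:
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


# Runs of at least 64 hex byte-pairs, optionally broken by whitespace (RTF wraps \objdata lines).
_HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}\s*){64,}")


def carve_exe(data):
    """Return (container, exe_bytes) for the first embedded PE found, or None.

    container is 'raw' when the PE sits directly in the file (OLE .doc style)
    and 'rtf-hex' when it had to be decoded from an RTF hex-encoded object.
    """
    off = _find_pe(data)
    if off != -1:
        return "raw", data[off:]
    for m in _HEX_RUN.finditer(data):
        hexrun = re.sub(rb"\s+", b"", m.group(0))
        blob = bytes.fromhex(hexrun.decode("ascii"))
        off = _find_pe(blob)
        if off != -1:
            return "rtf-hex", blob[off:]
    return None


def make_fake_pe(trailer=b"-constructed-sample-"):
    """Constructed stand-in for an EXE: a 0x40-byte DOS header whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_SIG + trailer


FAKE_EXE = make_fake_pe()

# Constructed .doc-style container: OLE magic, some filler, then the EXE stored as raw bytes.
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24 + FAKE_EXE + b"\0" * 16

# Constructed RTF lure: the object (a few header bytes, then the EXE) is hex-encoded inside
# \objdata and wrapped at 64 hex characters per line, as RTF writers do.
_hex = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + FAKE_EXE).hex().encode("ascii")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi Copyright lawsuit filed against you. See the attached document.\r\n"
    b"{\\object\\objemb{\\*\\objdata \r\n"
    + b"\r\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64))
    + b"\r\n}}}"
)

if __name__ == "__main__":
    for name, sample in (("doc", SAMPLE_DOC), ("rtf", SAMPLE_RTF)):
        hit = carve_exe(sample)
        print(name, "->", hit[0] if hit else "no embedded PE", len(hit[1]) if hit else 0)
```

The e_lfanew check is what keeps stray "MZ" byte pairs in ordinary text or hex from being reported as an executable.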
In recent problem solving for a couple of old Windows 2000 PCs, I discovered that they had not been updated for a considerable period of time. In manually invoking Windows Update, an error was encountered and the return code was searched on the Internet. The solution that worked for corporate McAfee VSE (versions 7 and 8) was to locate the Windows "SoftwareDistribution" folder and create an exclusion. McAfee locks up when the database object is accessed, preventing Windows Update.
To exclude the Software Distribution folder from McAfee VSE scanning:
1. Launch McAfee VSE Console from start menu
2. Select On-Access Scan and double-click (or select properties)
3. Select All Processes
4. Select Detection tab
5. Select Exclusions button
6. Select Add New button
7. Browse for location of Windows "SoftwareDistribution" folder
8. Check "Also exclude subfolders"
9. Select OK button
10. Select APPLY button
11. Reboot the PC so that the exclusion changes take effect
12. Launch Windows Update manually (and move to Microsoft Update so that Office is also included)
Related Microsoft KB article
http://support.microsoft.com/kb/958048
QUOTE: You receive error code 0xC80001FE when you try to connect to the Windows Update Web site or to the Microsoft Update Web site to install updates. This issue may occur if the Windows Update database is corrupted. Or, it may occur if the McAfee antivirus application is configured to scan the %Windir%\SoftwareDistribution directory. When the McAfee antivirus application scans the .edb file, the antivirus application locks the file. Therefore, Windows Update or Microsoft Update cannot access the file.
This series of Computerworld articles can be helpful in designing security and efficiencies for the WLAN environment.
http://blogs.computerworld.com/15816/3_dumb_mistakes_network_admins_make_when_configuring_wlans_part_1
QUOTE: 3. Excessive SSIDs: Here's the issue with running multiple SSIDs - each radio beacons approximately 10 times per second, per SSID. Therefore, if you have 5 SSIDs in your environment, you have 50 beacons per second, per radio. All of these beacons chew into the available free air time, and thereby lower the amount of available bandwidth.
http://blogs.computerworld.com/15817/3_dumb_mistakes_network_admins_make_when_configuring_wlans_part_2
QUOTE: 2. "Hiding" the broadcast of the SSID: SSID stands for Service Set Identifier. It is the network name that you see when you scan for wireless networks on your computer. There is an option on most access points to "hide" the SSID so its value is absent from beacon frames. In basic supplicant software such as the one that comes embedded in Windows, these networks do not show up as available connection options. Proponents say that disabling the broadcast of the SSID thereby protects the wireless LAN from attack because it adds a layer of defense.
http://blogs.computerworld.com/15818/3_dumb_mistakes_network_admins_make_when_configuring_wlans_part_3
QUOTE: 1. Time slicing wireless intrusion detection: There are two main ways to conduct wireless intrusion detection - one is through a dedicated sensor and the other is through time slicing. Access points that use time slicing take a sliver of time when not servicing stations (laptops, etc.) and scan off channel to provide intrusion detection functionality. One major wireless manufacturer defaults to scanning off channel for 50 milliseconds every 15 seconds. Upon first hearing this statistic, I thought it sounded like a reasonable interval. However, when I extrapolated this information, I realized that comes out to approximately 4.5 minutes of scanning every 24 hour period. That's right, less than 5 minutes of scanning per day! What's the alternative, you ask? Instead of time slicing, you can use dedicated sensors. These sensors scan the network 24 hours a day, 7 days a week, 365 days a year. There are two types of dedicated sensors, embedded or overlay sensors.
The IRS, Census, and many other government agencies do not use email for official contact purposes. These new threats should be avoided.
New Fake IRS Email Notice Leads to ZBOT
http://blog.trendmicro.com/new-fake-irs-email-notice-leads-to-zbot/
QUOTE: TrendLabs senior advanced threat researcher Ivan Macalintal found spammed messages claiming to come from the Internal Revenue Service (IRS). The email message warns recipients of either under-reporting, or not reporting, their incomes in line with the tax season (April). It asks users to click the embedded link to correct the supposed errors.
Please be careful of malicious email or websites related to the college basketball playoffs.
March Madness Malware Spreading via Search Results
http://www.avertlabs.com/research/blog/index.php/2010/03/17/march-madness-malware-spreading-via-search-results/
QUOTE: This is the time of year when basketball fans go online to fill out their bracket selections. While fans are playing with their brackets, hackers are also playing their own game of spamdexing – manipulating search results to promote, in this case, malware-infected sites. At the time of this posting, top search results for terms such as ncaa bracket and march madness predictions are already poisoned. Five out of the first ten hot searches on Google Trends, with ncaa+bracket+blank taking second place, are being promoted by a network of legitimate sites that were hacked to serve malware.
ECMC Data theft impacts 3 million with student loans
ECMC has promptly issued notifications, as noted below. Anyone impacted should watch for any suspicious activity. The stolen portable media contained names, addresses, and Social Security numbers; however, no financial information was compromised.
ECMC Notification to Borrowers of Data Loss
http://www.ecmc.org/details/Announcement.html
Data theft targets 3.3 million with student loans
http://www.msnbc.msn.com/id/36060713/ns/technology_and_science-security/
QUOTE: ECMC, a guarantor of federal student loans, had a theft occur from its headquarters involving portable media with personally identifiable information. The stolen data contained information on approximately 3.3 million individuals and included names, addresses, dates of birth and social security numbers. No bank account or other financial account information was included in the data. ECMC released this information as soon as it received approval from law enforcement authorities.
These testers are top notch in their knowledge of the Windows 7 architecture and its memory management. They used fuzzers, which are automated testing tools, to find vulnerable code that could be used to crash or bypass the Windows security layers.
Hacker busts IE8 on Windows 7 in 2 minutes
http://www.computerworld.com/s/article/9174101/Hacker_busts_IE8_on_Windows_7_in_2_minutes
http://blogs.zdnet.com/security/?p=5855
QUOTE: Jumping through a series of anti-exploit roadblocks, Dutch hacker Peter Vreugdenhil pulled off an impressive CanSecWest Pwn2Own victory here, hacking into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities. Vreugdenhil, an independent researcher who specializes in finding and exploiting client-side vulnerabilities, used several tricks to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two significant security protections built into the Windows platform.
Nils also sidestepped DEP and ASLR in Windows 7 when he exploited the newest version of Firefox later in the day. Like Vreugdenhil, Nils also was awarded the notebook and $10,000. This was Nils' second Pwn2Own victory; last year he grabbed $15,000 by exploiting not only Firefox, but also Safari and IE8. "As usual, Nils' exploit was very thorough," said TippingPoint's Portnoy, who is the organizer of the Pwn2Own contest.
This release was originally slated for 3/30/2010.
Firefox version 3.6.2 released early to correct critical bug
http://www.mozilla.com/en-US/firefox/3.6.2/releasenotes/
http://www.mozilla.org/security/announce/2010/mfsa2010-08.html
QUOTE: Firefox 3.6.2 fixes the following issues found in previous versions of Firefox 3.6:
* Fixed a critical security issue that could potentially allow remote code execution (see bug 552216).
* Fixed several additional security issues.
* Fixed several stability issues.
It is important to stay up-to-date with product versions, especially the free upgrades Microsoft provides to its browser, media player, and other key components. In fact, IE9 is starting to emerge for the Vista and Windows 7 platforms. Companies that don't stay up to date could be locked into legacy application requirements that prohibit them from enjoying the best in security and functional capabilities.
IE6 - Ten reasons companies should upgrade to IE8
http://www.eweek.com/c/a/Enterprise-Applications/10-Reasons-Why-Internet-Explorer-6-Needs-to-Be-Laid-to-Rest-302897/
QUOTE: Internet Explorer 6 needs to be laid to rest and forgotten. Here's why:
1. It's brutally ugly - The interface is extremely difficult to maneuver around and the basic design leaves much to be desired. Granted, it was designed at a time when looks didn't mean as much as they do today, but let's be honest, Internet Explorer 6 was never good-looking.
2. It's underpowered - Internet Explorer 6 is extremely underpowered. In fact, it's one of the slowest browsers on the market currently in wide use. Simply put, Internet Explorer 6 lacks the power and functionality to make it relevant today.
3. Security, anyone? - Security is where the major issue with Internet Explorer 6 resides. Unlike so many other versions of the browser, Internet Explorer 6 was overrun with security issues.
4. Reputation matters - After Internet Explorer 6, the company's reputation was diminished as more and more users saw the browser for what it was: a lost cause.
5. Compatibility - Chances are, several of those sites won't work, thanks to the browser's inability to accommodate so many of the Web's new technologies.
6. Google says goodbye - So, when it announced that it would no longer support Internet Explorer 6 in Google Docs or with YouTube, the company sent a clear message: Internet Explorer 6 is dead. When will the rest of the world realize that?
7. The world hates it - the majority of folks can't stand Internet Explorer 6. It makes sense. As mentioned, the browser has been the culprit behind far too many security attacks.
8. Even Microsoft wants to forget about it - Microsoft has suggested on numerous occasions that it wants users to switch from Internet Explorer 6 to a new version of its browser.
9. It moves users to other browsers - Internet Explorer 6 has been a blessing in disguise for Mozilla's Firefox browser, as well as other competitors like Opera and Google Chrome.
10. It's obsolete - Internet Explorer 6 is obsolete. First and foremost, the browser is old. Secondly, it has been improved upon by Internet Explorer 7 and Internet Explorer 8. Worst of all, it can't compete on any level with the competition.
A malicious attack is circulating in email that claims to be a password reset from Facebook. This email should be avoided as Facebook doesn't conduct security changes in this manner. This attack is designed to compromise your true password and Facebook account.
Facebook - Fake Password Reset email circulating
http://blogs.zdnet.com/security/?p=5787
http://www.facebook.com/security?v=feed&story_fbid=372119944102
http://siblog.mcafee.com/consumer/consumer-threat-alerts/facebook-password-reset-scam-threatens-computers-worldwide/
QUOTE: Facebook Security -- There's another spoofed email going around that claims to be from Facebook and asks you to open an attachment to receive a new password. This email is fake. Delete it from your inbox, and warn your friends. Remember that Facebook will never send you a new password in an attachment. For more information on how to stay safe on Facebook and across the Internet, check out the "Threats" and "Tips" tabs.
Below are updated instructions for MSE installation for 32 bit or 64 bit versions of Windows:
1. Uninstall any previous Anti-virus products (esp. the 60 day trial AV products that may have come with your system)
2. Reboot your system to ensure a clean start
3. Go to the WINDOWS UPDATE site to install all updates for improved protection. There is a Malicious Software Removal Tool which will clean up major virus or spyware infections that could be present on your system.
http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
NOTE: You must also be on SP3 for XP (right-click My Computer and look at Properties to confirm)
4. In order to download MSE, your system must be WGA compliant. At this site, click the VALIDATE button to ensure your system is WGA compliant
http://www.microsoft.com/genuine/
5. Then visit Microsoft Security Essentials (MSE) site and click DOWNLOAD Button
TIP: there is also an Installation Video to guide you through this process, which you can watch first if desired using Media Player
http://www.microsoft.com/security_essentials/
6. Manually download the latest virus definitions. For older 32-bit systems (XP, Vista):
http://go.microsoft.com/fwlink/?LinkID=87342
For newer 64-bit systems (Vista, Windows 7):
http://go.microsoft.com/fwlink/?LinkID=87341
7. After downloading, run MPAM-FE.EXE (32-bit) or MPAM-FEX64.EXE (64-bit). It will automatically install the latest definitions in a couple of minutes. If you have PCs that never connect to the Internet, steps 6 and 7 are a good way of keeping them updated with MSE.
8. Reboot system to ensure MSE starts automatically
9. Launch Microsoft Security Essentials from Start Menu and select FULL SCAN to ensure your system is malware free. This may take an hour or two depending on the size of system. You can let it run unattended.
10. Ensure your system is set for AUTOMATIC UPDATES (the Windows Update process in step 3 above allows you to select this option).
QUOTE: Microsoft Security Essentials is a free download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.
The preview version is primarily targeted at developers to get an early start in supporting this new framework. This very early build is not fully functional yet and is only applicable to Vista SP2 or Windows 7 test PCs.
IE 9 - Platform Preview Version
http://isc.sans.org/diary.html?storyid=8440
http://www.computerworld.com/s/article/9171858/FAQ_Say_hello_to_IE9
http://blogs.zdnet.com/microsoft/?p=5572
QUOTE: Microsoft yesterday unveiled a very early edition of its next-generation browser, IE9. So early, in fact, that it's more "pre" than pre-release, pre-beta or even pre-alpha. Can I run the preview in Windows XP? No - IE9's graphics processor powered-acceleration requires Direct2D and DirectWrite, APIs created for Windows 7, then back-ported last October to Vista Service Pack 2 (SP2).
Official Download site
http://ie.microsoft.com/testdrive/Default.html
If you want to avoid a personal visit by a US Census representative at your residence, it is important to comply with all instructions. Please complete the form accurately and mail it back within a day or two, so that you don't forget it. I just received my forms yesterday and have almost completed them for a family of four. It takes about 5 minutes per person, as I'm trying to write neatly as well.
Please avoid any emails or websites that claim you can complete the Census there. Even in 2010, the US Census strictly operates by US mail or through official census takers only. Below are some excellent tips on avoiding any related scams that may materialize. It is important to know your rights and what to expect in this process. Questionnaires have been mailed to every registered address in the United States. If these are completed accurately and returned promptly, census takers will not need to visit your residence to collect this information.
2010 Census - Better Business Bureau Safety Tips
http://vawest.bbb.org/article/bbb-offers-advice-on-how-to-identify-legitimate-census-workers-12923
US Census Home Page
http://www.census.gov/
US Census - How it works and what to expect
http://2010.census.gov/2010census/how/index.php
QUOTE: Over the next 18 months, 1.4 million U.S. Census workers will be surveying the population of the country to gather demographic information about everyone living here. As the 2010 census process begins, the Better Business Bureau (BBB) advises citizens to cooperate carefully in order to avoid becoming a victim of census-related scams. Citizens are required by law to respond to the U.S. Census Bureau’s requests for information. Census data will be used in allocation of more than $300 billion in federal funds as well as in determining the number of Congressional representatives that each state is allowed.
The BBB offers the following advice to help distinguish between bona fide Census workers and con artists:
• U.S. Census workers will have identification, a handheld device and a confidentiality notice. Caution: never invite strangers into your home.
• U.S. Census workers will not ask for your Social Security number or any information about bank or credit card accounts.
• U.S. Census workers will not ask you for money or say that you owe money.
• U.S. Census workers will not harass or intimidate you.
• U.S. Census workers will not contact you by email – only by phone, by mail or in person.
US Census 2010 - Be careful of online Fraud
http://www.symantec.com/connect/blogs/us-census-2010-don-t-be-counted-victim-online-fraud
QUOTE: The Census Bureau will not be the only ones trying to get our attention and encouraging us to help them collect data. Cybercriminals will be doing the same thing. But they’ll be trying to fool us into thinking they are the Census Bureau. And the data they’ll be collecting will be a little different. It will be personal information they can use to rip us off.
The IC3 reports that the number of online criminal acts grew by 22%, while the amount of loss almost doubled from 2008 to 2009.
IC3 2009 Annual Report on Internet Crime Released
http://www.ic3.gov/media/2010/100312.aspx
IC3 Annual Reports - Home Page
http://www.ic3.gov/media/annualreports.aspx
The Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center (NW3C), released the 2009 Annual Report about fraudulent activity on the Internet today.
2009: 336,655 complaints - $559 million
2008: 275,284 complaints - $265 million
2007: 206,884 complaints - $239 million
2006: 207,492 complaints - $198 million
2005: 231,493 complaints - $183 million
What is the IC3? - The Internet Crime Complaint Center (IC3) was established as a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) to serve as a means to receive Internet related criminal complaints.
This 4 page detailed flowchart is comprehensive in exploring strategies, tactics, and helpful solutions for installing Windows 7 client in the corporate environment. You must be a Tech Republic member to download and view this resource and joining is free to anyone interested.
Windows 7 - Corporate Installation Flowchart
http://downloads.techrepublic.com.com/abstract.aspx?docid=1165753