May 2010 - Posts
Security is also improved in the latest version of Office, in addition to the improvements in the Office interface. Like Windows 7, the Office 2010 interface was designed with the user in mind.
Office 2010 - New Security Features
http://blogs.pcmag.com/securitywatch/2010/05/security_and_office_2010.php
Office 2010 - Technet Security Home (numerous links)
http://technet.microsoft.com/en-us/library/cc179135.aspx
Office 2010 - Security Overview
http://technet.microsoft.com/en-us/library/cc179050.aspx
QUOTE: Four of the new controls help harden and reduce the attack surface and help mitigate exploits. These new controls include the following:
1. Data Execution Prevention (DEP) support for Office applications: A hardware and software technology that helps harden the attack surface by preventing viruses and worms that exploit buffer overflow vulnerabilities from running.
2. Office File Validation: A software component that helps reduce the attack surface by identifying files that do not follow a valid file format definition.
3. Expanded file block settings: Settings managed in the Trust Center and through Group Policy that help reduce the attack surface by providing more specific control over the file types that an application can access.
4. Protected View: A feature that helps mitigate attacks by enabling users to preview untrusted or potentially harmful files in a sandbox environment.
Check Point has also improved the ZoneAlarm user interface to avoid technical terminology that users may not be familiar with. The approach is to reduce the number of warnings shown to the user and to flag only the actions that genuinely need attention.
Free ZoneAlarm Firewall Gets Smart
http://blogs.pcmag.com/securitywatch/2010/05/free_zonealarm_firewall_gets_s.php
ZoneAlarm 9.2 - Free version of Firewall improved
http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm
QUOTE: It's true that the free firewall hasn't gotten a lot of love in the last few years as the company focused more on top-tier products like their ZoneAlarm Extreme Security 2010 mega-suite. That's not to say the free firewall was anything but effective. It's just that users are no longer so accepting of a firewall that pops up dozens of cryptic questions. "Hey boss! Something called 'Generic Host Process for Win32 Services' wants to access.
Hooray! The new ZoneAlarm Free Firewall 9.2 ditches popup overload by relying on the same SmartDefense Advisor technology used by the paid editions. On those rare occasions when it does ask you what to do, pay attention! It doesn't ask unless there's something weird about the program.
ZoneAlarm Extreme Security 2010 Review
http://www.pcmag.com/article2/0,2817,2353127,00.asp
The article below includes several links describing new features in the Office 2010 suite.
Weighing Microsoft Office 2010
http://searchenterprisedesktop.techtarget.com/generic/0,295582,sid192_gci1511832,00.html
QUOTE: Microsoft Office 2010 offers a slew of new features for both end users and IT pros, including Web-based versions of Word, PowerPoint, Excel and OneNote, and online collaboration and document sharing capabilities that previously users could only get from the competition. The suite was released to enterprises May 12, 2010. The consumer version will be released June 15, 2010.
New Features in Outlook 2010?
http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1379572,00.html
New Features in Word 2010?
http://www.notebookreview.com/default.asp?newsID=5623&review=Microsoft+Word+2010+Review+Whats+New+in+Word+2010
New Features in Excel 2010?
http://www.notebookreview.com/default.asp?newsID=5630&review=Microsoft+Excel+2010+Review+Whats+New
New Features in Powerpoint 2010?
http://www.notebookreview.com/default.asp?newsID=5634&review=Microsoft+PowerPoint+2010+Review+Whats+New+in+PowerPoint+2010
All major browsers flag invalid or untrusted certificates on HTTPS connections. The latest development version of Chrome attempts to make these warnings more visible, so that users avoid visiting potentially forged sites. While IE8 also flags these issues well, users may still ignore the warnings and visit potentially dangerous sites during phishing attacks.
Arrgh! Yer Certificate Be Broken Matey!
http://blogs.pcmag.com/securitywatch/2010/05/arrgh_yer_certificate_be_broke.php
QUOTE: The latest development version of Google's Chrome web browser adds a skull and crossbones to the address bar when an error in an SSL certificate is detected. Previous versions just put a red slash through the "https". Getting users to notice certificate errors and take them seriously is an important web security issue, as users have become too accustomed to ignoring errors.

IE8 offers a more secure browsing experience, with several safety defenses built in as well as improved functionality. Still, IE6 remains the second most popular browser version in use on the Internet today. All home and corporate users would benefit from moving to this more secure and better supported browser version.
Microsoft really wants to eradicate IE6
http://sunbeltblog.blogspot.com/2010/05/microsoft-really-wants-to-eradicate-ie6.html
QUOTE: Microsoft actually has someone in charge of moving millions of Internet Explorer 6 users to a version of the browser that is safer. Ryan Gavin, the head of Microsoft’s Internet Explorer business group told PCPro "Part of my job is to get IE6 share down to zero as soon as possible."
NetMarketShare lists the top browsers
http://www.netmarketshare.com/browser-market-share.aspx?qprid=2
IE 8 = 25%
IE 6 = 18%
FF 3.6 = 15%
IE 7 = 12%
FF 3.5 = 6%
Chrome 4 = 5%
Safari 4 = 4%
Move away from IE6 for better Internet safety
http://sunbeltblog.blogspot.com/2010/02/are-you-reading-this-with-internet.html
Rootkits are advanced malware that are highly stealthy and difficult for AV products to detect. TDSS is one of the most advanced Windows rootkits in circulation, and it is difficult to clean (a rebuild of the system is usually recommended). The latest Mebroot variant uses an installation process similar to that of TDSS. Malware authors often reuse advanced techniques that have proven successful in other families when building new variants.
Mebroot Variant Behaves Like TDSS
http://blog.trendmicro.com/mebroot-variant-behaves-like-tdss/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MEBROOT.SMC
QUOTE: The TDSS malware family in itself is already a big threat to users. Known for its rootkit capabilities, TDSS constantly evolves to include more sophisticated means in order to hide its presence in an affected system. The Mebroot malware family, on the other hand, is noted for inflicting master boot record (MBR) infections. The move to acquire other malware shows that Mebroot variants are becoming more creative in crafting techniques to infect users’ systems and to hide their routines. As such, it is possible for new variants and other malware families to team up in the future.
Additional links related to TDSS include:
Trend: TDSS Research Report
http://threatinfo.trendmicro.com/vinfo/articles/securityarticles.asp?xmlfile=111209-TDSS.xml
Users infected with TDSS experienced BSOD issues after installing the MS10-015 update in February 2010
http://blog.trendmicro.com/windows-update-triggers-bsod-errors/
http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx
Trend Micro offers an insightful review of how Koobface (an anagram of Facebook) continues to survive despite the efforts of security firms to stop these attacks. Several research reports are available from Trend in the links below.
The Evolution of KOOBFACE: A Web 2.0 Botnet
http://blog.trendmicro.com/the-evolution-of-koobface-a-web-2-0-botnet/
QUOTE: The KOOBFACE botnet continuously evolves to keep on generating profit for its perpetrators. The fact that the botnet is still alive shows that the cybercriminals behind it are making a fortune off it. Some of the major changes the botnet has undergone from when we started unmasking it include the following:
1. Using proxy command-and-control (C&C) servers
2. Encrypting the gang members’ C&C communications
3. Banning IP addresses from repeatedly accessing KOOBFACE-controlled sites
4. Introducing new binary components
5. Employing several layers of binary protection with the use of more complex packers
RESEARCH REPORTS AVAILABLE ON KOOBFACE ATTACKS
Google celebrated the 30th anniversary of Pacman by featuring a playable version on its home page. Some corporate and home users triggered the game unintentionally; because it includes sound, this created a few minor issues while it was featured on Google's home page.
The game now resides at the link noted below. A download of just the game is also available from the Huffington Post link noted below; the downloaded version allows you to play while offline. It was interesting to explore the underlying code and how the game is triggered.
Google has now made the game permanently available
http://www.google.com/pacman/
Google Pacman - Available for download
http://www.huffingtonpost.com/2010/05/23/download-google-pacman-ho_n_586429.html
QUOTE: Several sites say they have Google Pacman for download, but be careful because some sites aren't reliable. However, this download on MediaFire appears to work. It provides a ZIP file, a folder called GooglePacman with everything you need, complete with a ReadMe file and simple HTML page you can open to play the game.
The Google Pacman doodle commemorated Pacman's 30th anniversary on May 22, and it was up on the Google site from Friday until this morning. You play the game simply by clicking "Insert Coin" and if you insert a second coin you can play with Ms. Pacman too.
I have been a Chartered Property and Casualty Underwriter (CPCU) since 1992, and ethics are an essential part of this professional designation. Our local chapter won a national award in March for presenting the topic to all members in a unique way, through a series of weekly articles. Links are noted below:
CPCU Home Page
http://www.cpcusociety.org/
2010 CPCU Chapter activities
http://www.cpcusociety.org/page/158748/index.v3page
2010 Chapter Ethics Award Winner – Blue Ridge Chapter
http://www.cpcusociety.org/page/158749/
Facebook users can now specifically approve the computers they want to log in from. Controls were also added to block unauthorized login attempts from unfamiliar devices, as noted below.
Facebook Strengthens Logon Security
http://www.avertlabs.com/research/blog/index.php/2010/05/13/facebook-strengthens-logon-security/
http://blog.facebook.com/blog.php?post=389991097130
QUOTE: Login Notifications - Over the last few weeks, we’ve been testing a new feature that allows you to approve the devices you commonly use to log in and then to be notified whenever your account is accessed from a device you haven’t approved. This feature is now available to everyone. Facebook has also done some tuning/magic on their side to block bogus or questionable logon attempts. If they see logons from unusual devices, they will prompt those users with additional verification questions, in essence, making them prove they are who they say they are.
In the Mozilla forums, the root cause of many of the Firefox issues appears to be an extension rather than Firefox itself. Certain extensions allowed the game to run without the user's permission: if a user had their speakers on, game sounds would play even though they had not started the game. CoolPreviews and CoolIris were cited as two contributing add-ons, and there may be more. This may help explain why some Firefox users are not affected.
Google Pacman - Firefox browser extensions may allow it to run without permission
http://forums.mozillazine.org/viewtopic.php?f=38&t=1904009
Below are instructions on how to play the game while it is present on Google's home page, if desired:
-- Press INSERT COIN (insert 2 coins for the 2-player Ms. Pacman version)
-- Use the ARROW keys to maneuver
-- Clear all of the dots to advance to the next level, while avoiding the ghosts
-- The blinking large dots allow PACMAN to temporarily devour the ghosts
IBM accidentally distributed some infected USB sticks that contained a keylogger agent (malware that can spread via USB flash drives). IBM may have contracted another manufacturer to produce the drives with its logo, and may not even be responsible for the infection. The key point is that even with media from highly reputable companies, AV protection is needed at all times; users who were up to date on Microsoft security patches would also have been well protected. Accidents can always happen, in addition to direct attacks.
Conficker Worm - IBM accidentally includes on USB drive at AusCERT2010
http://www.itnews.com.au/News/175451,ibm-unleashes-virus-on-auscert-delegates.aspx
http://www.zdnet.com/blog/security/malware-infected-usb-drives-distributed-at-security-conference/1173
QUOTE: "At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth," IBM Australia chief technologist Glenn Wightwick wrote in an email to delegates this afternoon. "Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected."
IBM said in a statement that a "small number of IBM-branded USB sticks distributed to delegates at the recent AusCERT2010 conference were found to contain malware". "IBM has immediately contacted delegates with remedial advice, and regrets any inconvenience that may have been caused," an IBM spokesman said.
An excellent best-practices article on how to use BitLocker to protect Windows 7 mobile computers
Dan Griffith - Microsoft Security MVP for the month of May 2010
http://technet.microsoft.com/en-us/dd162324.aspx
Recommendations for Using BitLocker
http://technet.microsoft.com/en-us/security/ff690553.aspx
QUOTE: Do a Bing search for "stolen hard drive" and you'll get a reminder of how at-risk your data is, and how visible and embarrassing the loss or theft of sensitive data can be, especially if the event is covered by the press. The loss of corporate data can also cause damage to your brand and confer an advantage to your competitors if trade secrets are revealed.
With BitLocker you can help protect your company from these threats. In this article, I'll discuss:
Additional resources include:
Technet: Bitlocker Drive Encryption
http://technet.microsoft.com/en-us/library/cc732774.aspx
Technet: Bitlocker FAQ
http://technet.microsoft.com/library/ee449438.aspx
What is Bitlocker?
http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption
QUOTE: Bitlocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Microsoft's Windows Vista and Windows 7 desktop operating systems, as well as the Windows Server 2008 and Windows Server 2008 R2 server platforms. It is designed to protect data by providing encryption for entire volumes.
Some users have reported hearing unexpected Pacman-like sounds at Google's home page. In testing this morning with several browsers, I believe I've discovered the mystery. You can also actually play the game. Use your arrow keys to start the game. Even though it's been many years, I've enjoyed a few rounds.
Sound comes on when the game starts if you have your speakers on, and perhaps only for your default browser (IE8 for me). Pacman sounds are present using IE8 for me. The sound did not come on in the latest version of Firefox or the other browsers tested.
The sound will not start unless you press one of your arrow keys while resting on the home page of Google. I just bought some nice speakers for our family PC.
As I used to travel extensively early in my career, it's almost "deja vu" from the arcade room at the Charlotte airport years ago. The game actually works great in either browser.
Now, back to the game, as this virus has truly infected me
Google - Pacman 30th anniversary game
http://www.google.com/
This decade-old vulnerability is now enhanced by an algorithm that can process 30,000 sites per second, comparing the browser's history against a list of specific web sites. While I had every browser set to zero days of history, that is still not enough. The online DEMO link at the bottom is a neat test and certainly made me a little more aware.
It's always beneficial to adjust your browser settings to improve privacy. Some techniques include keeping zero days of history and clearing history on exit. There are also newer features such as IE8's InPrivate browsing mode, and privacy extensions are available for Firefox 3 (SafeHistory is noted below).
On the Web, your browser history is an open book
http://sunbeltblog.blogspot.com/2010/05/on-web-your-browser-history-is-open.html
QUOTE: They wrote: “We present a web-based system capable of effectively detecting clients' browsing histories and categorizing detected information. We analyze and discuss real-world results obtained from 271,576 Internet users. Our results indicate that at least 76% of Internet users are vulnerable to history detection; for a test of most popular Internet websites we were able to detect, on average, 62 visited locations. We also demonstrate the potential for detecting private data such as zip codes or search queries typed into online forms. Our results confirm the feasibility of conducting attacks on user privacy using CSS-based history detection and demonstrate that such attacks are realizable with minimal resources.”
Most browsers silently expose intimate viewing habits
http://www.theregister.co.uk/2010/05/20/browser_history_attack/
QUOTE: While the underlying browser history disclosure vulnerability was disclosed a decade ago, researchers on Thursday disclosed a variety of techniques that make attacks much more efficient. Among other things, the researchers described an algorithm that can scan as many as 30,000 links per second. To exploit the history-pilfering weakness, webmasters must compare a victim's HTTP response code against a list of specific web addresses, a requirement many have long said limited the effectiveness of practical attacks.
CSS History Probing, or: "I know where you went last week"
http://blogs.msdn.com/ieinternals/archive/2009/06/17/CSSHistoryProbing.aspx
CSS History Sniffer - ONLINE DEMO
http://www.debugtheweb.com/test/cssvisited.htm
WAYS TO IMPROVE PRIVACY: Use your browser's privacy features. If you set your browser history to Clear-on-Exit, or your history to expire regularly (see Tools / Options / Browsing History), you can scope down the duration that Visited Links are retained. Better still, IE8's InPrivate Browsing feature blocks CSS visited link detection (Firefox 3.5's Private Browsing feature and Chrome 2's Incognito feature do the same). For Firefox users, there is also the SafeHistory extension which offers enhanced privacy.
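As an added example (not code from the original post, the Register article, or the researchers cited above), the following JavaScript shows how a CSS :visited history probe works and, more usefully, how to tell whether your own browser still leaks. The DOM glue (makeDomColorProbe) is used only in a browser; the scan logic takes the colour-lookup function as a parameter so it can be exercised offline against a constructed fake history. The candidate URLs, the probe colours, the zip-code template and the host names are assumptions for illustration.

```javascript
// Added example: CSS :visited history probe with a leak self-check.
// Not code from the original post or the cited research; URLs, hosts and
// colours are illustrative assumptions.

// Colours the probe stylesheet assigns to unvisited and visited links. Any two
// distinct values work; obscure ones avoid collisions with the page's own CSS.
const UNVISITED_COLOR = "rgb(4, 5, 6)";
const VISITED_COLOR = "rgb(1, 2, 3)";

// Browser-only glue: a hidden container with a scoped stylesheet. Each candidate
// URL becomes an <a>; its computed colour is read back and the element discarded.
function makeDomColorProbe(doc, win) {
  const host = doc.createElement("div");
  host.id = "history-probe";
  host.style.display = "none";
  const style = doc.createElement("style");
  style.textContent =
    "#history-probe a { color: " + UNVISITED_COLOR + " } " +
    "#history-probe a:visited { color: " + VISITED_COLOR + " }";
  host.appendChild(style);
  doc.body.appendChild(host);
  return function colorOf(url) {
    const a = doc.createElement("a");
    a.href = url;
    host.appendChild(a);
    const color = win.getComputedStyle(a).color;
    host.removeChild(a);
    return color;
  };
}

// Expand a URL template over a value list: this is how form inputs that end up
// in GET URLs (zip codes, search terms) are enumerated rather than guessed.
function expandTemplate(template, values) {
  return values.map((v) => template.replace("{}", encodeURIComponent(v)));
}

// Core scan: a URL is reported as visited when the browser applied the :visited rule.
function probeHistory(candidates, colorOf) {
  return candidates.filter((url) => colorOf(url) === VISITED_COLOR);
}

// Self-check. The current page is always in history, so if it does not come back
// styled as visited, the browser is masking :visited styling (as the private
// browsing modes noted above do) and every other result is meaningless.
function browserLeaksHistory(currentUrl, colorOf) {
  return colorOf(currentUrl) === VISITED_COLOR;
}

function scanHistory(candidates, currentUrl, colorOf) {
  if (!browserLeaksHistory(currentUrl, colorOf)) {
    return { leaks: false, visited: [] };
  }
  return { leaks: true, visited: probeHistory(candidates, colorOf) };
}

// Offline demo: a constructed fake history stands in for the browser.
function demo() {
  const fakeHistory = new Set([
    "https://mail.example/inbox",
    "https://weather.example/forecast?zip=10001",
  ]);
  const leakyProbe = (url) =>
    fakeHistory.has(url) ? VISITED_COLOR : UNVISITED_COLOR;
  const candidates = ["https://mail.example/inbox", "https://bank.example/login"]
    .concat(expandTemplate("https://weather.example/forecast?zip={}",
                           ["10001", "90210"]));
  // Returns { leaks: true, visited: [inbox URL, zip=10001 URL] }
  return scanHistory(candidates, "https://mail.example/inbox", leakyProbe);
}

if (typeof document === "undefined") {
  console.log(JSON.stringify(demo()));
} else {
  // In a browser: use the real DOM probe and the page's own URL as the sentinel.
  console.log(JSON.stringify(scanHistory(
    ["https://mail.example/inbox"], window.location.href,
    makeDomColorProbe(document, window))));
}
```

Run in a browser, the script is only informative if the sentinel check passes; a browser that reports the unvisited colour for its own URL is applying the mitigation and the probe learns nothing. The one-anchor-at-a-time probe here is written for clarity; the researchers' throughput figures come from far more optimized batch scanning.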
Building a second user account with NON-ADMINISTRATIVE access is one of the best ways to protect your home or corporate PC. This is called a limited account in Windows XP and a standard account in later versions of Windows. It is a safe technique for browsing, email, and routine work. Most current software products run fine under a limited account. You can use the ADMINISTRATIVE account mainly to install or update software when needed.
Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts
http://www.zdnet.com/blog/security/report-64-of-all-microsoft-vulnerabilities-for-2009-mitigated-by-least-privilege-accounts/5964
QUOTE: Key summary points on the percentage of flaws mitigated:
• 90% of Critical Windows 7 operating system vulnerabilities are mitigated by having users log in as standard users
• 100% of Microsoft Office vulnerabilities reported in 2009
• 94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009
• 64% of all Microsoft vulnerabilities reported in 2009
• 87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights
90% of Critical Microsoft Windows 7 Vulnerabilities are Mitigated by Eliminating Admin Rights
http://www.beyondtrust.com/downloads/whitepapers/documents/wp039_BeyondTrust_2009_Microsoft_Vulnerability_Analysis.pdf
QUOTE: This BeyondTrust report investigates all vulnerabilities published in Microsoft’s 2009 Security Bulletins, as well as all of the published Windows 7 vulnerabilities to date. It reports on vulnerabilities that are mitigated by configuring users to operate without administrator rights and examines the latest major Microsoft releases, including Windows 7 and Internet Explorer 8. The results show that despite unpredictable and evolving attacks companies can greatly reduce risk, experience greater protection from zero-day threats and reduce the threat from vulnerabilities by removing administrator rights.
WINDOWS - GENERAL RESOURCES TO BUILD A LIMITED ACCOUNT
http://www.bing.com/search?q=windows+limited+account
http://www.microsoft.com/windows/windows-vista/features/user-account-control.aspx
http://www.microsoft.com/windowsxp/using/setup/winxp/accounts.mspx
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ua_c_account_types.mspx
WINDOWS 7 - RESOURCES TO BUILD A STANDARD ACCOUNT
http://www.bing.com/search?q=windows+standard+account
http://unixwiz.net/techtips/win7-limited-user.html
http://windows.microsoft.com/en-us/windows7/Why-use-a-standard-user-account-instead-of-an-administrator-account
Trend Labs documents the danger in searching for popular news or security events. Search Engine Optimization (SEO) poisoning is a technique used to make a malicious site appear among the first results returned. FAKEAV malware is currently one of the most common attacks circulating, as its authors can automatically download these agents to unprotected PCs. FAKEAV malware simulates anti-virus software, with aggressive false detection popups and requests that users purchase cleaning capabilities for the fake product.
Cybercriminals Ride on the Back of Security Woes with FAKEAV
http://blog.trendmicro.com/cybercriminals-ride-on-the-back-of-security-woes-with-fakeav/
http://blog.trendmicro.com/doorway-pages-and-other-fakeav-stealth-tactics/
QUOTE: We regularly blog about how cybercriminals misuse newsworthy events in order to gain profit for themselves. In the past 24 hours, TrendLabs has tracked multiple FAKEAV attacks that try and trick users searching for help following the recent McAfee update 5958 incident. This determination by cybercriminals to cause further problems and inconvenience to innocent end users and businesses is, in many respects, not surprising. Users should, by now, be aware that trusting results from search engines is no longer as safe as previously thought. The clues we mentioned above can help users weed out legitimate results from suspicious ones.
What is an 'SEO poisoning attack'?
http://wiki.answers.com/Q/What_is_an_'SEO_poisoning_attack'
Microsoft will be centering much of its key support around forums rather than the newsgroups used in the past. Forums offer improved discussion capabilities and more individualized assistance, as users and forum moderators interact together.
Microsoft Support - Moving from Newsgroups to Forum Communities
http://www.microsoft.com/communities/newsgroups/default.mspx
QUOTE: Beginning in June 2010, Microsoft will begin closing newsgroups and migrating users to Microsoft forums that include Microsoft Answers, TechNet and MSDN. This move will centralize content, make it easier for contributors to retain their influence, reduce redundancies and make content easier to find. Overall, forums offer a better spam management platform that will improve customer satisfaction by encouraging a healthy discussion space.
Microsoft Forums Home Page - Please Bookmark this site
http://www.microsoft.com/communities/forums/default.mspx
While May 2010 featured only a couple of updates, users should apply them to ensure protection against the Windows mail client and Office VBA vulnerabilities noted below:
Microsoft Security Bulletins - May 2010
https://www.microsoft.com/technet/security/bulletin/ms10-may.mspx
Microsoft Security Bulletins - ISC Analysis
http://isc.sans.org/diary.html?storyid=8776
MS10-030 - Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542) This security update resolves a privately reported vulnerability in Outlook Express, Windows Mail, and Windows Live Mail. The vulnerability could allow remote code execution if a user visits a malicious e-mail server. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
MS10-031 - Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213) This security update resolves a privately reported vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime.