Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

August 2011 - Posts

Sarbanes-Oxley - COBIT version 5 standards emerge for IT controls

ISACA's COBIT 5 status page provides numerous links and background information for corporate users:

Sarbanes-Oxley - COBIT version 5 standards emerge for IT controls
http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-5-Initiative-Status-Update.aspx

Mozilla Firefox 6 - Security release for hacked Certificate Authority

Mozilla has revised Firefox and its other products to remove trust in the root certificate of the compromised DigiNotar Certificate Authority.

Mozilla Firefox 6 - Security release for hacked Certificate Authority
http://securitywatch.pcmag.com/apple/287116-firefox-and-other-mozilla-apps-rev-to-blacklist-hacked-ca

QUOTE: Mozilla has released several new versions of programs in order to remove support for a root certificate from a hacked certificate authority. We reported yesterday about how this root certificate had been used to create a fake google.com certificate, but it turns out that the hack occurred weeks ago and had been used many times. DigiNotar, the hacked certificate authority, is in a desperate struggle to retain their credibility. The newly-updated programs are:

  • Firefox 6.0.1
  • Firefox Mobile 6.0.1
  • Firefox 3.6.21
  • Thunderbird 6.0.1
  • Thunderbird 3.1.13
  • SeaMonkey 2.3.2

Social Networking Threats - Trend Labs report

Trend Labs shares good awareness for a variety of threats affecting Facebook and other social networking environments.

Social Networking Threats - Trend Labs report
http://blog.trendmicro.com/the-geography-of-social-media-threats-infographic/

QUOTE: KOOBFACE is not the only threat that hounds social media. These social networking sites also have features that can become threat vectors. A seemingly harmless wall post from a friend, a video shared by an online contact, or an instant message from a colleague can potentially lead to an attack.  These features are meant to make socializing effective and meaningful. However, they have also been used by cybercriminals in their attacks. In Facebook, the wall is the riskiest region of the user interface. Cybercriminals have concocted several threats leveraging popular news items

For tips on how to arm yourself against social media threats, check out our e-book, “A Guide to Threats on Social Media”.

e-Book - A Guide to Threats on Social Media
http://about-threats.trendmicro.com/ebooks/socialmedia-101

Xpaj Botnet - Complex new file infector

Symantec documents an advanced, highly stealthy file infector that sets up a botnet client on the infected PC and hijacks its web searches.

Xpaj Botnet Intercepts up to 87 Million Searches per Year
http://www.symantec.com/connect/blogs/xpaj-botnet-intercepts-87-million-searches-year
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_xpaj_b.pdf
http://www.symantec.com/security_response/writeup.jsp?docid=2009-091613-1844-99

QUOTE: W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered. In an older blog post, Piotr Krysiuk calls it an “upper crust file infector.” He describes several different approaches that the infector uses to increase the difficulty in detecting infected samples. The techniques W32.Xpaj.B uses to conceal itself within an executable are far beyond the norm.

The analysis revealed IP addresses for the command & control (C&C) servers. Infected W32.Xpaj.B executables send a download request to these C&C servers. Analysis of the threat’s backend control infrastructure revealed more than just the data sent from the server to infected clients. The servers contained encrypted binary data, encryption keys, databases, and Web applications. These were all elements of what transpired to be a fraud operation spread over multiple computers hosted in several countries.

Adobe - Flash and other products patched during August 2011

Adobe has improved its automated security updates; apply them promptly when prompted to maintain the best level of protection.

Adobe - Flash and other products patched during August 2011
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://securitywatch.pcmag.com/apple/286074-massive-adobe-patch-release-fixes-flash-player-media-server-shockwave-photoshop-and-robohelp

QUOTE: Adobe released updates to 5 products today fixing a total of 23 vulnerabilities, mostly in Flash Player.  At least some of the 13 vulnerabilities fixed in Flash Player affect all versions of it: Windows, Mac, Linux, Solaris and Android. All are critical vulnerabilities which can result in remote code execution. None of the vulnerabilities are being exploited in the wild, according to Adobe. These changes also affect Adobe AIR for Windows, Mac and Android.

As always, you can get the most current version of Flash Player (10.3.181.36) at http://get.adobe.com/flashplayer. Don't go anywhere else for it, as fake Flash installers are a common method of malware distribution

Apache Web Server - New DoS Attack Vulnerability

Webmasters should ensure they apply the forthcoming security patch to protect their web server environments:

Apache Web Server - New DoS Attack Vulnerability
http://blog.eset.com/2011/08/26/dos-apache-killer
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/thread

QUOTE: Amidst a lack of fanfare this past weekend on a mailing list, a memory exhaustion hack popped up for the Apache webserver that may result in a Denial-of-Service (DoS) style attack. Since the Apache application serves up north of 65% of the websites on the internet, a plausible attack becomes quite an issue, especially if it gets much traction before a patch can be released.

Still, some Apache web servers have been humming along untouched for years without much oversight, and may not receive patches as quickly as the hack spreads, representing a potentially widespread attack surface in the meantime. The posting says “An attack tool is circulating in the wild. Active use of this tool has been observed.” The nice thing is how proactive the Apache Foundation has been since it was brought to their attention.
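The tool named in the ESET link, "Apache Killer", sends a single request whose Range header lists over a thousand overlapping byte ranges; vulnerable httpd builds expanded each range into its own in-memory copy of the response, which is the memory exhaustion the quote refers to. The Apache project's interim advice was to reject or strip Range headers carrying more than five ranges. The Python below is an added example written for this post, not code from ESET or from the Apache advisory; the five-range cut-off and the sample header values are assumptions, and it is meant for a request-inspection hook or for replaying saved request headers.

```python
"""Classify HTTP Range headers that match the byte-range exhaustion
pattern used by the "Apache Killer" tool. Sample headers below are
constructed for this example; the threshold is an assumption."""
import re

MAX_RANGES = 5  # assumed cut-off; legitimate clients rarely send more

_BYTES_RE = re.compile(r"^bytes\s*=\s*(.*)$", re.IGNORECASE)


def parse_ranges(header_value):
    """Parse 'bytes=a-b,c-,-d' into (start, end) tuples.
    start None = suffix range, end None = open-ended range."""
    m = _BYTES_RE.match(header_value.strip())
    if not m:
        return []
    ranges = []
    for part in m.group(1).split(","):
        part = part.strip()
        if "-" not in part:
            continue
        s, e = part.split("-", 1)
        try:
            start = int(s) if s.strip() else None
            end = int(e) if e.strip() else None
        except ValueError:
            continue  # malformed element, ignore it
        if start is None and end is None:
            continue
        ranges.append((start, end))
    return ranges


def is_range_abuse(header_value, max_ranges=MAX_RANGES):
    """True if the header carries too many ranges, an inverted range,
    or ranges that overlap, none of which a normal client needs."""
    ranges = parse_ranges(header_value)
    if len(ranges) > max_ranges:
        return True
    spans = []
    for start, end in ranges:
        if start is not None and end is not None and start > end:
            return True  # e.g. "5-0", as the tool sends
        if start is not None:
            spans.append((start, end))
    spans.sort(key=lambda se: se[0])
    for (s1, e1), (s2, _) in zip(spans, spans[1:]):
        if e1 is None or s2 <= e1:
            return True  # overlapping or open-ended followed by more
    return False


# Constructed examples: a normal resumed download and the attack pattern
NORMAL_RANGE = "bytes=1048576-"
ATTACK_RANGE = "bytes=0-," + ",".join(f"5-{i}" for i in range(1300))

if __name__ == "__main__":
    for label, value in (("normal", NORMAL_RANGE), ("attack", ATTACK_RANGE)):
        print(label, "abusive" if is_range_abuse(value) else "ok")
```

A request flagged by is_range_abuse can be answered with 416 or simply served without the Range header, which is the same effect as the header-stripping mitigation Apache suggested; on the patched releases the server itself enforces a limit on the number of ranges, so the check is mainly useful as a detection signal in front of unpatched hosts.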

FBI - Electronic Scam warnings updated for Hurricane Irene

The FBI warns users to be careful with charitable donations, news reports, and web searches

FBI - Electronic Scam warnings updated for Hurricane Irene
http://www.fbi.gov/scams-safety/e-scams

QUOTE: 08/26/11—In light of Hurricane Irene, the public is reminded to beware of fraudulent e-mails and websites claiming to conduct charitable relief efforts.

Tips on Avoiding Fraudulent Charitable Contribution Schemes
http://www.ic3.gov/media/2011/110311.aspx

Reports can be made to:
http://www.ic3.gov/complaint/default.aspx

RSA - How SecurID was compromised

F-Secure documents the March attack on RSA's SecurID, one of the most widely deployed authentication products; in the aftermath RSA replaced its customers' tokens.

RSA - How SecurID was compromised
http://www.f-secure.com/weblog/archives/00002226.html
http://t2.fi/schedule/2011/#speech7

QUOTE: RSA was hacked in March. This was one of the biggest hacks in history. The current theory is that a nation-state wanted to break in to Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn't do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break into there. In the aftermath of the attack, RSA was forced to replace SecurID tokens for their customers around the world.

Facebook - Hurricane Irene Scam circulating

A new scam is circulating on Facebook:

Facebook - Hurricane Irene Scam circulating
http://blog.trendmicro.com/hurricane-irene-scam-hits-facebook/

QUOTE: Hurricane Irene surely turned New York City into the “city that never sleeps” as it brought flood waters, knocked out power to more than 4 million people and was even responsible for at least 15 deaths in six states. What’s worse is that cybercriminals are taking advantage of the incident by spamming a fake video on Facebook. The page, which contains the alarming title “VIDEO SHOCK – Hurricane Irene New York” displays a clickable image of a fake video player on the page.

Google - Fake Security Certificate in Wild

Browser vendors are removing trust in the DigiNotar root that issued this certificate; apply those updates and do not click through certificate warnings, as noted in the following security alert:

http://securitywatch.pcmag.com/google/287010-fraudulent-google-com-certificate-in-wild

QUOTE: In early July, Dutch certificate authority DigiNotar issued a fraudulent SSL certificate for '*.google.com'. This certificate could allow a malicious web site, in conjunction with certain other techniques, to spoof any domain on google.com including mail.google.com.

Morto - New RDP Internet Worm manipulates weak passwords

A new worm is spreading over RDP to Windows systems whose Administrator account has a weak password:

Morto - New RDP Internet Worm manipulates weak passwords
http://www.f-secure.com/weblog/archives/00002227.html
http://www.eweek.com/c/a/Security/Morto-Worm-Infects-Windows-Systems-With-Weak-Passwords-815241/
http://isc.sans.org/diary/Internet+Worm+in+the+Wild/11470
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.gen!A
http://www.theregister.co.uk/2011/08/28/morto_worm_spreading/
http://blogs.computerworld.com/18870/morto_worm_spreading_fast_via_rdp

QUOTE: A new worm, called "Morto," has been infecting machines via Remote Desktop Protocol on Windows machines, according to security researchers. Morto is the first Internet worm to use RDP as an infection vector. Morto "appears to simply attempt to compromise systems by trying 30 common passwords for the Windows Administrator account over RDP." "This particular worm highlights the importance of setting strong system passwords," said Microsoft's Gradascevic. "The ability of attackers to exploit weak passwords shouldn't be underestimated."

SYMPTOMS OF AN INFECTION: An infected host generates a large volume of outbound connection attempts to TCP port 3389, the RDP port, as it scans for further victims.
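One way to turn that symptom into a detection, as an added example that is not from this post or from any of the linked write-ups: count how many distinct hosts each source contacts on 3389/tcp and flag the ones fanning out. The flow records are constructed for the example (a Morto-style scanner at 10.0.0.5, a normal admin workstation at 10.0.0.9) and the fan-out threshold is an assumption to tune for your network.

```python
"""Flag hosts fanning out to TCP/3389 (RDP), the Morto symptom above.
Flow lines are constructed for this example, not real captures."""
from collections import defaultdict

# Constructed flow records: timestamp source destination dport proto
SAMPLE_FLOWS = """\
2011-08-28T09:00:01 10.0.0.5 10.0.1.10 3389 tcp
2011-08-28T09:00:02 10.0.0.5 10.0.1.11 3389 tcp
2011-08-28T09:00:02 10.0.0.5 10.0.1.12 3389 tcp
2011-08-28T09:00:03 10.0.0.5 10.0.1.13 3389 tcp
2011-08-28T09:00:03 10.0.0.5 10.0.1.14 3389 tcp
2011-08-28T09:00:04 10.0.0.5 10.0.1.15 3389 tcp
2011-08-28T09:00:04 10.0.0.5 10.0.1.16 3389 tcp
2011-08-28T09:00:05 10.0.0.5 10.0.1.17 3389 tcp
2011-08-28T09:00:05 10.0.0.5 10.0.1.18 3389 tcp
2011-08-28T09:00:06 10.0.0.5 10.0.1.19 3389 tcp
2011-08-28T09:00:06 10.0.0.5 10.0.1.20 3389 tcp
2011-08-28T09:01:00 10.0.0.9 10.0.1.50 3389 tcp
2011-08-28T09:02:00 10.0.0.9 10.0.1.50 3389 tcp
2011-08-28T09:02:10 10.0.0.7 10.0.1.60 443 tcp
"""

RDP_PORT = 3389
FANOUT_THRESHOLD = 10  # assumed: distinct RDP targets per source before alerting


def parse_flows(text):
    """Parse the whitespace-separated flow lines into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((ts, src, dst, int(dport), proto))
    return flows


def rdp_fanout(flows):
    """Map each source to the set of distinct hosts it contacted on 3389/tcp."""
    targets = defaultdict(set)
    for _ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == RDP_PORT:
            targets[src].add(dst)
    return targets


def suspected_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Sources whose distinct RDP target count reaches the threshold."""
    return sorted(src for src, dsts in rdp_fanout(flows).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    for src in suspected_scanners(parse_flows(SAMPLE_FLOWS)):
        print(f"possible RDP brute-force source: {src}")
```

On the targets themselves the same activity shows up as bursts of failed logons for the Administrator account (Windows event 4625 with logon type 10), so correlating the network fan-out with those events on the destination hosts is a useful second signal.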

Hurricane Irene - Beware of Fake malicious websites

As shared below, security firms are warning users to be cautious when visiting sites found through searches about the storm, since fake sites hosting malware are being pushed up the rankings:

Hurricane Irene - Beware of Fake sites that may lead to malware
http://blog.eset.com/2011/08/26/irene-is-that-you-or-a-fake

QUOTE: Folks will still visit high-ranking fake websites through traditional search engine queries during the Hurricane Irene coverage. One way to increase a malicious site’s rankings is to make it “seem” popular among social networking rating systems, which is simplified by using fake or hacked Twitter/Facebook accounts, so the scam works both ways, tricking users into visiting fake tweeted links, and also raising popularity to similar links on the search engines. Considering how a sudden spike in search engine term popularity can vault websites to the top of the rankings, expect to see this kind of activity continue surrounding Hurricane Irene (and whatever the next major event will be).

Twitter - now offers SSL by default

Twitter now provides the more secure SSL option by default as noted below: 

Twitter - now offers SSL by default
http://securitywatch.pcmag.com/privacy/286880-twitter-starts-turning-on-https-by-default

QUOTE: Twitter has begun setting users to use HTTPS for all connections by default. Twitter PR announced this in a tweet recently which linked to a support document which explains more.  HTTPS, also known as SSL, authenticates the web site and encrypts all communications between the client and server. When used with plain-text HTTP, traffic from sites like Twitter can be monitored, even modified, by other users on the network.

Facebook - New 14 Page Security Guide

This new guide is well done and an excellent resource for protection:

https://www.facebook.com/safety/attachment/Guide%20to%20Facebook%20Security.pdf

Microsoft Security Updates - August 2011

Several critical and important security updates should be applied promptly:

Microsoft Security Updates - August 2011
http://isc.sans.edu/diary.html?storyid=11341
https://www.microsoft.com/technet/security/bulletin/ms11-aug.mspx

Conficker Worm - 1,000 Days Old and still active

ESET provides an excellent analysis of how the Conficker worm has survived for nearly three years:

Conficker Worm - 1,000 Days Old and still active
http://blog.eset.com/2011/08/17/1000-days-of-conficker

QUOTE: It has been 1,000 days since the Conficker worm first appeared on November 21, 2008.  For the first two months after its initial appearance we received a trickle of reports through our ThreatSense.NET telemetry system.  By January of 2009 that had become a flood, and then a deluge, as this “super worm” rose to meteoric infection levels.  Since then, Conficker has consistently shown up as one of the top ten infections in our monthly Global Threat Reports, usually in the number one or number two slot.

So what will it take to finally kill Conficker?  That’s a difficult question to answer.  Clearly, anti-malware software and other technical solutions and prescriptive guidance are not enough, nor is the prospect of being fined for violating industry-specific regulations.  Some of the most successful actions against botnets have been taken by US authorities acting in conjunction with Microsoft, to shut down such botnets such as Waledac, Coreflood and, most recently, Rustock.  These botnets relied on accessing specific domains or computers for their Command and Control servers and began to vanish as soon as these were seized by the authorities.  While the earliest version of Conficker accessed a single domain, later versions switched to access hundreds and then tens of thousands of random domains on a daily basis, making the worm highly resistant to this type of infrastructural attack.
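The daily rendezvous-domain mechanism the quote describes, shown as an illustrative example added here (this is not Conficker's actual algorithm, which used its own seed and date source, and the seed, domain count and TLD list below are assumptions). It shows two things: seizing a handful of domains removes only those from the day's list, and a defender who has recovered the algorithm and seed can generate the same list ahead of time and register or sinkhole it, which is the approach that was actually taken against Conficker.

```python
"""Illustrative date-seeded domain generation, not Conficker's real
algorithm: shows why seizing a few domains does not work and why a
defender who recovers the algorithm can pre-register the whole set."""
import datetime
import hashlib

TLDS = ("com", "net", "org", "info", "biz")  # assumed
SEED = b"illustrative-seed"  # assumed; a real family hard-codes its own


def generate_domains(day, count=50, seed=SEED):
    """Return the rendezvous domains for a given date, deterministically."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5  # 8..12 letter labels
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def survivors(day, seized):
    """Domains the bot would still try after `seized` have been taken down."""
    return [d for d in generate_domains(day) if d not in seized]


def preregistration_list(start, days):
    """What a defender who knows seed and algorithm registers ahead of time."""
    result = []
    for offset in range(days):
        result.extend(generate_domains(start + datetime.timedelta(days=offset)))
    return result


if __name__ == "__main__":
    today = datetime.date(2011, 8, 17)
    todays = generate_domains(today)
    print("first three for", today, todays[:3])
    print("left after seizing one:", len(survivors(today, {todays[0]})))
    print("to pre-register for a week:", len(preregistration_list(today, 7)))
```

The asymmetry is the point: the bot only needs one of the day's domains to resolve, while a takedown that does not cover the algorithm itself has to win every day, and at tens of thousands of domains per day that stops being feasible by seizure alone.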

Enterprise Security - Key Human Resource Practices

Below are excellent guidelines for ensuring that good security checks and balances are in place:

http://isc.sans.org/diary/Putting+all+of+Your+Eggs+in+One+Basket+-+or+How+NOT+to+do+Layoffs/11395

QUOTE: This diary isn't about the particulars of this case; it's much more of a common occurrence than you might think. We'll talk a bit about what to do, a bit about what NOT to do ... First of all, my perspective ...

1. Separation of duties is super-critical.
2. Hardening your infrastructure is also important. 
3. HR processes need to be integrated with IT.
4. Backups are important. 
5. Don't give away the keys.
 

Mozilla Firefox - Firecat 2.0 security product released

FireCAT is a special security tool kit for the Mozilla Firefox environment

FireCAT 2.0 Released
http://isc.sans.edu/diary.html?storyid=11365

FireCAT: Firefox Catalog of Auditing exTensions version 2.0 has just been released. It contains 90 addons divided into 7 categories further subdivided into 19 sub-categories. A new Protection subcategory (in Misc) has been added to protect Navigation with TrackMeNot, NoScript, cookieSafe, TrackerBlock and Adblock Plus.

The graph showing the list of extensions can be viewed here and mindmap can be downloaded here

[1] http://www.firecat.fr/news.html
[2] https://addons.mozilla.org/en-US/firefox/addon/trackmenot/
[3] https://addons.mozilla.org/en-US/firefox/addon/noscript/
[4] https://addons.mozilla.org/en-US/firefox/addon/cookiesafe/
[5] https://addons.mozilla.org/en-US/firefox/addon/trackerblock/
[6] https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

MoonSols - Releases FREE Dumpit utility

MoonSols - Releases FREE Dumpit utility
http://isc.sans.edu/diary/MoonSols+Dumpit+released+for+free+/11362

QUOTE: The people over at MoonSols have made their amazing one-click memory dump tool Dumpit available for free download.  Dumpit vastly simplifies memory acquisition. Effectively Dumpit combines win32dd and win64dd into one tool and is so simple to use even a non-technical user could do acquisition from a USB key. The dump can then be analyzed using conventional tools such as Redline or Volatility.

MoonSols - Home
http://www.moonsols.com/

QUOTE: MoonSols is a young security consulting company, specialized in software security assessment, and live incident response. MoonSols is delivering high technical level trainings for physical memory acquisition and analysis, and is a software editor of forensic and virtualization products.

IBM Personal Computer celebrates 30th anniversary

I've been using a PC on a daily basis for almost 30 years. I remember the original product launch and was invited to our local IBM branch office to participate. Our IBM branch then placed a few of these in our office. I took an interest and powered them up after hours. Soon I was helping our company launch them to all professionals. I started using this technology around September 1981 and by October 1981 was providing training classes in this promising technology.

30th Anniversary of the IBM PC - What was your first?
http://isc.sans.edu/diary.html?storyid=11359

QUOTE: Yesterday was the 30th Anniversary of the release of the IBM PC. It was an interesting walk down memory lane going back and reading some of the reviews of the PC. Over at the ISC this started the discussion of "What was your first computer?" The ISC Handlers vary widely in age, so the answers predictably were quite variable. Oddly enough, although some of us worked with the IBM PC, none of us actually owned one. Timex Sinclair, TRS-80, IBM XT, 286 PC clone, Vic-20, Commodore-64, Amiga and Apple II were some of the answers.
