Harry Waldron - Microsoft MVP Blog

New DSN Exploits are being developed - Patch your servers now

2008-07-24T08:15:00Z

Below are resources for corporate users related to the developments associated with the new DNS vulnerabilities. The CERT advisory has an excellent list of vendors and their current status for this issue. It is important to apply applicable security patches for DNS servers as quickly as possible due to active exploit development.

So far, two versions of exploit code have been developed for this vulnerability. While the first exploit affects DNS caching, security researcher, H.D. Moore has developed a more potent second exploit that can replace nameserver entries with the potential to redirect traffice to malicious sites (e.g., malware downloading, phishing attacks, etc).

In some ways, this new security exposure is reminiscent of the Code Red Worm and Blaster attacks during the earlier part of this decade. While security patches were available, many companies did not have the time or insight to patch all of their potential exposures. While there's time, security administrators should PATCH NOW.

ARTICLES: Major DNS vulnerability now public
http://cwflyris.computerworld.com/t/3374560/1676699/127883/2/
http://isc.sans.org/diary.html?storyid=4765
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://cwflyris.computerworld.com/t/3374560/1676699/127883/2/
http://blog.trendmicro.com/major-dns-cache-poisoning-vulnerability-patch-now/
http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=209401195
http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html

QUOTE: "Patch. Today. Now. Yes, stay late." - That's the word from security researcher Dan Kaminsky, who recently presided over an unprecedented effort to coordinate a fix for a DNS vulnerability across more than 80 software and hardware vendors

Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity Inc. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."

The attack can be used to redirect victims to malicious servers on the Internet by targeting the DNS servers that serve as signposts for all of the Internet's traffic. By tricking an ISP's servers into accepting bad information, attackers could redirect that company's customers to malicious Web sites without their knowledge.

Although a software fix is now available for most users of DNS software, it can take time for these updates to work their way through the testing process and actually get installed on the network. "Most people have not patched yet," Vixie said. "That's a gigantic problem for the world."

EXPLOIT DEVELOPMENTS: Second more critical exploit in the wild
http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html

QUOTE: We just added a second exploit which replaces the nameservers of the target domain. This is the bug people should actually care about, since it doesn't matter if anything is already cached. Regarding the cache situation (of the first exploit) -- it's not possible to do cache overwrites, but it is possibe to look up the cache timeout, wait for it, and then replace it. With the new exploit module, we just change the DNS server for the entire domain (regardless of what is cached), so it's much more effective for wide-scale hijacking.

Microsoft DNS Patch should be applied ASAP
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

CERT Advisory - Provides a detailed status report by vendor
http://www.kb.cert.org/vuls/id/800113

Vendor Status - Date Last Updated (see CERT advisory above for more recent updates)

3com, Inc. Unknown 10-Jul-2008
Alcatel-Lucent Unknown 23-Jul-2008
Apple Computer, Inc. Unknown 5-May-2008
AT&T Unknown 21-Apr-2008
Avaya, Inc. Vulnerable 16-Jul-2008
Avici Systems, Inc. Unknown 21-Apr-2008
Belkin, Inc. Unknown 13-Jul-2008
Blue Coat Systems Vulnerable 22-Jul-2008
BlueCat Networks, Inc. Vulnerable 22-Jul-2008
Check Point Software Technologies Not Vulnerable 23-Jul-2008
Cisco Systems, Inc. Vulnerable 10-Jul-2008
Conectiva Inc. Unknown 5-May-2008
Cray Inc. Unknown 5-May-2008
D-Link Systems, Inc. Unknown 2-May-2008
Data Connection, Ltd. Unknown 21-Apr-2008
Debian GNU/Linux Vulnerable 9-Jul-2008
djbdns Not Vulnerable 10-Jul-2008
dnsmasq Vulnerable 11-Jul-2008
DragonFly BSD Project Unknown 3-Jul-2008
EMC Corporation Unknown 21-Apr-2008
Engarde Secure Linux Unknown 5-May-2008
Ericsson Unknown 21-Apr-2008
Extreme Networks Unknown 21-Apr-2008
F5 Networks, Inc. Vulnerable 14-Jul-2008
Fedora Project Unknown 5-May-2008
Force10 Networks, Inc. Not Vulnerable 11-Jul-2008
Foundry Networks, Inc. Not Vulnerable 10-Jul-2008
FreeBSD, Inc. Vulnerable 14-Jul-2008
Fujitsu Vulnerable 18-Jul-2008
Gentoo Linux Vulnerable 12-Jul-2008
Gnu ADNS Unknown 5-May-2008
GNU glibc Unknown 5-May-2008
Hewlett-Packard Company Vulnerable 16-Jul-2008
Hitachi Unknown 21-Apr-2008
Honeywell Unknown 21-Apr-2008
IBM Corporation Vulnerable 12-Jul-2008
IBM Corporation (zseries) Unknown 5-May-2008
IBM eServer Unknown 21-Apr-2008
Infoblox Vulnerable 21-Jul-2008
Ingrian Networks, Inc. Unknown 5-May-2008
Intel Corporation Unknown 21-Apr-2008
Internet Systems Consortium Vulnerable 14-Jul-2008
JH Software Not Vulnerable 10-Jul-2008
Juniper Networks, Inc. Vulnerable 10-Jul-2008
Linux Kernel Archives Unknown 3-Jun-2008
Lucent Technologies Unknown 21-Apr-2008
Luminous Networks Unknown 21-Apr-2008
Mandriva, Inc. Vulnerable 22-Jul-2008
MaraDNS Not Vulnerable 10-Jul-2008
Men & Mice Unknown 5-May-2008
Metasolv Software, Inc. Unknown 5-May-2008
Microsoft Corporation Vulnerable 8-Jul-2008
MontaVista Software, Inc. Unknown 5-May-2008
Motorola, Inc. Unknown 21-Apr-2008
Multinet (owned Process Software Corporation) Unknown 21-Apr-2008
Multitech, Inc. Unknown 21-Apr-2008
NEC Corporation Not Vulnerable 18-Jul-2008
NetApp Unknown 3-Jul-2008
NetBSD Unknown 5-May-2008
Netgear, Inc. Unknown 21-Apr-2008
Network Appliance, Inc. Unknown 21-Apr-2008
Nixu Vulnerable 9-Jul-2008
NLnet Labs Not Vulnerable 10-Jul-2008
Nokia Unknown 21-Apr-2008
Nominum Vulnerable 10-Jul-2008
Nortel Networks, Inc. Unknown 21-Apr-2008
Novell, Inc. Vulnerable 14-Jul-2008
OpenBSD Vulnerable 24-Jul-2008
OpenDNS Not Vulnerable 10-Jul-2008
Openwall GNU/*/Linux Vulnerable 17-Jul-2008
PePLink Not Vulnerable 10-Jul-2008
Posadis project Unknown 14-Jul-2008
PowerDNS Not Vulnerable 10-Jul-2008
QNX, Software Systems, Inc. Unknown 5-May-2008
Red Hat, Inc. Vulnerable 10-Jul-2008
Redback Networks, Inc. Unknown 21-Apr-2008
Secure Computing Network Security Division Vulnerable 17-Jul-2008
Shadowsupport Unknown 5-May-2008
Siemens Unknown 8-Jul-2008
Silicon Graphics, Inc. Unknown 5-May-2008
Slackware Linux Inc. Vulnerable 12-Jul-2008
Sony Corporation Unknown 21-Apr-2008
Sun Microsystems, Inc. Vulnerable 10-Jul-2008
SUSE Linux Vulnerable 11-Jul-2008
The SCO Group Unknown 5-May-2008
Trustix Secure Linux Unknown 5-May-2008
Turbolinux Unknown 5-May-2008
Ubuntu Vulnerable 10-Jul-2008
Wind River Systems, Inc. Vulnerable 9-Jul-2008
ZyXEL Unknown 21-Apr-2008

Email threat - Avoid free Windows Malicious Software Removal Tool

2008-07-18T20:47:00Z

This new malware threat is well done from an HTML and social engineering perspective. Microsoft automatically includes MSRT with it's monthly Windows Update process, and never sends tools like this out using email. These messages should be deleted.

Windows Malicious Software Removal Tool Free Today
http://sunbeltblog.blogspot.com/2008/07/another-fake-ms-spam.html

QUOTE: As we all know, for quite some time now, spam has stopped just being a nuisance, and became a serious potential security threat. It used to be that one wouldn’t get too upset if the occasional Viagra email got through a spam filter. That’s no longer the case: Spam is a significant vector for malware infection through malicious links and social engineering, and if something gets through a spam filter — and then makes it past endpoint protection — one can have all kinds of nasty headaches.

EXAMPLE OF EMAIL MESSAGE CURRENTLY CIRCULATING

Subject: Windows Malicious Software Removal Tool Free Today.

The content in text format.

Click Here! *** Malicious link removed ***

About this mailing:

You are receiving this e-mail because you subscribed to MSN Featured Offers.
Microsoft respects your privacy. If you do not wish to receive this MSN
Featured Offers e-mail, please click the "Unsubscribe" link below. This will
not unsubscribe you from e-mail communications from third-party advertisers
that may appear in MSN Feature Offers. This shall not constitute an offer by
MSN. MSN shall not be responsible or liable for the advertisers' content nor
any of the goods or service advertised. Prices and item availability subject
to change without notice.

2008 Microsoft | Unsubscribe <http://www.msn.com> | More Newsletters
<http://www.msn.com> | Privacy <http://www.msn.com>

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

United Parcel Service - Fake email for package non-delivery

2008-07-16T14:59:00Z

McAfee and other AV vendors are highlighting this latest social engineering attack. A well disquised email message appears to come from UPS. It claims that a package cannot be delivered unless the fake waybill attachment is selected.

Users selecting these attachments will be infected with malicious code from a downloader that originates from a Russian website

United Parcel Service - Fake email for package non-delivery
http://vil.mcafeesecurity.com/vil/content/v_132901.htm
http://wcco.com/techcenter/ups.email.virus.2.771489.html
http://urbanlegends.about.com/b/2008/07/15/ups-virus-warning.htm
http://www.startribune.com/local/25464324.html
http://www.ups.com/content/us/en/about/news/service_updates/virus_us.html

QUOTE: United Parcel Service is warning of a computer virus circulating under the guise of an e-mail from UPS. According to a release from UPS, the virus is attached to an e-mail that warns readers they have a shipment that couldn't be delivered unless they click on the attachment. The e-mail claims the attachment contains a waybill that will allow the undelivered package to be picked up.

COPY OF EMAIL MESSAGE: (spoofed to appear from UPS)

"Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office.

Your UPS"

The attached file is an executable which downloads files from the following server:

hxxp: //fixaserver (dot) ru / ldr / [Removed]

Oracle Security Update for July 2008 - 45 updates for all products

2008-07-16T13:05:00Z

As applicable for their environment, corporate DBAs and system administrations should download, pilot test, and then install these critical security updates to better protect Oracle based applications.

QUOTE: The Critical Patch Update for July 2008 was released on July 15, 2008. Oracle strongly recommends applying the patches as soon as possible.

Oracle Security Update for July 2008
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Music Files - New Codec injection attacks add danger for Multi-media files

2008-07-15T20:55:00Z

Sometimes one bad apple can spoil the entire bunch. A new injection based codec attack has surfaced which can infect all multi-media files on the hard drive. For example, a malicious MP3 file can be downloaded and if the special fake codec routine is accepted, it will inject malicious code into every multi-media file that is processed. Folks should continue to only use trusted sources for music or video.

Infectious Music, Malware-Style
http://www.trustedsource.org/blog/132/Trojan-infecting-multimedia-files
http://blog.trendmicro.com/infectious-music-malware-style/

QUOTE: A malware that infects multimedia files, modifying them to require the download of a fake codec when played had recently been discovered. It infects widely used multimedia file formats such as MP3, WMA and WMV video files by injecting a malicious code. The said malware is also capable of converting files such as MP2 and MP3 into Windows Media Audio (WMA) format. When a user tries to play an infected file, a pop-up message is displayed, asking the user to download a certain codec in order to play the file. The downloaded codec is of course, nothing else but malware.

But this malware takes it to a new, and more dangerous level; it manipulates a person’s multimedia files and uses it against them. People normally keep thousands of multimedia files on their systems, especially MP3s. If each file is infected by the malware then shared through a P2P network, then the user unknowingly turns into a malware host.

Malicious PDF files - Death of the Internet in 2012

2008-07-15T15:02:00Z

There are dangerous PDF files being circulated by spammers. The new PDF based attacks typically use Javascript attacks within the document to infect vulnerable systems. Users should always avoid opening any unexpected document or link in email messages. Also, it is important to stay up-to-date on all security updates available from Adobe and other software vendors.

Malicious PDF files - Death of the Internet in 2012
http://blog.trendmicro.com/death-of-the-internet-foretold/

The malware involved in this spam run is detected by Trend Micro as TROJ_PIDIEF.JT, a Trojan that arrives as a PDF file named DOC.PDF. This file promises more information regarding the alleged Internet death.

PIDIEF Trojans are known malware droppers or downloaders, so once users click on the attached PDF file — and whether or not they believe the theory — another malware is already up and running on their systems and doing malicious routines. The death of the Internet is going to be the least of their problems after that …

Internet Storm Center - PDF Javascript based exploits
http://isc.sans.org/diary.html?storyid=4726

Storm Worm - Avoid Tabloid headlines in Spam messages

2008-07-15T11:44:00Z

The social engineering tactices used by the Storm worm continue to be well engineered. These deceptive messages attempt to trick folks into selecting malicious links that automatically download malware to vulnerable systems.

Storm Worm - Avoid Tabloid headlines in Spam messages
http://redtape.msnbc.com/2008/07/no-presidential.html

QUOTE: No, spammers haven’t hired a bunch of former supermarket tabloid writers. They’re just doing what they do best – exploiting human nature.

The Storm worm is the Internet's version of Broadway’s “Phantom of the Opera” -- the longest running hit show around. Storm first appeared in January 2007, teasing users with a headline about deadly storms that hit Europe -- "230 dead as storm batters Europe," it said, offering a link to a full story. Clickers found themselves infected with the Storm worm.

Storm was an immediate hit for the hackers, who managed to trick hundreds of thousands of recipients into clicking on the booby-trapped link. That enabled them to build an enormous network of hijacked computers, called a botnet, which they use to send out more spam or commit other Internet crimes.

There have been hundreds of Storm variants since the first one, sent by a loosely affiliated gang of computer criminals. Some estimates say that up to 10 million PCs have been infected with Storm at one time or another.

But in April, Microsoft updated its malicious software removal tool, much to the chagrin of the hackers. About four-fifths of the vast Storm network was cut off, said Paul Wood, a security researcher at MessageLabs.

Comprehensive list of dozens of headlines from Message Labs
http://www.msnbc.msn.com/id/25680334

Apple Macintosh computers - Keeping them secure in the corporate environment

2008-07-14T14:11:00Z

In the Sarbanes-Oxley forums, a good question was asked related to keeping Mac systems protected. Security is more of a "process" rather than being specifically hardware or software related. In other words, you should take the same precautionary protective measure for Apple workstations, just like Windows client PCs.

For the most part, Apple Mac computers have enjoyed a fairly good track record when it comes to security. There are a fewer in-the-wild threats and the Apple OS X operating system has a Linux-kernel based design, that is fairly secure.

Still, security is only as strong as it's weakest link. Thus you want a strong chainlinked fence to keep the fox out of the chicken coop.

Recommendations:

1. Keep all operating system, browser, and software products as up-to-date as possible on security patches.

2. Anti-virus software (anti-spyware might be beneficial also)

3. Firewall protection is always a must

4. Authentication to networks (with strong password settings, rotations, and other best practices)

5. Security policies that include the Mac environment (e.g., discouraging too much personal use, installation of non-business software, etc)

6. Use of Firefox 3 might be beneficial to look at as a complementary browser to Safari (which has suffered some recent security issues)

7. Tracking of Apple security exposures and risks as they develop (e.g., monitor Secunia, Internet Storm Center, Apple's security bulletins, FRSIRT, etc)

As noted, this list is fairly similar to keeping Windows client PCs secure. These additional links might help:

http://www.google.com/search?hl=en&q=corporate+macintosh+security+best+practices
https://security.berkeley.edu/mac.html
http://www.networkworld.com/news/2007/022707-mac-os-going-corporate.html

Microsoft Security Updates - July 2008 includes SQL-Server update

2008-07-14T12:43:00Z

Microsoft have released this month's patches as part of their usual Patch Tuesday monthly cycle. This months patches are:

MS08-037 - Vulnerabilities in DNS Could Allow Spoofing (953230)

Affects: Windows 2000, XP (inc x64), Server 2003 (inc x64), Server 2008 (inc x64)
LInk: http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx

MS08-038 - Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)

Affects: Windows Vista and Windows 2008 Server
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx

MS08-039 - Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)
Affects: Microsoft Exchance Server 2003 & 2007
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-039.mspx

MS08-040 - Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
Affects: SQL Server 7, 2000, 2005, MSDE 1.0, SQL 2000 Desktop Engine, SQL 2005 Express Edition, Windows 2000, Server 2003 & Server 2008
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-040.mspx

Additional Links:

Microsoft: http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
MS Blog: http://blogs.technet.com/msrc/archive/2008/07/08/july-2008-bulletin-monthly-release.aspx
ISC: http://isc.sans.org/diary.html?storyid=4684

So far, the July updates are working well on my XP SP3 PCs at home and work ...

IMPORTANT NOTE -- Don't forget to patch SQL-Server as applicable (after pilot testing your web or client/server based applications)

IT Project management - Excellent collection of resources

2008-07-09T13:40:00Z

The 100th edition of the ALLPM Today Newsletter shares some excellent resources as the most popular articles for each year are highlighted below:

Most Popular allPM Article (for all years) - Communication in the Workplace
By Kate McLeod, PMP
http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1910

Most popular ALLPM articles for each year:

Most Popular 2002 Article - Project Management Best Practice #3 -"Strategic Planning for Project Management"
By Dr. Harold Kerzner
http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1909

Most Popular 2003 Article - Understanding the PRINCE2 Processes - Part One
By David Whelbourn
http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1908

Most Popular 2004 Article - The True Meaning of Teamwork
By Sloan Campbell MBA, PMP
http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1907

Most Popular 2005 Article - Acceptance Criteria - Part I & II,
By Eoin Callan (MBA, PMP)
http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1906

Most Popular 2006 Article - Why Does a Project Need a Project Manager and a Business Analyst
By Barbara Carkenord
http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1905

Most Popular 2007 Article - The Essence of OPM3®
By Ralf Friedrich
http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1904

Storm Worm - Avoid July 4th topics offering Fireworks display

2008-07-06T12:50:00Z

As noted in Gary warner's excellent blog post, please avoid the following email messages in your in-box:

Storm Worm - Avoid July 4th topics offering Fireworks display
http://isc.sans.org/diary.html?storyid=4669
http://garwarner.blogspot.com/2008/07/storm-worm-salutes-our-nation-on-4th.html

QUOTE: The website, which seems to invite visitors to play a fireworks video, actually downloads the Storm malware in the form of an executable called "fireworks.exe".

Subjects
=================
Amazing firework 2008
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Birthday, America!
Happy Independence Day
Happy Independence Day!!
Independence Day firework broke all records *
Spectacular fireworks show
Stars and Strips forever
The best of 4th of July Salute
Time for Fireworks
Wish your friends a happy Independence Day

Bodies
=================
Amazing Independence Day show
America the Beautiful
Celebrating the Glory of our Nation
God bless America
Sparkling Celebration of Independence Day
Stars and Strips forever
Super 4th!
The best firework you've ever seen

Internet Explorer 8 Beta 2 - Will focus on security improvements

2008-07-06T12:38:00Z

Two recent ZDNet blog posts highlight forthcoming security improvements for the next beta release of IE 8. The release to testers is planned for August. These improvements will make IE8 a worthwhile upgrade when it is released in the future.

Internet Explorer 8 Beta 2 - Will focus on security improvements
http://blogs.zdnet.com/security/?p=1396
http://blogs.zdnet.com/Bott/?p=484

QUOTE: When Microsoft's Internet Explorer 8 hits the Beta 2 milestone in August, the browser makeover will feature a full-fledged anti-malware blocker and new protections against some forms of cross-site scripting attacks. The existing phishing filter IE 7 has been renamed SmartScreen Filter and will include blacklist-based blocking of known exploit sites. Also new in IE 8 Beta 2 is an XSS Filter to detect Type-1 (reflection) attacks that can lead to cookie theft, keystroke logging, Web site defacement and credentials theft:

The new beta refresh will also include support for safer Web 2.0-type mashups, DEP (data execution protection) turned on by default in Windows Vista SP 1, domain highlighting to help flag phishing attacks and changes to the way ActiveX controls are handled.

Below are also an overview of security improvements found in the current beta version:

Internet Explorer 8 - Two New Security Improvements
http://www.itsecurity.com/features/ie8-security-features-032408/

QUOTE: IE 8's security environment benefits from the addition of two major enhancements: the Safety Filter tool and the Domain Highlighting feature. Here's a closer look at both of these new enhancements.

1. Safety Filter -- IE 8 ups the ante with a new Safety Filter that analyzes the entire URL string to search for carefully hidden signs that a Web site may be something other than it claims to be. In Microsoft's words, the Safety Filter provides "a more granular detection" capability, allowing the browser to protect users from more targeted and sophisticated attacks.

2. Domain Highlighting -- IE 8's other major new security feature is a technology that highlights the top-level domain in the browser's address bar. This enhancement might not sound like much, but it is designed to provide a hard-to-miss visual clue that will function like a traffic light. The idea is to enable users to quickly confirm that the Web site they are visiting is the site that they intended to visit.

Citibank ATM breach reveals PIN security problems

2008-07-02T15:19:00Z

In most cases, folks are safe to use ATMs for cash withdrawals, although this major security incident reported yesterday is alarming.

Citibank ATM breach reveals PIN security problems
http://news.yahoo.com/s/ap/20080701/ap_on_hi_te/tec_atm_breach

SAN JOSE, Calif. - Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record. The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals.

It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.

That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others. A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly. All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.

They could have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.

Windows Vista - Numerous Security Advantages over XP

2008-06-27T21:26:00Z

In searching early this morning, I ran across the link below which highlights numerous security advantages that Vista has over XP. In fact the improved security has caused some incompatibility issues with some applications written for Windows 2000 or XP. Still, if you have a new or relatively new system that's capable of running Vista and your applications are compatible, you will benefit from the improved security which is part of TWC.

MSDN - Technical document highlights Vista's security advantages
http://msdn.microsoft.com/en-us/library/bb188739.aspx

URL Scan 3.0 Beta - New version helps detect SQL Injection Attacks

2008-06-27T12:30:00Z

Microsoft has just enhanced a key IIS based security tool in response to the new wave of automated SQL injection attacks, that are currently circulating. This security tool can help spot weaknesses that should addressed by the web development tool (e.g., strengthening SQL-Server calls for improved security by using parameterized lists, ADO, stored procedures, and other secure techniques). URL Scan can detect or block many of the generic attacks by searching for special keywords.

URL Scan 3.0 Beta - New version helps detect SQL Injection Attacks
http://blogs.iis.net/wadeh/archive/2008/06/05/urlscan-v3-0-beta-release.aspx

QUOTE: UrlScan installs as a filter on IIS and looks at incoming requests in real time. It can then screen requests based on a set of general request properties. For example, it can block overly long URLs or headers. It can block requests with unexpected HTTP verbs or strings in the URL.

Today, in 2008, we find ourselves in a similar situation. We are seeing a particularly nasty automated SQL Injection attack that is targeting our customers. This attack defaces web servers and sends their clients off to malicious servers that attempt to install malware. As before, the vulnerability does not exist in IIS - or any software from Microsoft. In this case, the attack is exploiting vulnerabilities in customer developed applications. And as before, the real fixes will need to come from the myriad developers of those applications.

The new set of features in version 3 are:

* Support for query string scanning, including an option to scan an unescaped version of the query string.
* Change notification for configuration (no more restarts for most settings.)
* UrlScan can be installed as a site filter. Different sites can have their own copy, with their own configuration.
* Escape sequences can be used in the configuration file to express CRLF, a semicolon (normally a comment delimiter) or unprintable characters in rules.
* Custom rules can be created to scan the URL, query string, a particular header, all headers or combination of these. The rules can be applied based on the type of file requested.

We also have plans to update the IIS 7 request filter to add these features. In the interim, UrlScan 3 is fully supported on IIS 7.

IMPORTANT RECOMMENDATION: Finally, it cannot be overstated that these tools are just an interim measure to buy time to fix the affected applications. While they are effective against the current wave of automated attacks, they cannot protect against more directed attacks against a specific server. The category of SQL Injection vulnerabilities is so broad that there are no known filter strategies that can block a determined hacker against application vulnerabilities. There are many resources available for learning about SQL Injection attacks and prevention strategies.

ADDITIONAL RESOURCES - HOW TO PREVENT SQL-INJECTION ATTACKS

http://msmvps.com/blogs/harrywaldron/archive/2008/05/31/microsoft-best-practices-for-preventing-sql-injection-attacks.aspx

http://msmvps.com/blogs/harrywaldron/archive/2008/06/15/new-sql-injection-attacks-the-need-to-improve-legacy-web-applications.aspx

http://msmvps.com/blogs/harrywaldron/archive/2008/06/25/sql-injection-mitigation-tips-for-asp-development.aspx

SQL Injection mitigation tips for ASP development

2008-06-25T20:46:00Z

Microsoft, the Internet Storm Center, the SQL-Server Worldwide Users Group (SSWUG), and others are actively promoting the dangers associated with automated SQL injection attacks. While SQL Injection concerns have been around for several years, these attacks have growth substantially this year because of automation. There are also numerous vulnerable websites out there, which provide an opportunity for malware attacks. There is a need to fix these sites and promote secure web development.

SQL Injection mitigation tips for ASP development
http://isc.sans.org/diary.html?storyid=4610

QUOTE: With the recent SQL injection attacks on ASP pages. A lot of our readers are scrambling to find fixes for their applications. ASP is an older generation Web scripting language would require a bit more work to prevent SQL injection from happening. One of our readers Brian Erman has written a function to filter out the SQL keywords and also escape some the metacharacters in SQL to prevent SQL injection. from happening.

Brian Erman's SQL Injection filtering for ASP
http://paste-it.net/public/c3cb69a/

To stop SQL injection at the root, we have to understand that SQL injection happens because the database cannot effectively distinguish between static portion of the SQL statement and the user input. If there is a way we can tell the database - this is static SQL statement and this is user input, SQL injection could be stopped easily.

In actual fact, such mechanism exists, it is called parameterized query. The user input are passed to the SQL server as an argument (sort of like calling a function in programming language), the SQL server during query execution have a way to identify what part of the statement is static control, and which part is user input.

Parameterized queries have been widely publicized. In classic ASP, parameterized query is possible if you use ADO command object, an example is here. Parameterized query is available on most other web scripting platforms, now is the time to review all your web app before the automated SQL injection exploitation spreads to other language platforms (PHP, CFM, PL)

GOOD EXAMPLES OF PARAMETERIZED QUERIES
http://aspnet101.com/aspnet101/tutorials.aspx
http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=6999
http://www.inrsolutions.com/blog/details.asp?id=5

Malware Automation - Trojan2Worm Toolkit

2008-06-25T12:30:00Z

While Malware authors continue to develop exploits to attack vulnerable systems, they are also creating automated toolsets. The new Trojan2Worm toolkit can take any executable and publish it rapidly as worm based malware that can quickly spread on USB, DVDs, CDs, network shares, and other media.

Malware Automation - Trojan2Worm Toolkit
http://vil.nai.com/vil/content/v_146248.htm
http://www.theregister.co.uk/2008/06/18/trojan_worm_toolkit/

QUOTE: This Tool-Kit is used by an attacker to convert any executable into an autorun worm, which can spread through removable devices, by implementing an “AutoRun.inf” configuration file. "Autorun.inf" is a text based configuration file which instructs the Windows operating system to perform some action upon opening a network shared drive, local folder, floppy drive, CD-ROM drive or the insertion of a removable disk drive.

Trojan2Worm (T2W) toolkit turns any executable file into a worm with auto-spreading capabilities. As such it provides the ability for Trojan infection agents to acquire worm-like spreading abilities.

The tool requires minimal skills to use, net security firm Panda Security reports. Features include the ability to compress infectious files or mutate their contents, tricks designed to make it easier to smuggle malware past anti-virus scanners. It's also possible to program malware so that it disables Task Manager, Windows Registry Editor or even selected browsers.

Latest Storm Worm - Uses Fictional Breaking News Alerts

2008-06-23T00:20:00Z

The latest storm worm variant sends false news alerts to trick individuals into selecting links and infecting their system. Avoid these messages and use major news sites as a source for alerts.

Storm Worm - Uses Fictional Breaking News Alerts
http://www.avertlabs.com/research/blog/index.php/2008/06/20/breaking-news-not/
http://www.f-secure.com/weblog/archives/00001459.html

QUOTE: Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high volume spam campaign is using some wacky subjects to lure people into clicking on the links:

EXAMPLES
Subject: White House hit by lightning, catches fire
Subject: Oprah found sleeping the streets
Subject: Eiffel Tower damaged by massive earthquake
Subject: Donald Trump missing, feared kidnapped
Subject: Lastest! Obama quits presidential race

This clever social engineering technique plays on peoples inquisitiveness in news of natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.

NEVER click on links in an email unless you are sure of its origin, keep your Anti-Virus software up-to-date and if you have a website make sure its properly secured so you’re not hosting stuff like this.

IT Security - The Essential Guide to Firewalls

2008-06-22T11:37:00Z

The IT Security website is an excellent resource for researching corporate security needs and best practices. The articles below describe options and best practices for corporate firewall implementations.

http://www.itsecurity.com/features/essential-guide-firewalls-061208/

QUOTE: Firewalls play a central role in IT security, standing between enterprise networks and the outside world to protect computers, applications and other resources from external attack.

Related Articles:

5 Firewall Tests and Supporting Tools

Firewall Comparison Guide

3 Tips For Deploying a Firewall

10 Tips to Make Sure Your Firewall is Really Secure

Windows Live Writer - New blog publishing application

2008-06-22T01:50:00Z

This new desktop publishing application for rich-text blogging, recently became available. It's free and I plan to learn how to use it in the coming weeks.

Windows Live Writer
http://get.live.com/writer/overview
http://get.live.com/writer/features
http://get.live.com/writer/sysreq

Wikipedia Information
http://en.wikipedia.org/wiki/Windows_Live_Writer

Windows Live Writer Blog
http://windowslivewriter.spaces.live.com/

QUOTE: Windows Live Writer is a desktop application that makes it easy to publish rich content to your blog. Key functions include:

1. Publish to most major blog services
2. Create a compelling blog easily
3. Preview before you post
4. Compose your entries offline