Harry Waldron - IT Security

Windows 7 and Server 2008 R2 - SMB denial of service attack exploit

2009-11-14T15:16:00Z

A denial-of-service creates an endless loop where PCs or servers become unresponsive. The Windows 7 security system will prevent malware infections to the system itself for this specific attack. An infected system could lock up and require rebooting if an attack were successful.

These attacks may spike to 100% CPU utilitzation or be overwhelmed with intense network traffic. Windows 7 and Server 2008 R2 and users should keep autoupdates enabled and monitor developments for a forthcoming patch. Keeping your firewall enabled and AV protection in place also provides protection for current unpatched systems.

Windows 7 and Server 2008 R2 - SMB denial of service attack exploit
http://www.microsoft.com/technet/security/advisory/977544.mspx
http://blogs.technet.com/msrc/archive/2009/11/13/microsoft-security-advisory-977544-released.aspx
http://isc.sans.org/diary.html?storyid=7597
http://isc.sans.org/diary.html?storyid=7573

QUOTE: this is a DoS vulnerability that is unrelated to Microsoft Security Bulletin MS09-050 which addressed a remote code execution vulnerability in the SMBv2 protocol. This vulnerability would not allow an attacker to take control or install malware on a user’s system, but could cause the affected system to stop responding until manually restarted.

MSRC - Excellent site to monitor further developments
http://blogs.technet.com/msrc/

MaCatte Antivirus - New Rogue copies McAfee AV interface

2009-11-12T13:24:00Z

Rogue security products are popular methods of attack as evident by AntiVirus 2009. These Fake AV scams are designed to steal money from users by tricking them into thinking they are installing legitimate software.

These Fake AV products will present users with constant pop-ups and request that they pay around $39 to register their product so the PC can be cleaned. These Fake AV products are actually malware and are to be avoided. Any user infected should search for a cleaning tool to remove Fake AV products. To avoid infections, users should be careful in the websites they visit and stay patched up on every product (esp. Windows and Adobe Flash). Moving to the latest version of Internet Explorer, Firefox, Opera, etc. are also good ways to help prevent infections.

Rogue Security Product Copies McAfee’s Look and Feel
http://www.avertlabs.com/research/blog/index.php/2009/11/10/rogue-security-product-copies-mcafees-look-and-feel/

QUOTE: Recently we have seen the rapid growth of rogue anti-virus/spyware programs. This one is especially interesting. Why? Because it mimics McAfee’s security product. This rogue software displays the same user interface as McAfee Security Center. It also offers a web page that looks similar to McAfee’s legitimate site.

The idea behind fake AV software is to trick unsuspecting users into thinking their machines are infected. The malware will display a window that shows many innocent files detected arbitrarily as compromised. These fake security alerts are baseless–they exist to trick victims into pressing the panic button. In this case agreeing to “Remove all threats now” will lead to purchasing the MaCatte Antivirus 2009 product. The rogue software offers several “features”:

• It displays fake warning messages and “Safety Center Alert” pop-ups
• It flashes icons that appear in the system tray
• It hijacks the browser’s homepage to a site that mimics McAfee’s site

Oracle Quarterly Security Updates - October 2009

2009-11-11T13:27:00Z

Oracle highly recommends that DBAs and System Administrators apply these patches across a wide range of products promptly.

Oracle Critical Patch Update Advisory - October 2009
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html

QUOTE: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 38 new security fixes across all products.

Microsoft Security Updates - November 2009

2009-11-11T12:47:00Z

Very important security updates are available for Windows and Office. These should be promptly applied to protect from exploits and malicious code that could be reversed engineered in the near future.

Microsoft Security Updates - November 2009
https://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx

ISC - Excellent Summary of this month's Patch Tuesday updates
http://isc.sans.org/diary.html?storyid=7564

SANS - Summary of 31 tips for better PORT security

2009-11-11T12:08:00Z

Each year the Internet Storm Center picks a theme for improved security awareness and publishes an article per day during Cybersecurity awareness month (October). These are excellent resources for any professional in the IT Security profession:

SANS - Summary of 31 tips for better PORT security
http://isc.sans.org/diary.html?storyid=7504

QUOTE: This year we examined 31 different ports/services/protocols/applications and discussed some of the major security issues. Many readers submitted comments, tips, and tricks for securing them.

1 - Port 445 - SMB over tcp
2 - Port 0
3 - Port 5900 - VNC
4 - Port 20/21 - FTP-data/FTP
5 - Port 31337 - trojan horses
6 - Ports 67&68 udp - bootp and dhcp
7 - Port 6667/8/9/7000 - IRC
8 - Port 25 - SMTP
9 - Port 3389 -RDP
10 - The Questionable Ports
11 - Port 111 - RPCBind aka Portmapper
12 - Ports 161/162 - Simple Network Management Protocol (SNMP)
13 - Ports 3128, 8080 & .... - Proxies
14 - Port 514 - syslog
15 - Ports 995, 465, and 993 - Secure Email
16 - Port 1521 - Oracle TNS Listener
17 - Port 22 - SSH
18 - Port 23 - Telnet
19 - ICMP
20 - Ports 5060 & 5061 - SIP (VoIP)
21 - Port 135 - MS DCE locator
22 - Port 502 - Modbus
23 - Port 179 - Border Gateway Protocol
24 - Ports 1-20 and 37 - The Small Services
25 - Port 80 and 443 - Web services
26 - Ports 1433/1434 - MS SQL
27 - Ports 135, 137, 138, 139, ... - MS Active Directory Ports
28 - Port 123 - ntp
29 - Port 53 - dns
30 - Ports 47, 50, 500, 1723, 4500, ... - The "Common" IPSEC VPN Protocols
31 - Port 113 - ident

Below are links to prior years sharing best practices by the Internet Storm Center during Cybersecurity awareness month:

SANS - 2008 Security Incident Handling tips
http://isc.sans.org/diary.html?storyid=5279

SANS - 2007 Cybersecurity Awareness tips
http://isc.sans.org/diary.html?storyid=3597

McAfee - New Corporate and Home Support Forums

2009-11-08T12:27:00Z

In 1997, our company adopted McAfee as an AV standard for all PCs and servers. Even durng these early years for the Internet, they were one of the 1st AV Vendors to use public forums to leverage support costs. I've been a member of these forums for over a dozen years, primarily sharing security news and safe practices. In November 2009, McAfee implemented a state-of-the-art community forum environment, which includes home and corporate product support forums, security awareness forums, and other resources.

NOW LIVE! McAfee Online Support Community
http://www.avertlabs.com/research/blog/index.php/2009/11/04/now-live-mcafee-online-support-community/

QUOTE: The McAfee Online Support Community gives you a way to interact with other McAfee business users to ask questions and share best practices. Additionally, you’ll be able to talk with McAfee professionals about McAfee products, security awareness issues, and emerging trends — plus give us feedback on product and service enhancements.

McAfee - Home Page for New Community Forums
http://community.mcafee.com/

Kim Komando - Windows 7 and Security

2009-11-04T13:00:00Z

I've been a fan of Kim's talk radio show for years. On Saturday, I can listen on my walkman while working outdoors and catch on some of the latest developments. Computers are complex and she shares developments and best practices in an easy-to-understand approach for the public. Below is a great write-up on how security is improved in Windows 7.

Kim Komando - Windows 7 and Security
http://www.komando.com/tips/index.aspx?id=7584

QUOTE: QUESTION -- I’ve read a lot about the new features in Windows 7. But, I haven’t heard much about Windows 7 and security. What new security features are in Windows 7? Is it safer than Vista? — Mike in Boston, listening on WBZ 1030 AM (Higlights noted below)

First, Microsoft has taken steps to protect the Windows 7 kernel. Windows 7 does not allow unauthorized access to the kernel.

They include a firewall and anti-spyware. You can also download Windows Security Essentials, a free antivirus program.

Windows 7’s firewall has been improved. As with the firewall in earlier versions of Windows, it isn’t perfect. But, advanced firewall options can be accessed through the Action Center. That makes it easier to control what programs are allowed to communicate through the firewall.

In Windows 7, UAC has been tweaked and is much more user-friendly. You can select the UAC settings you prefer. If a page tries to install software or change settings, you’ll see the alerts. Obviously, UAC isn’t a new feature. But, it has finally become useful for most users.

You probably saw Vista machines with fingerprint scanners. These relied on third-party software. With, Windows 7, biometric security is baked in. You can use it to allow access to the machine. The Biometric Devices applet is available in Control Panel. This lets you configure your fingerprint reader.

You may have noticed that the Security Center is missing from Windows 7. In its place, you get the Action Center. This is where the computer’s security is configured. You’ll can also specify your Windows Update preferences.

There are also a bevy of new security features in Internet Explorer 8. This is the browser included with Windows 7. First, there’s domain highlighting. This helps you see the relevant part of the URL. ActiveX security has also been improved. IE 8 also features the XSS Filter. This is designed to protect you from cross-site scripting attacks.

Anti-phishing tools have also been beefed up. The SmartScreen Filter has a new look and improved performance. It can also add anti-malware support. It will block you from downloading known malware.

Milestone dates ahead - Affecting future computers

2009-11-01T18:13:00Z

SANS has highlighted future dates that may impact computing. New standards would most likely address these design issues:

Milestone dates ahead - Affecting future computers
http://blogs.sans.org/appsecstreetfighter/2009/10/29/the-day-the-world-will-end/

QUOTE: With a new movie coming out about how the world will end with the (supposed) end of the Mayan calender, I figured it would be nice to get a list of software related “end of calender” issues:

Dec. 31st 1999, 23:59:59 GMT -- The famous Y2k issue. We made it… (so far)

Dec. 21, 2012 -- end of Mayan calendar. Just listed here because everybody is talking about it. Should not affect software (other then the fact that the world will end that day).

Jan. 19th 2038, 03:14:07 GMT -- The end of the Unix epoch. Unix uses a 32 it signed number to express time. The last date that can be expressed using unix time is Jan 19th 2038. After that… who knows? This can already be a problem. Imagine you are a bank and handing out 30 year mortgages?

Dec. 31st 9999, 23:59:59 GMT -- The end of 4 digit years. Well, we got a while until that will happen.

Threats to avoid during Halloween

2009-10-31T12:56:00Z

Trend labs shares key concerns to avoid while online:

This Halloween, Enjoy the Treats but Be Wary of Online Tricks
http://blog.trendmicro.com/this-halloween-enjoy-the-treats-but-be-wary-of-online-tricks/

QUOTE: We often associate Halloween with pumpkins and costumes but for cybercriminals it’s merely another avenue to exploit, steal, and trick users into giving away their personal identities. Treats are fun but we all need to be on the lookout for the sneaky and tricky ways cybercriminals slither into our computers.

Below are the TrendLabs, top 7 scariest threats that might be knocking on your door:

1. Tailor-made ZBOT spam makes its way to employees’ mailboxes
2. Vulnerabilities hit critical mass: Patch me if you can
3. FAKEAV: Surrender hard-earned money for fake security
4. Expand your circle of friends but beware of KOOBFACE malware
5. More sophisticated attacks = More victims
6. No system is immune from security attacks
7. Baited Search Engine attacks climb the charts

Dangerous Malware - 2009 Analysis by Trend Mirco

2009-10-31T12:35:00Z

Numerous malicious websites, rogue AV products, botnets, and phishing attacks continue to circulate. Users should stay up-to-date on technical protection and use safe practices.

Dangerous Malware - 2009 Analysis by Trend Mirco
http://blog.trendmicro.com/trick-or-threat/

QUOTE: 2009 saw the emergence or resurfacing of three of the most notorious botnets in relation to information, financial, and identity theft—Koobface, ZeuS, and Ilomo. Trend Micro estimates that more than 100,000 users receive messages saying they have been infected by malware while visiting malicious sites and that there are more than 48,000 FAKEAV offerings per month.

WHY IT'S IMPORTANT TO STAY PATCHED UP -- Unpatched vulnerabilities can allow cybercriminals to exploit users’ systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.

Halloween Malicious Spam Circulating

2009-10-31T01:22:00Z

When holidays or major news events occur, always be careful when presented with these topics in email

Halloween Malicious Spam Circulating
http://www.avertlabs.com/research/blog/index.php/2009/10/29/trick-or-treat-with-spam-and-malicious-screensavers/

QUOTE: some of the most common techniques scammers and cybercriminals use are news events and holidays. Balloon Boy and the Windows 7 Launch are good examples. My colleague Sam Masiello’s blog on President Barack Obama’s Nobel Prize is another excellent example. With Halloween approaching rapidly, the tricks are already knocking on your inbox and at your browser’s window.

2010 Census - Better Business Bureau Safety Tips

2009-10-29T20:30:00Z

This warning was shared with me recently and shares some excellent tips on avoiding any related scams that may materialize. It is important to know your rights and what to expect in this process. During March 2010, questionaires will be mailed to every household in the USA. If these are completed and returned promptly, census takers will not need to visit your residence to collect this information.

2010 Census - Better Business Bureau Safety Tips
http://vawest.bbb.org/article/bbb-offers-advice-on-how-to-identify-legitimate-census-workers-12923

US Census Home Page
http://www.census.gov/

US Census - How it works and what to expect
http://2010.census.gov/2010census/how/index.php

QUOTE: Over the next 18 months, 1.4 million U.S. Census workers will be surveying the population of the country to gather demographic information about everyone living here. As the 2010 census process begins, the Better Business Bureau (BBB) advises citizens to cooperate carefully in order to avoid becoming a victim of census-related scams. Citizens are required by law to respond to the U.S. Census Bureau’s requests for information. Census data will be used in allocation of more than $300 billion in federal funds as well as in determining the number of Congressional representatives that each state is allowed.

The BBB offers the following advice to help distinguish between bona fide Census workers and con artists:

•U.S. Census workers will have identification, a handheld device and a confidentiality notice. Caution: never invite strangers into your home.
•U.S. Census workers will not ask for your Social Security number or any information about bank or credit card accounts.
•U.S. Census workers will not ask you for money or say that you owe money.
•U.S. Census workers will not harass or intimidate you.
•U.S. Census workers will not contact you by email – only by phone, by mail or in person.

Major arrests made for Nigerian 419 email scams

2009-10-23T18:46:00Z

While over 99% of users ignored these scams, perhaps 1 in a thousand would believe the email letter and start participating. Often the victim would be robbed online of hundreds if not thousands of dollars. Major arrests have been made to shut down most of these operations, which should result in fewer emails.

Nigeria - Major arrests made for 419 scams
http://news.bbc.co.uk/2/hi/africa/8322316.stm
http://en.wikipedia.org/wiki/Nigerian_419_scammer

Nigeria's anti-corruption agency says it has shut down some 800 fraudster e-mailers and arrested those behind 18 high-profile "cyber crime syndicates". The Economic and Financial Crimes Commission said it has been working with the computer giant Microsoft to crack down on the scammers. The con tricks - known as "419 scams" after the penal code that outlaws them in Nigeria - are often run by well-organised gangs.

Windows 7 Security Features

2009-10-23T18:20:00Z

This TechNet article offers a great overview of the key security improvements found in Windows 7

TECH NET - An Introduction to Security in Windows 7
http://technet.microsoft.com/en-us/magazine/2009.05.win7.aspx

Table of Contents
* Windows Biometric Framework
* Extending Authentication Protocols
* BitLocker Core Enhancements
* BitLocker To Go
* UAC Improvements
* AppLocker
* Global SACLs and Granular Auditing
* Wrapping Up

Windows 7 - offers improved security for corporate users

2009-10-23T15:25:00Z

Like Vista, Windows 7 continues to improve on security controls. In a corporate setting, Windows 7 offers much improved security over Windows XP especially for mobile users with laptops (who may be outside the umbrella of corporate protective controls as they travel).

Windows 7 - offers improved security for corporate users
http://www.eweek.com/c/a/Security/Windows-7-Security-Story-May-Appeal-to-Enterprises-549002/

QUOTE: Microsoft Windows 7 has a number of new security features designed to appeal to enterprises. But will they do the trick? The Windows 7 security story has three main chapters that have received a fair amount of attention: DirectAccess, BitLocker To Go and AppLocker. With these, as well as features such as BranchCache and enhancements to UAC (user account control), officials at Microsoft have said they feel they are pushing out their most secure operating system yet.

Windows 7 is built upon the security foundations in Windows Vista and retains all of the core technologies, such as Firewall, Windows Defender and User Account Control," Paul Cooke, director of Windows Client Enterprise Security, told eWEEK. "In addition to enhancing those security features, we listened to customer feedback and [wove] it closely into the development process of Windows 7 to deliver innovative new security features.

Enterprises looking to upgrade or switch to Windows 7 can also count AppLocker as a key security feature. AppLocker allows administrators to use Group Policy to specify what applications, installation programs and scripts users can execute. With the Audit Only Enforcement Mode setting, administrators can determine what applications are used in an organization and test rules before deploying them, Cooke said.

Rounding all this out is BitLocker To Go, which encrypts removable storage devices such as USB drives. With BitLocker To Go, users can restrict access to the data with a pass code, as well as set a policy that requires users to apply BitLocker protection to removable drives before being able to write to them. The feature also provides configurable read-only support for removable devices on older versions of Windows so BitLocker-protected files can be shared.

Microsoft Security Essentials – Status after First Week

2009-10-23T12:08:00Z

Microsoft's Malware Protection Center (MMPC) has provided an informative update related to the 1st week for MSE going live. As an original beta tester and current user on our family PC, MSE continues to offer good basic performance and has had a couple of good reviews on it's capability to detect malware using a signature based approach.

Microsoft Security Essentials – Week One
http://blogs.technet.com/mmpc/archive/2009/10/15/microsoft-security-essentials-week-one.aspx

QUOTE: Now that Microsoft Security Essentials is generally available to consumers in 19 countries, we've had a chance to go over the data, and there are some very interesting results. Just in the first week we saw well over 1.5 million downloads of Microsoft Security Essentials, but the price (free to Windows users) is hard to beat!

Computers reporting detections up to October 6: almost four million detections on 535,752 distinct machines. The detections are eight times the machine count because many computers are infected with multiple threats.

Microsoft Security Essentials is available in 8 languages and 19 markets at RTM, which covers a lot of the PC using world. The geographic distribution of detections so far still closely follows the Microsoft Security Essentials Beta countries, and is ramping up in other countries that use the 8 languages.

Numerous links can be found here:

http://msmvps.com/blogs/harrywaldron/archive/2009/09/30/microsoft-security-essentials-new-free-av-product-for-home-users.aspx

http://msmvps.com/blogs/harrywaldron/archive/2009/10/01/mse-rated-as-very-good-in-finding-malware-by-av-test-org.aspx

Windows 7 based spam with malicious links circulating

2009-10-21T21:06:00Z

Please be careful with Windows 7 email messages you may receive. AVERT Labs has noted extensive spamming to deceive folks. Usually with email, if it appears too good to be true, it's too good to be true ...

Windows 7 Spam and Malicious links circulating
http://www.avertlabs.com/research/blog/index.php/2009/10/21/windows-7-beaten-to-the-punch-by-spam/

QUOTE: The release of Microsoft’s next major operating system, Windows 7, is at hand. It’s timely to remind everyone that we have seen Windows 7 spam for a few months. Anything on this scale from Microsoft is too big a lure for spammers and cybercriminals to ignore. (I would be stunned if they didn’t take advantage.) We’ve seen subjects that include:

Microsoft Windows 7 special offers
Windows 7 SP 2
Windows 7 FAQ on release
Today’s Special Gateway Laptop + NEW Windows 7 & More Electronics Deals
Windows7 ultimate 86% off
Windows7 ultimate 57% off

We at McAfee Labs have noticed these throughout both September and October–with spikes as high as 1.88 percent of total spam. That might sound like a small number, but when you consider that daily spam volumes can reach 160 billion messages, it is not insignificant.

TechFlash Survey - 50% of businesses implement Windows 7 in one year

2009-10-21T00:06:00Z

I like the security and reliabilty found in Vista and I'm now looking forward to the release of Windows 7 on Thursday. It will offer further improvements and efficiencies, plus an XP compatibility mode where needed.

TechFlash Survey - 50% of businesses implement Windows 7 in one year
http://sunbeltblog.blogspot.com/2009/10/half-of-businesses-surveyed-will-go.html
http://www.techflash.com/seattle/2009/10/survey_50_of_businesses_to_deploy_windows_7_in_first_year.html

QUOTE: Nearly half of 1,200 companies surveyed by a veteran technology analyst plan to deploy Windows 7 in its first year of availability, and another 11 percent say they will make the shift as soon as Microsoft releases the first service pack update for the new operating system.

Microsoft Security Essentials - How to manually update

2009-10-20T23:47:00Z

This link is handy for manually updating PCs with MSE installed, esp. if there is no Internet connectivity. After updating MSE signatures, it's beneficial to perform a QUICK or FULL SCAN with these latest definitions to ensure your system is malware free. It's a very easy process in downloading the applicable file, clicking on it, and it installs in about one minute.

http://support.microsoft.com/default.aspx/kb/971606

University email quota scam

2009-10-20T23:44:00Z

College students should avoid this new phishing attack which is currently circulating in spam attacks

Internet Storm Center - University email quota scam
http://isc.sans.org/diary.html?storyid=7402

QUOTE: New week, new scams. One seems directed at universities, and is informing students that their email quota is exhausted and asks them to connect to a malicious web site to re-enable their account. The site includes an iframe and doesn't even TRY to look like the web site of an university. It still asks for your userid and password, though ...