MSMVPS.COM

The Ultimate Destination for Blogs by Current and Former Microsoft Most Valuable Professionals.

Harry Waldron - Microsoft MVP Blog

Security News and Best Practices for corporate and home users
  • Windows XP SP3 - Read all prerequisites for a successful installation

    The XP SP3 installation upgrades have worked well for me on three systems, and they should for most users. A service pack is a major upgrade of operating system or product binaries and should be applied cautiously.

    Some best practices for a successful installation of XP SP3 (or any major software install) include:  

    -- Read the Internet Explorer prerequisite information. IE 6 and IE 8 users are affected: IE 8 must be uninstalled before applying SP3, and IE 6 users who later choose to uninstall XP SP3 will return to IE 7.
     -- The "standalone" version for professionals is a large download (312MB). I had three PCs to update, which made the full version worthwhile (and I wanted to archive it as a future backup). For a single PC, Windows Update is the more efficient download, as it retrieves only the SP components needed for that PC's configuration.
     -- Once you're ready to install, reboot your system for a fresh start
     -- Shut down all applications that start automatically
     -- Disable your anti-virus software
     -- Optionally, temporarily disconnect home PCs from the Internet to avoid any potential interruptions (only if you're using the standalone version)
     -- XP SP3 requires considerable disk space (1GB or more of free space needs to be available). Make certain you have enough free temporary space. If your hard drive is almost full, use the disk clean-up tool and delete all unneeded items.
     -- Start the XP SP3 install process and read/accept the various prompts offered
     -- Do not use your system for any other activity while it's running
     -- Be patient as the update process could require 30 to 60 minutes depending on system speed, free space, and other factors
     -- Reboot your system as prompted
     -- After the final settings have been made following the reboot, I usually perform an additional reboot to test out the change and to give the PC a fresh start after applying the service pack.

    It's important to read and research all prerequisites prior to installing. For example, as I'm currently testing the Internet Explorer 8 beta, I discovered it must be uninstalled before the XP SP3 upgrade can be applied. After XP SP3 was installed, IE 8 was reinstalled.

    Internet Explorer Prerequisites - A must read for XP SP3
    http://blogs.msdn.com/ie/archive/2008/05/05/ie-and-xpsp3.aspx

    Excellent resource for Windows XP SP3 links and information 
    http://www.wilderssecurity.com/showthread.php?t=208460

    Microsoft Forums - XP SP3 issues can be reviewed or reported here:
    http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=2010&SiteID=17

    Other XP SP3 Issues - A few systems have experienced constant reboot issues
    http://msinfluentials.com/blogs/jesper/archive/2008/05/08/does-your-amd-based-computer-boot-after-installing-xp-sp3.aspx
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9084418

  • May 2008 - The 30th anniversary of SPAM email

    Spam email started circulating 30 years ago. Below is a good overview from the updated version of Templeton's 25th anniversary post. Spam remains a major problem with email today, and folks should always be careful to take no action on it other than deleting it.

    http://www.templetons.com/brad/spam/spam25.html

    QUOTE: In fact, the earliest documented junk e-mailing I've uncovered was sent May 3, 1978 -- 25 years ago this month. (It was written May 1 but sent on May 3.) And in a surprising coincidence (*), just a month ago marked the 10th anniversary of March 31, 1993, the first time a USENET posting got named a spam

    The DEC marketer, Gary Thuerk, identified only as "THUERK at DEC-MARLBORO" (There were no dots or dot-coms in those days, and the at-sign was often spelled out) decided to send a notice to everybody on the ARPANET on the west coast. In those days there was a printed directory of everybody on the Arpanet which they used as source for the list. The message trumpeted an open house to show off new models of the Dec-20 computer, a foray into larger, almost mainframe-sized systems.

    This was a spam, though the term would not be used to refer to it for another 15 years. Thuerk had his technical associate, early DEC employee Carl Gartley, send the message from his account after several edits. Alas, at first he didn't do it right. The Tops-20 mail program would only take 320 addresses, so all the other addresses overflowed into the body of the message. When they found that some customers hadn't got it, they re-sent to the rest.

    More on the History and Types of SPAM
    http://en.wikipedia.org/wiki/E-mail_spam

  • Avert Medium Threat Advisory -- Fake MP3 malware P2P attacks

    While this is more applicable to home users, I haven't seen a threat rated MEDIUM for a while. This one is apparently circulating extensively. It appears to affect people participating in P2P networks, which always carry risks with respect to both malware and copyright.

    All users need to avoid the site: fastmp3player (dot) com

    Avert Medium Threat Advisory -- Fake MP3 malware attacks
    http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/
    http://www.avertlabs.com/research/blog/index.php/2008/05/07/yet-even-more-fake-media-files/
    http://blastmagazine.com/2008/05/mcafee-identifies-downloader-uah-first-medium-risk-malware-in-three-years/
    http://vil.nai.com/vil/content/v_144503.htm

    QUOTE: Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago. Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone. Now Downloader-UA.h is not your everyday trojan, this detection covers fake music and video files associated with *** MALICIOUS URL REMOVED ***

    When a user attempts to load one of these MP3 and MPG files, they don't get the music/video they were hoping for; instead they're directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.

  • New Targeted Attacks - Appear to come from Better Business Bureau complaints

    A new series of these continuing attacks has been sent to company executives. While the messages appear authentic, the BBB, government agencies, and banks never conduct official business via email; when in doubt, always call the sender first to confirm the message is really from them.

    BBB Case #947344536
    http://www.f-secure.com/weblog/archives/00001431.html

    QUOTE: We're seeing some new BBB trojan attacks going around. This attack method is well-known and has been occurring for months: A high-level executive inside an organization receives an e-mail that mentions a complaint supposedly made to the Better Business Bureau (USA). The e-mail appears to be credible and links to a site in order to download the complaint. The download claims to require IE and ActiveX in order to succeed. Once ActiveX is enabled, the site drops a backdoor on the system. This would be fairly convincing to most recipients, especially since the real company and individual names are used.

    Example of the new email scam
    http://www.f-secure.com/weblog/archives/bbb0.png

  • Windows XP - New SteadyState Facility

    Microsoft recently introduced its new SteadyState facility, which captures all relevant configuration settings as of a specific point in time to create a "gold image" copy of the system. This facility can be helpful for libraries, colleges, and even certain work settings where a standardized, locked-down system image must be rolled out consistently to several workstations.

    It may also be desirable for home users, especially where multiple accounts are used by different members of the family. It is useful as a recovery method too: when problems occur, users can bring back the complete "gold image" in a much more comprehensive manner than the System Restore function currently permits.


    Windows XP - SteadyState Facility
    http://isc.sans.org/diary.html?storyid=4367

    QUOTE: Ever wish your Windows XP computer could return the way it was when it worked correctly? That would be great, right? We can all recall some point when a particular system worked just right. Enter a utility from Microsoft that does just that, and more than a 'System Restore'. It is called SteadyState and it can retain a golden image and revert to that state at will. It is designed to lock down shared computers that do not have a full time sysadmin, however it can be used in a number of scenarios. VMs are not always the environment of choice for malware researchers for example.

    Microsoft Windows -- SteadyState Information
    http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
    http://www.microsoft.com/windows/products/winfamily/sharedaccess/whatis/default.mspx

    QUOTE: Windows SteadyState, successor to the Shared Computer Toolkit, is designed to make life easier for people who set up and maintain shared computers.

    An easy way to manage multiple users -- You can manage whole groups of users as single user accounts. The new Windows SteadyState console makes it easier than ever to create and modify user profiles.
     
    A locked-down platform for stable shared computing -- Not every computer user should have access to every software capability. Your system can be more stable and consistent when you limit user access to control panel functions, network resources, and other sensitive areas.
     
    Set it and forget it -- Once you have everything set up the way you want it, you can share the computer and rest easy. Any changes a user might make to the configuration or hard disk can be undone by simply restarting the machine.

  • SSWUG Newsletter - Update on Large-scale SQL Injection Attacks

    Stephen Wynkoop, founder of SSWUG (SQL Server Worldwide Users Group), shares an interesting update in today's SSWUG Newsletter on the recent SQL injection attacks, in which over 500,000 web pages were infected with malware-related scripts.

    The attacks succeeded because web developers took shortcuts (e.g., not fully validating input before passing it to SQL Server). A website may work fine with normal user input, but it must also have safeguards against malicious injection attempts.

    QUOTE: SQL Injection Hack Attack -- Poor Coding Techniques to Blame

    There are SO many people writing about this whole IIS hack attack that I wrote about yesterday. What's odd is the very few of them that get it. I've seen the issues blamed on everything from SQL Server not having granular-enough permissions controls to flaws in the OS. I don't get it. This is just about coding techniques, nothing more. It's not a "feature" or "bug" being exploited.

    When you accept input from a user and pass it blindly to the database engine, you are asking for trouble. When you don't control the input, don't control how it's presented to the engine for processing, you're asking for trouble. It really is that simple.

    It's too easy for people to build sites with "dynamic SQL" - making changes to the SQL statements on the fly. "Select * from " + user_input is asking for trouble.

    It's simple. If your applications accept input from users, you need to make sure you've taken steps to properly pass information from your application to the server and back again as you display it. If you're not doing this now, if you have not built this into your application design, review and development processes, you're asking for people to exploit your system. If you're not sure - find out. Learn what was built into the application. Consider using a tool to stay on top of new techniques and approaches.

    Hacker Safe is one such tool - take a look at what they're doing and you'll get a great idea of the types of things to be aware of. (Not affiliated)


    McAfee's "Hacker Safe" - Site Verification Tool
    http://www.hackersafe.com/site/en/security/intro/

    SQL-Server World-wide Users Group (SSWUG) - Home Page
    http://www.sswug.org

  • Website Safety - Fake Microsoft-like sites

    Yesterday, Sunbelt issued a warning about several sites whose names closely resemble genuine Microsoft sites. Most of the URLs are plural forms (e.g., microsofts or microsoftes). Do not attempt to visit these sites, as malware could be installed automatically and silently on vulnerable PCs.
     
    These URLs could be used in future phishing or targeted attacks, since they closely resemble Microsoft's naming conventions. Always be careful with URLs, and with taking any action as a result of an email or a website visit.
     
    Sunbelt Blog - Fake Microsoft-like sites
    http://sunbeltblog.blogspot.com/2008/04/microsoft-like-scam-sites.html
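    As an added example (not code from this blog or from Sunbelt), the following checker flags hostnames that imitate a brand's naming in the way the warning above describes: plural forms such as microsofts or microsoftes, small misspellings, and hosts that merely embed the brand name. The brand list, the allow-list of genuine domains and the sample links are assumptions constructed for the demo; a real deployment would use the organisation's own lists and a public-suffix list.

```python
# Added example, not code from the blog or from Sunbelt: a small lookalike-domain
# checker for links pulled from mail or proxy logs. BRANDS, GENUINE and the
# sample links are constructed demo values, not real allow-lists.
from urllib.parse import urlsplit

BRANDS = {"microsoft"}
# Assumed allow-list of domains that really belong to the brand (demo values).
GENUINE = {"microsoft.com", "msdn.com", "msn.com"}
MAX_EDITS = 2   # a label this close to a brand name is treated as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url_or_host: str) -> str:
    """Accept a full URL or a bare hostname and return the lower-cased host."""
    text = url_or_host if "//" in url_or_host else "//" + url_or_host
    return (urlsplit(text).hostname or "").strip(".")


def classify(url_or_host: str) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for the host behind a link."""
    host = hostname_of(url_or_host)
    if any(host == g or host.endswith("." + g) for g in GENUINE):
        return "genuine"
    for label in host.split("."):
        for brand in BRANDS:
            # The brand used as any label of a non-genuine host (microsoft.com.example),
            # a label a couple of edits away (microsofts, microsoftes, micosoft), or a
            # label that embeds the brand (microsoft-update) all count as lookalikes.
            if label == brand or brand in label or levenshtein(label, brand) <= MAX_EDITS:
                return "lookalike"
    return "unrelated"


def triage(links) -> dict:
    """Bucket a batch of links (e.g. from a mail gateway log) by classification."""
    out = {"genuine": [], "lookalike": [], "unrelated": []}
    for link in links:
        out[classify(link)].append(link)
    return out


if __name__ == "__main__":
    # Constructed sample links; none of these are real indicators from the post.
    sample = ["http://www.microsoft.com/windows", "microsofts.com",
              "http://microsoftes.com/update", "example.org"]
    for bucket, links in triage(sample).items():
        print(bucket, links)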

  • Kraken Botnet - Should a Good Worm be used to clean infected PCs?

    The eWeek cartoon above illustrates well the dangers of using a "good worm" to clean up what is perhaps the top botnet infection in the world. While DV Labs might be able to accomplish this, there is always the danger that the bad guys could find a way to manipulate such a worm, and if something went wrong on an individual PC being cleaned there could be unintended consequences, even from a good deed.

    A better idea would be for DV Labs to work with the MSRC and share the Kraken encryption techniques so that it may be included in a future version of the MSRT. And as previously shared, there is no such thing as a good worm.

    http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration

    QUOTE: We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie (again see "Owning Kraken" for a video demonstrating this capability). Is it wrong to do so? Although this discussion is similar to that of writing "good worms" that roam the internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped. Once it has been released it is a self spreading uncontrollable entity. In our specific case however we have the ability to cease at any point. It is simply a one to one relationship.

    AVERT Labs notes that Kraken continues to improve its ability to hide and evade AV detection:

    http://www.avertlabs.com/research/blog/index.php/2008/04/29/mailbotf-aka-kraken-gets-stealthier-update/

  • Weak SQL coding techniques result in Huge SQL Injection attacks

    A new major security attack occurred over the weekend, in which over half a million web pages became infected with malware agents.

    A major wave of automated SQL injection attacks is under way. These have been designed and coded for the IIS and SQL Server environments, but they exploit no new vulnerabilities in those products.

    The attacks succeed on sites where security best practices were not designed into the application (e.g., safeguards that prevent a vulnerable SQL statement from being used to inject malware into the web server's content).

    Due to the increasing number of SQL injection attacks in the wild, web developers need to ensure they follow best practices for secure website implementation. Users should continue to be cautious about the sites they visit and stay up to date on security patches and AV protection.

    Huge SQL Injection attacks infect 500,000 pages
    http://www.f-secure.com/weblog/archives/00001427.html
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580
    http://hackademix.net/2008/04/26/mass-attack-faq/

    QUOTE: There's another round of mass SQL injections going on which has infected hundreds of thousands of websites. Performing a Google search results in over 510,000 modified pages.  We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.

    IIS Blog - SQL Injection Attacks on IIS Web Servers
    http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx

    QUOTE: Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform.

    MSRC Blog - Questions about Web Server Attacks
    http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx

    QUOTE: The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database.  To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here.

    BEST PRACTICES - How to protect against SQL Injections
    http://msdn2.microsoft.com/en-us/library/ms998271.aspx

    -- Learn how SQL injection attacks work.
    -- Constrain input to prevent SQL injection.
    -- Use type safe SQL command parameters to prevent SQL injection.
    -- Use a least privileged account to connect to the database.
    -- Learn additional countermeasures to further reduce risk.
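    As an added example (not code from this blog, from SSWUG or from Microsoft), the following Python shows the dynamic-SQL pattern the SSWUG quote above warns about ("Select * from " + user_input) beside the hardened form the MSDN list recommends: constrain the input, bind it as a type-safe parameter, and connect with least privilege. sqlite3 stands in for SQL Server so the demo runs offline, and the `products` table with its rows is constructed for the demo; `PRAGMA query_only` is used as a stand-in for a read-only database login.

```python
# Added example, not code from the blog, SSWUG or Microsoft. sqlite3 stands in
# for SQL Server; the products table and its rows are constructed for the demo.
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with three constructed product rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 1), (2, "Gadget", 1), (3, "Internal prototype", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """The 'before' pattern: the request parameter is pasted into the SQL text.

    Whatever the caller sends becomes part of the statement, so a value such as
    "1 OR 1=1" rewrites the WHERE clause and leaks rows the filter should hide.
    """
    sql = ("SELECT name FROM products WHERE public = 1 AND id = "
           + product_id + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """The hardened form: constrain the input, then bind it as a typed parameter."""
    # Constrain input: a product id is a short run of digits and nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", product_id):
        raise ValueError("product id must be numeric")
    # Type-safe parameter: the value travels separately from the SQL text, so
    # the engine can never mistake it for part of the statement.
    sql = "SELECT name FROM products WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(product_id),))]


def restrict_to_read_only(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Stand-in for 'use a least privileged account' (on SQL Server: a login with
    SELECT rights only). After this, the connection can read but never write."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def can_modify(conn: sqlite3.Connection) -> bool:
    """Probe whether the web tier's connection could alter stored page content."""
    try:
        conn.execute("UPDATE products SET public = 1 WHERE id = 3")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "1"))           # ['Widget']
    print(lookup_vulnerable(db, "1 OR 1=1"))    # all three rows, hidden one included
    print(lookup_safe(db, "1"))                 # ['Widget']
    try:
        lookup_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
    restrict_to_read_only(db)
    print("web tier can modify data:", can_modify(db))   # False
```

    The mass attack described in the posts above worked by writing script tags into stored page content; the read-only connection is the layer that would have blocked that even if a query had been exploitable.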


    What are SQL Injection attacks?
    http://en.wikipedia.org/wiki/SQL_injection
    http://msdn2.microsoft.com/en-us/library/ms161953.aspx
    http://msdn2.microsoft.com/en-us/library/bb671351.aspx

    QUOTE: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

  • New Phishing Scam - Uses upcoming IRS Stimulus Rebate to trick users

    The most recent Government Computer newsletter warns of a new, well-designed IRS phishing scam. The attack appears to be related to the upcoming IRS rebates that are part of the 2008 Government Stimulus Package. While the email looks official and the social engineering is well done, it is important to recognize that the IRS and banks do not use email to contact individuals; they usually call or conduct official business by mail only. Please avoid these attacks, as entering your bank account information into the realistic but false website could mean real losses of money to these criminals. It could also take months to clean up after an individual's credit or bank account information has been compromised.

    Phishing scam uses IRS rebate line to reel in victims
    http://www.gcn.com/online/vol1_no1/46153-1.html
    http://www.mxlogic.com/itsecurityblog/1/20...us-Payments.cfm
    http://mxlogic.com/itsecurityblog/1/2008/0...shing-Twist.cfm

    QUOTE: The tax filing season is past, the economic stimulus rebate season is upon us, and the phishers are changing their bait. The lure this time is the $600 rebate ($1,200 per household) that the Internal Revenue Service will begin sending to taxpayers in May and a supposed opportunity to speed up the process. E-mails purporting to be from the IRS are arriving in inboxes with instructions to recipients that if they visit the linked Web site and provide bank account and routing numbers their rebate can be deposited directly to the account more quickly. To add an element of urgency, the message includes a deadline — April 24 — for providing information, but that is likely to change.

    Right on cue we are starting to see phishing scams with an economic stimulus payment flavor. As we discussed in one of the IRS phishing scam blog entries we predicted that as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd based on the last two digits of your Social Security Number) we would start to see more scams around these payments. We are starting to see some of the first iterations of those scams today.



    EXAMPLE OF NEW PHISHING ATTACK:

    TO: ***************
    FROM: service@irs.gov
    SUBJECT: 2008 Economic Stimulus Refund.

    Over 130 million Americans will receive refunds as
    part of President Bush program to jumpstart the economy.

    Our records indicate that you are qualified to receive the
    2008 Economic Stimulus Refund.

    The fastest and easiest way to receive your refund is by
    direct deposit to your checking/savings account.

    Please click on the link and fill out the form and submit
    before April 24th, 2008 to ensure that your refund will be
    processed as soon as possible.

    Submitting your form on April 24th, 2008 or later means that
    your refund will be delayed due to the volume of requests we
    anticipate for the Economic Stimulus Refund.

  • IT Security website - 103 Free Security Utilities featured

    The IT Security website features a good categorized list of free security utilities. Some of these are trial versions, limited versions of the full product, or web-based facilities. Even folks on a very tight budget can protect their systems well with many of these free tools.
     
     IT Security website - 103 Free Security Utilities featured
     http://www.itsecurity.com/features/103-best-free-security-utilities-041608/
     
     QUOTE: Competition drives prices down, regardless of the industry. With a crowded field of vendors jockeying to be the trusted source of computer security for your home and office, prices for many of the essential elements of your security system have reached zero. Free downloads, free trials, free scans and freeware is everywhere. If you’re willing to go without premium features like phone support, you can have a simple version of powerful software that large companies pay big bucks for.

  • Hackers use XSS flaw to attack Barack Obama's web site

    Cross-site scripting (XSS) flaws are a common weakness in many websites. From a web development standpoint, secure design and programming techniques are essential. It is also always important to keep IE and all other browsers on the latest version with current security patches, especially as phishing attacks are increasing and may appear genuine at times.
     
    Hackers use XSS flaw to attack Barack Obama's web site
    http://blogs.pcmag.com/securitywatch/2008/04/a_hack_we_can_believe_in.php
    http://news.netcraft.com/archives/2008/04/21/hacker_redirects_barack_obamas_site_to_hillaryclintoncom.html

    QUOTE: A security weakness in Barack Obama's website has been exploited to redirect visitors to Hillary Clinton's website. Visitors who viewed the Community Blogs section of the site were instead presented with Clinton's website as a result of a cross-site scripting vulnerability.

    The Obama hack used a cross-site scripting flaw in the site to redirect users from Obama's Community Blogs section to HillaryClinton.com. XSS bugs are getting far more attention lately than they had been in the past, perhaps because they are so widespread. And since the answer to them is good programming practices rather than running some security product, they can be difficult to snuff out.

    Good overview of XSS redirect issues
    http://en.wikipedia.org/wiki/Cross-site_scripting

    QUOTE: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.
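    As an added example (not code from this blog or from either campaign's website), the following Python shows the rendering defect behind an XSS redirect of the kind described above, a user-supplied comment written straight into a page, beside the hardened form, which HTML-encodes the text and renders only http(s) links. The page template, the sample comment and the placeholder redirect target are all constructed for the demo.

```python
# Added example, not code from the blog or from the sites it discusses. The
# template, sample comment and link targets are constructed demo values.
import html
import re
from urllib.parse import urlsplit

# Constructed template for a "Community Blogs" comment page.
PAGE = ('<html><body><h1>Community Blogs</h1>'
        '<div class="comment">{body}</div>'
        '<a href="{link}">visitor link</a></body></html>')

# Constructed malicious comment: rendered raw, it bounces every visitor elsewhere.
SAMPLE_COMMENT = '<script>location.href="http://example.invalid/"</script>'


def safe_href(url: str) -> str:
    """Render only http(s) links; any other scheme (javascript:, data:) becomes '#'."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_vulnerable(comment: str, link: str) -> str:
    """The 'before' pattern: comment text and link are written into the page as-is."""
    return PAGE.format(body=comment, link=link)


def render_safe(comment: str, link: str) -> str:
    """Hardened form: encode the text for the HTML body, validate and encode the link."""
    return PAGE.format(body=html.escape(comment, quote=True), link=safe_href(link))


def contains_active_content(page_html: str) -> bool:
    """Crude review check: a script tag, an inline event handler or a javascript: href."""
    pattern = r'<script\b|\son[a-z]+\s*=|href="javascript:'
    return re.search(pattern, page_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(contains_active_content(render_vulnerable(SAMPLE_COMMENT, "javascript:void(0)")))  # True
    print(contains_active_content(render_safe(SAMPLE_COMMENT, "javascript:void(0)")))        # False
    print(render_safe(SAMPLE_COMMENT, "https://example.invalid/?a=1&b=2"))
```

    Encoding at the point of output is the fix the PC Magazine quote alludes to with "good programming practices": the browser receives the comment as text to display rather than markup to execute, and a link can only ever point at an http(s) address.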
