Harry Waldron - IT Security

Office 2010 - Data Execution Prevention (DEP) by Default

Harry Waldron — Sun, 07 Feb 2010 16:30:00 GMT

PC Magazine reports on improved security in Office 2010, where it will integrate DEP protective controls that can prohibit certain malware attacks. This can improve malware protection, when malicious scripts are launched in early attacks and vendors may not have AV signatures available

Office 2010 - Data Execution Prevention (DEP) by Default
http://blogs.pcmag.com/securitywatch/2010/02/office_2010_opts_in_to_dep_by.php

Office 2010 - In Depth Article on DEP Protection
http://blogs.technet.com/office2010/archive/2010/02/04/data-excecution-prevention-in-office-2010.aspx

QUOTE: Microsoft Office 2010 will, by default, opt in to DEP (Data Execution Prevention), a feature of recent versions of Windows that helps to prevent vulnerability exploits. DEP causes a program to halt when an attempt is made to execute code in an area of memory marked as data. This is a common technique for exploits, including many that have used malicious Office documents over the years.

WHAT IS Data Execution Prevention (DEP)?
http://support.microsoft.com/default.aspx/kb/875352

QUOTE: Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP, DEP is enforced by hardware and by software.

Office 2010 Beta is available for testing at:

Microsoft Office 2010 - Home Page
http://www.microsoft.com/office/2010/en/default.aspx

Money Mules - Work at home scams to be prosecuted by FTC

Harry Waldron — Sun, 07 Feb 2010 15:53:00 GMT

The FTC has announced a crack down on fradulent employment at home scams.

Money Mules - Work at home scams to be prosecuted by FTC
http://sunbeltblog.blogspot.com/2010/02/major-us-crackdown-on-work-at-home.html
http://www.krebsonsecurity.com/2010/01/top-10-ways-to-get-fired-as-a-money-mule/

QUOTE: The U.S. Federal Trade Commission today announced that next Tuesday they will hold a news conference to make public details of “a law enforcement sweep cracking down on job and work-at-home fraud fueled by the economic downturn.”

People who sign on as work-at-home employees from Internet ads (also called “money mules”) often are used as conduits for stolen funds that are transferred from the bank accounts of victim individuals or companies who have been scammed by phishing or spear-phishing. The money mules set up bank accounts into which stolen funds are transferred. They are instructed to keep a portion of the funds and wire the remainder to the scammers, who are generally outside the U.S.

Microsoft Patch Tuesday - Huge Security Update on 02/09/2010

Harry Waldron — Sun, 07 Feb 2010 15:43:00 GMT

Please note that Microsoft will be releasing a number of critcal security updates on Patch Tuesday (02/11/10). Please take out to install these important updates and reboot as prompted. This is one of the most important things you can do to protect your PC.

http://isc.sans.org/diary.html?storyid=8155
http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx
http://blogs.technet.com/msrc/archive/2010/02/04/february-2010-bulletin-release-advance-notification.aspx

QUOTE: Microsoft announced that they will be releasing a total of 13 bulletins next Tuesday. These bulletins will fix 26 difference vulnerabilities. The bulletins affect all versions of Windows.

Pushdo Botnet - New DDOS attacks on major web sites

Harry Waldron — Tue, 02 Feb 2010 18:50:00 GMT

Fake SSL connection attacks are being flooded to several prominent websites. DDOS attacks are an attempt to deny or greatly slow down access for legitimate users. Hopefully these attacks and the botnet itself will be shutdown.

Pushdo Botnet - New DDOS attacks on major web sites
http://sunbeltblog.blogspot.com/2010/02/pushdocutwailpandex-botnet-attacking.html
http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=222600679
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129
http://isc.sans.org/diary.html?storyid=8131
http://isc.sans.org/diary.html?storyid=8125

MASTER LIST OF WEBSITES BEING ATTACKED
http://www.shadowserver.org/wiki/uploads/Calendar/pushdo_sites.txt

QUOTE: No one is sure why the Pushdo botnet is running a distributed denial-of-service-like attack against over 300 major web sites including the CIA, Mozilla labs, SANS and Twitter, according to the Shadowserver Foundation. Pushdo is also called Cutwail and Pandex.

The botnet has been spewing initial SSL connection requests, causing servers to return an SSL negotiation error. The attacks don’t appear to be of sufficient intensity to knock any of the target sites off line and possible could be a mechanism to mask the botnet’s other traffic. SecureWorks said Pushdo is sending the SSL packets to port 443. The botnet also uses that port for command-and-control traffic.

Last June, MessageLabs estimated that the Pushdo botnet, believed to be the world’s largest, was comprised of 1.5 to 2 million bots that pumped out 74 billion spam messages per day (51 million per minute.) They said 14 percent of the bots were in Brazil, 14 percent in South Korea and 10 percent in the U.S.

Office 2010 Beta available for testing

Harry Waldron — Tue, 02 Feb 2010 13:18:00 GMT

The Office 2010 Professional beta was successfully downloaded and installed on my primary PC at home. Users experienced with Office 2007 should be able to use new version right away. It is available after registering with Microsoft as the following site:

Microsoft Office 2010 - Home Page
http://www.microsoft.com/office/2010/en/default.aspx

Facebook - 35% of users checked privacy settings

Harry Waldron — Sun, 31 Jan 2010 16:38:00 GMT

Recently, Facebook launched a special security initiative encouraging all users to check and improve their PRIVACY settings. While a 35% compliancy is still low, the industry average is usually 5-10%. All Facebook users should periodically check their security settings to ensure personal information is well protected.

Facebook - Only 35% of users have checked privacy settings
http://sunbeltblog.blogspot.com/2010/01/facebook-privacy-settings-35-percent.html
http://www.mediabistro.com/baynewser/privacy/a_third_of_facebook_users_customized_their_privacy_settings_after_the_policy_changes_and_why_facebook_thinks_thats_a_good_thing_150409.asp

QUOTE: At a privacy roundtable sponsored by the U.S. Federal Trade Commission in San Francisco, Facebook Director of Public Policy Tim Sparapani said that 35 percent of the 350 million Facebook users (that's 122 million!) actually checked their privacy settings when Facebook suggested it in December. The BayNewser, a San Francisco media news site, said Sparapani told their reporter that “the industry average for users' actively engaging with their settings is actually between 5-10 percent.”

DECEMBER 2009 - FACEBOOK PRIVACY INITIATIVE
http://www.facebook.com/privacy/explanation.php

Sophos's - Best Practices for Facebook security
http://www.sophos.com/security/best-practice/facebook/

Apple iPad announcement

Harry Waldron — Sat, 30 Jan 2010 13:45:00 GMT

While tablet devices are mostly used for specialized purposes, the iPad has state-of-art hardware desgins. It will interesting to follow future security developments, as well as innovative uses in home or office environments. It can plug into a Mac or Windows PC via USB 2.0. For Windows, it requires XP or higher as the Operating System

Apple iPad - Home Page
http://www.apple.com/ipad/
http://www.apple.com/ipad/features/
http://www.apple.com/ipad/design/
http://www.apple.com/ipad/specs/

QUOTE: SPECIFICATIONS

LCD Display
9.7-inch (diagonal) LED-backlit
glossy widescreen Multi-Touch display with IPS technology
1024-by-768-pixel resolution at 132 pixels per inch (ppi)
Fingerprint-resistant oleophobic coating
Support for display of multiple languages and characters simultaneously

Capacity
16GB,
32GB,
64GB flash drive

Processor
1GHz Apple A4 custom-designed,
high-performance,
low-power
system-on-a-chip

Audio playback
Frequency response: 20Hz to 20,000Hz
Audio formats supported: AAC (16 to 320 Kbps)
User-configurable maximum volume limit
TV and video
Support for 1024 by 768 pixels
Dock Connector to VGA Adapter
H.264 video up to 720p, 30 frames per second,

Wireless and cellular
Wi-Fi model
Wi-Fi (802.11a/b/g/n)
Bluetooth 2.1 + EDR technology
Wi-Fi + 3G model
UMTS/HSDPA (850, 1900, 2100 MHz)
GSM/EDGE (850, 900, 1800, 1900 MHz)

Input and output
Dock connector
3.5-mm stereo headphone jack
Built-in speaker
Microphone
SIM card tray (Wi-Fi + 3G model only)

Environmental
Arsenic-free display glass
BFR-free
Mercury-free LCD display
PVC-free
Recyclable aluminum and glass enclosure

NMAP 5.21 PENTEST tool Release

Harry Waldron — Sat, 30 Jan 2010 13:26:00 GMT

Some minor issues surfaced with Nmap 5.20 and this release was quickly made to correct these problem areas.

NMAP 5.21 - HOME PAGE
http://nmap.org/

QUOTE: Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest.

New Version offers more than 150 significant improvements, including:

o   30+ new Nmap Scripting Engine scripts
o   enhanced performance and reduced memory consumption
o protocol-specific payloads for more effectie UDP scanning
o   a completely rewritten traceroute engine
o   massive OS and version detection DB updates (10,000+ signatures)

InfoWorld - Security Tests of four major browsers

Harry Waldron — Fri, 29 Jan 2010 16:56:00 GMT

A series of informative articles reflecting security controls in four popular Windows browsers:

Test Center: How secure is Internet Explorer?
[The world's most popular browser is also the most frequently attacked, but comes with controls and management capabilities other browsers can't match.]
http://www.infoworld.com/d/applications/test-center-how-secure-internet-explorer-343

Test Center: How secure is Google Chrome?
[Google's shiny new open source Web browser is a frustrating blend of excellent security model, questionable decisions, and a dearth of critical security controls.]
http://www.infoworld.com/t/applications/test-center-how-secure-google-chrome-443

Test Center: How secure is Firefox?
[Mozilla's popular Web browser is long on user-friendly features and third-party extensions, and short on granular security controls.]
http://www.infoworld.com/d/security-central/test-center-how-secure-firefox-282

Test Center: How secure is Opera?
[Opera Software's underrated browser is rich in both features and granular security controls, but misses important Windows protections.]
http://www.infoworld.com/d/security-central/test-center-how-secure-opera-620

Windows Update - Reboot as soon as possible when prompted

Harry Waldron — Fri, 29 Jan 2010 14:33:00 GMT

I see this incident more as a "lessons learned", than a design flaw that millions of users are suffering with. In the original post the Microsoft Update (MU) icon had been flashing for a few hours. Maybe a reboot could have taken place while at lunch or when taking a break at work. Sometimes corporate group policies are indeed rigid and may not allow flexibilities for MU to just notify or download. Some "lessons learned" include:

Reboot ASAP - so that the new settings can take place immediately and avoid instability issues that rebooting the applied updates would resolve. Still, I've been in situations where I've had to delay reboots due to time sensitive work I had to accomplish. However, when possible always reboot right away.

When you see the Microsoft Update shield or prompts to reboot, SAVE all of your work right away to prevent any loss of information. I also start shutting down anything that's non-essential in preparation for a reboot.

How I got attacked by Windows Update - Tales from the Evil Empire
http://weblogs.asp.net/bleroy/archive/2010/01/22/how-i-got-attacked-by-windows-update.aspx

QUOTE: I was writing a wiki page when it happened. The system restart dialog from Windows Update had been blinking helplessly in the task bar for a few hours as I didn’t have time for a reboot yet. And then, right in the middle of a sentence, the effing dialog decides that I’ve been ignoring it for too long, puts itself in front and gives itself focus.

You can see what happened then. My fingers were continuing to type, not realizing that the wiki page had gone to the back. Now the thing is, space is a fairly common key to hit when you’re writing English. But in dialogs, that’s also the key that triggers the default button. Which, in the case of that particular Windows Update dialog, is “Restart”. So before I realized what was going on, I was seeing all my windows close, including of course the wiki page I was working on. No application should ever be allowed to steal the focus.

Kim Komando - You can't get rid of Internet Explorer

Harry Waldron — Thu, 28 Jan 2010 17:27:00 GMT

This "tip of the day" provides key reasons why IE cannot be completely removed from Windows. Internet Explorer is more than just a browser, as other alternative browsers may occasionally use IE APIs. As shared in the article, move to IE8 for better overall security, even when other browsers like Firefox, Opera, or Chrome are used exclusively.

Kim Komando - You can't get rid of Internet Explorer
http://www.komando.com/tips/index.aspx?id=8089

QUOTE: There are good reasons to leave Internet Explorer on your computer. And, in fact, you cannot remove it. It is an integral part of Windows. You can remove the icon if you want. But Internet Explorer will always be with you. So, it’s essential that you keep it updated. That’s actually easy. Just set Windows for the most automatic updates possible. Then, let Microsoft take care of it. Also, be sure you’re using Internet Explorer 8. That is the safest version. There is no value in maintaining old versions of Internet Explorer. They simply make you more vulnerable to attacks.

Corporate Policies, Processes and Procedures

Harry Waldron — Sun, 24 Jan 2010 14:22:00 GMT

The Internet Storm Center shares an excellent awareness on the need for companies to revisit their corporate policies to ensure they are up-to-date, relevant, and easy-to-understand. This is just important, as technological defenses. Both go hand-in-hand to protect the company. Revisiting your security policies is an excellent way to start the new decade.

Users need security rules and boundaries, so that acceptable behavior and a reduction of risk occurs in the workplace. Yes, there will some who march to the beat of a different drum and won't comply. Still, companies need to work with their users to promote the best in privacy, security, and information protection.

I've enjoyed authoring these guidelines in the past. Some ideas for success include:

Design in positive terms (minimize the "Thou shall not" statements, e.g., instead of "do not visit inappropriate sites" state as "users must visit business appropriate sites"). This promotes better best practices and eventual buy-in by the users.

Use reasonable controls rather than absolute restrictions (e.g., avoid saying "absolutely no personal use of IT resources" unless that is the desired policy and will be followed by all. Don't be too rigid or lenient in the design, so as to allow limited employee freedoms as long as there is a primary business use focus.

Use simplified language to promote understanding by all (avoid legalize, highly technical terms, complex and/or sentence structures, etc)

Monitor security policies and enforce them (educate first time violators rather than making examples of them)

Most importantly, publish them on your corporate Intranet where they can be kept up-to-date easily and so they are can be easily accessed by all

Publish company wide emails when policies change

Ensure senior management, HR, and Legal Counsel provide input, approve, and back these important guidelines

Internet Storm Center - The necessary evils: Policies, Processes and Procedures
http://isc.sans.org/diary.html?storyid=8071

QUOTE: It is one that you can't afford to overlook. I have found time and time again that having good policies, processes and procedures keep you out of trouble ... What ever the case, having good policies, processes and procedures will only make you and your organization better. So, since its the beginning of a new year, take some time and update your policies and look at your processes and procedures. Have they changed? Do they need updating? Are they even helpful? Writing something for the sake of saying you have it is a waste of time.

PC Magazine review of AVAST Antivirus 5.0

Harry Waldron — Sun, 24 Jan 2010 03:15:00 GMT

AVAST is a popular and free AV offering. The latest version has just been reviewed by PC Magazine:

PC Magazine Review of AVAST Antivirus 5.0
http://blogs.pcmag.com/securitywatch/2010/01/avast_free_antivirus_50.php
http://www.pcmag.com/article2/0,2817,2358288,00.asp

QUOTE: Bottom Line -- The new user interface of avast! free antivirus makes it easier to use, and its new technology eliminates more malware. This tool offers more control over settings and more detail in reporting than some of its free competitors.

Pros -- Improved user interface. New heuristic anti-malware engine. New code emulator technology. Powerful boot-time scan. Good malware removal. Effective malware blocking.

Cons -- Full scan and boot scan both take a long time. Some threats still present after supposed removal. Boot scan requires user interaction if threats found.

ALWIL Software
http://www.avast.com

Type: Personal
Free: Yes
OS Compatibility: Windows Vista, Windows XP, Windows 7
Tech Support: Online technical support, knowledge base and activity community forum
Notes: Free for non-commercial use

NMAP 5.20 PENTEST tool Released

Harry Waldron — Sun, 24 Jan 2010 01:37:00 GMT

Nmap is an excellent tool for corporate PENTEST analysis ... New release is now available.

NMAP 5.20 - HOME PAGE
http://nmap.org/

QUOTE: Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest.

New Version offers more than 150 significant improvements, including:

o   30+ new Nmap Scripting Engine scripts
o enhanced performance and reduced memory consumption
o protocol-specific payloads for more effectie UDP scanning
o   a completely rewritten traceroute engine
o   massive OS and version detection DB updates (10,000+ signatures)

SPECIAL FBI WARNING - Best practices to avoid fraudulent scams

Harry Waldron — Sat, 23 Jan 2010 13:17:00 GMT

This is excellent advice to ensure your donations are received by those who are in need.

SPECIAL FBI WARNING - Best practices to avoid scam attacks
http://www.fbi.gov/pressrel/pressrel10/haiti011810.htm

QUOTE: Therefore, before making a donation of any kind, consumers should adhere to certain guidelines, including the following:

Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.

Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.

Beware of organizations with copy-cat names similar to but not exactly the same as those of reputable charities.

Rather than following a purported link to a website, verify the legitimacy of non-profit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its non-profit status.

Be cautious of e-mails that claim to show pictures of the disaster areas in attached files, because the files may contain viruses. Only open attachments from known senders.

To ensure contributions are received and used for intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf.

Do not be pressured into making contributions, as reputable charities do not use such tactics.

Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.

Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals

The FBI and the National Center for Disaster Fraud (NCDF) have established a telephone hotline to report suspected Haitian earthquake relief fraud. The number is (866) 720-5721. The phone line is staffed by a live operator 24 hours a day, seven days a week. You can also e-mail information directly to disaster@leo.gov

New Haiti Scam - Appears to be spoofed message from our President

Harry Waldron — Sat, 23 Jan 2010 13:07:00 GMT

AVERT Labs shares additional warnings related to spoofed email and websites regarding the tragedy in Haiti. Please only donate to trusted sources directly, so that we can properly help those in need.

Scams Take Advantage of Haiti Relief Efforts
http://www.avertlabs.com/research/blog/index.php/2010/01/22/scams-take-advantage-of-haiti-relief-efforts/

QUOTE: Never is the heartless nature of cybercriminals more apparent than in the wake of a tragedy. As relief efforts continue and worldwide aid pours in to help those affected by the earthquake that rocked Haiti on January 12, cybercriminals have not slowed their efforts. They are eager to get you to donate money that the people of Haiti will never see. Spoofing legitimate relief organizations such as the Red Cross is a typical social engineering lure used by the bad guys to take your money. This morning, however, a particular scam caught my eye that I wanted to share with you. Its subject line was “Help for Haiti” and was sent by “b.obama@whitehouse.gov.”

ADDITIONAL SCAMS
http://www.avertlabs.com/research/blog/index.php/2010/01/19/investigating-a-possible-charity-scam/

Sunbelt report - Users need to select stronger web passwords

Harry Waldron — Sat, 23 Jan 2010 13:01:00 GMT

Please ensure web account use strong passwords, and especially for banking and e-commerce sites

Web users still don’t select good passwords
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
http://sunbeltblog.blogspot.com/2010/01/web-users-still-dont-select-good.html

QUOTE: Key findings:

» About 30% of users chose passwords whose length is equal or below six characters

» Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters

» Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”.

Microsoft offers an FREE online facility to check the strength of passwords

Microsoft Online Safety -- Check your password — is it strong?
https://www.microsoft.com/protect/fraud/passwords/checker.aspx

Sunbelt reports 95% of email is spam for users in Europe

Harry Waldron — Sat, 23 Jan 2010 12:52:00 GMT

Despite efforts to shutdown a few spammers recently, these email attacks continue to present challenges to users everywhere.

Report from Europe: 95 percent of email is spam
http://sunbeltblog.blogspot.com/2010/01/report-from-europe-95-percent-of-email.html
http://www.enisa.europa.eu/media/press-releases/spam-survey-2009-the-fight-against-spam

QUOTE: The European Network and Information Security Agency (ENISA) has released a report that says 95 percent of all email is now spam. The report was based on surveying last year of email traffic by about 100 service providers in 30 countries

MS10-002 Internet Explorer Security Update

Harry Waldron — Sat, 23 Jan 2010 12:46:00 GMT

Please apply this update expediently to better protect against malicious attacks and to fix 7 vulnerabilities in Internet Explorer. Users with automatic updates set to on, will be notified of this available update immediately (even though it is out-of-band with respect to the normal security updates offered on the 2nd Tuesday of the month, a.k.a., Patch Tuesday) So far, this is working well on IE8 at home and work.

Microsoft Security Bulletin MS10-002 - Critical
Cumulative Security Update for Internet Explorer (978207)
http://blogs.technet.com/msrc/archive/2010/01/21/bulletin-ms10-002-released.aspx
http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

QUOTE: This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for all supported releases of Internet Explorer

Adobe Flash Shockware security updates

Harry Waldron — Sat, 23 Jan 2010 12:34:00 GMT

Users should install the latest security updates to protect against malicious Shockwave objects circulating in websites. This process is usually invoked automatically and moving to latest version when prompted will better ensure safety when visiting websites. There is also a manual update process as noted in solution information below.

APSB10-02: Abobe PDF security updates
http://www.adobe.com/support/security/bulletins/apsb10-03.html

QUOTE: Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version using the instructions provided below.

Solution: Adobe recommends Shockwave Player users uninstall Shockwave version 11.5.2.602 and earlier on their systems, restart their systems, and install Shockwave version 11.5.6.606, available here:

http://get.adobe.com/shockwave/