Kurbli : Security

Microsoft Security Essentials

Kurbli — Tue, 23 Jun 2009 18:50:30 GMT

Letöltöttem innen a Microsoft új biztonsági programjának BETA változatát (antivirus és antispyware).

Gond nélkül felment a Windows 7 RC-re.

Most a tesztelése következik.

IE8 issues if immunization by Spybot-S&D is enabled

Kurbli — Sat, 21 Mar 2009 03:11:00 GMT

E-társak, gáz van!

There are reports that IE8 will not start fast if user’s system is immunized using Spybot S&D. I able to reproduce this in Vista and XP.

There is report of high-CPU usage when Spybot –S&D immunization is enabled. I able to reproduce this in XP.

There is also report that IE8 will not load fast or it will hang if restricted sites exists in IE Restricted Sites zone, e.g. using IE-SPYAD and I able to reproduce this also in XP and Vista.

Time for the authors to check their protection tools for IE8 compatibility. For now, users who want IE8… should disable the immunization and IE-SPYAD. For users who prefer the protection over IE8, stay first with IE7.

Discussion at http://www.calendarofupdates.com/updates/index.php?showtopic=17654

Related blog: http://blogs.msdn.com/ie/archive/2009/03/19/internet-explorer-8-final-available-now.aspx

IE8 issues if immunization by Spybot-S&D is enabled

2009.03.25:

Spybot S&D Team’s response on IE8 issues

2009.03.28:

Work-around by users on slow startup of IE with immunization

2009.04.08:

New MS KB

Automatic Scan for Virus When Plug in USB Flash Drive » Raymond.CC Blog

Kurbli — Sun, 13 Apr 2008 08:50:00 GMT

Since manually scanning USB flash drive is troublesome, I found a way to automatically scan the USB flash drive whenever it is inserted or plugged in to a Windows computer.
USBVirusScan is a small program that will launch any program you provide as a command line parameter each time a USB stick is inserted. The author use it to start a full virus scan on the inserted USB drive, hence the name.

Ragyogó megoldás az USB flash drive-okon tenyésző vírusok ellen!

Link: http://www.raymond.cc/blog/archives/2008/04/13/automatic-scan-for-virus-when-plug-in-usb-flash-drive/

Virtualization Support for ISA and RRAS (A frustrated reader gets a response from Microsoft)

Kurbli — Thu, 27 Sep 2007 09:21:47 GMT

Rendkívül érdekes történet. A biztonsággal és virtualizálással foglalkozóknak el kell olvasni.

Over the past few months, I've been doing a lot of traveling and I've neglected this blog. (If for some reason, anybody is interested in how I spent my summer, see the end of this post for my quick summary. It feels odd to be writing about myself, but I guess that's what people do in blogs.) Anyway, I'm back now and have a million things to write about. Microsoft has been incredibly busy!
I'll start by sharing a letter from a reader, Jeff Vandervoort, who asked me to get a response from Microsoft. At the end of Jeff's letter, you'll see the response Microsoft gave me. I'll be eager to hear what you think.
...

Virtualization Support for ISA and RRAS

Security Update for the 2007 Microsoft Office System (KB936960)

Kurbli — Tue, 14 Aug 2007 19:39:22 GMT

WindowsUpdate.log:

2007-08-14 20:26:59:486 912 bf0 Report REPORT EVENT: {EBD00822-A710-49F6-81C1-5AEA5E368FC0} 2007-08-14 20:26:54:469+0200 1 182 101 {9FF36D09-9505-46AF-8B21-5EBEB95AE7D4} 100 80070643 MicrosoftUpdate Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for the 2007 Microsoft Office System (KB936960).

Direct download KB936960 and install failed.
officeupdate.microsoft.com -> officeupdate success.

Újabban csak én szaladok bele a Microsoft Update hibáiba?

És még mindig nem tudom miért keletkezett a hiba. A fenti workaround megoldotta.

Preventing an internal spammer - E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

Kurbli — Mon, 13 Aug 2007 11:08:12 GMT

Avagy: a spammerek már a spájzban vannak.

So what can you do to proactively prevent a client's workstation to be turned into a spam spewing beast?
Les Connor and ISA Server 2004 once again to the rescue:
He builds a rule to deny any port 25 transmissions from anything other than the server itself and an internal scanner.
Action: Deny, log requests
Protocols: Selected : SMTP
From: The lan (defined IP address range)
Exceptions: SBS, Printer and Scanner IP's, which are defined specific IP
addresses.
To: Anywhere (pre-existing destination)
Users: All
Schedule: Always

Caveat, this blocks the use of telnet <external host> 25 from any local
machine for troubleshooting purposes, so beware of this if you use it on
your *own* network for testing SMTP.
You might also want to build an alert rule when this deny rule kicks in as it would be a sign of infestation.

Preventing an internal spammer - E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

Most Computer Attacks Originate in U.S.

Kurbli — Mon, 19 Mar 2007 08:39:53 GMT

A spájzban lévő ruszkik műve.

The United States generates more malicious computer activity than any other country, and sophisticated hackers worldwide are banding together in highly efficient crime rings, according to a new report. Researchers at Cupertino-based Symantec Corp. also found that fierce competition in the criminal underworld is driving down prices for stolen financial information. Criminals may purchase verified credit card numbers for as little as $1, and they can buy a complete identity _ a date of birth and U.S....(read more)

Source: Most Computer Attacks Originate in U.S.

Tools to scan for missing patches and insecure versions - Calendar Of Updates

Kurbli — Sat, 17 Mar 2007 16:17:26 GMT

Donna összeírta a használható eszközöket:

1. Microsoft Update or Windows Update and Office Update
2. Microsoft Baseline Security Analyzer
3. Secunia Software Inspector
4. Belarc Advisor
5. SecurityExpressions
6. RadarSync 2007

Tools to scan for missing patches and insecure versions
One of the important tasks to help protect our computers from exploits and bugs is to update the applications. An up-to-date antivirus and anti-spyware will not always protect a user from attacks and infection if the system is not fully patched.
Even antivirus vendors recommend to user to always keep a patched systems and applications.

Source: Tools to scan for missing patches and insecure versions - Calendar Of Updates

I'm rocking out to Whisky In The Jar by Thin Lizzy from the album Greatest Hits

Microsoft allows bypass of Vista activation

Kurbli — Fri, 16 Mar 2007 11:20:26 GMT

Rossz fiúk! Nóta, vidámság!

In its TechNet documents, Microsoft recommends the repeated use of SkipRearm. How many times is "multiple times"? My testing revealed that the answer is, well, indefinite.
• On a copy of Vista Ultimate that Microsoft released in New York City on Jan. 29, I found that changing SkipRearm from 0 to 1 allowed the command slmgr -rearm to postpone Vista's activation deadline eight separate times. After that, changing the 0 to 1 had no effect, preventing slmgr -rearm from moving the deadline. The use of slmgr -rearm 3 times, plus using SkipRearm 8 times would eliminate Vista's activation nag screens for about one year (12 periods of 30 days).
• On a copy of the upgrade version of Vista Home Premium that I bought in a retail store on Jan. 30, slmgr -rearm also worked 3 times and SkipRearm worked 8 times before losing their effect. This combination would, as with Vista Ultimate, permit a one-year use of Vista without nag screens appearing.
• On a copy of the full version of Vista Home Premium that I bought in a retail store on Mar. 14, SkipRearm had no effect on extending the use of slmgr -rearm at all. This suggests that Microsoft has slipstreamed a new version into stores, eliminating the SkipRearm feature in Vista Home. That could mean that changing the key from 0 to 1 will now work only in the business editions of Vista — Business, Enterprise, and Ultimate — so corporations can use the loophole.

Source: Microsoft allows bypass of Vista activation

Security attacks you can’t stop: browser patch delays

Kurbli — Wed, 14 Mar 2007 08:54:19 GMT

És mint tudjuk, a legtöbb nyavalyát a webről szedhetjük össze. Nem kéne egy picit igyekezni MS, a nagy tömeggyűlések közti szünetekben?

“Delays in updating browsers can leave users vulnerable to attack.
But, in updating browsers–especially when a zero-day attack was in progress–Microsoft trailed Apple, Mozilla and Opera in providing fixes. On average, IE patches appeared ten days after the flaw was reported, while Opera, Mozilla and Safari browsers were patched, on average, in two, three, and five days, respectively.”

Source: Security attacks you can’t stop: browser patch delays

No Microsoft security patches today, but two Vista fixes released

Kurbli — Wed, 14 Mar 2007 08:32:06 GMT

Nincs nagy peccs, csak ki peccsek.

The rare no-patch Tuesday caught some security analysts and professionals trying to figure out how to spend their free time. "Relax, take a breath," suggested Minoo Hamilton, senior security researcher with patch management vendor nCircle Network Security Inc.

Source: No Microsoft security patches today, but two Vista fixes released

Unpatched Vulnerabilities page

Kurbli — Thu, 15 Feb 2007 10:27:41 GMT

Ha egy ilyen To Do List-em lenne, elmennék nyaralni, mert vagy elintéződik magától, vagy bedől az oldala, de a vége nem látszik.

The Not So Real Time Monitoring of Reported Unpatched Vulnerabilities page here in CoU has been updated today.
Changes
Adjustment on number of unpatched advisories for the following products:

Windows Vista - 1 out of 0 to 1 out of 2
Windows XP Pro - 32 out of 170 to 32 out of 177
Windows XP Home - 29 out of 155 to 29 out of 161
Windows 2000 - 24 out of 146 to 24 out of 151
Outlook 2003 - 1 out of 12 to 1 out of 14
IE 7 - 3 out of 4 to 4 out of 6
IE 6 - 19 out of 110 to 19 out of 111
Firefox 2 - 1 out of 2 to 2 out of 3
Office 2003 Pro - 8 out of 31 to 5 out of 32
Office XP - 6 out of 35 to 3 out of 35
Windows Defender - 0 out of 1 (added in the list)
Live OneCare - 0 out of 1 (added in the list)
Trend Micro Anti-spyware - 0 out of 1 (added in the list)

Single Day Event On: 2/14/2007

Source: Unpatched Vulnerabilities page

IBM announces sHype

Kurbli — Tue, 13 Feb 2007 00:20:59 GMT

Vesd össze:
Robert McMillan, IDG News Service
Friday, February 09, 2007 12:00 PM PST
http://www.pcworld.com/article/id,128888-c,vistalonghorn/article.html elképzeléseivel az IBM announcement-et. A vágy és a tett esete.

"We're going to look at a fundamental piece of enabling technology. Maybe its hypervisors, I don't know what it is," he said. "Maybe it's a new user interface paradigm for consumers."

"It's too early for me to talk about it," he added. "But over the next few months I think you're going to start hearing more and more."

Quoting from the IBM official announcement:

The IBM secure hypervisor architecture, or "sHype," is a Research technology designed to run in conjunction with commercial and open source hypervisors that control servers and data in a shared environment. sHype aims to provide a security "wrapper" around distributed workloads in the data center, extending mainframe-like security to pooled data and resources across multiple IBM and non-IBM systems.
sHype is designed to bring stronger security guarantees to popular x86 and blade servers. As is increasingly common, IBM Research developed the sHype technology not just in its own labs, but implementing early versions of sHype with customers to test and evaluate the code. Additionally, portions of sHype have been contributed to the Open Source community and are being used, for example, as part of the open source Xen hypervisor kernel.
...
sHype works in conjunction with hypervisors by establishing a virtual machine to act as a data center "security foreman." The foreman uses preset configurations, business policies and exceptions set by the customer to lock down all content of the data center. It then automatically sets policies that evaluate, rank and code workloads as well as the physical and virtual resources needed to run each workload. Once workloads and resources are locked together, the integrity of the data and resources is assured and can be better managed by hypervisors accordingly...

Source: IBM announces sHype

Mennyibe kerül?

Kurbli — Sun, 11 Feb 2007 10:22:59 GMT

Derekas méretű hosts file-ok (pl.: a hpHOSTS 59,279 host nevet tartalmaz). w2k és xp esetében, ha nem tesszük disable állapotba a DNS client service-t, akkor jelentős lassulást okozhat a nagyméretű host file. w9x és home esetében nem. Vista esetében csak administrator-i joggal lehet a hosts file-t módosítani.
Ezeket az host neveket számos szűrőprogram is vizsgálja, szűri (AD Muncher, SpywareBlaster, stb.).
Külön mise, hogy a hazai gané oldalak nem szerepelnek a listában.
Lassacskán felmerülhet a kérdés, mennyiért védekezünk és mi ellen?

MVPS - http://mvps.org/winhelp2002/hosts.htm
McRae - http://pgl.yoyo.org/as/
Mike Skallas - http://everythingisnt.com/hosts.html
Stuart Hanzlik - http://accs-net.com/hosts/ (last updated August 2003)
hpHOSTS - http://www.hosts-file.net/

Source: Calendar Of Updates Calendar

ie7 Developer Toolbar 1.0.1517 error?

Kurbli — Mon, 29 Jan 2007 16:33:38 GMT

Ilyenekkel örvendeztet meg a legfrissebb verzió. Úgyhogy uninstall...

Mindentudás Egyeteme

Kurbli — Sun, 28 Jan 2007 01:07:47 GMT

Lovász akadémikus - általam önkényesen kiemelt - megjegyzése elgodolkodtató. Nem úgy vagyunk-e mi is (informatikusok), hogy elhisszük a marketingeseknek egy-egy termék milyen nagyszerűen biztonságos? Miért nem követeljük a matematikai bizonyítást? Esetleg nem tudjuk a matematika nyelvén megfogalmazni kérdéseinket? Netán tudjuk-e modellezni egy program részeit, vagy egy adott protokollt?

...
IV. A bizonyítás új fogalma
A bizonyítás a matematika lelke, a görög tudomány talán legfontosabb alkotása. Mégis, az iskolai matematikatanításból sokszor kimarad. Még egyetemi hallgatók is gyakran nem értik, miért van rá szükség: "Elhisszük mi a tanár úrnak, minek azt bizonygatni.'' (Remélem, ez csak amerikai tapasztalatom.)
A Pitagorasz-tételre már nagyon-nagyon sok bizonyítást talált az emberiség, és világos, hogy a bizonyításon nem azért kell végigmenni, hogy a tétel helyességéről még jobban meg legyünk győzve, hanem azért, hogy a bizonyításban szereplő matematikai módszereket elsajátítsuk. A programok helyessége, a kommunikációs protokollok biztonsága azonban nap mint nap bizonyítást igényel(ne). (kiemelés tőlem, Kurbli)
...

Source: Mindentudás Egyeteme

IT's Showtime - Advanced Malware Cleaning

Kurbli — Sat, 23 Dec 2006 20:27:27 GMT

Mark Russinovich kitűnő előadása. Ajánlom.

Advanced Malware Cleaning

...
Today's IT administrator needs to be prepared to identify, analyze, and remediate malware that slips through layered defences since most anti-malware solutions depend on signatures of known threats. This session takes you on a tour of malware infection and persistence technologies, including rootkits, and shows you on real malware infections how to use sophisticated tools like Sysinternals.com freeware tools Process Explorer, Autoruns, and RootkitRevealer to clean malware.

Source: IT's Showtime

Titkos kérdésem: Ezt a bemutató technológiát lehetne-e használni a magyar webcast-ok, TechNet előadások publikálására?

P.S.: A Sysinternals nevet de jó lenne pontosan leírni! (ld.: Freeware Sisinternals)

Hiding .exe inside a .jpg file is possible

Kurbli — Wed, 20 Dec 2006 21:56:25 GMT

Olvasd el, hogyan lehetséges (ki is próbálhatod) és ettől kezdve tudatosan scannelj minden .jpg file-t, vagy ráfázol.

Forum: Cryptography, Steganography, etc. Posted By: haxor500 Post Time: 12-20-2006 at 04:04 PM

Source: Hiding .exe inside a .jpg file is possible

Demonstrating the consequences of XSS vulnerabilities

Kurbli — Wed, 20 Dec 2006 16:25:33 GMT

A Link a http://www.oreillynet.com -on található, amely oldal egy csomó érdekes, tanulságos dolgat tartalmaz. E blogpost éppen a BeEf tool -t. (BeEF is the browser exploitation framework.)

High risk vulnerabilities such as SQL Injection can be easily demonstrated by security analysts to developers or business executives. For example, a xp_cmdshell request injected into an application vulnerable to SQL Injection can be used to demonstrate how an attacker can abuse SQL injection to obtain a command prompt from the host running the (Microsoft) SQL server. Such demonstrations have major visual impact and the consequences of the vulnerabilities are clear.
Link

Source: Demonstrating the consequences of XSS vulnerabilities

Dear Santa Bill and Santa Ozzie

Kurbli — Wed, 20 Dec 2006 14:57:07 GMT

Felőlem hozhatná Bill Haley (vagy Ozzy Osbourne) is, csak a http://www.microsoft.com/downloads/ -ról legyen letölthető minden decemberben az összes lokalizált változaté tárgyévi összes patch-e egy ISO file-ban.
Cherry Coke is lesz egy kartonnal.

Susan,

I have just installed WXP Pro SP2 on my newly rebuilt machine. Do you have any words of wisdom with regard to how I can make sure that I have all of the critical patches up to date without going through everything that has been released over the past 3 or 4 years? I don’t want to spend two weeks of work time installing patches.
Dear Santa Bill (or Ozzie):
I know what you'd like me to answer that with... "Buy Vista!" but the reality is that Vista isn't out for the retail marketplace yet. Now hopefully the inlaws will be over during Christmas so it will give this person an excuse to be in their home office and take the eons of time to go from XP sp2 to final patched up versions. The reality is that you haven't made it easy for the home user to take a XP sp2 machine up to full patch status for one machines. Oh sure, you've given us admins things like WSUS and what not..but for the one machines that we have to deal with, or that hopefully you'll have to deal with over your Christmas vacations with your families..... how about reconsidering once again a roll up cdrom.
http://www.incidents.org/diary.php?storyid=1939&isc=83521d98ca25d669c73156778eb3e00e While that gives us some idea.... What I'd really like from Santa Bill or Santa Ozzie is an official Microsoft ISO available in December of each year of "fill in the blank" supported consumer operating systems so that we as sons and daughters of folks that use us a tech support at home can do it easily, or, as in the case of the person who asked, someone trying to get one business system up to full patch state quickly.
P.S. I'll even leave cookies and milk under the tree for you.
...

Source: Dear Santa Bill and Santa Ozzie