myITforum.com, Inc.


Harry Waldron - My IT Forums Blog

Sharing security developments and best practices for corporate and home users
  • Identity Theft - Be careful where and how you use ATM cards

    In most cases, folks are safe using ATMs for cash withdrawals, although the major security incident reported yesterday is alarming.

    Citibank ATM breach reveals PIN security problems
    http://news.yahoo.com/s/ap/20080701/ap_on_hi_te/tec_atm_breach

    SAN JOSE, Calif. - Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record. The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals.

    It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.

    That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others. A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly. All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.

    They could have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.

  • Windows Vista - Numerous Security Advantages over XP

    In searching early this morning, I ran across the link below, which highlights numerous security advantages that Vista has over XP. In fact, the improved security has caused some incompatibility issues with applications written for Windows 2000 or XP. Still, if you have a new or relatively new system that is capable of running Vista and your applications are compatible, you will benefit from the improved security that came out of Microsoft's Trustworthy Computing (TWC) initiative.

    MSDN - Technical document highlights Vista's security advantages
    http://msdn.microsoft.com/en-us/library/bb188739.aspx

  • URL Scan 3.0 Beta - New version helps detect SQL Injection Attacks

    Microsoft has just enhanced a key IIS-based security tool in response to the new wave of automated SQL injection attacks that are currently circulating. This tool can help spot weaknesses that should be addressed in the web application itself (e.g., strengthening SQL Server calls by using parameterized queries, ADO command objects, stored procedures, and other secure techniques). UrlScan can detect or block many of the generic attacks by searching requests for specific keywords.

    URL Scan 3.0 Beta - New version helps detect SQL Injection Attacks
    http://blogs.iis.net/wadeh/archive/2008/06/05/urlscan-v3-0-beta-release.aspx

    QUOTE: UrlScan installs as a filter on IIS and looks at incoming requests in real time. It can then screen requests based on a set of general request properties. For example, it can block overly long URLs or headers. It can block requests with unexpected HTTP verbs or strings in the URL.

    Today, in 2008, we find ourselves in a similar situation. We are seeing a particularly nasty automated SQL Injection attack that is targeting our customers. This attack defaces web servers and sends their clients off to malicious servers that attempt to install malware. As before, the vulnerability does not exist in IIS - or any software from Microsoft. In this case, the attack is exploiting vulnerabilities in customer developed applications. And as before, the real fixes will need to come from the myriad developers of those applications.

    The new set of features in version 3 is:

    * Support for query string scanning, including an option to scan an unescaped version of the query string.
    * Change notification for configuration (no more restarts for most settings.)
    * UrlScan can be installed as a site filter. Different sites can have their own copy, with their own configuration.
    * Escape sequences can be used in the configuration file to express CRLF, a semicolon (normally a comment delimiter) or unprintable characters in rules.
    * Custom rules can be created to scan the URL, query string, a particular header, all headers or combination of these. The rules can be applied based on the type of file requested.

    We also have plans to update the IIS 7 request filter to add these features. In the interim, UrlScan 3 is fully supported on IIS 7.

    IMPORTANT RECOMMENDATION: Finally, it cannot be overstated that these tools are just an interim measure to buy time to fix the affected applications. While they are effective against the current wave of automated attacks, they cannot protect against more directed attacks against a specific server. The category of SQL Injection vulnerabilities is so broad that there are no known filter strategies that can block a determined hacker against application vulnerabilities. There are many resources available for learning about SQL Injection attacks and prevention strategies.

    ADDITIONAL RESOURCES - HOW TO PREVENT SQL-INJECTION ATTACKS
    http://msmvps.com/blogs/harrywaldron/archive/2008/05/31/microsoft-best-practices-for-preventing-sql-injection-attacks.aspx
    http://msmvps.com/blogs/harrywaldron/archive/2008/06/15/new-sql-injection-attacks-the-need-to-improve-legacy-web-applications.aspx
    http://msmvps.com/blogs/harrywaldron/archive/2008/06/25/sql-injection-mitigation-tips-for-asp-development.aspx

  • SQL Injection mitigation tips for ASP development

    Microsoft, the Internet Storm Center, the SQL Server Worldwide Users Group (SSWUG), and others are actively publicizing the dangers of automated SQL injection attacks. While SQL injection has been a concern for several years, these attacks have grown substantially this year because of automation. There are also numerous vulnerable websites out there, which provide an opportunity for malware attacks. These sites need to be fixed, and secure web development needs to be promoted.

    SQL Injection mitigation tips for ASP development
    http://isc.sans.org/diary.html?storyid=4610

    QUOTE: With the recent SQL injection attacks on ASP pages, a lot of our readers are scrambling to find fixes for their applications. ASP is an older generation Web scripting language and would require a bit more work to prevent SQL injection from happening. One of our readers, Brian Erman, has written a function to filter out the SQL keywords and also escape some of the metacharacters in SQL to prevent SQL injection from happening.

    Brian Erman's SQL Injection filtering for ASP
    http://paste-it.net/public/c3cb69a/

    To stop SQL injection at the root, we have to understand that SQL injection happens because the database cannot effectively distinguish between the static portion of the SQL statement and the user input. If there is a way we can tell the database - this is the static SQL statement and this is user input - SQL injection could be stopped easily.

    In actual fact, such a mechanism exists; it is called a parameterized query. The user input is passed to the SQL server as an argument (sort of like calling a function in a programming language), and the SQL server during query execution has a way to identify what part of the statement is static control and which part is user input.

    Parameterized queries have been widely publicized. In classic ASP, a parameterized query is possible if you use the ADO command object; an example is here. Parameterized queries are available on most other web scripting platforms, so now is the time to review all your web apps before the automated SQL injection exploitation spreads to other language platforms (PHP, CFM, PL)

    GOOD EXAMPLES OF PARAMETERIZED QUERIES
    http://aspnet101.com/aspnet101/tutorials.aspx
    http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=6999
    http://www.inrsolutions.com/blog/details.asp?id=5
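    As an added example (not the code the diary links to, and not from this blog), here is the same product lookup in classic ASP written both ways: by string concatenation, where the database cannot tell statement from input, and with the ADO Command object and typed parameters as the diary recommends. The products table, its columns, and the connection string are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (the values from adovbs.inc), so the page needs no include file.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

' Assumed connection string; the web login should hold only the rights it needs.
Dim connStr
connStr = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=WebAppDB;Integrated Security=SSPI;"

' VULNERABLE (the pattern the automated attacks rely on): the request value is
' pasted into the SQL text, so the database cannot tell statement from input.
Function GetProductVulnerable(conn, productId)
    Set GetProductVulnerable = conn.Execute( _
        "SELECT name, price FROM products WHERE id = " & productId)
End Function

' SAFE: the SQL text is fixed and the value travels separately as a typed
' parameter, so it is never parsed as SQL no matter what it contains.
Function GetProductSafe(conn, productId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT name, price FROM products WHERE id = ?"
    ' CLng() raises a type-mismatch error for anything that is not a whole number,
    ' so non-numeric input never reaches the database at all.
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(productId))
    Set GetProductSafe = cmd.Execute
End Function

' The same for free-text input: a sized adVarChar parameter. The wildcards are
' added inside the value, never by concatenating into the statement.
Function SearchProductsSafe(conn, term)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT name, price FROM products WHERE name LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("@term", adVarChar, adParamInput, 100, "%" & term & "%")
    Set SearchProductsSafe = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

' Request.QueryString("id") is attacker-controlled; only the safe version is called.
Set rs = GetProductSafe(conn, Request.QueryString("id"))
Do Until rs.EOF
    ' HTMLEncode on output, so stored data cannot inject script into this page either.
    Response.Write Server.HTMLEncode(rs.Fields("name").Value) & " - " & _
                   rs.Fields("price").Value & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

    The vulnerable function is left in only for contrast; every query that takes request data should follow the pattern of the two safe functions.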

  • Malware Automation - Trojan2Worm Toolkit

    While malware authors continue to develop exploits to attack vulnerable systems, they are also creating automated toolsets. The new Trojan2Worm toolkit can take any executable and rapidly repackage it as worm-based malware that can spread quickly via USB drives, DVDs, CDs, network shares, and other media.

    Malware Automation - Trojan2Worm Toolkit
    http://vil.nai.com/vil/content/v_146248.htm
    http://www.theregister.co.uk/2008/06/18/trojan_worm_toolkit/

    QUOTE: This Tool-Kit is used by an attacker to convert any executable into an autorun worm, which can spread through removable devices, by implementing an “AutoRun.inf” configuration file. "Autorun.inf" is a text based configuration file which instructs the Windows operating system to perform some action upon opening a network shared drive, local folder, floppy drive, CD-ROM drive or the insertion of a removable disk drive.

    Trojan2Worm (T2W) toolkit turns any executable file into a worm with auto-spreading capabilities. As such it provides the ability for Trojan infection agents to acquire worm-like spreading abilities.

    The tool requires minimal skills to use, net security firm Panda Security reports. Features include the ability to compress infectious files or mutate their contents, tricks designed to make it easier to smuggle malware past anti-virus scanners. It's also possible to program malware so that it disables Task Manager, Windows Registry Editor or even selected browsers.

  • Storm Worm - Uses Fictional Breaking News Alerts

    The latest Storm worm variant sends false news alerts to trick individuals into selecting links and infecting their systems. Avoid these messages and use major news sites as your source for alerts.

    Storm Worm - Uses Fictional Breaking News Alerts
    http://www.avertlabs.com/research/blog/index.php/2008/06/20/breaking-news-not/
    http://www.f-secure.com/weblog/archives/00001459.html

    QUOTE: Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high volume spam campaign is using some wacky subjects to lure people into clicking on the links:

    EXAMPLES
    Subject: White House hit by lightning, catches fire
    Subject: Oprah found sleeping the streets
    Subject: Eiffel Tower damaged by massive earthquake
    Subject: Donald Trump missing, feared kidnapped
    Subject: Lastest! Obama quits presidential race

    This clever social engineering technique plays on people's inquisitiveness about news of natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.

    NEVER click on links in an email unless you are sure of its origin, keep your Anti-Virus software up-to-date and if you have a website make sure it's properly secured so you're not hosting stuff like this.

  • IT Security - The Essential Guide to Firewalls

    The IT Security website is an excellent resource for researching corporate security needs and best practices. The articles below describe options and best practices for corporate firewall implementations.

    http://www.itsecurity.com/features/essential-guide-firewalls-061208/

    QUOTE: Firewalls play a central role in IT security, standing between enterprise networks and the outside world to protect computers, applications and other resources from external attack.

    Related Articles:

    5 Firewall Tests and Supporting Tools

    Firewall Comparison Guide

    3 Tips For Deploying a Firewall

    10 Tips to Make Sure Your Firewall is Really Secure

  • Windows Live Writer - New blog publishing application

    This new desktop publishing application for rich-text blogging recently became available. It's free and I plan to learn how to use it in the coming weeks.

    Windows Live Writer
    http://get.live.com/writer/overview
    http://get.live.com/writer/features
    http://get.live.com/writer/sysreq

    Wikipedia Information
    http://en.wikipedia.org/wiki/Windows_Live_Writer

    Windows Live Writer Blog
    http://windowslivewriter.spaces.live.com/

    QUOTE: Windows Live Writer is a desktop application that makes it easy to publish rich content to your blog. Key functions include: 

    1. Publish to most major blog services
    2. Create a compelling blog easily
    3. Preview before you post
    4. Compose your entries offline

  • Windows Safari 3.1.2 - Addresses recent security vulnerabilities

    Windows Safari users should apply this release promptly, as it addresses the following security vulnerabilities:

    Windows Safari 3.1.2 - Addresses recent security concerns
    http://isc.sans.org/diary.html?storyid=4601

    QUOTE: Safari 3.1.2 for Windows was released to address the following security vulnerabilities:

    CVE-ID: CVE-2008-1573
    Available for: Windows XP or Vista
    Impact: Viewing a maliciously crafted BMP or GIF image may lead to information disclosure

    CVE-ID: CVE-2008-2540
    Available for: Windows XP or Vista
    Impact: Saving untrusted files to the Windows desktop may lead to the execution of arbitrary code

    CVE-ID: CVE-2008-2306
    Available for: Windows XP or Vista
    Impact: Visiting a malicious website which is in a trusted Internet Explorer zone may lead to the automatic execution of arbitrary code

    Apple Safari for Windows - Release & Download Links
    http://support.apple.com/kb/HT2092
    http://www.apple.com/support/downloads/safari312forwindows.html

    QUOTE: "This update is recommended for all Safari Windows users and includes stability improvements and the latest security updates".

  • IT Management - How to share information with your manager

    Below are two articles from Computerworld that provide key communication guidelines on what should and should not be shared within a manager/employee relationship.

    QUOTE: As an IT professional, you know the basic rules of office politics, the simple do's and don'ts that govern life at work. Adhering to these standards -- the ones that tell you to be proactive and a team player -- will help you keep your job. If you really want to advance, though, you need to know which types of information your boss relies on you to provide:

    Article - Five things you should tell your manager
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9097738

    1. The real story. "Sugarcoating problems, holding back information, overpromising and consistently underdelivering are all reasons why IT has a bad reputation.

    2. Your ideas. "Bring me ideas to improve the business, even if they're outside of IT

    3. What you want. Ted Maulucci, CIO at Tridel Corp., a condominium developer in Toronto, tries to shift his workers into the jobs that they enjoy most.

    4. No. It takes courage to tell the boss that you don't agree, but it's better for all involved when you say no to suggested projects, timelines, budgets or technologies that just aren't going to work

    5. Your successes. No one wants to spend each day hearing only about project setbacks, failed servers and unexpected downtime. Good news is welcome too. Yet IT workers seem reluctant to promote the positive

    Five things you should never tell your manager
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9097818

    1. All about the technology -- and nothing about the business. Acting like the business is terra incognita is a no-no. "Never tell me you don't know what the business wants but you'll build it when they decide,"

    2. There's only one solution. "People can sometimes develop a fondness for a certain technology or programming language or manufacturer into almost a religion, but it's never the case that one type of solution is the proper one for all situations,"

    3. Bad opinions about your colleagues. It's a simple rule that can get overlooked when your team is struggling with a missed deadline or a failing project, but think before you point a finger, because bosses generally don't want to hear about it -- especially if you haven't tried to work it out on your own.

    4. There's no way. Robert Strickland, senior vice president and CIO of T-Mobile USA Inc. in Bellevue, Wash., makes his position very clear: Everything is possible.

    5. A surprise. CIOs almost universally say they don't like surprises -- particularly unpleasant ones. Ian S. Patterson, CIO at Scottrade Inc., a St. Louis-based online brokerage firm, says he always prefers to hear news -- good and bad -- directly from his workers.

  • New Storm Worm - China/Beijing Earthquake Theme

    This new variant disguises itself as a news flash to tempt users into selecting a hostile URL on a .cn domain.

    The email tries to convince users to download a dangerous malware object called beijing.exe.

    McAfee Information (DAT 5321)
    http://vil.nai.com/vil/content/v_140835.htm

    New Storm Worm - China/Beijing Earthquake Theme
    http://www.f-secure.com/weblog/archives/00001457.html
    http://www.sophos.com/security/analyses/viruses-and-spyware/w32nuware.html
    http://www.theregister.co.uk/2008/06/19/bogus_beijing_quake_malware_ruse/

    QUOTE: One of the trademarks of the Storm gang's 18 month lifespan has been that they're very creative and current when it comes to their social engineering techniques, e.g. 1, 2, 3, et cetera. The latest variant is e-mail that arrives to your inbox reporting a violent earthquake in Beijing.

    Samples of the bogus alert doing the rounds, featuring subject lines such as "Million dead in Chinese quake", link to a website on a .cn domain. This site claims a quake measured in at 9.0* on the Richter scale has caused millions of casualties while throwing preparations for the games into turmoil. The page contains links to a supposed video that actually downloads the Nuwar-E worm onto the Windows boxes of marks credulous enough to fall for the ruse.

  • Firefox 3.0 - New Release provides improved security, performance, and functionality

    The Mozilla Foundation released version 3.0 of Firefox today, which contains improved security, performance, and functionality. As many individuals use Firefox as a complementary browser, these improvements make version 3.0 a worthwhile upgrade.

    Firefox 3.0 - New Release provides improved security, performance, and functionality
    http://isc.sans.org/diary.html?storyid=4580
    http://www.mozilla.com/en-US/firefox/

    Firefox 3.0 - Mozillazine KB
    http://kb.mozillazine.org/Category:Firefox

    Firefox 3.0 - English version Download
    http://www.mozilla.com/en-US/products/download.html?product=firefox-3.0&os=win&lang=en-US

    What’s New in Firefox 3
    http://www.mozilla.com/en-US/firefox/3.0/releasenotes/

    QUOTE: Firefox 3 is based on the Gecko 1.9 Web rendering platform, which has been under development for the past 34 months. This new platform includes more than 15,000 changes to improve performance, stability, rendering correctness, and code simplification and sustainability. Firefox 3 is built on top of this new platform resulting in a more secure, easier to use, more personal product with a lot more under the hood to offer website and Firefox add-on developers.

    FIREFOX 3.0 - NEW SECURITY FEATURES

    * One-click site info: Click the site favicon in the location bar to see who owns the site and to check if your connection is protected from eavesdropping. Identity verification is prominently displayed and easier to understand. When a site uses Extended Validation (EV) SSL certificates, the site favicon button will turn green and show the name of the company you're connected to. (Try it here!)

    * Malware Protection: malware protection warns users when they arrive at sites which are known to install viruses, spyware, trojans or other malware. (Try it here!)

    * New Web Forgery Protection page: the content of pages suspected as web forgeries is no longer shown. (Try it here!)

    * New SSL error pages: clearer and stricter error pages are used when Firefox encounters an invalid SSL certificate. (Try it here!)

    * Add-ons and Plugin version check: Firefox now automatically checks add-on and plugin versions and will disable older, insecure versions.

    * Secure add-on updates: to improve add-on update security, add-ons that provide updates in an insecure manner will be disabled.

    * Anti-virus integration: Firefox will inform anti-virus software when downloading executables.

    * Vista Parental Controls: Firefox now respects the Vista system-wide parental control setting for disabling file downloads.

    * Effective top-level domain (eTLD) service better restricts cookies and other restricted content to a single domain.

    * Better protection against cross-site JSON data leaks.

    ADDITIONAL LINKS
    http://www.mozillazine.org/talkback.html?article=23936
    http://www.dria.org/wordpress/archives/2008/06/12/655/
    http://software.silicon.com/os/0,39024651,39246115,00.htm
    http://www.mozilla.com/en-US/firefox/all-rc.html
    http://mozillalinks.org/wp/2008/06/firefox-3-rc-2-review/
    http://www.spreadfirefox.com/
    http://www.mozilla.com/en-US/firefox/?from=getfirefox

  • New SQL Injection attacks - The need to improve Legacy Web Applications

    SQL injection attacks provide an easy way to add malicious redirecting scripts to web sites. Most mainstream Internet sites use secure coding conventions (e.g., ADO, parameterized SQL call statements, well-written stored procedures, etc.).

    Prior to these automated SQL injection attacks, some developers may not have been aware of the controls needed (e.g., through lack of training or awareness of the need for input filtering). It was also much easier to get the web pages developed without putting the extra security logic in.

    SQL injections have been around for years (e.g., this blog contains several posts on them starting in 2004). The automation and popular use of SQL injection attacks have now changed the landscape: monitoring for and prevention of automated SQL injection must now be performed by everyone.

    As the ISC documents, another new attack is circulating, which now embeds the attack into a single SQL statement. Three good controls were shared for legacy web applications, as follows:

    Internet Storm Center - New SQL Injection attacks
    http://isc.sans.org/diary.html?storyid=4565

    QUOTE: We continue to receive more reports of SQL injection attacks, using updated URLs. One of the "neat" features of this exploit is how it uses one single SQL statement which will pull all the necessary information from the database itself.

    RECOMMENDATIONS: Finally: How to defend against this? The "simple" answer is of course to just not have any SQL injection faults. But that's easier said than done, in particular for an existing legacy application. A couple other things you can do:

    * Limit the database user the web application uses. Maybe it doesn't have to update anything, or only few tables

    * Monitor your web application for SQL errors. These statements may create some errors if your web application doesn't have sufficient privileges

    * Keep a close eye on your data and your application. Look for new javascript in titles and other spots that shouldn't have any
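    An added example (not from the ISC diary or this blog) that automates the third recommendation for a SQL Server back end: a classic ASP maintenance page that walks every character column of every base table listed in the system catalog and counts the rows containing a script tag, run under a read-only login in line with the first recommendation. The database name and connection string are assumptions.

```vbscript
<%
Option Explicit

' Assumed connection string; a login with only SELECT (db_datareader) rights is
' enough for this scan, which is all the "limit the database user" advice asks for.
Dim connStr
connStr = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=WebAppDB;Integrated Security=SSPI;"

' Quote an identifier taken from the catalog with brackets, doubling any ']' inside it.
Function QuoteName(name)
    QuoteName = "[" & Replace(name, "]", "]]") & "]"
End Function

' Count the rows of one column that contain an opening <script tag.
' LIKE is permitted on text/ntext columns (unlike '='), so legacy schemas work too.
Function CountScriptRows(conn, tbl, col)
    Dim rs
    Set rs = conn.Execute("SELECT COUNT(*) AS n FROM " & tbl & _
                          " WHERE " & col & " LIKE '%<script%'")
    CountScriptRows = rs.Fields("n").Value
    rs.Close
End Function

Dim conn, rsCols, sql, tbl, col, n, hits
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

' Enumerate every character column of every base table from the system catalog
' (static metadata, not user input), so no hand-written table list is needed.
sql = "SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME " & _
      "FROM INFORMATION_SCHEMA.COLUMNS c " & _
      "JOIN INFORMATION_SCHEMA.TABLES t " & _
      "  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME " & _
      "WHERE t.TABLE_TYPE = 'BASE TABLE' " & _
      "  AND c.DATA_TYPE IN ('char','nchar','varchar','nvarchar','text','ntext')"
Set rsCols = conn.Execute(sql)

hits = 0
Do Until rsCols.EOF
    tbl = QuoteName(rsCols.Fields("TABLE_SCHEMA").Value) & "." & _
          QuoteName(rsCols.Fields("TABLE_NAME").Value)
    col = QuoteName(rsCols.Fields("COLUMN_NAME").Value)
    n = CountScriptRows(conn, tbl, col)
    If n > 0 Then
        hits = hits + n
        ' Encode the names on output; the page itself must not become an injection point.
        Response.Write Server.HTMLEncode(tbl & "." & col & ": " & n & " row(s)") & "<br>"
    End If
    rsCols.MoveNext
Loop
rsCols.Close
conn.Close

Response.Write Server.HTMLEncode("Total rows containing <script to review: ") & hits
%>
```

    Run it once from an administrator's workstation and remove it afterwards; a non-zero count tells you which tables to clean and, more importantly, which pages write to them and still need the parameterized-query fix.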

  • Web Surfing Risks - 41% increase in downloading malware from last year

    SQL injection attacks and other automated techniques are now used to seed redirecting scripts and malicious objects on web sites. It is more important than ever to use safe practices, and some of these include:

    -- Avoid visiting sites suggested in email messages
    -- Avoid sites addressed only by a numeric IP
    -- Stay with mainstream websites (and enter them directly rather than from email messages)
    -- Stay up-to-date on AV protection
    -- Stay up-to-date on Microsoft security using Automatic Updates (e.g., Windows, Office, IE, etc.)
    -- Keep other products updated (e.g., Flash, Firefox, etc.)
    -- Use IE 7 rather than IE 6 (if you have Windows XP)
    -- Look at URL names carefully and avoid unusually named sites (a few seconds of caution may prevent hours of repair work)

    GCN - Malicious code makes Web surfing risky
    http://www.gcn.com/online/vol1_no1/46417-1.html

    McAfee's more detailed study
    http://www.mcafee.com/us/local_content/misc/mapping_the_mal_web_2008.pdf

    QUOTE: The chance of downloading malicious code from a Web site has increased 41 percent in the past year, according to a recent study of malignant sites by McAfee Inc. ... During the last three years, the exploitation of browser vulnerabilities through code hosted on Web sites has become the primary method for compromising computers. Some of the sites are set up to host and distribute the code, although increasingly the malware is being placed surreptitiously on legitimate sites.

  • Windows Safari - Don't save files to the Desktop

    Another new attack approach, in addition to "carpet bombing", is noted in this article. As a safer and more manageable practice, users should never save files to the desktop from any browser. Instead, set up a special folder called DOWNLOAD as the target for anything you save from email or web browsing. This way you can remember where it's stored, plus isolate and scan it for malware as well.

    Safari on Windows - not looking good
    http://isc.sans.org/diary.html?storyid=4562

    QUOTE: Now, when we combine these two vulnerabilities you get the following – a user visits a malicious web site with Safari. The web site causes Safari to automatically download the DLL file and store it on the desktop. The user now needs to open Internet Explorer from Desktop in order to automatically execute the DLL file. Keep in mind that the shortcut to Internet Explorer has to be on Desktop so the PATH environmental variable gets properly defined (it will make Internet Explorer search current directory for the DLL file).

    Overall, the sky isn't falling, but in my opinion both Microsoft and Apple (Safari) should fix these "features". I don't see a reason why Internet Explorer would look for the DLL file in the current directory (this would effectively prevent this vulnerability). Apple should also fix Safari so it at least prompts the user before downloading the file.

    If you are using Safari on Windows please change the default download location as described in Microsoft's advisory available at

    http://www.microsoft.com/technet/security/advisory/953818.mspx

  • Windows Update - SVCHOST 100 Percent issue resolved

    During the last half of 2007, many users were affected by an issue where Windows Update would lock up with 100% CPU utilization. I also had difficulties at home in updating my oldest PC, which ran Windows 2000 SP4. As I used it predominantly for work dial-in purposes, I had not moved to XP, to keep needed applications intact.

    As it is an older PC, I had tweaked most services so that they are started manually rather than automatically. This included Windows Update, where Automatic Updates was turned off (although I had always faithfully updated the system each "Patch Tuesday").

    While the 100% update issue was not experienced on any of my XP-based systems, the Windows 2000 system was affected. A variety of things were tested in trying to fix this issue, including deleting all Windows Update web objects and technical settings. Manually applying these updates (using IE's menu bar, TOOLS / WINDOWS UPDATE) still resulted in 100% CPU utilization. A few updates were successful, but it locked up the PC environment so that it could not be used until an update was completed (and this seemed to take much longer to accomplish as well).

    The better solution found was to TURN ON AUTOMATIC UPDATES and let updates stream across in a more transparent manner. This allowed me to use the PC and get gradually updated throughout the day. I've used this setting since probably February and it's working well so far.

    Windows Update - SVCHOST 100 Percent issue solved at home
    http://www.google.com/search?hl=en&q=windows+update+100+percent

    Key Microsoft Windows Update Fix - December 2007
    http://support.microsoft.com/kb/916089

  • Microsoft Security Bulletins - June 2008

    The MS08-031 bulletin in particular is rated as a "patch now" requirement, as details on how to exploit some of the vulnerabilities have been published publicly. These updates should be applied promptly to ensure the best levels of protection.


    Internet Storm Center Analysis
    http://isc.sans.org/diary.html?storyid=4552

    Microsoft Security Bulletins - June 2008
    http://www.microsoft.com/technet/security/bulletin/ms08-jun.mspx

    Microsoft released the following security bulletins today:

    • MS08-030 - Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376) - Critical
    • MS08-031 - Cumulative Security Update for Internet Explorer (950759) - Critical
    • MS08-032 - Cumulative Security Update of ActiveX Kill Bits (950760) - Important
    • MS08-033 - Vulnerabilities in DirectX Could Allow Remote Code Execution (951698) - Critical
    • MS08-034 - Vulnerability in WINS Could Allow Elevation of Privilege (948745) - Moderate
    • MS08-035 - Vulnerability in Active Directory Could Allow Denial of Service (953235) - Moderate
    • MS08-036 - Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762) - Moderate

  • Roger's Weblog - You know you are a security professional when ...

    As most IT security professionals are overly cautious, this light-hearted list of concerns from a fellow MVP and friend is excellent.

    ... and yes, I follow many of these "best practices" myself.

    http://weblog.infoworld.com/securityadviser/archives/2008/06/are_you_a_compu.html

  • Windows Vista Step by Step book - Free while quantities last

    Microsoft (Canada) is offering a free book that highlights how to get more out of using Vista. This promotional offer is good while quantities last and requires a Windows Live account, plus a brief questionnaire.

    Windows Vista™ Step by Step book
    https://www.microsoft.com/canada/windows/vistaready/default.aspx

    QUOTE: Request your copy of the Windows Vista™ Step by Step book. It will help you learn how to:

    * Personalize the way your computer works and looks
    * Install programs and set up printers and other hardware
    * Instantly search your computer and find exactly what you need
    * Connect to the Internet and block unwanted content
    * Fine-tune your PC’s performance and fix common problems

  • Apple Quick Time 7.5 Security update for XP and Vista

    Apple has released some important security changes for QuickTime. Users should update their systems promptly for improved protection.

    Apple QT 7.5 - Overview of Security improvements
    http://support.apple.com/kb/HT1991

    Apple QT 7.5 Download site
    http://www.apple.com/support/downloads/quicktime75forwindows.html

    Apple Downloads
    http://www.apple.com/support/downloads/

    QUOTE: Apple's security improvements include fixes for:

    CVE-2008-1581: PICT images can lead to a heap overflow and code execution
    CVE-2008-1582: AAC coded media can lead to code execution
    CVE-2008-1583: PICT images can lead to a heap overflow and code execution
    CVE-2008-1584: Indeo video codec can lead to a stack buffer overflow and code execution - note the fix: "This update addresses the issue by not rendering Indeo video codec content."
    CVE-2008-1585: handling of file: URLs in QuickTime files could lead to an attacker-controlled application launch and code execution - note the fix: "This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them."

  • Vundo - Aggressive Spyware still going strong after 4 years

    Trend Micro shares a comprehensive overview and history of one of the most prolific spyware attacks.  The reasons for Vundo's success include:

    * Vundo installs automatically and silently when a user visits a malicious website.

    * More aggressive variants can lock down Windows and IE services in a manner that makes them difficult to both detect and remove.

    * Malware writers continue to adapt Vundo for new attacks, so that once AV or anti-spyware detection is in place, a new variant is launched (Trend reports 2,165 unique variants that they provide protection for).

    AVERT Labs - Almost always in Top 10 infectors in every category
    http://myavert.avertlabs.com/myavert/default.aspx

    Vundo - Aggressive malware still going strong after 4 years
    http://blog.trendmicro.com/uncovering-vundo/

    QUOTE: A piece of VUNDO history: the first variant we have seen in the wild was TROJ_VUNDO.A (Sept 6, 2004, almost 4 years ago). It is capable of monitoring IE activities such as visited Web sites and sending data to a remote Web site. These data are used for advertising and marketing activities. Nobody expected it to still be alive now and used as a component of chain infection.

    Some known rogue antivirus products that could be automatically installed or advertised on an affected system are: Wintools, HuntBar, BargainBuddy, Toolbar888, Altnet, BrillantDigital, Points Manager, E2Give, AdawareDelete, AlfaCleaner, AdwareBazooka, Antivirus Pro, BreakSpyware, SpyCut, CurePcSolution, DriveCleaner 2006, ErrorSafe, PerfectCleaner, ExpertAntivirus, SpyAway, AdwareSheriff, SystemStable.

    VUNDO variants have different payloads depending on the nature of infection:

    Example 1:  The user visits a malicious Web site and gets infected by a DLL file VUNDO variant. This DLL then registers itself as a Browser Helper Object (BHO) to run every time Internet Explorer is opened. This will be used to redirect you to a rogue antivirus download page.

    Example 2:   The dropped DLL VUNDO variant injects into WINLOGON.EXE and EXPLORER.EXE for memory residency and prevents easy detection and removal. Once injected into those 2 processes, it monitors running processes before downloading other possible malicious files in the affected system. The possible monitored processes are mostly antivirus-related processes.

  • Dangerous YouTube spoofed email circulating

    The link in this spoofed email redirects the user to a YouTube look-alike site that loads exploits attempting to infect the system.  If the browser doesn't crash, the user may ultimately be redirected to a real YouTube video (which hides the fact that the PC is now infected).  Always be careful with any URLs in email, as they may be dangerous.

    http://sunbeltblog.blogspot.com/2008/06/dangerous-youtube-spoof.html

    http://www.sunbelt-software.com/ihs/alex/youtube234881238.PNG

  • New Storm Worm - Avoid selecting URLs in unexpected email

    Like many of the past attacks, this one uses email messages with the theme "Crazy Love" and a website titled "Love Riddles"; avoid both. These tactics are used by the latest version of the Storm Worm.

    New Storm Worm download site
    http://isc.sans.org/diary.html?storyid=4516
    http://sunbeltblog.blogspot.com/2008/06/new-storm-tactic.html

    New "Love Riddles" site
    http://www.sunbelt-software.com/ihs/alex/storming2231.PNG

    QUOTE: DavidF brought a new storm worm download site to our attention, which is being spammed out with a message that states:

    “Crazy in love with you” *** Malicious URL Removed ***

    I checked that site and could only find an index.html, lr.gif and loveyou.exe. lr.gif is a gif file that says “love riddles”. Index.html encourages visitors to run loveyou.exe by asking ‘Who is loving you? Do you want to know? Just click here and choose either “Open” or “Run”’. loveyou.exe is a version of Trojan.Peacom.D (aka Stormworm).

  • Microsoft Best Practices for preventing SQL Injection Attacks

    Microsoft has recently published a series of best practices to help developers build SQL code that is not susceptible to SQL injection attacks.

    SQL injection attacks occur in applications that are poorly programmed. They are not a result of failures in the database or supporting products.  When applications do not properly filter and control input data, there is a chance inputs can be manipulated so that dangerous redirecting scripts end up on the website.

    Once a website is infected, the newly embedded script directs users to another dangerous website that can automatically download malware onto the user's PC.  While these attacks have been around for years, malware authors are now using automated approaches to find susceptible servers and infect thousands of websites in a single day.

    IT developers have an inherent responsibility to protect the privacy and integrity of customer information. These articles are "must reads" for any IT developer seeking greater assurance in building secure applications.
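    The difference between the "poorly programmed" query and the parameterized one recommended in the links that follow, as an added example; this is not code from Microsoft or from any of the linked articles. It runs against a constructed in-memory SQLite table, and the table, column and function names are assumptions made for illustration.

```python
# Added example (not code from Microsoft or the linked articles): a string-built
# query beside its parameterized replacement, run against a constructed
# in-memory SQLite table so it works offline. Table and column names are
# assumptions for illustration.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two public products and one internal record."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        INSERT INTO products VALUES (1, 'widget', 1);
        INSERT INTO products VALUES (2, 'gadget', 1);
        INSERT INTO products VALUES (3, 'internal-prototype', 0);
        """
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """The pattern the articles warn about: user input concatenated into SQL.

    The input becomes part of the SQL text, so quotes and operators inside
    it change the query's structure and the public = 1 filter can be bypassed.
    """
    sql = ("SELECT name FROM products WHERE public = 1 AND name = '"
           + term + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Parameterized query: the driver binds `term` as a value, never as SQL."""
    sql = "SELECT name FROM products WHERE public = 1 AND name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]


# Defence in depth: an allow-list for the input format, applied before the
# query. Parameterization is the real fix; validation rejects junk early.
_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")


def is_valid_name(term: str) -> bool:
    return bool(_NAME_RE.match(term))


def search_validated(conn: sqlite3.Connection, term: str) -> list:
    """Reject malformed input, then query with parameters."""
    if not is_valid_name(term):
        raise ValueError("invalid product name")
    return search_safe(conn, term)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed tautology input
    print("unsafe:", search_unsafe(db, probe))   # every row, including non-public
    print("safe:  ", search_safe(db, probe))     # no row has that literal name
```

    The same input that turns the concatenated query into "name = 'x' OR '1'='1'" and returns the non-public row is simply a product name that does not exist when it is passed as a bound parameter. The allow-list check is optional and is only a second layer; it is the parameter binding that removes the attack surface.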

    Microsoft Best Practices for preventing SQL Injection Attacks

    Microsoft Security Vulnerability Research & Defense Blog - SQL Injection Attack
    http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx

    Nazim's IIS Security Blog - Filtering SQL injection from Classic ASP
    http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

    Neil Carpenter's Blog - SQL Injection Mitigation: Using Parameterized Queries
    http://blogs.technet.com/neilcar/archive/2008/05/21/sql-injection-mitigation-using-parameterized-queries.aspx
    http://blogs.technet.com/neilcar/archive/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets.aspx

    Michael Howard's Blog - Giving SQL Injection the Respect it Deserves
    http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx

    MSDN Article - Preventing SQL Injections in ASP
    http://msdn.microsoft.com/en-us/library/cc676512.aspx

    Anti-Malware Engineering Team - When SQL Injections Go Awry, Incident Case Study
    http://blogs.technet.com/antimalware/archive/2008/05/30/when-sql-injections-go-awry-incident-case-study.aspx

    A more general overview of SQL Injection attacks can also be found here:

    What are SQL Injection Attacks?
    http://en.wikipedia.org/wiki/Sql_injection

  • Adobe Flash - How to disable and enable in IE 7 or IE 8

    During April, a hacking contest took place where Vista's security was compromised through Flash rather than through a weakness in its own security controls.  As I don't have Flash installed on any of the complementary browsers I use (e.g., Firefox, Opera), I've been getting along fine without Flash in those environments.  I then reviewed the IE security options and found an easy way to disable or enable Flash as desired.  This specific approach doesn't work with IE 6 or earlier versions.

    Currently, a new massive attack has been launched where malicious SWF objects have been seeded on thousands of websites (one estimate was that 250,000 web pages were infected).  Most of the current attacks can be stopped by moving to the latest version of Flash (9.0.124).  However, AVERT and other AV vendors are still investigating whether new exploits are being crafted that could possibly infect up-to-date systems.

    The instructions below show how you can temporarily disable Flash until it is certain that all possible exploits have been patched.  As I like this setting for avoiding Flash-based advertising, I usually keep Flash disabled and turn it on occasionally when it's truly needed.

    IE Settings - Disable/enable add-on services (e.g., Flash)

    Tools >>> Internet Options >>> Programs tab >>> Manage add-on options button >>> Filters >>> Add-ons that run without requiring permission >>> Select Shockwave Object >>> Click Disable button at bottom

    To re-enable Flash, follow the same steps above and select the Enable button in the last step.  If desired, you can also disable Adobe PDF Reader and Windows Media Player from starting within IE.  They will still work properly when started outside of IE.  As these settings work like the Flash process noted above, these add-ons can also be toggled back on if needed.

    CAUTIONARY NOTES ON THE SETTINGS ABOVE:

    1. Avoid making these changes unless you are familiar with IE settings and understand the technical steps noted above.

    2. Avoid disabling other add-ons, as it could affect or break browser functions.

    3. Flash might be used often on a webmail site or forum you post to frequently, and the warning message could then appear often.

    4. These technical settings were specifically for IE 8, and they should also work for IE 7.

  • Bank of New York Mellon loses tapes with data on 4.5M clients

    Hopefully, the tapes were misplaced rather than stolen for the purposes of identity theft or fraud.

    Bank of New York Mellon loses tapes with data on 4.5M clients
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9091318&source=NLT_PM&nlid=8

    QUOTE: May 30, 2008 (Computerworld) Bank of New York Mellon Corp. officials last week confirmed that a box of unencrypted data storage tapes holding personal information of more than 4.5 million individuals was lost more than three months ago by a third-party vendor during transport to an off-site facility.

    The bank informed the Connecticut State Attorney General's Office that the tapes belonging to its BNY Mellon Shareowner Services division were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal.

  • Adobe Flash Player Flaw - Massive Exploitation reported

    Security sites are warning of increased dangers from malformed Shockwave Flash (SWF) objects. I've read reports of possibly 250,000 web pages hosting this new exploit.  It is important to move to the latest version of Flash if prompted, or to manually update if you are not on version 9.0.124.

    Adobe test site which will show latest version (should be 9.0.124)
    http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507

    How to manually update if needed (be sure to uncheck Google Toolbar)
    http://www.adobe.com/products/flashplayer/ 

    AVERT reports that recent sites affected by mass hacking attacks are being redirected to load malicious SWF files. These exploits are being programmed for specific versions of Flash to broaden the scope of the attacks.  Finally, please see the last AVERT link (05/28), as they are researching a new variant that might possibly exploit Flash even where it is fully up-to-date (e.g., 9.0.124).

    Adobe Flash Player Flaw - Massive Exploitation reported
    http://www.frsirt.com/english/

    QUOTE: Adobe Flash Player Flaw Massive Exploitation -- The Adobe Flash Player vulnerability which was disclosed this week by Symantec and believed to be unknown (zero-day) is a previously known issue that was patched with version 9.0.124.0. Multiple compromised web pages are currently exploiting this flaw and distributing malware.

    ADDITIONAL LINKS
    http://www.frsirt.com/english/advisories/2008/1158
    http://isc.sans.org/diary.html?storyid=4474 
    http://secunia.com/advisories/30404/
    http://www.securityfocus.com/bid/29386
    http://www.avertlabs.com/research/blog/index.php/2008/05/27/flash-player-exploit-update/

    QUOTE: Here’s a quick update to the earlier post on a new unpatched Adobe Flash vulnerability. Through looking for sites serving these SWF exploits we’ve found a connection with recent mass hacks. Hacked sites reference an external script, just as they have for quite some time. But, the external scripts now reference an SWF file.

    New variants emerging - AVERT researching claims that currently patched systems may be vulnerable?
    http://www.avertlabs.com/research/blog/index.php/2008/05/28/flash-player-exploit-update-2/ 

    QUOTE: At first, this appeared to close the case, but there was a report of a patched version of Flash falling victim to one of these attacks, and we’ve seen an SWF file referencing a missing file named WIN 9,0,124,0i.swf, which also suggests that the latest version of Flash is the target of that file.

  • Kim Komando - Practical Advice when selecting your next PC

    I listen often to Kim Komando's talk show and found today's Tip of the Day newsletter offered a lot of practical advice on buying a new PC, as well as an easy-to-understand overview of the latest microprocessor developments.

    http://www.komando.com/

    http://www.komando.com/tips/categories.aspx?cat=43

    Picking a microprocessor

    Q: It's time to move up from my old Intel Pentium 4, 3GHz system. Where can I learn about what's out there? Dual Core? Dual Quad? I need a simple explanation about these processors.

    A: A lot has happened since your microprocessor was introduced. The 3GHz Pentium 4 goes back about five years. That qualifies as an eon in computers.

    For most people, that old Pentium 4 would still be adequate. Today's cutting edge chips are running far in front of consumer software. So, unless you're editing lots of video or playing the most demanding games, you don't need to worry about the chip. Today's chips are more advanced than your Pentium. As you point out, they have multiple cores. They are also 64-bit chips, while yours is 32-bit. The architecture of these things is just brilliant. But most of it is going unused.

    Let's start with the cores, since you mentioned them. Each core is its own little processor. Both Intel and AMD are producing multi-core chips. The most advanced Intel chips have four cores.  AMD had the chip lead at one time. But it struggled with its quad core chips. It did finally get them out, well after Intel.  Quad-core chips work well on servers. But they are overkill in the consumer space. A quad core gives you one thing—bragging rights.

    Windows is capable of running on multiple cores. So it can take advantage of these advances. But few consumer programs use more than one core. In fact, porting consumer programs to multiple cores is a huge concern.  The same type of thing applies to 64-bit chips. This number refers to the amount of data a core can crunch at once. AMD and Intel chips now are 64-bit. That's pretty meaningless, though. Practically everything else is 32-bit.

    True, you can get a 64-bit version of Windows Vista. But I don't recommend that. You would probably discover that drivers are hard to find. That would mean that certain peripherals couldn't be used.  You could probably get by with Intel's Celeron, or AMD's Sempron. Both are budget microprocessors. But you can't be sure of what the future will bring. So I would go with an Intel Core 2 Duo or AMD Athlon X2. If future programs use dual-core technology, you'll be ready. You might see high-end computers with Intel Extreme or AMD Phenom chips. Those are very powerful. They should work well in gaming and video-editing situations. Otherwise, you can't use the power.

    I assume you'll be buying Windows Vista. You will see one of four versions. I have a chart that explains them. There is a fifth version—Enterprise. You won't see that in stores.  Vista is more capable than its predecessor, XP. Consequently, its video requirements are pretty stiff. Get a minimum of 128 megabytes of video RAM. Go for 256MB, if you have room in your budget.  I prefer a separate video card. But integrated graphics will also work. I have a tip that explains this further.  Don't overload your system with random access memory. I recommend 2 gigabytes. If you need more, go up to 3GB. Over that, and you're probably just throwing your money away.

  • Windows Vista UAC Controls - Tame it without turning it off

    Vista User Account Control (UAC) may be doing too good a job at times, as it is designed to give safety warnings.  This warning system prompts for an administrative password any time an icon or script bearing the shield icon is invoked.  This article from Information Week is excellent and shares some techniques to tailor UAC so that it still properly warns, but less often on common day-to-day tasks.

    Information Week: How To Tame Microsoft Windows Vista's UAC
    http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=207801611

    QUOTE: Are all those Windows Vista User Account Control warnings driving you nuts? Here are seven ways to make Vista's UAC less intrusive, while keeping legitimate security threats at bay. It's tempting to just turn off UAC and be done with it, but I'm not convinced this is a worthwhile solution. There are times when you'll want the protection that UAC affords, and there are ways you can make UAC a lot friendlier and less intrusive. Work with it rather than against it, and you may be pleasantly surprised at how manageable it really is.

    BRIEF SUMMARY OF SEVEN UAC RECOMMENDATIONS

    1. Slow An Overzealous UAC (tailor the circumstances in which UAC dialogs should and should not show up)

    2. Use Process Explorer (use of this optional tool from Sysinternals)
    http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

    3. Schedule A Task To Run As Admin (set up common pre-existing applications to bypass UAC)
    http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=207801611&pgno=3

    4. Use UAC's "Quiet Mode" (requires advanced registry changes to set up common pre-existing applications to bypass UAC)

    5. Turn Off The Secure Desktop (the visual screen darkening and return to normal after accepting may consume a few seconds; turning this off on older equipment may make UAC more acceptable)

    6. Tighten Up UAC's Control (it may also be desirable to require Admins to supply passwords for UAC prompts)

    7. Enforce Running Signed Code (another strengthening measure is to ensure only signed code is run, which can safeguard against malware; as a caution, there are many legitimate programs that execute unsigned code)

  • Storm Worm - New Version uses SQL Injection Techniques

    While the Storm worm botnet continues to spread using email techniques, SQL injection techniques are starting to be used as an approach to seed malware on vulnerable computers.  Folks should be careful with email, avoiding attachments and website links, and should stay up-to-date on security patches and AV protection.

    Storm Worm - New Version uses SQL Injection Techniques
    http://blogs.zdnet.com/security/?p=1131
    http://ddanchev.blogspot.com/2008/05/all-you-need-is-storm-worms-love.html

    QUOTE: What has changed compared to previous campaigns? Storm Worm is back in the SQL injection attack phase, with a malicious iframe injected at a small number of sites for the time being. Moreover, assessing the storm worm infected hosts can only be done if you spoof your browser UI, otherwise you will get no indication of any kind of malicious activity going on. Furthermore, despite that there are no exploits used at the infected hosts, a heavily obfuscated HTML/Rce.Gen was detected in their injected domain, which would load automatically upon someone visiting an already injected site.
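    Both this Storm Worm campaign (a malicious iframe injected into pages) and the Flash campaign above (hacked sites referencing an external script that in turn references an SWF file) leave the same trace in a site's stored content: a script, iframe, embed or object element pulling content from a host that is not the site's own. The scanner below is an added detection example, not code from Sunbelt, AVERT, Dancho Danchev or any other linked source; the sample pages, host names and function names are constructed for illustration.

```python
# Added detection example (not code from any of the linked sources): scan stored
# page content for script, iframe, embed and object references that point
# off-site, the symptom of the mass injection attacks described above.
# The sample pages and host names are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RefCollector(HTMLParser):
    """Collect (tag, url) for every element that pulls in remote content."""

    def __init__(self) -> None:
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "embed") and a.get("src"):
            self.refs.append((tag, a["src"]))
        elif tag == "object" and a.get("data"):
            self.refs.append((tag, a["data"]))


def find_external_refs(html: str, own_host: str) -> list:
    """Return references whose host differs from the site's own host.

    Scheme-relative URLs ("//host/x") carry a host too, so they are checked;
    plain relative paths have no host and are treated as local.
    """
    parser = RefCollector()
    parser.feed(html)
    found = []
    for tag, src in parser.refs:
        host = urlsplit(src.strip()).netloc.lower()
        if host and host != own_host.lower():
            found.append((tag, src))
    return found


def is_swf(url: str) -> bool:
    """Flash content, the payload type seen in the SWF campaign above."""
    return urlsplit(url).path.lower().endswith(".swf")


def scan_pages(pages: dict, own_host: str) -> dict:
    """Map page name -> list of suspicious references, omitting clean pages."""
    report = {}
    for name, html in pages.items():
        refs = find_external_refs(html, own_host)
        if refs:
            report[name] = refs
    return report


# Constructed sample: a clean page and one carrying injected content.
SAMPLE_PAGES = {
    "home": '<html><body><script src="/js/site.js"></script>'
            '<script src="http://www.shop.example/js/cart.js"></script>'
            '<p>Welcome</p></body></html>',
    "news": '<html><body><p>Latest news</p>'
            '<script src="http://injected.example/x.js"></script>'
            '<iframe src="//injected.example/r.html" width="0" height="0"></iframe>'
            '<embed src="http://injected.example/ad.swf" type="application/x-shockwave-flash">'
            '</body></html>',
}

if __name__ == "__main__":
    for page, refs in scan_pages(SAMPLE_PAGES, "www.shop.example").items():
        for tag, url in refs:
            flag = " (SWF)" if is_swf(url) else ""
            print(f"{page}: <{tag}> -> {url}{flag}")
```

    In practice the pages dictionary would be filled from the content tables of the site's own database, which is where an injected iframe or script tag lands; a zero-size iframe or an off-site script reference that nobody on the team added is the thing to investigate. This check sees only what is in the stored HTML, so it will not reveal content that a server only emits for particular browser user-agents, which is the point the quoted report makes about needing to spoof the browser.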
