|
Sharing Security Developments, and Best Practices for corporate and home users
November 2006 - Posts
-
Symantec has published a removal tool for the new Spybot.ACYR worm which manipulates the SYM06-010 vulnerability within the Norton or Symantec anti-virus product itself, (along with several popular Windows exploits). Symantec users should apply the AV updates offered by the vendor during Spring 2006, if they have not done so yet. The removal tool is beneficial as Spybot embeds itself within the Windows registry and it is tough to remove manually.
W32.Spybot.ACYR - New Symantec Removal Tool
|
-
Microsoft has released an improved version of their WGA anti-piracy facility and encourages all users to move to this latest version. Adjustments have been made based on customer feedback and issues with prior releases (e.g., false positives, etc).
I've applied the new version successfully with no issues so far. This control applies primarily to the Windows XP environment and allows users to upgrade to IE 7, Media Player 11, and other new software releases.
Microsoft releases new WGA version
Microsoft WGA Knowledge Base information
Microsoft WGA Home Page
Computer World Article on New WGA version
QUOTE: This is the most current release of Windows Genuine Advantage Notifications. We encourage you to upgrade to this version. This release includes enhanced features that reflect ongoing input from customers, as well as Microsoft’s continually improving anti-piracy technology.
Specific features of this version include:
* Improved Setup – A new installation wizard provides an overview of the tool, and shows validation results immediately at the end of the installation process. No reboot is required following installation.
* Redesigned User Interface - The system tray notifications have been redesigned to make them more visually appealing with clear links to full details of each message and further options for resolving any problems.
* Improved User Assistance – Improved messaging for users who are unable to complete validation, along with links to more and better self-help tools.
|
-
I'm thankful WOODB didn't materialize. If they had exploitable code ready to publish, maybe the
vendor took a proactive stance? I firmly believe all POC exploits should always be shared with the vendor in a private manner
Week of Oracle Data Base Bugs (WOODB) Project Cancelled
http://www.incidents.org/diary.php?storyid=1897
http://www.argeniss.com/woodb.html
QUOTE: Argeniss has cancelled the week of Oracle bugs due to "many problems".
|
-
The key point I took from the article is that even with the overlapping standards, you can't rely on SAS 70 meeting SOX 404 compliancy needs completely (and vise-versa). Additionally, companies that take Information Security seriously shouldn't have too much difficulty with SOX 404. Most likely you're satisifying both sufficiently where there are unique items that aren't in common with both.
http://www.cfo.com/article.cfm/8344746/c_8317584?f=home_todayinfinance
QUOTE: To be sure, it's clear that SAS 70 calls for a comprehensive report detailing the design, assessment, and effectiveness of a vendor’s internal controls and how they affect financial reporting for clients of the outsourcing services vendor.
But there are widespread misperceptions about the standard's purpose, particularly about what an audit covers in terms of technology activities, some say. "A SAS 70 is intended to be a service-auditor-to-client auditor communication tool. But some [information technology] people think it affirms privacy and security. It doesn’t," says Everett Johnson, president of the Information Systems Audit and Control Association.
|
-
-
-
-
The 2006 edition of this list is available at the following site:
http://sectools.org/
QUOTE: After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don't know where to start”.
|
-
-
http://secunia.com/advisories/23139/
QUOTE: Symantec has acknowledged a vulnerability in NetBackup Puredisk, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
|
-
-
I'm seeing significant increases in SPAM activity in both corporate and personal email accounts. Here's hoping some of the proposed actions help.
SPAM Email - EU taking action for major increase at year-end
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005418
QUOTE: November 27, 2006 (IDG News Service) -- The European Commission has urged its member states to beef up their efforts to cut spam, spyware and malicious software, after research showed that up to 85 percent of all e-mail received in the European Union is unsolicited.
Better cooperation with enforcement authorities from other countries, including countries outside the Union, is essential to defeat the spammers, the Commission said, noting that the The U.S. and the E.U. have agreed to tackle spam through joint enforcement initiatives.
|
-
-
http://iase.disa.mil/stigs/checklist/index.html
Documents Date Size
Active Directory Checklist Version 1, Release 1.3 Updated! (posted Nov 21, 2006) Oct 05, 2006
379KB
Application Security Checklist Version 2, Release 1.9 Updated! (posted Nov 21, 2006) Nov 24, 2006
1443KB
Application Services Checklist Version 1, Release 1.1
Sep 21, 2006
448KB
Biometrics Checklist
Oct 31, 2005
843KB
Cisco Router Checklist (Supplement to the Network Checklist V6R4)
Dec 2, 2005
110KB
Database Security Checklist, Version 7, Release 2.2 Oct 29, 2006
749KB
Defense Switched Network Checklist Version 2, Release 3.2
Nov 24, 2006
2622KB
Desktop Applications Checklist, Version 2, Release 1.6 Updated! (posted Nov 21, 2006)
Nov 24, 2006
817KB
Domain Name System (DNS) Checklist Version 2, Release 2
May 16, 2006
1077KB
Enclave Checklist Version 3, Release 1.6
July 2006
289KB
ERP STIG Security Application Checklist Jun 2006
1590KB
Draft Joint Information Assurance Officer Checklist Jan 11, 2006
78KB
Joint System Administrator Checklist
Joint System Administrator Checklog Jan 11, 2006
Jan 11, 2006
43KB
43KB
Draft Joint Wireless Administrator Checklist
Draft Joint Wireless Administrator Checklog Jan 11, 2006
Oct 18, 2005
60KB
96KB
Juniper Router Checklist (Supplement to the Network Checklist V6R4)
Dec 2, 2005
124KB
Keyboard, Video, and Mouse (KVM) Switch Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.2 April 2006
642KB
Macintosh OS X Checklist V1R13
April 2006
528KB
Multi-Function Device (MFD) Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.2 April 2006
471KB
.NET Framework Security Checklist V1R2
.NET Framework Security Memo
.NET Framework Security Comment Matrix May 2006
Oct 19, 2005
Oct 19, 2005
627KB
27KB
21KB
NetOps Checklist
Sept 20,2005
1926KB
Network Checklist Version 6, Release 4.4 Jul 21, 2006
2,453KB
Open VMS Security Checklist April 2006
310KB
OS/390 Logical Partition Checklist
April 2006
688KB
OS/390 RACF Checklist Version 5, Release 2.1 Updated! (posted Nov 21, 2006)
Nov 2006
2508KB
OS/390 ACF2 Checklist Version 5, Release 2.1 Updated! (posted Nov 21, 2006)
Nov 2006
2877KB
OS/390 Self Assessment Checklist April 2006
853KB
OS/390 TSS Checklist Version 5, Release 2.1 Updated! (posted Nov 21, 2006)
Nov 2006
2596KB
Storage Area Network (SAN) Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.3 May 2006
955KB
Tandem Checklist V2R1.2
April 2006
2,670KB
Traditional Basic Checklist
May 2006
1438KB
Traditional Common Compliance Validation Checklist
May 2006
534KB
Traditional DISA Checklist
May 2006
549KB
Traditional NIPRNET Compliance Validation Checklist
May 2006
137KB
Traditional SIPRNET Compliance Validation Checklist May 2006
1607KB
Unisys Checklist Version 7, Release 2
Nov 24, 2006
1236KB
Universal Serial Bus (USB) Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.2 April 2006
352KB
UNIX Security Checklist Version 5, Release 1
Nov 15, 2006
936KB
Virtual Machine (VM) Checklist
April 2006
559KB
VMS 6.0 Vulnerability ID to STIG ID Cross Reference April 2006
500KB
Voice Over Internet Protocol (VOIP) Checklist V2R2.2
May 19, 2006
1729KB
Web Server Security Checklist April 2006
1579KB
Windows 2000 Security Checklist Version 5, Release 1.7 Updated! (posted Nov 21, 2006 Nov 24, 2006
1717KB
Windows 2003 Checklist Version 5, Release 1.7 Updated! (posted Nov 21, 2006 Nov 24, 2006
1,388KB
Windows NT Security Checklist Version 4, Release 1.21 Jul 28, 2006
995KB
Windows XP Security Checklist Version 5, Release 1.7 Updated! (posted Sep 19, 2006 Nov 24, 2006
1,442KB
Wireless Security Checklist Version 4, Release 2.1 Just added(posted Sep 07, 2006) Aug 25, 2006
412KB
Wireless Blackberry Security Checklist Version 4, Release 2.1 New! (posted Sep 07, 2006) Aug 25, 2006
554KB
|
-
Kaspersky Labs documents how folks can pay malicious individuals in the Internet underworld a fee to attack their sites. Alternatively, Internet sites can be held hostage by DDoS attackers, until a ransom payment is made
November 25, 2006 "Saturday Morning Specials"
http://www.viruslist.com/en/weblog?calendar=2006-11
QUOTE: If you are wondering, the cost to DDoS a website can range between $100 and several thousand US Dollars. For www.viruslist.com it would be around $3000 per day.
Apparently, there are even special discounts for "DDoS multiple sites" packs - "buy two, DDoS the third for free!". They even offer different methods to DDoS a website - for instance, syn flood or heavy traffic. This is because some ISPs charge by traffic, and several hundred GBs of extra traffic can cost the website owner a lot more than the DDoS attack.
Faced with a massive DDoS attack, many companies simply remove their websites from the net until is attack is over. Others pay up the ransom, if there is one. The best thing to do is to work with the ISP and companies specializing in blocking DDoS attacks. Please don't pay the ransom, it only encourages the bad guys to carry on.
|
-
-
-
F-Secure notes a significant number of new variants spammed to avoid AV detection. Be careful with all SPAM and unsolicited email messages:
http://www.f-secure.com/weblog/archives/archive-112006.html#00001032
QUOTE: We've been busy with the latest spam runs of the Warezov family over the last hours. We've added detection for the following variants, and there are probably more on the way:
W32/Warezov.HB
W32/Warezov.HC
W32/Warezov.HD
W32/Warezov.HE
W32/Warezov.HF
W32/Warezov.HG
W32/Warezov.HH
W32/Warezov.HI
W32/Warezov.HJ
|
-
This update will allow for the Windows XP, 2000, and 2003 versions to include the recently passed DST changes. These changes appear to be included in Vista Gold. This special update must be manually downloaded and applied (as it's not included in Windows Update). If users don't apply these changes, they'll have to manually change times to accommodate for the new DST rules.
Windows Time Zone Update - New Daylight Savings Time Rules
http://support.microsoft.com/kb/928388
QUOTE: Starting in the spring of 2007, daylight saving time (DST) start and end dates for the United States will transition to comply with the Energy Policy Act of 2005. DST dates in the United States will start three weeks earlier (2:00 A.M. on the second Sunday in March) and will end one week later (2:00 A.M. on the first Sunday in November).
The update that this article describes changes the time zone data to account for the United States DST change. This time zone update will also include changes for other related DST changes, time zone behavior, and settings. Some of these changes will occur in 2007, and some have occurred since these versions of Windows were originally released.
|
-
-
This morning I had several new messages with file attachments containing a brand new variant of Stration (aka Warezov). Even though I'm up-to-date on McAfee protection, these new viruses would have infected by system had I selected the file attachments.
1. Mail server report. Tue Nov 21, 2006 32k
2. Status Tue Nov 21, 2006 33k
3. Mail server report. Tue Nov 21, 2006 32k
4. picture Tue Nov 21, 2006 45k
5. Mail server report ....
F-Secure also reports increased activity
http://www.f-secure.com/weblog/archives/archive-112006.html#00001029
http://www.f-secure.com/weblog/archives/archive-112006.html#00001028
http://www.f-secure.com/weblog/archives/archive-112006.html#00001027
----- VIRUS TOTAL ANALYSIS ------
Subject: [VirusTotal] Server notification
Complete scanning result of "Update-KB5290-x86.zip", processed in VirusTotal at 11/22/2006 16:15:21 (CET).
[ file data ]
* name: Update-KB5290-x86.zip
* size: 22972
* md5.: 674a6a5c631abc5f5d745d851f988166
* sha1: 778bada5df8c3ea2452073d774e2e754e14157cb
[ scan result ]
AntiVir 7.2.0.44/20061122 found [TR/Dldr.Stration.G]
Authentium 4.93.8/20061122 found [Possibly a new variant of W32/Tricky-Malware-based!Maximus]
Avast 4.7.892.0/20061122 found [Win32:Warezov-QI]
AVG 386/20061120 found nothing
BitDefender 7.2/20061122 found [Win32.Warezov.GK@mm]
CAT-QuickHeal 8.00/20061122 found nothing
ClamAV devel-20060426/20061122 found [Worm.Stration.PR]
DrWeb 4.33/20061122 found [Win32.HLLM.Limar.based]
eSafe 7.0.14.0/20061120 found [suspicious Trojan/Worm]
eTrust-InoculateIT 23.73.63/20061122 found [Win32/Stration!ZIP!Worm]
eTrust-Vet 30.3.3205/20061121 found [Win32/Stration!ZIP!generic]
Ewido 4.0/20061122 found [Worm.Warezov.gj]
F-Prot 3.16f/20061122 found [Possibly a new variant of W32/Tricky-Malware-based!Maximus]
F-Prot4 4.2.1.29/20061122 found [W32/Tricky-Malware-based!Maximus]
Fortinet 2.82.0.0/20061122 found [W32/Stration.GK@mm]
Ikarus 0.2.65.0/20061122 found [Email-Worm.Win32.Warezov.dr]
Kaspersky 4.0.2.24/20061122 found [Email-Worm.Win32.Warezov.gj]
McAfee 4901/20061121 found nothing
Microsoft 1.1804 /20061122 found nothing
NOD32v2 1877/20061122 found [Win32/Stration.PP]
Norman 5.80.02/20061122 found [W32/Stration.CEP]
Panda 9.0.0.4/20061121 found nothing
Prevx1 V2/20061122 found [Trojan.Update-KB]
Sophos 4.11.0/20061116 found [W32/Stratio-Zip]
TheHacker 6.0.3.122/20061121 found nothing
UNA 1.83/20061121 found nothing
VBA32 3.11.1/20061122 found [Email-Worm.Win32.Warezov.gj]
VirusBuster 4.3.15:9/20061122 found [Trojan.Opnis.Gen.28]
[ notes ]
packers: UPX
packers: UPX
|
-
-
Secunia rates this new vulnerability and POC exploit code as highly critical. Throughout the month, POCs have been developed on a daily basis with many of these pertinent to unpatched Linux 2.6 and Apple vulnerabilities
MOKB: Apple Mac OS X Critical Memory Corruption Vulnerability
http://secunia.com/advisories/23012/
http://kernelfun.blogspot.com/2006/11/mokb-20-11-2006-mac-os-x-apple-udif.html
QUOTE: LMH has reported a vulnerability in Mac OS X, which potentially can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in Apple Disk Image Controller when handling corrupted DMG image structures. This can be exploited to cause a memory corruption and may allow execution of arbitrary code in kernel-mode. The vulnerability is reported in a fully patched Mac OS X (2006-11-20).
WORKAROUND: Deactivate the option "opening safe files after downloading" in the preferences and grant only trusted users access to affected systems
|
-
-
This 2 page evaluation provides report card scoring on various categories for the "Ultimate" edition.
Vista Ultimate scores B+ on Information Week evaluation
http://www.informationweek.com/news/showArticle.jhtml?articleID=194500135
QUOTE: Overall: B+ My biggest Vista surprise was, struggle though I might, I couldn't find much significantly different from previous versions. Then it dawned on me: That's a good sign, because it indicates that Microsoft's focus is no longer on look and feel but rather on the software guts required to keep Vista from crashing.
For businesses, and for CIOs charged with the decision about migrating to Vista, the three burning questions are: just how much better is Vista at security than XP, what's the total cost of ownership, and how much more does Vista-capable hardware cost?
Early word is that Vista's security is indeed a big step up, notwithstanding the surface annoyance of the user account controls. On the TCO front, Microsoft's broad embrace of an ecosystem extending beyond Vista to encompasses both Office 2007 and Exchange 2007 might go a long way toward blunting incursions onto the desktop from Linux. As for buy-in costs, I'm not the first reviewer to opine that, rather than rushing to Vista right out of the box, businesses will most likely migrate to Vista as part of their normal PC upgrade cycle.
|
-
DBAs and security professionals should carefully watch WOODB developments during December 2006 to ensure data bases and information stay as protected as possible.
WOODB - Week of Oracle Database Bugs scheduled during December 2006
http://weblog.infoworld.com/techwatch/archives/008988.html
QUOTE: Based on the great idea of H D Moore "Month of Browser Bugs" and LMH "Month of Kernel Bugs", we are proud to announce that we are starting on December the "Week of Oracle Database Bugs" (WoODB).
What is the WoODB about?
An Oracle Database 0day will be released every day for a week on December.
Why are you doing this?
We want to show the current state of Oracle software ("in")security also we want to demostrate Oracle isn't getting any better at securing its products (you already know the history: two years or more to fix a bug, not fixing bugs, failing to fix bugs, lying about security efforts, etc, etc, etc.).
Why are you targeting only Oracle?
We have 0days for all Database software vendors but Oracle is "The #1 Star" when talking about lots of unpatched vulnerabilities and not caring about security.
Why not the Month of Oracle Database Bugs?
We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is, also we don't want to give away all our 0days:), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more.
|
-
As I was listening to the radio news on my way to work, I learned about the new online shopping day now termed as "Cyber Monday". The growth and convenience factors related to the Internet have made the first Monday after Thanksgiving a very large day for online orders. In fact, it was the 2nd largest online shopping day of all last season (i.e., 12/12/2005 was the largest).
One reason is that many folks return back to work and put the companies high-speed Internet facilities to work (e.g., some folks may not have Internet at home, they may be on dial-up, or they may even have some idle time on their hands, etc).
Just as shoppers must lock their cars and hide purchases in their trunks, they must also be careful during Cyber Monday or any other time they choose to shop online.
Some safety tips include:
1. Does your employer permit this? -- Hopefully, most employees will recognize that employers have a right to monitor all Internet activities conducted on business equipment. However, some employers permit some personal use during lunch, breaks, or after hours. Users should check IT policies or with their supervisors if they are unsure on corporate usage policies. They should carefully use this business resource and not allow "Cyber Monday" to become grounds for "Layoff Tuesday"
2. Always "Think before you click" -- Be careful with email links or URLs returned via a website search. Phishing attacks are disquised sites that look like the real e-commerce site, but they are designed to capture your credit card or account information for fraudulent misuse. These types of sites are abundant and often referenced in spam email. Always go in by the parent site and remember that a complete stranger on the Internet doesn't truly want to give you anything. More information can be found at www.castlecops.com
3. Conduct e-commerce with mainstream sites that use secure server technology. Never shop by email or other untrusted conventions. Research human contact or return policies, so that you can resolve issues quickly.
4. Use a true credit card, rather than a bank debit card as better fraud protection is present
5. Maintain your privacy at all times. Only provide information once you're certain the information can be trusted. Also ensure your system is free of any malware.
Cyber Monday - Home Page
http://www.cybermonday.com/
Cyber Monday - FAQs
http://www.shop.org/cybermonday/
Cyber Monday Frequently Asked Questions
• Is Cyber Monday the biggest online shopping day of the year?
• Was Cyber Monday “made up?”
• Why are you encouraging consumers to shop through CyberMonday.com?
• How big was Cyber Monday last year?
• How are retailers encouraging people to shop online this year?
• Do retailers get upset when consumers shop online rather than in stores?
• Where can I find more information about the holiday season?
Stay Safe while shopping online (a few sites found in a quick search)
http://onguardonline.gov/index.html
http://www.bbb.org/alerts/article.asp?ID=153
http://usgovinfo.about.com/od/consumerawareness/l/blonlineshopsaf.htm
http://www.microsoft.com/athome/security/default.mspx
http://usa.visa.com/personal/security/protect_yourself/basics/index.html
http://pittsburgh.about.com/od/shopping/bb/bybshopon.htm
http://www.pcanswer.com/articles/holidaytips2005.htm
|
-
-
POC was developed in one hour and a fully functional exploit within 3 hours ... This signifies that sooner is better when it comes to pilot testing and rolling out the updates as quickly as possible in the corporate environment.
Fully working MS06-070 POC exploit developed in just 3 hours
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005163
QUOTE: One of the exploits that has become available for the workstation service flaw was developed by Immunity Inc. The Miami Beach-based penetration-testing company was able to develop a proof-of-concept code against the flaw one hour after Microsoft released a patch for it on Tuesday and a fully working exploit in about three hours, said Kostya Kortchinsky, a senior researcher at Immunity. The code has been tested and found to be working "perfectly well" against several versions of Windows 2000, including Service Pack 3 and SP4, he said. The only mitigating factor is that an attacker would need to have a domain controller set up and accessible somewhere around the machine that is being attacked for the exploit to work, he said.
|
-
More Posts Next page »
|
|
|