Sharing Security Developments, and Best Practices for corporate and home users
November 2006 - Posts
-
Symantec has published a removal tool for the new Spybot.ACYR worm, which exploits the SYM06-010 vulnerability in the Norton and Symantec anti-virus products themselves (along with several popular Windows exploits). Symantec users who have not yet applied the AV product updates the vendor released in spring 2006 should do so now. The removal tool is useful because Spybot embeds itself in the Windows registry and is difficult to remove manually.
W32.Spybot.ACYR - New Symantec Removal Tool
|
-
Microsoft has released an improved version of their WGA anti-piracy facility and encourages all users to move to this latest version. Adjustments have been made based on customer feedback and issues with prior releases (e.g., false positives, etc).
I've applied the new version successfully with no issues so far. This control applies primarily to the Windows XP environment and allows users to upgrade to IE 7, Media Player 11, and other new software releases.
Microsoft releases new WGA version
Microsoft WGA Knowledge Base information
Microsoft WGA Home Page
Computer World Article on New WGA version
QUOTE: This is the most current release of Windows Genuine Advantage Notifications. We encourage you to upgrade to this version. This release includes enhanced features that reflect ongoing input from customers, as well as Microsoft’s continually improving anti-piracy technology.
Specific features of this version include:
* Improved Setup – A new installation wizard provides an overview of the tool, and shows validation results immediately at the end of the installation process. No reboot is required following installation.
* Redesigned User Interface - The system tray notifications have been redesigned to make them more visually appealing with clear links to full details of each message and further options for resolving any problems.
* Improved User Assistance – Improved messaging for users who are unable to complete validation, along with links to more and better self-help tools.
|
-
I'm thankful WOODB didn't materialize. If they had exploitable code ready to publish, maybe the vendor took a proactive stance? I firmly believe all POC exploits should always be shared with the vendor in a private manner.
Week of Oracle Data Base Bugs (WOODB) Project Cancelled http://www.incidents.org/diary.php?storyid=1897 http://www.argeniss.com/woodb.html
QUOTE: Argeniss has cancelled the week of Oracle bugs due to "many problems".
|
-
The key point I took from the article is that even with the overlapping standards, you can't rely on SAS 70 meeting SOX 404 compliance needs completely (and vice versa). Additionally, companies that take Information Security seriously shouldn't have too much difficulty with SOX 404. Most likely you're satisfying both sufficiently, apart from the unique items that the two do not have in common.
http://www.cfo.com/article.cfm/8344746/c_8317584?f=home_todayinfinance
QUOTE: To be sure, it's clear that SAS 70 calls for a comprehensive report detailing the design, assessment, and effectiveness of a vendor’s internal controls and how they affect financial reporting for clients of the outsourcing services vendor.
But there are widespread misperceptions about the standard's purpose, particularly about what an audit covers in terms of technology activities, some say. "A SAS 70 is intended to be a service-auditor-to-client auditor communication tool. But some [information technology] people think it affirms privacy and security. It doesn’t," says Everett Johnson, president of the Information Systems Audit and Control Association.
|
-
The 2006 edition of this list is available at the following site:
http://sectools.org/
QUOTE: After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don't know where to start”.
|
-
http://secunia.com/advisories/23139/
QUOTE: Symantec has acknowledged a vulnerability in NetBackup Puredisk, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
|
-
I'm seeing significant increases in SPAM activity in both corporate and personal email accounts. Here's hoping some of the proposed actions help.
SPAM Email - EU taking action for major increase at year-end http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005418
QUOTE: November 27, 2006 (IDG News Service) -- The European Commission has urged its member states to beef up their efforts to cut spam, spyware and malicious software, after research showed that up to 85 percent of all e-mail received in the European Union is unsolicited.
Better cooperation with enforcement authorities from other countries, including countries outside the Union, is essential to defeat the spammers, the Commission said, noting that the U.S. and the E.U. have agreed to tackle spam through joint enforcement initiatives.
|
-
http://iase.disa.mil/stigs/checklist/index.html
Documents (document, date, size):
* Active Directory Checklist Version 1, Release 1.3, Updated! (posted Nov 21, 2006): Oct 05, 2006, 379KB
* Application Security Checklist Version 2, Release 1.9, Updated! (posted Nov 21, 2006): Nov 24, 2006, 1443KB
* Application Services Checklist Version 1, Release 1.1: Sep 21, 2006, 448KB
* Biometrics Checklist: Oct 31, 2005, 843KB
* Cisco Router Checklist (Supplement to the Network Checklist V6R4): Dec 2, 2005, 110KB
* Database Security Checklist, Version 7, Release 2.2: Oct 29, 2006, 749KB
* Defense Switched Network Checklist Version 2, Release 3.2: Nov 24, 2006, 2622KB
* Desktop Applications Checklist, Version 2, Release 1.6, Updated! (posted Nov 21, 2006): Nov 24, 2006, 817KB
* Domain Name System (DNS) Checklist Version 2, Release 2: May 16, 2006, 1077KB
* Enclave Checklist Version 3, Release 1.6: July 2006, 289KB
* ERP STIG Security Application Checklist: Jun 2006, 1590KB
* Draft Joint Information Assurance Officer Checklist: Jan 11, 2006, 78KB
* Joint System Administrator Checklist: Jan 11, 2006, 43KB
* Joint System Administrator Checklog: Jan 11, 2006, 43KB
* Draft Joint Wireless Administrator Checklist: Jan 11, 2006, 60KB
* Draft Joint Wireless Administrator Checklog: Oct 18, 2005, 96KB
* Juniper Router Checklist (Supplement to the Network Checklist V6R4): Dec 2, 2005, 124KB
* Keyboard, Video, and Mouse (KVM) Switch Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.2: April 2006, 642KB
* Macintosh OS X Checklist V1R13: April 2006, 528KB
* Multi-Function Device (MFD) Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.2: April 2006, 471KB
* .NET Framework Security Checklist V1R2: May 2006, 627KB
* .NET Framework Security Memo: Oct 19, 2005, 27KB
* .NET Framework Security Comment Matrix: Oct 19, 2005, 21KB
* NetOps Checklist: Sept 20, 2005, 1926KB
* Network Checklist Version 6, Release 4.4: Jul 21, 2006, 2,453KB
* Open VMS Security Checklist: April 2006, 310KB
* OS/390 Logical Partition Checklist: April 2006, 688KB
* OS/390 RACF Checklist Version 5, Release 2.1, Updated! (posted Nov 21, 2006): Nov 2006, 2508KB
* OS/390 ACF2 Checklist Version 5, Release 2.1, Updated! (posted Nov 21, 2006): Nov 2006, 2877KB
* OS/390 Self Assessment Checklist: April 2006, 853KB
* OS/390 TSS Checklist Version 5, Release 2.1, Updated! (posted Nov 21, 2006): Nov 2006, 2596KB
* Storage Area Network (SAN) Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.3: May 2006, 955KB
* Tandem Checklist V2R1.2: April 2006, 2,670KB
* Traditional Basic Checklist: May 2006, 1438KB
* Traditional Common Compliance Validation Checklist: May 2006, 534KB
* Traditional DISA Checklist: May 2006, 549KB
* Traditional NIPRNET Compliance Validation Checklist: May 2006, 137KB
* Traditional SIPRNET Compliance Validation Checklist: May 2006, 1607KB
* Unisys Checklist Version 7, Release 2: Nov 24, 2006, 1236KB
* Universal Serial Bus (USB) Checklist for Sharing Peripherals Across the Network STIG Version 1, Release 1.2: April 2006, 352KB
* UNIX Security Checklist Version 5, Release 1: Nov 15, 2006, 936KB
* Virtual Machine (VM) Checklist: April 2006, 559KB
* VMS 6.0 Vulnerability ID to STIG ID Cross Reference: April 2006, 500KB
* Voice Over Internet Protocol (VOIP) Checklist V2R2.2: May 19, 2006, 1729KB
* Web Server Security Checklist: April 2006, 1579KB
* Windows 2000 Security Checklist Version 5, Release 1.7, Updated! (posted Nov 21, 2006): Nov 24, 2006, 1717KB
* Windows 2003 Checklist Version 5, Release 1.7, Updated! (posted Nov 21, 2006): Nov 24, 2006, 1,388KB
* Windows NT Security Checklist Version 4, Release 1.21: Jul 28, 2006, 995KB
* Windows XP Security Checklist Version 5, Release 1.7, Updated! (posted Sep 19, 2006): Nov 24, 2006, 1,442KB
* Wireless Security Checklist Version 4, Release 2.1, Just added (posted Sep 07, 2006): Aug 25, 2006, 412KB
* Wireless Blackberry Security Checklist Version 4, Release 2.1, New! (posted Sep 07, 2006): Aug 25, 2006, 554KB
|
-
Kaspersky Labs documents how people can pay malicious individuals in the Internet underworld a fee to attack a site of their choosing. Alternatively, Internet sites can be held hostage by DDoS attackers until a ransom payment is made.
November 25, 2006 "Saturday Morning Specials" http://www.viruslist.com/en/weblog?calendar=2006-11
QUOTE: If you are wondering, the cost to DDoS a website can range between $100 and several thousand US Dollars. For www.viruslist.com it would be around $3000 per day.
Apparently, there are even special discounts for "DDoS multiple sites" packs - "buy two, DDoS the third for free!". They even offer different methods to DDoS a website - for instance, syn flood or heavy traffic. This is because some ISPs charge by traffic, and several hundred GBs of extra traffic can cost the website owner a lot more than the DDoS attack.
Faced with a massive DDoS attack, many companies simply remove their websites from the net until the attack is over. Others pay up the ransom, if there is one. The best thing to do is to work with the ISP and companies specializing in blocking DDoS attacks. Please don't pay the ransom, it only encourages the bad guys to carry on.
|
-
F-Secure notes a significant number of new variants spammed to avoid AV detection. Be careful with all SPAM and unsolicited email messages:
http://www.f-secure.com/weblog/archives/archive-112006.html#00001032
QUOTE: We've been busy with the latest spam runs of the Warezov family over the last hours. We've added detection for the following variants, and there are probably more on the way:
W32/Warezov.HB W32/Warezov.HC W32/Warezov.HD W32/Warezov.HE W32/Warezov.HF W32/Warezov.HG W32/Warezov.HH W32/Warezov.HI W32/Warezov.HJ
|
-
This update will allow for the Windows XP, 2000, and 2003 versions to include the recently passed DST changes. These changes appear to be included in Vista Gold. This special update must be manually downloaded and applied (as it's not included in Windows Update). If users don't apply these changes, they'll have to manually change times to accommodate for the new DST rules.
Windows Time Zone Update - New Daylight Savings Time Rules http://support.microsoft.com/kb/928388
QUOTE: Starting in the spring of 2007, daylight saving time (DST) start and end dates for the United States will transition to comply with the Energy Policy Act of 2005. DST dates in the United States will start three weeks earlier (2:00 A.M. on the second Sunday in March) and will end one week later (2:00 A.M. on the first Sunday in November).
The update that this article describes changes the time zone data to account for the United States DST change. This time zone update will also include changes for other related DST changes, time zone behavior, and settings. Some of these changes will occur in 2007, and some have occurred since these versions of Windows were originally released.
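An added example, not code from the post or from Microsoft's KB article, that computes the transition dates under the new rule quoted above and under the pre-2007 US rule (first Sunday in April, last Sunday in October), so an administrator can see exactly which days an unpatched Windows system would show local time one hour off:

```python
"""Compare US DST transition dates under the 2007 rules (KB 928388:
second Sunday in March, first Sunday in November) with the pre-2007
rules (first Sunday in April, last Sunday in October).  The days on
which the two rules disagree are the days an unpatched system's
local timestamps, scheduled tasks and log correlation are off by an hour."""
from datetime import date, timedelta


def nth_sunday(year: int, month: int, n: int) -> date:
    """Return the n-th Sunday of the given month (n=1 is the first)."""
    first = date(year, month, 1)
    # weekday(): Monday=0 ... Sunday=6, so this is the gap to the first Sunday.
    offset = (6 - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def last_sunday(year: int, month: int) -> date:
    """Return the last Sunday of the given month."""
    nxt = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = nxt - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() - 6) % 7)


def dst_bounds_2007_rules(year: int) -> tuple:
    """DST start and end dates under the Energy Policy Act of 2005 rules."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def dst_bounds_pre_2007_rules(year: int) -> tuple:
    """DST start and end dates under the rules Windows XP/2000/2003 shipped with."""
    return nth_sunday(year, 4, 1), last_sunday(year, 10)


def mismatch_windows(year: int) -> tuple:
    """Return (spring_days, autumn_days): the dates on which a system using the
    old rules disagrees with one using the new rules.  In spring the new rule
    is already in DST while the old one is not; in autumn the old rule has
    already left DST while the new one has not."""
    new_start, new_end = dst_bounds_2007_rules(year)
    old_start, old_end = dst_bounds_pre_2007_rules(year)
    spring = [new_start + timedelta(days=d) for d in range((old_start - new_start).days)]
    autumn = [old_end + timedelta(days=d) for d in range((new_end - old_end).days)]
    return spring, autumn


if __name__ == "__main__":
    for year in (2007, 2008):
        spring, autumn = mismatch_windows(year)
        print(year, "new rules:", dst_bounds_2007_rules(year),
              "old rules:", dst_bounds_pre_2007_rules(year))
        print("  days off by one hour: spring", len(spring), "autumn", len(autumn))
```

For 2007 the spring window is 21 days (March 11 to March 31) and the autumn window 7 days (October 28 to November 3), matching the "three weeks earlier" and "one week later" in the KB text.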
|
-
This morning I had several new messages with file attachments containing a brand new variant of Stration (aka Warezov). Even though I'm up-to-date on McAfee protection, these new viruses would have infected my system had I selected the file attachments.
1. Mail server report. Tue Nov 21, 2006 32k
2. Status Tue Nov 21, 2006 33k
3. Mail server report. Tue Nov 21, 2006 32k
4. picture Tue Nov 21, 2006 45k
5. Mail server report ....
F-Secure also reports increased activity http://www.f-secure.com/weblog/archives/archive-112006.html#00001029 http://www.f-secure.com/weblog/archives/archive-112006.html#00001028 http://www.f-secure.com/weblog/archives/archive-112006.html#00001027
----- VIRUS TOTAL ANALYSIS ------
Subject: [VirusTotal] Server notification
Complete scanning result of "Update-KB5290-x86.zip", processed in VirusTotal at 11/22/2006 16:15:21 (CET).
[ file data ]
* name: Update-KB5290-x86.zip
* size: 22972
* md5: 674a6a5c631abc5f5d745d851f988166
* sha1: 778bada5df8c3ea2452073d774e2e754e14157cb
[ scan result ]
* AntiVir 7.2.0.44/20061122 found [TR/Dldr.Stration.G]
* Authentium 4.93.8/20061122 found [Possibly a new variant of W32/Tricky-Malware-based!Maximus]
* Avast 4.7.892.0/20061122 found [Win32:Warezov-QI]
* AVG 386/20061120 found nothing
* BitDefender 7.2/20061122 found [Win32.Warezov.GK@mm]
* CAT-QuickHeal 8.00/20061122 found nothing
* ClamAV devel-20060426/20061122 found [Worm.Stration.PR]
* DrWeb 4.33/20061122 found [Win32.HLLM.Limar.based]
* eSafe 7.0.14.0/20061120 found [suspicious Trojan/Worm]
* eTrust-InoculateIT 23.73.63/20061122 found [Win32/Stration!ZIP!Worm]
* eTrust-Vet 30.3.3205/20061121 found [Win32/Stration!ZIP!generic]
* Ewido 4.0/20061122 found [Worm.Warezov.gj]
* F-Prot 3.16f/20061122 found [Possibly a new variant of W32/Tricky-Malware-based!Maximus]
* F-Prot4 4.2.1.29/20061122 found [W32/Tricky-Malware-based!Maximus]
* Fortinet 2.82.0.0/20061122 found [W32/Stration.GK@mm]
* Ikarus 0.2.65.0/20061122 found [Email-Worm.Win32.Warezov.dr]
* Kaspersky 4.0.2.24/20061122 found [Email-Worm.Win32.Warezov.gj]
* McAfee 4901/20061121 found nothing
* Microsoft 1.1804/20061122 found nothing
* NOD32v2 1877/20061122 found [Win32/Stration.PP]
* Norman 5.80.02/20061122 found [W32/Stration.CEP]
* Panda 9.0.0.4/20061121 found nothing
* Prevx1 V2/20061122 found [Trojan.Update-KB]
* Sophos 4.11.0/20061116 found [W32/Stratio-Zip]
* TheHacker 6.0.3.122/20061121 found nothing
* UNA 1.83/20061121 found nothing
* VBA32 3.11.1/20061122 found [Email-Worm.Win32.Warezov.gj]
* VirusBuster 4.3.15:9/20061122 found [Trojan.Opnis.Gen.28]
[ notes ]
packers: UPX
|
-
Secunia rates this new vulnerability and POC exploit code as highly critical. Throughout the month, POCs have been developed on a daily basis, many of them pertaining to unpatched Linux 2.6 and Apple vulnerabilities.
MOKB: Apple Mac OS X Critical Memory Corruption Vulnerability http://secunia.com/advisories/23012/ http://kernelfun.blogspot.com/2006/11/mokb-20-11-2006-mac-os-x-apple-udif.html
QUOTE: LMH has reported a vulnerability in Mac OS X, which potentially can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in Apple Disk Image Controller when handling corrupted DMG image structures. This can be exploited to cause a memory corruption and may allow execution of arbitrary code in kernel-mode. The vulnerability is reported in a fully patched Mac OS X (2006-11-20).
WORKAROUND: Deactivate the option "opening safe files after downloading" in the preferences and grant only trusted users access to affected systems
|
-
This two-page evaluation provides report-card scoring across various categories for the "Ultimate" edition.
Vista Ultimate scores B+ on Information Week evaluation http://www.informationweek.com/news/showArticle.jhtml?articleID=194500135
QUOTE: Overall: B+ My biggest Vista surprise was, struggle though I might, I couldn't find much significantly different from previous versions. Then it dawned on me: That's a good sign, because it indicates that Microsoft's focus is no longer on look and feel but rather on the software guts required to keep Vista from crashing.
For businesses, and for CIOs charged with the decision about migrating to Vista, the three burning questions are: just how much better is Vista at security than XP, what's the total cost of ownership, and how much more does Vista-capable hardware cost?
Early word is that Vista's security is indeed a big step up, notwithstanding the surface annoyance of the user account controls. On the TCO front, Microsoft's broad embrace of an ecosystem extending beyond Vista to encompass both Office 2007 and Exchange 2007 might go a long way toward blunting incursions onto the desktop from Linux. As for buy-in costs, I'm not the first reviewer to opine that, rather than rushing to Vista right out of the box, businesses will most likely migrate to Vista as part of their normal PC upgrade cycle.
|
-
DBAs and security professionals should carefully watch WOODB developments during December 2006 to ensure databases and the information they hold stay as protected as possible.
WOODB - Week of Oracle Database Bugs scheduled during December 2006 http://weblog.infoworld.com/techwatch/archives/008988.html
QUOTE: Based on the great idea of H D Moore "Month of Browser Bugs" and LMH "Month of Kernel Bugs", we are proud to announce that we are starting on December the "Week of Oracle Database Bugs" (WoODB).
What is the WoODB about? An Oracle Database 0day will be released every day for a week on December.
Why are you doing this? We want to show the current state of Oracle software ("in")security, also we want to demonstrate Oracle isn't getting any better at securing its products (you already know the history: two years or more to fix a bug, not fixing bugs, failing to fix bugs, lying about security efforts, etc, etc, etc.).
Why are you targeting only Oracle? We have 0days for all Database software vendors but Oracle is "The #1 Star" when talking about lots of unpatched vulnerabilities and not caring about security.
Why not the Month of Oracle Database Bugs? We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is, also we don't want to give away all our 0days:), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more.
|
-
As I was listening to the radio news on my way to work, I learned about the new online shopping day now termed "Cyber Monday". The growth and convenience factors related to the Internet have made the first Monday after Thanksgiving a very large day for online orders. In fact, it was the 2nd largest online shopping day of all last season (i.e., 12/12/2005 was the largest).
One reason is that many folks return to work and put the company's high-speed Internet facilities to work (e.g., some folks may not have Internet at home, they may be on dial-up, or they may even have some idle time on their hands, etc).
Just as shoppers must lock their cars and hide purchases in their trunks, they must also be careful during Cyber Monday or any other time they choose to shop online.
Some safety tips include:
1. Does your employer permit this? -- Hopefully, most employees will recognize that employers have a right to monitor all Internet activities conducted on business equipment. However, some employers permit some personal use during lunch, breaks, or after hours. Users should check IT policies or with their supervisors if they are unsure of corporate usage policies. They should use this business resource carefully and not allow "Cyber Monday" to become grounds for "Layoff Tuesday".
2. Always "Think before you click" -- Be careful with email links or URLs returned via a website search. Phishing attacks are disguised sites that look like the real e-commerce site, but they are designed to capture your credit card or account information for fraudulent misuse. These types of sites are abundant and often referenced in spam email. Always go in by the parent site and remember that a complete stranger on the Internet doesn't truly want to give you anything. More information can be found at www.castlecops.com
3. Conduct e-commerce with mainstream sites that use secure server technology. Never shop by email or other untrusted conventions. Research human contact or return policies, so that you can resolve issues quickly.
4. Use a true credit card rather than a bank debit card, as better fraud protection is present.
5. Maintain your privacy at all times. Only provide information once you're certain the information can be trusted. Also ensure your system is free of any malware.
Cyber Monday - Home Page http://www.cybermonday.com/
Cyber Monday - FAQs http://www.shop.org/cybermonday/
Cyber Monday Frequently Asked Questions
* Is Cyber Monday the biggest online shopping day of the year?
* Was Cyber Monday “made up?”
* Why are you encouraging consumers to shop through CyberMonday.com?
* How big was Cyber Monday last year?
* How are retailers encouraging people to shop online this year?
* Do retailers get upset when consumers shop online rather than in stores?
* Where can I find more information about the holiday season?
Stay Safe while shopping online (a few sites found in a quick search) http://onguardonline.gov/index.html http://www.bbb.org/alerts/article.asp?ID=153 http://usgovinfo.about.com/od/consumerawareness/l/blonlineshopsaf.htm http://www.microsoft.com/athome/security/default.mspx http://usa.visa.com/personal/security/protect_yourself/basics/index.html http://pittsburgh.about.com/od/shopping/bb/bybshopon.htm http://www.pcanswer.com/articles/holidaytips2005.htm
|
-
A POC was developed in one hour and a fully functional exploit within 3 hours. This signifies that sooner is better when it comes to pilot testing and rolling out the updates as quickly as possible in the corporate environment.
Fully working MS06-070 POC exploit developed in just 3 hours http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005163
QUOTE: One of the exploits that has become available for the workstation service flaw was developed by Immunity Inc. The Miami Beach-based penetration-testing company was able to develop a proof-of-concept code against the flaw one hour after Microsoft released a patch for it on Tuesday and a fully working exploit in about three hours, said Kostya Kortchinsky, a senior researcher at Immunity. The code has been tested and found to be working "perfectly well" against several versions of Windows 2000, including Service Pack 3 and SP4, he said. The only mitigating factor is that an attacker would need to have a domain controller set up and accessible somewhere around the machine that is being attacked for the exploit to work, he said.
|
-