Sharing Security Developments and Best Practices for corporate and home users
March 2007 - Posts
-
TJX Intruder had retailer's encryption key http://www.eweek.com/article2/0,1895,2109299,00.asp
QUOTE: The massive data breach at $16 billion retailer TJX involved someone apparently armed with the chain's encryption key, but it might not have been needed as the cyber-thief was accessing data during the card-approval process before it was encrypted.
These are among the latest details in what is almost certainly the worst retail data breach ever. In a 10-K filing to the federal SEC (Securities & Exchange Commission), TJX said it didn't know who the intruders were, but it did provide more details about what they say happened that led to the card information of some 46 million consumers getting into unauthorized hands.
Additional Links http://www.eweek.com/article2/0,1895,2106322,00.asp http://www.eweek.com/article2/0,1895,2104200,00.asp
-
Some tech writers speculate that this might be a practical joke, but it could also be a legitimate campaign. If it turns out to be a genuine attack campaign, all MySpace users should track developments carefully during April 2007.
Up next: Month of MySpace bugs http://blogs.zdnet.com/security/?p=127
QUOTE: The month-of-bugs phenomenon is showing no signs of slowing down. Next up: MySpace. During the month of April, hackers plan to expose security vulnerabilities in the popular social networking portal. The idea behind the planned Month of MySpace Bugs, according to the organizers, is to publish "silly XSS/misleading CSS style bugs" that affect MySpace user pages.
Kim Komando: Prepare now for MySpace bugs http://www.komando.com/tips/index.aspx?id=3097
QUOTE: How secure is MySpace? It appears as if we are about to find out! The "month of bugs" trend continues with the recently announced MOMBY (Month of MySpace Bugs, Yuss!). Scheduled for April, MOMBY follows similar projects such as the Month of Apple Bugs.
MOMBY: a place for bugs (Official Tracking Site) http://momby.livejournal.com/
QUOTE: The purpose of the exercise is not so much to expose Myspace as a hive of spam and villainy (since everyone knows that already), but to highlight the monoculture-style danger of extremely popular websites populated by users of various levels of sophistication. We could have just as easily gone after Google or Yahoo or MSN or ZDNet or whatever.
Month of MySpace Bugs: April Fools? http://news.com.com/2061-10789_3-6168655.html
QUOTE: It appears that the effort is meant mostly to poke fun at the previous "Month of" campaigns that focused on browser, Apple and kernel bugs. "Months of Bugs are whiny, attention-seeking ploys for acceptance," "Mondo Armando" and "Mustaschio" wrote. Oh, when is the MySpace campaign starting? "Were you not paying attention? April 1, 2007
-
There is limited information from AV vendors currently, but several excellent write-ups on the threat itself are noted below. The trojan's use of the SSL/Winsock interface means that even trusted server connections are unsafe for infected users. Users should be careful in all aspects of Internet access (e.g., email, IM, websites, etc.).
CERT: Gozi Trojan Targets Microsoft Internet Explorer Vulnerabilities http://www.us-cert.gov/current/current_activity.html#gozi
QUOTE: The Trojan is reportedly spread via IE browser exploits and has primarily targeted infected home computers. While new and sophisticated exploits can be difficult to defend against, US-CERT encourages users to take the following preventative measures to help mitigate browser-based security risks:
- Install anti-virus software, and keep its virus signature files up-to-date.
- Review the Securing Your Web Browser document.
Secure Works - Excellent In-Depth Analysis http://www.secureworks.com/research/threats/gozi/?threat=gozi
QUOTE: A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.
- Steals SSL data using advanced Winsock2 functionality
- State-of-the-art, modularized trojan code
- Spread through IE browser exploits
- Undetected for weeks, months by many AV vendors
- Customized server/database code to collect sensitive data
- Customer interface for on-line purchases of stolen data
- Accounts compromised by stealing data primarily from infected home PCs
- Accounts at top financial, retail, health care, and government services affected
- Data's black market value at least $2 million
Additional Articles:
ISC: Gozi Trojan Steals SSL Encrypted Data for Fun and Profit http://isc.sans.org/diary.html?storyid=2498
Russian (Gozi) Trojan powering massive ID-theft ring http://blogs.zdnet.com/security/?p=133
Gozi Trojan Data Up For Sale Using Webmoney http://digitalmoneyworld.com/gozi-trojan-data-up-for-sale-using-webmoney/
Google Links http://www.google.com/search?hl=en&q=gozi+trojan
-
Home http://www.antispywarecoalition.org/
Documents (Best Practices) http://www.antispywarecoalition.org/documents/index.htm
FAQ http://www.antispywarecoalition.org/about/FAQ.html
Members http://www.antispywarecoalition.org/about/index.htm
CURRENT MEMBER LIST (Current ASC Members):
- Aluria Software, an Earthlink company
- AhnLab
- AOL
- Berkman Center for Internet & Society, Harvard Law School
- Bit9
- Blue Coat Systems
- Canadian Coalition Against Unsolicited Commercial Email
- US Coalition Against Unsolicited Commercial Email
- Canadian Internet Policy and Public Interest Clinic
- Center for Democracy & Technology
- CNET Networks
- Computer Associates
- Dell, Inc.
- Eset
- F-Secure Corporation
- Google
- Grisoft
- HP
- ICSA Labs
- Internet Education Foundation
- ISS
- Lavasoft
- McAfee Inc.
- Mi5 Networks
- Microsoft
- National Center for Victims of Crime
- National Cyber Security Alliance
- National Network to End Domestic Violence
- Panda Software
- PC Tools
- Radialpoint
- Safer-Networking Ltd.
- Samuelson Law, Technology & Public Policy Clinic at Boalt Hall, UC Berkeley School of Law
- Sana Security
- Shavlik Technologies
- Sophos
- Spamhaus
- Sunbelt Software
- SurfControl
- Symantec
- Tenebril
- Trend Micro
- Webroot Software
- Websense
- Yahoo! Inc.
-
In the "what will they think of next" column ... March 24th (Saturday) is supposed to be a day without computers.
National Computer Shutdown Day - March 24th http://www.eweek.com/article2/0,1759,2105644,00.asp
QUOTE: "Tach it up, tach it up, buddy gonna shut you down," crooned the Kitty, Beach Boys-like, when he heard that March 24 has been designated Shutdown Day 2007 by the folks at shutdownday.org. The global experiment hopes to see if people can function without their computers for one day. "Of course, it has to be a Saturday—why couldn't it be a work day?" laughed the lazy Lynx.
-
Cisco IP phone users should apply the relevant patches where needed to prevent DoS-based lockouts of service. So far, there are no known exploits of this in the wild. This one was of interest as I use a 7961 at work.
Cisco IP Phone 7940/7960 Denial of Service Vulnerability http://secunia.com/advisories/24600/ http://www.frsirt.com/english/advisories/2007/1023
QUOTE: A vulnerability has been reported in Cisco IP Phone 7940 and 7960, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the handling of certain SIP INVITE messages. This can be exploited to reboot the device by sending a specially crafted INVITE message with a malformed "sipURI" field of the Remote-Party-ID. The vulnerability is reported in devices running firmware POS3-07-4-00.
-
Secunia has created a test page for this new vulnerability, which could be used in phishing attacks. Exploiting it requires the user to click the "Refresh the page" link after navigation is cancelled, which lets a malicious page spoof the address bar of another site.
Internet Explorer 7 Cross-Site Scripting Vulnerability http://secunia.com/advisories/24535/ http://www.frsirt.com/english/advisories/2007/0946
QUOTE: A weakness has been identified in Microsoft Internet Explorer 7, which could be exploited by malicious websites to conduct spoofing or phishing attacks. This issue is due to an input validation error in the resource page "res://ieframe.dll/navcancl.htm" when generating the "Refresh the page" link in order to reload a site, which could be exploited by attackers to spoof the displayed address bar by tricking a user into clicking on the "Refresh the page" link while visiting a malicious web page.
-
This new trojan horse attack has interesting visual features when users become infected.
JS/Shake - Creates an earthquake effect for Internet Explorer http://vil.mcafeesecurity.com/vil/content/v_124353.htm
QUOTE: JS/Shake is a trojan which invokes your Internet browser and shakes the browser window side to side for a few seconds and then stops. It will then connect to a Russian website which contains adverts and popups.
-
Probably most of us have received those annoying stock spam messages urging us to hurry up and buy, so we can make a 10-fold return on our investment. The SEC has taken recent action in suspending trading for 35 companies (most likely those that were actually participating directly in these schemes). The practice hasn't ended, as I personally received more of these today, but this type of action might reduce the overall volume of these messages.
Operation Spamalot - SEC takes action against Stock spammers http://www.avertlabs.com/research/blog/?p=217 http://www.sec.gov/news/press/2007/2007-34.htm
QUOTE: The Securities and Exchange Commission (SEC) announced in a press release on March 8 that it has suspended trading in securities of 35 pink sheet companies that have been the subject of recent stock spam campaigns. Stock spam has increased in volume in recent times and now represents a significant percentage of what we see each day. In 2006 alone we saw more than 300 different stocks being spammed.
-
The only significant DST impact to report is related to synchronizing "my biological clock" with the new time. Still, it's nice to get off work with an extra hour of daylight.
Yesterday, my XP system at home had no time-related issues as the DST patch worked properly. I also accepted a DST patch to my Blackberry system and within 10 minutes this was properly synchronized with the new time changes. Today at work both of my XP systems had the correct time. I even tested my token-based SecurID access and it's synchronizing fine. While I'm sure we have a few issues to resolve, it appears that our network administrators did an excellent job overall.
Below are related DST articles shared by the Internet Storm Center handlers. While there are some issues, most likely the industry came through this change much better than predicted. This is due to the efforts of network and security administrators in taking this change seriously and patching:
http://isc.sans.org/
-
As an IT professional I've worked with PCs since 1981, after working on a large corporate project to introduce this new technology in our company. I used PCs on a daily basis in supporting our corporate users for the next 10 years. Security issues and viruses were rare and unheard of by most users.
Then in 1991, the Michelangelo virus was discovered and analyzed. It was a highly destructive boot sector virus that would wipe out an entire hard drive. The destructive routine to alter the MBR was triggered on March 6th of each year (birth date of Michelangelo, the great artist).
This hidden danger was discovered because some PCs were set with an incorrect date and triggered the virus early. The technical and mainstream media forecast major impacts (as the Wikipedia link notes, there were even claims of over 1 million possible infections).
In our own company, we took precautions and purchased copies of early AV software. Our technicians then scanned PCs throughout our company and some copies were found and cleaned in advance. We only lost 1 PC that I was aware of and we came through this event fine.
Worldwide around 20,000 PCs were lost, but this one virus was a turning point in history. A major initiative to improve PC security began, as the dangers and costs associated with highly destructive viruses were realized from this single event.
AVERT Blogs: Michelangelo Virus turns 15 http://www.avertlabs.com/research/blog/?p=214
QUOTE: In 1991, in Australia, Roger Riordan from Cybec discovered a new variant of the Stoned virus. The new threat was a boot sector virus, which infected the hard disk’s master boot record and the floppy disk boot sector. When researchers discovered that the virus contained a destructive payload triggering on the 6th of March each year, it gained the name Michelangelo. (The Italian Renaissance artist was born on March 6, 1475.)
Before Michelangelo, viruses were usually discreet and confined to the antivirus-specialist world. In March 1992, however, this virus changed the way the world looked at malware. With this newcomer, viruses really came into the public eye.
Michelangelo - Virus Details http://en.wikipedia.org/wiki/Michelangelo_(virus) http://www.answers.com/topic/michelangelo-computer-virus
-
http://www.pcworld.com/printable/article/id,129301/printable.html
QUOTE: So who's making the biggest impact online? We considered hundreds of the Web's most noteworthy power brokers, bloggers, brainiacs, and entrepreneurs to figure out whose contributions are shaping the way we use the Web. We whittled the list down to the top 50--well, actually the top 62--people, but as you'll see, there are some you just can't separate.
-
Month of PHP bugs launched http://articles.techrepublic.com.com/2100-1009_11-6163822.html
QUOTE: A security researcher has kicked off a project to put the spotlight on flaws in the widely used PHP scripting language.
The initiative, dubbed "Month of PHP Bugs," started on Thursday. Five vulnerabilities have so far been disclosed, several of which could allow a system running PHP to be compromised, according to the project Web site.
"This initiative is an effort to improve the security of PHP," Stefan Esser, a noted PHP security expert, wrote on the project Web site. The bug releases will focus on vulnerabilities in the PHP core, not on problems in the PHP language that might result in insecure PHP applications, he wrote.
PHP, which originally stood for Personal Home Page, is a popular scripting language used to create dynamic Web pages. Applications written in PHP accounted for 43 percent of the total vulnerabilities reported in 2006, according to a tally by Security Focus, a security news Web site.
-
This new variant should be easy to contain in corporate environments (especially if attachment blocking is in place). As AV vendors lag a day or two behind massively spammed attacks, home users need to be careful.
New Warezov variant - Update-KBnnnn.EXE attachments http://www.f-secure.com/weblog/archives/archive-032007.html#00001130
QUOTE: The attachment is a ZIP file which contains a static EXE file. The name varies, but it's always something like Update-KB[random numbers]-x86.exe. We detect it as Email-Worm.Win32.Warezov.jx.
EMAIL TO AVOID:
Do not reply to this message
Dear Customer, Our robot has fixed an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have patches at the moment. We recommend you to install a firewall module and it will stop e-mail sending. Otherwise your account will be blocked until you do not eliminate malfunction.
Customer support center robot
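The attachment-blocking check mentioned above, as an added example that is not code from F-Secure or the original post: it inspects a ZIP attachment in memory and flags entries matching the Update-KB[random numbers]-x86.exe naming scheme from the write-up, plus any executable at all under a stricter corporate policy. The sample ZIPs are constructed in the script with placeholder contents; the `classify_zip` and `should_block` names are mine.

```python
"""Gateway-style attachment check for the Warezov Update-KB naming pattern.

Added example, not code from F-Secure or the original post. The ZIPs it
checks are constructed here with placeholder contents, not real samples.
"""
import io
import re
import zipfile

# Naming scheme from the F-Secure description: Update-KB[random numbers]-x86.exe
WAREZOV_NAME = re.compile(r"^Update-KB\d+-x86\.exe$", re.IGNORECASE)
# Stricter corporate policy: block any executable found inside a ZIP attachment.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)


def classify_zip(zip_bytes: bytes) -> dict:
    """Return which entries match the Warezov scheme and which are executables.

    Only the base name is matched, so 'dir/Update-KB123-x86.exe' is still caught.
    """
    result = {"warezov": [], "executables": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if WAREZOV_NAME.match(base):
                result["warezov"].append(info.filename)
            if EXEC_EXT.search(base):
                result["executables"].append(info.filename)
    return result


def should_block(zip_bytes: bytes, block_all_exes: bool = True) -> bool:
    """Block on the Warezov name; optionally on any executable (corporate policy)."""
    verdict = classify_zip(zip_bytes)
    return bool(verdict["warezov"]) or (block_all_exes and bool(verdict["executables"]))


def build_sample_zip(names) -> bytes:
    """Construct a test ZIP whose entries hold harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip(["Update-KB948273-x86.exe"])   # constructed sample
    benign = build_sample_zip(["report.pdf", "notes.txt"])  # constructed sample
    print(classify_zip(lure), should_block(lure))
    print(classify_zip(benign), should_block(benign))
```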
-
This is a good safety check to locate any registered or past criminals living nearby.
Neighborhood Safety Search tool http://www.familywatchdog.us
QUOTE: When you visit this site you can enter your address and a map will pop up with your house as the small icon of a house. Red, blue, or green dots may be present throughout your entire neighborhood. When you click on these dots, a picture of a person will appear with an address and the description of the crime he or she had committed. This site was developed by John Walsh from America's Most Wanted. It is another tool to help us keep our kids safe.
-
DBAs and system administrators should ensure they are up to date on the latest Oracle security patches, so they are protected from this new injection-based attack method, which bypasses Oracle RDBMS security controls.
Oracle - Researcher points to potential attack for unpatched systems http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011942
QUOTE: February 27, 2007 (Computerworld) -- In a paper he plans to discuss Wednesday at the Black Hat DC 2007 conference, noted database security researcher David Litchfield is expected to outline a new attack method against Oracle databases that boosts the danger to unpatched systems. Litchfield, the managing director of U.K.-based NGSSoftware (Next Generation Security Software), has found a way to exploit Oracle vulnerabilities without requiring system privileges. The new tactic, which he spelled out in "Cursor Injection: A New Method for Exploiting PL/SQL Injection and Potential Defences" (download PDF), increases the threat risk of many Oracle-disclosed bugs.