May 2007 - Posts

A new version of Firefox has been released and should be applied promptly to address security concerns. Most folks should auto-update without issues (users can also select HELP and CHECK FOR UPDATES from the menu bar).

Firefox 2.0.0.4 Released - Security and Improved Vista Support
http://isc.sans.org/diary.html?storyid=2891

What's New in Firefox 2.0.0.4
Release Date: May 30, 2007

http://www.mozilla.com/en-US/firefox/2.0.0.4/releasenotes/

1. Security Update

2. Windows Vista Support: More enhancements and fixes for Windows Vista are included.

3. New Languages: Afrikaans (af) and Belarusian (be) are now available. Beta releases for several new languages are also available for testing.

Security Update: The following security issues have been fixed. 

http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.4

Fixed in Firefox 2.0.0.4

MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4)

Thanks to Rod for sharing this link, as the MyIT Forums newsletter is one of my "must reads" each day.

First of all, good security ain't solely about operating systems themselves. It's more about the process itself. You can implement either OS poorly, not keep it updated, etc. You also need more than just the OS alone to be properly protected from the dangers of the Internet.

However, if the right protective processes and best practices are followed, both versions of Windows are fairly secure. If good security management principles aren't followed, neither operating system will ultimately protect the system from "click happy" users.

With that prelude, I disagree with the theme of the article, as Vista clearly has some advantages (e.g., improved kernel protection, improved code base, the UAC warning system, etc.). In fact, in the charts it was rated as providing better spyware/adware protection (which is probably the most frequent hidden exposure folks encounter).

Yes, Vista security could have been tweaked a little better (e.g., in my opinion, a better bi-directional firewall). Still, on paper its security is at least slightly better than XP's, and thus I respectfully disagree, particularly with the "Bottom Line" proposed in the article.

Review: Vista, XP Users Equally At Peril To Viruses, Exploits
http://www.crn.com/software/199701019

QUOTE: After a week of extensive testing, the CRN Test Center found that users of Windows Vista and Windows XP are equally at risk to viruses and exploits and that overall Vista brings only marginal security advantages over XP. One of Microsoft's big promises with Vista was a more secure operating system. But when stripped to the bare bones and thrown into the wild, wild Web, Vista's security failed to impress Test Center engineers.

THE BOTTOM LINE -- Based on the Test Center's findings, businesses that migrate their Windows PCs from XP to Vista will get a slightly more secure OS. But as the Finjan reports showed, Vista's security remains wafer thin. 
In the end, both the Vista and the XP test notebooks were almost equally damaged by viruses, trojans and other malware. And because most of the Web sites in the test were able to exploit Vista's weaknesses, Internet users are just about equally vulnerable with both OSes.

VARs can still cite improved security as a selling point for Vista upgrades. Yet to avoid giving customers a false sense of safety, solution providers should stress that third-party security suites also will be needed to provide systems with ample protection.

Most AV vendors only highlight the most prominent new viruses, but they usually have to add dozens of new signatures daily to their detection files. More amazingly, it's a miracle that AV software can even run, much less run efficiently without impacting performance.

AV vendors are always challenged by the growth in signature file sizes (e.g., McAfee's has almost doubled in the past 2 years). There is also an occasional need to adjust the scanning engine when new threats emerge in previously safe file types or system areas. As one of my friends recently stated, "AV detection is rocket science."

F-Secure estimates there are over 300,000 viruses
http://www.f-secure.com/weblog/archives/archive-052007.html#00001198

QUOTE:  Question: How many viruses or malware exist in general? Can you give me some number? The approximate count is now over 300,000.

The full text of the PCAOB recommendations has been posted at their website. While these are still subject to SEC approval, that action is anticipated with an effective date for implementation around Nov 2007 (effective for fiscal year 2008 from an accounting perspective).  The SOX 404 standards are controls and guidelines for automated IT financial systems, required for publicly listed companies.

Sarbanes-Oxley - Announcement of proposed changes for Section 404
http://www.pcaob.org/News_and_Events/News/2007/05-24.aspx

Quote: The adopted standard and related documents are available on the Board’s Web site under Rulemaking Docket 21

Sarbanes-Oxley - Full text of proposed changes for Section 404  
http://www.pcaob.org/Rules/Docket_021/index.aspx

Key PDF files (first 2 PDFs from the main link above)

PCAOB Release No. 2007-005: An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements and Related Independence Rule and Conforming Amendments (Size=351KB)
http://www.pcaob.org/Rules/Docket_021/2007-05-24_Release_No_2007-005.pdf

SEC Filing Form 19b-4 (Size=42MB - download this huge PDF to your PC rather than viewing with browser)
http://www.pcaob.org/Rules/Docket_021/AS5_19b-4.pdf

I work with Excel spreadsheets often and recently captured the process for pivoting tables. I had used formulas and even table-matching techniques, and this process is much simpler and works like magic.

Who says you can't teach old dogs new tricks?

Excel - Step by Step instructions on How to Pivot a Table
http://www.excelforum.com/showthread.php?p=1787972#post1787972

P.S. Please select the attachment link "How to Pivot a Table" at the bottom of this post for a Word document with screen excerpts showing the step-by-step process. 

I've used 2 of the 3 sites below for years. I discovered the Internet Health Report site today and bookmarked it as a monitoring resource.

Internet Storm Center - Significant Security Events
http://isc.sans.org/

Internet Health Report - Status of Major Carriers
http://internethealthreport.com/

Internet Traffic Report - Status of Performance by Continent
http://www.internettrafficreport.com/

While this email is most likely not widespread, folks should be cautious of spoofed messages from banks and software vendors. Links in email messages can download hostile malware agents that can be difficult to recover from.

Microsoft Support has something very important to say
http://www.f-secure.com/weblog/archives/archive-052007.html#00001200

QUOTE: A few hours ago we received reports of an important update supposedly coming from Microsoft Support. Since this "update" is not part of the monthly cycle, we were of course suspicious.  Looking at the e-mail, our suspicions grew due to the glaring typos and the non-Microsoft domain link. 

The sample contained in the link is now detected as Backdoor:W32/VanBot.CA since 2007-05-28_05.  Updates are always good, but in this case, keep your virus definitions updated instead.
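The two tells F-Secure mentions above (a link that does not go to the vendor's own domain, and visible text that claims otherwise) are mechanical enough to check before anyone clicks. The following script is an added example, not code from this blog or from F-Secure: it extracts every link from an HTML mail body, compares the destination's registrable domain with the domain the sender claims to be, flags raw IP hosts, and flags visible link text that looks like a URL on a different host than the real href. The email body, the `ms-support-downloads.example` domain and the `198.51.100.7` address are constructed placeholders; the two-label `registrable_domain()` helper is a deliberate simplification (a real tool should use the public suffix list).

```python
import ipaddress
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample body modelled on the lure described above: a fake
# "Microsoft Support" update notice. Domains and the IP are placeholders.
SAMPLE_EMAIL = """
<html><body>
<p>Dear Custumer, an importent securty update is availible for you computer.</p>
<p>Download it here: <a href="http://update.ms-support-downloads.example/patch.exe">www.microsoft.com/security</a></p>
<p>Read the <a href="https://www.microsoft.com/technet/security/">Security bulletins</a></p>
<p>Direct link: <a href="http://198.51.100.7/kb/update.exe">http://198.51.100.7/kb/update.exe</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL; bare text such as 'www.example.com/x' is treated as http."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification (assumption): production code
    should consult the public suffix list so 'example.co.uk' is handled correctly."""
    if is_ip_literal(host):
        return host
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html_body: str, claimed_sender_domain: str) -> List[Tuple[str, str, str]]:
    """Return (href, visible text, reason) for each link that contradicts the claimed sender."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        href_dom = registrable_domain(href_host)
        if is_ip_literal(href_host):
            findings.append((href, text, "ip-host"))
        elif href_dom != claimed_sender_domain.lower():
            findings.append((href, text, "foreign-domain"))
        # Visible text that looks like a URL must point where it says it does.
        if "." in text and " " not in text:
            text_dom = registrable_domain(host_of(text))
            if text_dom and text_dom != href_dom:
                findings.append((href, text, "text-href-mismatch"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, "microsoft.com"):
        print(f"{reason:20} {text!r} -> {href}")
```

Run against the sample with `microsoft.com` as the claimed sender, only the genuine TechNet link passes; the download link is reported twice (foreign domain, and visible text that names microsoft.com while the href does not) and the raw-IP link once.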

16 of 30 AV vendors detect EICAR encapsulated in Rich Text Files

EICAR is an industry-standard antivirus test file that all AV vendors use for testing purposes. It is harmless. At work, I've used it often in the past to test corporate server and PC systems to ensure AV defenses were working. Vendors not detecting this test file most likely should adjust their systems.

AVERT: Rich Text Malware
http://www.avertlabs.com/research/blog/index.php/2007/05/25/rich-text-malware/

16 of 30 AV vendors detect EICAR encapsulated in Rich Text Files
http://vil.nai.com/images/Blog-%20RTF%20Malware4.JPG

QUOTE: Every single scanner detected the antivirus test file EICAR.COM, but only 16 out of 30 scanners were able to detect it embedded inside a rich text file. In layman’s terms, one could take an already detected malware and embed it inside a rich text file and half the antivirus software on the market would not detect this type of threat. A perfect foil for virus authors to use in phishing and spam runs.
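The reason a scanner can catch EICAR.COM on its own and miss it inside an RTF is that RTF stores embedded objects as hex text, so a plain byte-pattern match never sees the original bytes. The script below is an added illustration of that gap, not code from the blog or from AVERT: it wraps the public EICAR test string in a simplified RTF `\objdata` object (assumption: a real OLE "Package" object also carries an OLE1 header before the file bytes, which does not change the point), shows that a naive substring scan misses it, and then decodes every `\objdata` blob back to bytes so the same signature matches again.

```python
import re
from typing import List

# The EICAR standard antivirus test string (public and harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Matches the hex text that follows an RTF \objdata control word.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def build_rtf_with_embedded_file(payload: bytes) -> bytes:
    """Constructed sample: wrap a file as an RTF embedded object.

    Word stores embedded objects as hex text inside \\objdata. This is a
    simplified stand-in (assumption): a real OLE "Package" object carries an
    OLE1 header ahead of the file bytes, but the content is still hex text,
    which is all that matters for the scanner below.
    """
    hexdata = payload.hex().encode("ascii")
    # Word breaks the hex into short lines; do the same so the decoder must cope.
    lines = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0\r\n"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\r\n"
            + lines + b"\r\n}}\\par\r\n}")


def naive_scan(data: bytes) -> bool:
    """Plain byte-pattern match, i.e. a scanner that does not understand RTF."""
    return EICAR in data


def extract_rtf_objects(data: bytes) -> List[bytes]:
    """Decode every \\objdata hex blob back into the bytes it embeds."""
    objects = []
    for m in OBJDATA_RE.finditer(data):
        hexchars = re.sub(rb"\s+", b"", m.group(1))
        if len(hexchars) % 2:  # tolerate a truncated trailing nibble
            hexchars = hexchars[:-1]
        try:
            objects.append(bytes.fromhex(hexchars.decode("ascii")))
        except ValueError:
            continue
    return objects


def rtf_aware_scan(data: bytes) -> bool:
    """Match the signature in the raw file and inside decoded embedded objects."""
    if naive_scan(data):
        return True
    return any(EICAR in obj for obj in extract_rtf_objects(data))


if __name__ == "__main__":
    sample = build_rtf_with_embedded_file(EICAR)
    print("raw EICAR, naive scan   :", naive_scan(EICAR))
    print("RTF-wrapped, naive scan :", naive_scan(sample))
    print("RTF-wrapped, RTF-aware  :", rtf_aware_scan(sample))
```

The same idea generalises to any container that re-encodes its contents (base64 in MIME, zip, OLE streams): a signature engine has to normalise each layer to the bytes it was written against, which is exactly what half the tested products were not doing for RTF.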

http://www.microsoft.com/technet/technetmag/issues/2007/06/

QUOTE: It's security month again. Learn how User Account Control in Windows Vista protects the machines you manage by limiting the administrator privileges users normally run with. BitLocker Drive Encryption, another Vista feature, adds security as well by providing full volume encryption and the validation of startup components.

Also this month, finally get the tools you need to manage and control the kinds of hardware users install and connect to your network. You may be surprised at the range of security improvements this provides. Plus, read up on the four security must-haves: risk management, anti-malware, network anomaly detection, and configuration monitoring.

Below is part of a recent post in a forum, where a member asked how they might protect themselves better after a major virus or spyware infection created an unbootable system that needed reformatting.

QUOTE: Yes, sometimes advanced spyware or viruses become so ingrained in the Windows registry and startup process that reloading is your only method of recovery. Tools, more secure settings and best practices will help prevent future occurrences. You probably know most of this general advice, and I'll share what I see as helpful in protecting against some of the dangers out there:

1. Good AV package (there are certainly good free versions)
2. Good Firewall (bi-directional preferred)
3. Ensure you are using XP SP2 and IE7, (IE 6 has so many unpatched holes)
4. Firefox offers a good complementary browser with very few working exploits in the wild
5. Best practices and avoidance and "thinking security" at all times are probably your best defenses. Avoid all attachments and URLs in emails (plain text mode is also preferable). Be careful in website visitations (avoid all ads and untrusted sites). Think of every spam message as a telemarketing call or door-to-door salesman visiting ... There ain't no free lunches out there.
6. Monitor new developments. You don't have to become a security expert, but when a new risk emerges take the precautions, workarounds, countermeasures, etc. You're welcome to bookmark my Security Blog (link in signature) as I try to share new developments, best practices, etc. from a user standpoint (and there are many other great sites out there as well)
7. You might want to research Anti-Spyware solutions (Counter-Spy, Spysweeper, AVG's version, AdAware, etc.)
8. Ramp up your security services and lock down unneeded services
9. When it comes to email or websites, avoid trusting them too quickly. I like the "No Trust" rule, rather than "Trust but Verify", as top-notch scammers can create authentic looking HTML that appears to come from a bank, Paypal, Microsoft, or other vendors. Call if you have to and validate anything suspicious.
10. Protect your privacy and avoid sharing sensitive info.
11. Use strong passwords and even change them periodically.
12. Stay up-to-date on all Windows patches and security updates for other products

While this is still subject to PCAOB and Congressional approval, passage of the proposed change appears promising according to the article. It's good to see these changes coming to SOX 404.

SEC approves Sarbanes-Oxley changes for section 404
http://www.forbes.com/feeds/ap/2007/05/23/ap3751963.html 
http://www.reuters.com/article/ousiv/idUSN2323489520070523
http://www.washingtonpost.com/wp-dyn/content/article/2007/05/23/AR2007052301106.html

QUOTE:  The U.S. Securities and Exchange Commission approved new guidance on Wednesday to help companies comply with what critics say is a burdensome and costly provision of the Sarbanes-Oxley corporate reform law. The agency, by a 5-0 vote, encouraged companies to take a more risk-based approach to complying with Section 404 of the legislation.

"Congress never intended that the 404 process should become inflexible, burdensome and wasteful," SEC Chairman Christopher Cox said at the agency's open meeting. Section 404 requires companies to assess their internal controls over financial reporting. It also calls for external auditors to report on management's assessment and on the controls themselves.

Corporations and business lobbyists have complained that Section 404 was too expensive and the SEC has conceded that, in some cases, overly cautious companies caused the law's costs to exceed its benefits.

The new guidance allows managers to identify the highest risks to their books as opposed to forcing them to test a long list of controls. The Public Company Accounting Oversight Board is expected to vote on Thursday in favor of revised guidance for auditors on a risk-based approach when assessing a company's internal controls.

Google has launched a new online security blog that discusses security controls for this major website

Google's New Online Security Blog
http://googleonlinesecurity.blogspot.com/

Introducing Google's online security efforts
http://googleonlinesecurity.blogspot.com/2007/05/introducing-googles-anti-malware.html

QUOTE: Online security is an important topic for Google, our users, and anyone who uses the Internet. The related issues are complex and dynamic and we've been looking for a way to foster discussion on the topic and keep users informed. Thus, we've started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we'll tackle is malware, which is the subject of our inaugural post.

Opera has just released v9.21 for Windows which corrects a serious security issue.  All Opera users should update to the latest version.  So far there are no issues in upgrading to the latest version in my own personal testing. 

Opera Browser - 9.21 change log
http://www.opera.com/docs/changelogs/windows/921/

Advisory: Malicious torrent files can execute arbitrary code
http://www.opera.com/support/search/view/860/

Opera Torrent File Handling Buffer Overflow Vulnerability
http://secunia.com/advisories/25278/

QUOTE: A vulnerability has been reported in Opera, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the handling of torrent files and can be exploited to cause a buffer overflow when a user right-clicks a malicious torrent entry in the transfer manager. Successful exploitation allows execution of arbitrary code. The vulnerability is reported in versions prior to 9.21 for Windows.

This MSNBC article was informative, and while the threat isn't new, web malware has increased in scope to the point where the volume of email viruses has declined in favor of other ways to compromise user security.

Internet Threat - Growth of Infectious Web Pages
http://redtape.msnbc.com/2007/05/the_next_net_th.html

The Ghost In The Browser - Analysis of Web-based Malware
http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf

QUOTE: Don't click on attachments? Good. Always keep that firewall turned on? Even better. Stay away from the Internet's unsavory neighborhoods? Better still. Think you are protected? Wrong.

Computer criminals are evolving their tactics to subdue your computer, experts say. Each time you invest more money and time in staying safe, the bad guys just find another way around your defenses. Their newest method may be the trickiest yet: Web pages booby-trapped with infectious computer code.

In the study, Google found 300,000 Web sites laced with such malicious code, and another 700,000 suspicious sites. For perspective, the study found only 18,000 Web sites laced with adware.

So called drive-by downloads are not new, but criminals have seized on the tactic lately because their success rate with traditional e-mail viruses has tapered off thanks to improved software and consumer education. Avoiding e-mail viruses is fairly easy, as long as consumers follow clear rules like "don't click on any attachments." But drive-by downloads are much more sinister, as no user interaction is required beyond opening an infected site in a Web browser.

This security test was interesting. Roughly 1 out of 1,000 individuals clicked on this ad, which even had text stating "you could get a virus infection by visiting there".

Being selective and careful will reduce the risk of coming in contact with adware, spyware, and viruses, as "an ounce of prevention is worth a pound of cure".

ISC - People will click on Anything
http://isc.sans.org/diary.html?storyid=2811

QUOTE: Didier Stevens documented an interesting experiment, in which he purchased a Google ad that encouraged people to click on the ad to be infected.  Didier was curious to see how many people would actually click. More than you might think.

It turns out, the "ad was displayed 259,723 times and clicked on 409 times. That’s a click-through-rate of 0.16%." Not bad at all, considering that the campaign cost around $23.

The ad said:

===============================
Drive-By Download
Is your PC virus-free?
Get it infected here!
===============================
