Harry Waldron - My IT Forums Blog

Sharing Security Developments, and Best Practices for corporate and home users

August 2007 - Posts

  • SPAM - Be careful no matter how tempting the offers are

    In reviewing some of the captured SPAM early this morning, this free email offer caught my attention. Spammers try to appeal to our sense of getting something for free or a better bargain. There are no free lunches or even candy bars on the Internet.  SPAM should be considered like a telemarketing call out of the blue, and folks should always be careful, even when our favorite temptations like chocolate are offered.

    One study cited that 70% of folks would disclose their password for a bar of chocolate.  Hopefully, the importance of security has increased.

    http://msmvps.com/blogs/harrywaldron/archive/2004/04/20/5245.aspx
    http://msmvps.com/blogs/harrywaldron/archive/2005/05/08/46088.aspx

    Date: Sun, 31 Aug 2008 14:01:43 +0300
    From: "Candy Bar Giveaway"
    To: Harry
    Subject: Get All the Chocolate Candy Bars You Can Eat!

    Get a 24-PACK OF SNICKERS, FREE*!

    • SNICKERS King Size or
    • SNICKERS Cruncher or
    • SNICKERS Almond

    CLICK HERE
    [URL Removed]


  • Recent WGA Validation Issues were a result of human error

    This brings back an old saying from when I first entered the IT field several years ago: "To err is human, and to really foul up things takes a computer." It illustrates the need for thorough testing and strong change control procedures. Even then, sometimes things might still go "bump in the night".
     
    Recent WGA Validation Issues were a result of human error
    http://www.infoworld.com/article/07/08/29/Microsoft-blames-human-error-for-WGA-glitch_1.html
    http://blogs.msdn.com/wga/archive/2007/08/28/so-what-happened.aspx

  • Latest Storm Worm - Join the Beta Testing program

    No personal copies yet, but I'm sure the 1.7M botnet will be sending us some soon.

    http://www.avertlabs.com/research/blog/index.php/2007/08/29/more-nuwar-woes/

    QUOTE: The Nuwar gang are up to no good again. So far we’ve seen a dizzying flurry of malicious ecards, sexy emails, membership themes and YouTube bait over the last couple of weeks from the authors of the Storm worm. The latest spam run calls for beta testers to try out a product in exchange for lifetime free updates. A sample mail is as follows

  • IBM zOS Release - Focus on Security Improvements

    Sharing for those who still use IBM mainframe technologies (as we currently do in our companies).

    IBM zOS Release - Focus on Security Improvements
    http://blogs.techrepublic.com.com/tech-news/?p=1059

    quote:

    It appears that IBM has just introduced a new release of its renowned z/OS mainframe operating system.  Because of the mainframe’s place in the heart of a vast portion of the world’s financial services - as well as varied other large businesses, the focus this time round has been on security.

    IBM Boosts Mainframe Security
    http://www-03.ibm.com/press/us/en/pressrelease/22172.wss

    quote:

    ARMONK, NY - 17 Aug 2007: IBM (NYSE: IBM) today unveiled a new release of its mainframe operating system -- the z/OS -- adding features that increase the software's already fortress-like security for online commerce as well as the next generation of highly secure business transactions. IBM also announced new mainframe software that automates security administration and audit processes.

  • IRS wants to give you $80 - Phishing/Vishing Scam

    Please avoid all IRS-based emails that might currently be circulating. A well-designed email scam is circulating that appears to come from the IRS. It contains some legitimate IRS links and has a phone number in the email.

    Calling the phone number will lead to a person impersonating the IRS and collecting information from the call (e.g., SSN, account numbers, credit card info, etc.). The phone uses VoIP technology to hide the true location of the scammers and possibly spoofs caller ID controls to show "Internal Revenue Service".

    Do not respond to any email from the IRS without contacting your local IRS branch before taking any action.

    Phish or Vish? The IRS is back
    http://isc.sans.org/diary.html?storyid=3316

  • Latest Storm Worm - uses fake You-Tube links

    This new version of the Storm worm is designed to appear as legitimate video links to YouTube's site. Please be careful with all email links as the Storm worm attacks continue.
     
    Storm of the Day, Now with YouTube
    http://isc.sans.org/diary.html?storyid=3321 
     
    QUOTE: The latest variation of the Storm worm claims to be a YouTube video. The link looks like a link to YouTube, but actually points to a "numeric" URL like old Storm variants. The downloaded binary is called "video.exe".
      
    Email SAMPLE COPY - (with malicious content removed)

    To: Harry
    Subject: how did you get that on film, man?
    From: (REMOVED)
    Date: Sat, 25 Aug 2007 18:18:16 +0530

    You can see your face right in the video. its all over the web dude. see for yourself
    ... (URL REMOVED) ...

    (The link appears to be a valid YouTube address but is spoofed to direct users to a malicious web site.)

  • Latest Storm Worm - eCards now uses HTML and fake URLs

    The ever-changing Storm Worm (a.k.a. Nuwar, Zhelatin) has been revamped from plain text to HTML. This conversion allows the malicious authors to hide the dangerous numeric IP addresses behind link text that looks like a legitimate e-card site. The latest versions of most browsers (e.g., IE 7, Firefox 2, Opera 9, etc.) allow users to "hover over" a URL and see the true address behind a link (just never click without verification).

    The best practice is to avoid these messages completely, as hostile scripts could be embedded in future iterations of these massively spammed attacks. Clicking on the URL could automatically download and install some of the worst malware circulating in the wild, and it is very difficult to detect and clean. Folks can save hours of aggravation and possible damage to their systems by being careful and thinking before they click. Finally, all users should keep their anti-virus protection as up to date as possible to keep pace with these daily changing attacks.

    ‘Fun World’? Not Really–Part 2
    http://www.avertlabs.com/research/blog/index.php/2007/08/22/fun-world-not-really-part-2/

    QUOTE: Today Nuwar/Zhelatin spammed out several thousand mails, which are very similar to those we saw yesterday. Although the spam template did not change at all, the format of the mail changed. It changed to HTML instead of plain text, but it does not contain any active content such as JavaScript or ActiveX. Compared with the last spam wave, the IP address is no longer visible. Users might have learned not to click on http://xx.xx.xx.xx/ IP addresses in spam mails, and now they need to get educated again.

    Video - Storm Site
    http://www.f-secure.com/weblog/archives/archive-082007.html#00001257

    QUOTE: The Zhelatin/Storm Gang has been very busy lately. Their spamming tactics have changed from sending an attachment to sending a link that directs recipients to an IP Address. The HTML used by their sites is variable, and also differs depending on the browser.



    EMAIL SAMPLES (with malicious content removed)

    ==================================

    To: Harry
    Subject: Someone sent you an Ecard
    From: (REMOVED)
    Date: Thu, 23 Aug 2007 23:22:53 -0400

    (REMOVED) wants to send you a greeting from greet2k.com.

    To get your message, click on this link:
    greet2k.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)

    Greetings,
    greet2k.com

    ==================================

    To: Harry
    Subject: You have an E-Card from...?
    From:
    Date: Thu, 23 Aug 2007 14:11:32 -0700

    Your Brother wants to send you a greeting from mycardmaker.com.

    If you would like to read this greeting, follow this link:
    mycardmaker.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)

    Greetings,
    mycardmaker.com

    ==================================

    To: Harry
    Subject: A Digital Card from someone who cares.
    From: (REMOVED)
    Date: Thu, 23 Aug 2007 16:16:58 -0500

    (REMOVED) is delivering you an Ecard from buzzle.com.

    To view your card, follow this link:
    buzzle.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)

    Greetings,
    buzzle.com

    ==================================

    To: Harry
    Subject: This is a Card for you.
    From: (REMOVED)

    Your Neighbour asked us to send you this card from dgreetings.com.

    To Enjoy your Ecard, follow this link:
    dgreetings.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)

    Sincerly,
    dgreetings.com

    ==================================


  • Storm Worm surpasses Sober as most prolific email virus of all time

    The Storm worm was named after its social engineering attempt to capitalize on one of the greatest winter storms of all time in Europe during early 2007. Folks were invited to click on breaking news items, and with the new e-card variants the Nuwar worm has grown to become the most significant email virus of all time (both in terms of email volume and malicious capabilities).
     
     Record-breaking 'Storm' linked to spam surge
     Biggest, baddest e-mail malware ever, says researcher
     
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9030538 
     
    QUOTE: August 14, 2007 (Computerworld) -- Storm, the Trojan horse that collects PCs into hacker-controlled botnets, roared back into life last month in several waves, security researchers said Monday, and has blown by 2005's Sober to become the most prolific e-mail-borne malware ever.
     
     "This is the biggest since Sober in mid-to-late 2005," said Sam Masiello, director of threat research at MX Logic Inc., referring to a long-lasting worm whose variants struck repeatedly in the second half of 2005, often in extremely high numbers. In November 2006, for instance, e-mail filtering companies reported malware-laden e-mail counts spiking 1,500% in a week, and said they were intercepting four times the usual number of infected messages.
     
     According to MX Logic, Storm -- a bot Trojan that collects compromised computers into large networks of ready-to-use PCs -- has broken Sober's records. Thanks to Storm, the Englewood, Colo.-based managed e-mail security vendor tracked a July jump in malicious e-mail of 1,700% over June. Storm, however, is much more malevolent than Sober ever dreamed. "Not only is it designed to propagate more copies of Storm, but it releases huge quantities of spam," said Masiello.

  • Storm Worm - Invitations to become club members

    The highly polymorphic Storm worm has once again been very quickly re-engineered. Messages now attempt to invite folks into various social network clubs found on the Internet. This new attack is widespread, as almost 2 million infected users are participating in a HUGE botnet that spams out countless copies. This new threat is circulating extensively. The 1st sample message is tempting, as I really like cats, but I think I'll decline this invitation.

    Storm of the Day (Welcome Member)
    http://isc.sans.org/diary.html?storyid=3298

    QUOTE: Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs"

     

    ===================================

    SAMPLES with malicious information removed

    ===================================

    To: Harry
    Subject: Your Member Info
    From: "Cat Lovers" [EMAIL ADDRESS REMOVED]
    Date: Tue, 21 Aug 2007 16:01:11 +0800

    Subject: Greetings, Welcome To Cat Lovers.

    User Number: 93275951895
    Temp Login ID: user2686
    Password ID: qt379

    Please Change your login and change your Login Information.

    Click on the secure link or paste it to your browser:
    [DANGEROUS NUMERIC URL REMOVED]

    Enjoy,

    Confirmation Dept.
    Cat Lovers


    ===================================


    To: Harry
    Subject: Internal Support
    From: [EMAIL ADDRESS REMOVED]
    Date: Tue, 21 Aug 2007 03:46:26 -0400


    New Member,

    We are glad you joined Ringtone World.

    Confirmation Number: 1433249943
    Your Temp. Login ID: user9096
    Temp Password ID: od872

    Your temporary Login Info will expire in 24 hours. Please login and change it.

    Use this link to change your Login info:
    [DANGEROUS NUMERIC URL REMOVED]

    Enjoy,
    New Member Services
    Ringtone World


    ===================================


    To: Harry
    Subject: Membership Details
    From: "Internet Dating" [EMAIL ADDRESS REMOVED]
    Date: Mon, 20 Aug 2007 19:41:32 -0400


    New Member, Here is your membership info for Internet Dating.

    User Number: 23913334
    Your Login ID: user8588
    Temp Password ID: gj779

    Please Change your login and change your Login Information.

    Follow this link, or paste it in your browser:
    [DANGEROUS NUMERIC URL REMOVED]

    Enjoy,
    Membership Support Department
    Internet Dating


    ===================================


    To: Harry
    Subject: Welcome Letter
    From: "Net Gambler" [EMAIL ADDRESS REMOVED]
    Date: Tue, 21 Aug 2007 13:31:41 +0100


    Greetings, We are glad you joined Net Gambler.

    Account Number: 92687431
    Temp Login ID: user1564
    Temp Password ID: gf869

    Please Change your login and change your Login Information.

    Click here to enter our secure server:
    [DANGEROUS NUMERIC URL REMOVED]

    Enjoy,
    Support Department
    Net Gambler

  • CNET - My laptop was stolen, what concerns should I have?

    Laptop security is always a concern, and several recommendations can be found in this featured CNET thread:

    CNET - My laptop was stolen, what concerns should I have?
    http://forums.cnet.com/5208-10149_102-0.html?forumID=7&threadID=259087

    QUOTE: My wife and I had two laptops stolen from our room in an upscale hotel in Norfolk, Virginia last Saturday night. My question is somewhat open-ended. Is a concern justified for identity theft from the info available on the machine? Having owned the laptops for 1 to 2 years and using them as the primary home/travel computer, it is safe to say that everything was on the hard drive. Not only the 20GB of pictures, nor the finance stuff, or the research database, or all the cookies, etc.; even the money for the cost of the computers is poof--gone. What is the concern that the community would have for such a loss: identity theft, system hijacking, sleepless nights, having to buy new ones, and so on. In the future, in case of another loss, what are some solid security measures I can use to prevent someone from obtaining what I have on my laptops?

  • Storm Worm - Inappropriate themes in latest variants

    The ever-changing Storm Worm is now circulating and I've personally started receiving copies captured in my spam filters. The new version uses inappropriate subject lines, as noted by the ISC below. Based on the samples received, these messages contain only a URL with a numeric IP address in the body of the email text. URLs in spam email are almost always dangerous sources of malware (especially numeric IP addresses). Users should avoid these new attacks, as this virus is very difficult to clean and can affect both the privacy and performance of the PC itself.

    http://isc.sans.org/diary.html?storyid=3286
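    The "hover over the link" check from the HTML e-card post above (visible text names a greeting-card site while the real target is a numeric IP address) and the bare numeric-IP URLs in this post's plain-text samples can both be checked mechanically on the mail-filter side. The following Python script is an added example, not code from the original posts; it uses only the standard library, and the message bodies and the 192.0.2.x addresses in it are constructed for illustration.

```python
"""Flag spam-style links: numeric-IP targets and display/target mismatches.

Added example, not from the original blog posts. Standard library only.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that itself looks like a URL or bare hostname,
# e.g. "greet2k.com" or "http://www.youtube.com/watch?v=abc".
HOSTLIKE_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[:/]\S*)?", re.I)
# URLs embedded in plain-text bodies.
PLAIN_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def host_of(value):
    """Return the lowercase host of a URL or bare hostname, or None."""
    value = value.strip().rstrip(".,;:)")
    if not value:
        return None
    if "://" not in value:
        value = "http://" + value          # bare hostname in link text
    try:
        host = urlparse(value).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_numeric_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(body, is_html):
    """Return [(reason, href), ...] for links a mail filter should flag.

    "numeric-ip-target"       - the link points at a bare IP literal
    "display-target-mismatch" - the visible text names one host while the
                                href points at a different one
    """
    findings = []
    if is_html:
        parser = _AnchorCollector()
        parser.feed(body)
        for href, text in parser.anchors:
            target = host_of(href)
            if target is None:
                continue
            if is_numeric_ip(target):
                findings.append(("numeric-ip-target", href))
            if HOSTLIKE_RE.fullmatch(text):
                shown = host_of(text)
                if shown and shown != target:
                    findings.append(("display-target-mismatch", href))
    else:
        for url in PLAIN_URL_RE.findall(body):
            target = host_of(url)
            if target and is_numeric_ip(target):
                findings.append(("numeric-ip-target", url))
    return findings


# Constructed sample bodies (not real spam; 192.0.2.0/24 is a documentation range).
HTML_ECARD = (
    "<p>(REMOVED) wants to send you a greeting from greet2k.com.</p>"
    "<p>To get your message, click on this link:<br>"
    '<a href="http://192.0.2.10/ecard.exe">greet2k.com</a></p>'
)
PLAIN_STORM = "its all over the web dude. see for yourself http://192.0.2.20/\n"
BENIGN_HTML = '<a href="https://www.example.com/card/123">www.example.com</a>'

if __name__ == "__main__":
    for label, body, html in (("ecard", HTML_ECARD, True),
                              ("plain", PLAIN_STORM, False),
                              ("benign", BENIGN_HTML, True)):
        print(label, suspicious_links(body, html))
```

    The mismatch test only fires when the link text itself looks like a hostname or URL, so ordinary "click here" anchors are judged on their target alone.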

  • MPack - v0.91 now rated as More Dangerous

    MPack is a "malware development package" that allows rapid and easy construction of web-based attacks (e.g., PHP scripts, exploits). A new version has surfaced which offers increased capabilities, as noted by Symantec:

    MPack - v0.91 now rated as More Dangerous
    http://www.symantec.com/enterprise/security_response/weblog/2007/08/mpack_getting_more_dangerous.html

    quote:

    Some of the key enhancements in the new version include:

    1. The exploits include the existing ones present in v0.84.
    2. There have been some changes to the management and reporting interface.
    3. Some additional files are a part of the installation to ensure authentication.
    4. Mpack has also introduced some more encryption and obfuscation to increase the detection complexity.
    5. There are some modifications in the Mpack loading pages (ability to target specific countries)

    MPack toolkit v0.91 also comes with a legal disclaimer: Mpack is created solely for test purposes. You are prohibited to use it in conditions violating local or international laws. Authors hold no responsibility for any damage, direct or indirect, caused by usage of this software.

    Symantec's analysis of v0.86
    http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html

    What is MPACK?
    http://isc.sans.org/diary.html?storyid=3015
    http://www.securityfocus.com/news/11476

    quote:

    In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites. A year later, the MPack kit has become an increasingly popular tool, allowing data thieves and bot masters to take control of victims' systems and steal personal information. The MPack infection kit has been blamed for hundreds of thousands of compromised computers. And, it's malicious software with a difference: The creators have offered a year of support to those clients from the Internet underground who purchase the software for anywhere from $700 to $1,000.

  • New GpCode Ransomware variants have surfaced

    New GpCode ransomware attacks are circulating on a limited basis in the wild, and AV vendors are adding protection. These new variants encrypt several types of data files on a PC, demanding $150 in an online payment for a decryption capability.

    Users should never pay these "ransoms", as the cleaning tool most likely won't arrive, and some AV vendors provide decryption tools to clean infected systems. Still, this reminds us to periodically take a backup of important files and always avoid untrusted URLs and email attachments.

    New GpCode Ransomware variants have surfaced
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FGPCODE%2EAB
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FGPCODE%2EAC

    quote:

    This Trojan may arrive as a dropped file or downloaded file of another malware. This Trojan encrypts all files with certain extension names found on any readable and writable drive. As a result, the said files become unreadable. It then drops and opens the file ASAP!!!.TXT on the current user's Desktop folder. The said text file informs the user that the files have been encrypted, and that special software must be purchased to decrypt the files.

  • New Storm Worm - uses constant polymorphic based repacking routines

    Below are recent links on the latest "animated e-card variants". One point of concern comes from AVERT Labs on the constant repackaging of Nuwar to evade AV detections EVERY FEW MINUTES. No wonder AV vendors are in the 30% detection range, as Nuwar is constantly mutating in an automated fashion. A few years ago, security researchers speculated on the "super worm" that would constantly mutate so that AV detection strings couldn't keep pace with in-the-wild copies circulating. Unfortunately, we're getting closer to seeing this prediction come true.

    AVERT LABS - Keeping up with Nuwar
    http://www.avertlabs.com/research/blog/index.php/2007/08/15/keeping-up-with-nuwar/

    QUOTE: Well, given that Nuwar is polymorphically repacked every few minutes and a functionally new version is released every day, that was hardly surprising. I zipped the samples up and sent them to our virus researchers to produce detection for them ...

    F-Secure - Zhelatin gang changing tactics
    http://www.f-secure.com/weblog/archives/archive-082007.html#00001249

    QUOTE: Over the last few weeks, we've seen tons of ecard.exe spam, where fake greeting card mails have been spammed out. The messages have not contained an attachment, but just links to web sites that offer a download of one ecard.exe to your machine. Since last night, the messages have changed. You still get the normal greeting card spam. But when you follow the link, the web site now talks about the need for you to install "Microsoft Data Access" to your computer ...

    WebSense Alert on new storm worm
    http://www.websense.com/securitylabs/alerts/alert.php?AlertID=792

  • Article: Best practices for online shopping

    I've subscribed to Network World magazine for a number of years and also receive the newsletter. This two-part article by Steven Zeligman below is one of the best articles I've read related to e-commerce security. Following these guidelines will help you stay safe while shopping online.

    ARTICLE:  Best practices for online shopping
    Author:     Steven Zeligman, MSIA, MCP, CISSP
    From:       Network World newsletter


    QUOTE:

    Best practices for online shopping

    Online shopping does pose risks, but the risk can easily be reduced.

    1. Eliminate malware

    Before shopping online, clean your computers of malware (malware is MALicious softWARE).

    2. Shop only at trusted online retailers

    Use the same common sense when shopping online that you would use when shopping in the physical world. Be as vigilant when choosing online retailers as when choosing brick-and-mortar merchants. If you are uncertain about a particular Web site, check the Better Business Bureau’s ratings http://www.bbb.org . Reliable online merchants provide a phone number where you can talk to a customer-service representative about security issues. Look for third-party seals of approval such as BizRate http://www.bizrate.com/ , BBBOnLine http://www.bbbonline.org/ , VeriSign Secured https://seal.verisign.com/ , and HackerSAFE https://www.scanalert.com/ . Usually clicking on the symbol will bring you directly to the report for the Web site you are visiting.

    3. Look for Web site security indicators

    Although the following are by no means absolute indicators of security, they’re a start: 

    A padlock in the browser window’s status bar (be discriminating - sometimes it’s a false indicator http://www.w3.org/2006/WSC/wiki/PadlockIconMisuse or even just a symbol placed on the Web page itself); URLs that start with “https” instead of just “http”; and the phrase “Secure Sockets Layer (SSL)” in the description of the communications protocol. These are all indications that the online merchant may have taken measures to protect their customers’ private information in transit.

    4. Safeguard your own personal information and records

    Do not send payment information via e-mail. Unencrypted e-mail is not a secure method of communication. All information transmitted via e-mail is at risk of interception by bad people.  Any trustworthy online merchant uses encryption technologies to protect private information during a transaction on their Web site.

    Keep records of all transactions, much as you keep paper receipts for physical “brick and mortar” purchases. An easy way to do that if you have full Acrobat is to print to an Acrobat file from your browser; alternatively, you can use the print function of your browser and send to a suitable printer or even take a screenshot and save the image file on disk. [MK adds: I keep records in folders labeled by vendor in a folder called “My Received Files.” I have a folder for software licenses, for example, one for DVDs, one for CDs and so on.]

    Other methods of safeguarding e-commerce information include:

    * Always conduct online transactions using a Web browser that has all current security patches and uses at least 128-bit encryption.
    * Always use strong passwords that contain a combination of uppercase letters, lowercase letters, and special characters for e-commerce accounts.
    * Never use obvious passwords such as family names, birthdays, pets’ names, etc. for e-commerce accounts.
    * Always use passwords that contain six or more characters.
    * Never share user names or passwords with anyone else.
    * Never use the “one-click shopping” that stores credit-card information accessible through an online account password.
    * Never perform online transactions on public computers.
    * If you have an unsecured home computer, do not allow your browser to store user IDs and passwords for the online-shopping sites you use.

    For more information on browser security and Web sites, see the following U.S. Computer Emergency Readiness Team (US-CERT) Cyber Security Tips:

    ST04-022 --  “Understanding Your Computer: Web Browsers”
    http://www.us-cert.gov/cas/tips/ST04-022.html

    ST05-001 -- “Evaluating Your Web Browser’s Security Settings”
    http://www.us-cert.gov/cas/tips/ST05-001.html

    ST04-012 -- “Browsing Safely: Understanding Active Content and Cookies”
    http://www.us-cert.gov/cas/tips/ST04-012.html

    ST05-010 -- “Understanding Web Site Certificates”
    http://www.us-cert.gov/cas/tips/ST05-010.html

    5. Review the Online Merchant’s Privacy Statement

    Sometimes online merchants call their privacy statements “Terms of Use,” “Terms and Conditions,” “Privacy Statement,” or similar titles. A trustworthy online merchant will always post details regarding the use of consumers’ personal and financial information on their Web site. Consumers should read this policy carefully to ensure that their private information won’t be sold to third parties.

    Consumers should also be prudent about what personal and financial information they reveal to conduct an online transaction. It is usually necessary to provide a credit-card number. However, it should never be required to provide bank-account numbers or Social Security Numbers to conduct online shopping transactions.  There are many reliable online merchants; if you don’t like a merchant’s policies, choose a different one.

    6. Summary

    With a few precautions, you can usually take advantage of online shopping conveniences without significant risk. The essential point is that you have to think before you shop - but that’s true in all situations.

    ==========================

    AUTHOR: Steven Zeligman, MSIA, MCP, CISSP, is the Network Security Manager at Dataline, Inc., and has more than 15 years of experience in information technology and security. His opinions are entirely his own and do not constitute the opinions of his employer. You are welcome to write to him at: steven.zeligman (at) gmail (dot) com  with comments on this article.

  • Opera 9.23 released for improved security and Vista compatibility

    Opera 9.23 is now available to address a critical security vulnerability.

    http://secunia.com/advisories/26477/

    Opera 9.23 for Windows is available for download.

    Changelog for Opera 9.23 for Windows
    http://www.opera.com/docs/changelogs/windows/923/

    Stability

    • Fixed four crash bugs found using Mozilla's jsfunfuzz tool.
    • Fixed a stability issue with Speed Dial.

    Security

    • Fixed a JavaScript security issue discovered with Mozilla's jsfunfuzz tool. See our advisory.

    Windows specific

    • Scrolling problem with some Microsoft mice fixed on Windows Vista.

  • Microsoft Security Updates - August 2007

    Several Microsoft security updates are available to better secure Windows, Internet Explorer, Media Player, Office, and the Virtual PC environment. These should be applied promptly to ensure the best levels of protection.

    Microsoft Security Updates - August 2007
    https://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx

    August 2007 - Security Patches

    Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)
    http://www.microsoft.com/technet/security/Bulletin/ms07-042.mspx

    Vulnerability in OLE Automation Could Allow Remote Code Execution (921503)
    http://www.microsoft.com/technet/security/Bulletin/ms07-043.mspx

    Vulnerability in Microsoft Excel Could Allow Remote Code Execution (940965)
    http://www.microsoft.com/technet/security/Bulletin/ms07-044.mspx

    Cumulative Security Update for Internet Explorer (937143)
    http://www.microsoft.com/technet/security/Bulletin/ms07-045.mspx

    Vulnerability in GDI Could Allow Remote Code Execution (938829)
    http://www.microsoft.com/technet/security/Bulletin/ms07-046.mspx

    Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)
    http://www.microsoft.com/technet/security/Bulletin/ms07-047.mspx

    Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123)
    http://www.microsoft.com/technet/security/Bulletin/ms07-048.mspx

    Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)
    http://www.microsoft.com/technet/security/Bulletin/ms07-049.mspx

    Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)
    http://www.microsoft.com/technet/security/Bulletin/ms07-050.mspx

    Re-Released Bulletins:

    Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807)
    http://www.microsoft.com/technet/security/Bulletin/ms07-038.mspx

    The ISC site provides a good resource for tracking installation issues or exploit developments related to these newly released bulletins. Hopefully, this update will go smoothly, as it's working well so far on 2 of my PCs.

    Internet Storm Center - Analysis of current bulletins
    http://isc.sans.org/diary.html?storyid=3264

  • New Storm Worm - Features dangerous animated e-card links

    Below are recent samples (with all URLs made safer) of email that should be deleted. The numeric links found in these messages may trigger an AUTOMATIC download and install of a very malicious copy of the Nuwar worm. This family of viruses is among the most advanced malware circulating, using rootkit, botnet, polymorphism, and other techniques.

    AV protection may or may not be available for these new leading-edge variants. It's always advisable never to click on URLs or attachments in email messages whenever possible, even in those which may appear to be safe.

    ==========================================

    From: *********
    To: Harry
    Subject: Movie-quality e-card
    Date: Mon, 13 Aug 2007 10:27:08 -0400

    Mother() has created Movie-quality e-card for you at perfectgreetings.com.

    To see your custom Movie-quality e-card, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

    hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?bd9a4815755ec21d93815f9518b32f6c9fb697

    Send a FREE greeting card from perfectgreetings.com whenever you want by visiting us at: hxxp://perfectgreetings.com/

    This service is provided and hosted by perfectgreetings.com.


    ==========================================


    From: *********
    To: Harry
    Subject: Animated postcard
    Date: Tue, 14 Aug 2007 12:40:40 +0200

    School-mate() has created Animated postcard for you at greetingsisland.com.

    To see your custom Animated postcard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

    hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?23407b969d2b1d96eb463c6da46ca

    Send a FREE greeting card from greetingsisland.com whenever you want by visiting us at: hxxp://greetingsisland.com/

    This service is provided and hosted by greetingsisland.com



    ==========================================


    From: *********
    To: Harry
    Subject: Greeting ecard
    Date: Tue, 14 Aug 2007 02:53:35 -0400

    Uncle() has created Greeting ecard for you at hallmark.com.

    To see your custom Greeting ecard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

    hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?42a6de1712445fd9c2b5

    Send a FREE greeting card from hallmark.com whenever you want by visiting us at: hxxp://hallmark.com/

    This service is provided and hosted by hallmark.com.
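    As a defender-side illustration added here (not code from the original post), this Python script applies the tells the three samples above share: the click-through link points at a bare numeric IP while the text names a legitimate greeting-card site, and the sender slot is an unfilled template placeholder such as Mother(). The sample messages, the 192.0.2.x addresses and the hex tokens are constructed stand-ins for the removed URLs.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed samples mirroring the e-card lures above; 192.0.2.x is documentation space, tokens are placeholders.
SAMPLES = {
    "ecard1": "Mother() has created Movie-quality e-card for you at perfectgreetings.com.\n"
              "To see your custom Movie-quality e-card, simply click on the following Internet address:\n"
              "http://192.0.2.10/?bd9a4815755ec21d93815f9518b32f6c9fb697\n"
              "Send a FREE greeting card from perfectgreetings.com at: http://perfectgreetings.com/\n",
    "ecard2": "Uncle() has created Greeting ecard for you at hallmark.com.\n"
              "To see your custom Greeting ecard, simply click on the following Internet address:\n"
              "http://192.0.2.77/?42a6de1712445fd9c2b5\n"
              "Send a FREE greeting card from hallmark.com at: http://hallmark.com/\n",
    "benign": "Hi Harry, the slides from Tuesday are at https://example.com/slides/aug07\n"
              "Let me know if you have questions.\n",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# 'Mother()' / 'School-mate()': the template's name slot was never filled in.
EMPTY_NAME_RE = re.compile(r"^[A-Za-z][\w-]*\(\)\s+has created", re.M)
# The brand the text claims the card was created at.
CLAIM_RE = re.compile(r"has created .+? for you at ([\w.-]+\.[a-z]{2,})", re.I)


def is_ip_host(host):
    """True when a URL host is a bare IP literal rather than a hostname."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage(body):
    """Return the indicator names found in one message body."""
    findings = []
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    ip_hosts = [h for h in hosts if is_ip_host(h)]
    if ip_hosts:
        findings.append("link_to_numeric_ip")
    if EMPTY_NAME_RE.search(body):
        findings.append("empty_sender_name_slot")
    claim = CLAIM_RE.search(body)
    if claim and ip_hosts:
        # The text names a card site but the link goes to a raw IP: the brand is decoration.
        findings.append("claimed_domain_not_linked:" + claim.group(1).lower())
    return findings


def is_ecard_lure(body):
    """Flag when a numeric-IP link appears together with at least one other tell."""
    f = triage(body)
    return "link_to_numeric_ip" in f and len(f) >= 2


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, is_ecard_lure(body), triage(body))
```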

  • Blue Pill - Truths & Myths analysis by AVERT labs

    An interesting and technically rich article based on presentations at Black Hat last week. While hypervisor and virtualized rootkits represent advancements in malware, AVERT claims they can't hide in a 100% undetectable state.

    Blue Pill - Truths & Myths analysis by AVERT labs
    http://www.avertlabs.com/research/blog/index.php/2007/08/13/the-truths-and-myths-about-blue-pill-and-virtualized-malware/

    QUOTE: Last week I was at BlackHat, and it was a very exciting week in terms of Blue Pill and the virtualization rootkits issue in general. During the BlackHat 2007 Briefings in Las Vegas there were three interesting sessions that relate to virtualization system security and rootkits. I attended those three sessions and had a chance to chat some with three presenters. The main points I would emphasize are the following:

    1. Providing a system virtualization facility at the processor level without applying any sound security policy is a serious design flaw.

    2. A malware author's job is to leverage system design flaws, and hence the virtualization rootkits were very expected, including Blue Pill.

    3. There is no rootkit that is undetectable even if it installs itself as a hypervisor. The challenge is always in how to repair rootkits once they control some layer in the system architecture.

    4. There needs to be a more organized effort between hardware virtualization vendors, software hypervisor providers and security companies to ensure the secure deployment of virtualization solutions.

  • Stock Spam - Now uses FDF attachment types

    I've received some stock spam that uses the FDF attachment, which I wasn't familiar with. This PDF-based attachment type might need to be added to corporate email attachment blocking lists.

    Stock Spam - Now uses FDF attachment types
    http://www.f-secure.com/weblog/archives/archive-082007.html#00001246

    QUOTE: After image spam, PDF spam, DOC and XLS spam we're now seeing FDF spam. FDF apparently stands for Forms Data Format. This is a form file that's read by Acrobat and other PDF readers. The content of the file - surprise, surprise: stock spam.

  • Internet Explorer 7 Desktop Security Guide v2.0

    This appears to be a useful resource for corporate users to improve security settings for IE 7.

    Internet Explorer 7 Desktop Security Guide
    http://www.microsoft.com/downloads/details.aspx?FamilyId=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en

    QUOTE: Internet Explorer 7 offers users more protection than previous versions of the browser through a combination of new features and more secure default settings. In keeping with the need to balance security and usability, the default values for these new features and settings have been configured to offer the best choice for a broad range of users.

    This white paper examines some of these new features and settings that you can modify to provide a more "locked down" security configuration. This paper does not provide a complete review of all settings, nor is the guidance in it specifically equivalent to the Enhanced Server Configuration for Windows Server® 2003. The settings and features this paper discusses offer additional security guidance for the broadest impact on most users and administrators.

    This paper discusses both the Windows Vista® and Windows® XP versions of Internet Explorer. Administrators and system owners can use the guidance in this paper to tighten security settings in the browser to meet their specific needs. The document is structured to provide a description and review of the settings and features the paper discusses. Microsoft recommendations for enhancing the default security settings in some common deployment scenarios are also provided.

  • Article: Meetings - The Ten Worst Offenses

    We can all probably add items to this great list of tips for conducting better meetings. This is an excellent article sharing sound advice for both leaders and participants.

    Article: Meetings - The Ten Worst Offenses
    http://msn.careerbuilder.com/custom/msn/careeradvice/viewarticle.aspx?articleid=1085
     
    QUOTE: Unfortunately, meetings are not an expendable part of corporate America. They are, however – or at least they can seem like – a colossal waste of time. Mind-numbing as they may be, meetings are necessary. If conducted efficiently, they’re useful and can help you stand out in the workplace. Whether you’re the meeting leader or just a participant, prevent yourself from being “that guy” and never make these meeting mistakes:

    1. Being Unprepared.
    2. Showing Up Late.
    3. Being a Meeting Hog.
    4. Sitting Silently.
    5. Expressing Rude Body Language.
    6. Conducting Sidebar Conversations.
    7. Arguing or Putting Others Down.
    8. Leaving Your Cell Phone On.
    9. Chewing Gum.
    10. Shutting Down After the Meeting.

  • Network World Article: SOX - Five years of headaches

    This is one of the better articles I've recently read related to SOX. It shares how the expense of SOX compliance has been exacerbated by the difficulty of interpreting how to properly comply. Hopefully, improvements will be forthcoming with the new SOX guidelines that should be in effect by year-end. Some quotes from the article are noted below:

    Network World Article: SOX - Five years of headaches 
    http://www.networkworld.com/news/2007/072607-sox.html

    QUOTE(s): 

    It hasn’t been cheap: spending on SOX compliance was $5.5 billion in 2004 and is now more than $6 billion annually, according to AMR Research.

    “It was millions of dollars extra that was spent. This was due to people overcomplying, doing far more testing than was necessary,” ...

    Whereas today companies focus on 31 so-called key controls, in the days after SOX, public firms were testing for as many as 200 controls, he says.

    “It was extremely painful for everybody. Nobody really knew how to comply,” Kamens says. “Because there was so much pressure on public companies to pass, everybody was scared and they did exactly whatever auditors told them to do. Failure was not an option.”

    Smaller public companies — technically those with less than $75 million of stock in the hands of public investors — have been granted numerous extensions allowing them to postpone compliance. Currently, they are scheduled to face the requirements of SOX on Dec. 15.

    A compliance project approached correctly should cost 50% to 75% less than what companies have been spending, but many businesses insist on an inefficient, bottom-up approach that audits process-level controls like expenditures, payroll and property ...

  • Email Hoax - Planet Mars at closest distance to earth

    The August 4, 2007 daily newsletter from www.spaceweather.com warns of the continued circulation of a hoax from 2003 claiming that the Earth is nearing its closest approach to Mars ever. While Mars did make a historic close approach in 2003, the email's claims were unfounded, and the hoax resurfaces every August.
     
    This is one more example of why these alarming messages should not be forwarded to everyone you know. Folks should verify these types of messages to ensure all information is accurate. In most cases, when an email says to "pass it on" to your friends, you should pass it to the recycling bin instead.

    Email Hoax - Planet Mars is at closest distance to earth
    http://spaceweather.com/archive.php?view=1&day=04&month=08&year=2007

    Additional links on Mars email hoax
    http://science.nasa.gov/headlines/y2005/07jul_marshoax.htm
    http://www.snopes.com/science/mars.asp
    http://www.google.com/search?hl=en&q=mars+email+hoax

    QUOTE: BEWARE THE MARS HOAX: It's August, which means it's time for the annual Mars Hoax. An email is going around claiming that Mars will approach Earth on August 27th; the encounter will be so close, the email states, that Mars will rival the full Moon in size and brightness. (Imagine the tides!)  Don't believe it.

    The Mars Hoax email first appeared in 2003. On August 27th of that year, Mars really did come historically close to Earth. But the email's claim that Mars would rival the Moon was grossly exaggerated. Every August since 2003, the email has staged a revival.

    Here's something that is true: Mars is having a close encounter with the Pleiades star cluster, easily seen in the eastern sky before sunrise. Especially good mornings to look are August 6th and 7th when the crescent Moon joins the planet and the cluster to form a pretty celestial triangle. Set your alarm!

  • McAfee releases new Virus Scan engine 5200

    About once per year McAfee releases its latest AV scan engine to improve its scanning and detection process. The new engine is working well for the corporate Enterprise v8.50i. New AV engines usually provide the following benefits:

    - Improved performance
    - New algorithms to more efficiently search an ever-increasing malware library
    - Improved scanning for new technology vectors under attack
    - Ability to dig more deeply for malware threats, such as rootkits
    - Corrections of any issues in the prior engine version

    McAfee Virus Scan engine 5200 Download Site
    http://www.mcafee.com/apps/downloads/security_updates/engines.asp

    Download site for McAfee engine 5200 update in link below:  

    Engine-only Superdat File (Intel)

  • Ten Tech skills you should develop during the next five years

    When I started in IT almost 35 years ago, my first manager noted that we will learn something new in this field each day. That's true and part of the continuing education we need in the IT profession. Ten new technologies and their associated skill sets are identified in this article.

    Ten Tech skills you should develop during the next five years
    http://blogs.techrepublic.com.com/10things/?p=193

    QUOTE: If you want a job where you can train in a particular skill set and then never have to learn anything new, IT isn’t the field for you. But if you like to be constantly learning new things and developing new skills, you’re in the right business.

    1: Voice over IP
    2: Unified communications
    3: Hybrid networks
    4: Wireless technology
    5: Remote user support
    6: Mobile user support
    7: Software as a service
    8: Virtualization
    9: IPv6
    10: Security

  • Storm Worm Botnet of 1.7M could create large DDoS attack

    The well-crafted e-card attacks (which I still receive daily) have contributed to infections on almost 2 million computers. The Nuwar family is very sophisticated malware and it is difficult to remove. In addition to using rootkit techniques to hide on an infected PC, Nuwar installs a botnet client that the worm authors can direct to send spam or potentially flood a website with a distributed denial of service (DDoS) attack.

    Storm Worm Botnet of 1.7M could create large DDoS attack
    http://www.informationweek.com/news/showArticle.jhtml?articleID=201202711

    quote:  The massive Storm worm attack has built a botnet of 1.7 million computers -- large enough to unleash a highly damaging denial-of-service attack, researchers fear. As the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a botnet of nearly 2 million computers -- researchers worry about the damage hackers could wreak if they unleash a denial-of-service attack with it.

    Between July 16 and Aug. 1, researchers at software security firm Postini have recorded 415 million spam e-mails luring users to malicious Web sites, according to Adam Swidler, a senior manager with Postini. Before the Storm worm began its attack, an average day sees about 1 million virus-laden e-mails crossing the Internet. On July 19, Postini recorded 48.6 million and on July 24, researchers tracked 46.2 million malicious messages -- more than 99% of them are from the Storm worm.

    Joe Stewart, a senior security researcher at SecureWorks, noted that the number of zombie computers that the Storm worm authors have amassed has skyrocketed in the past month. From the first of January to the end of May, the security company noted that there were 2,815 bots launching the attacks. By the end of July, that number had leapt to 1.7 million. "It's really gotten enormous," said Stewart. "It's been building with exponential growth. It's one of the largest botnets I've ever heard of."

    Storm Worm Erupts Into Worst Virus Attack In 2 Years
    http://www.informationweek.com/story/showArticle.jhtml;?articleID=201200849

    quote:  Storm worm authors are blasting the Internet with two types of attacks, and both are aimed at building up their botnet.

  • More BBB Phishing targeted at executives

    Targeted phishing expeditions purportedly from the Better Business Bureau (BBB) have been circulating, and they were even noted in our local news reports. These are usually specifically targeted by name and email address at management or executives in a company. The messages are crafted in HTML to appear genuine (except for an occasional spelling error, as highlighted below). Individuals should verify authenticity with local or state agencies when in doubt and avoid any links in the email.

    More BBB Phishing targeted at executives
    http://isc.sans.org/diary.html?storyid=3224
    http://www.secureworks.com/research/threats/bbbphish/?threat=bbbphish

    QUOTE: We have information that executive staff at 3 corporations are still being targeted with emails with malicious attachments that AV vendors are finding hard to identify. The best and ongoing analysis of this highly successful attack is the BBB Phishing Trojan analysis by Joe Stewart of SecureWorks.

    EXAMPLE:  "This is an automated email that confirms the registration of your complaint case number : CX784486090 filed by your company on 7/29/2007 concerning Online Identity Theft. While The Better Bussiness Bureau Online does not resolve individual consumer problems, your complaint helps us investigate fraud, and can lead to law enforcement action.  

    ATTACHED you will find a copy of your complaint .Please print and keep this copy for your personal records. We use secure socket layer (SSL) encryption to protect the transmission of the information you submit to us when you use our secure online forms. The information you provided to us is stored securely.

  • McAfee notes milestone of 300,000 Malicious items

    Anti-virus providers must continue to handle an ever-increasing load and complexity in dealing with malware risks.

    McAfee notes milestone of 300,000 Malicious items
    http://www.avertlabs.com/research/blog/index.php/2007/08/01/300000-malicious-items-approaching-fast/

    QUOTE: In 2000 we had a little over 50,000 malicious items. That figure went to 100,000 in 2003. In August 2006 we passed the 200,000 barrier and almost exactly 1 year later, we will be passing the 300,000 barrier. With these huge numbers appearing the handling of samples can't be maintained by humans only.

  • WSJ Article - Balancing Corporate Security with personal use by employees

    The WSJ article is excellent and provides guidance on adjusting corporate security policies if needed. The article shared a few new techniques and workarounds I wasn't familiar with (e.g., the Google English-to-English web-filtering workaround).

    From a corporate perspective, you want to encourage folks to use their PCs primarily for business purposes while allowing some personal freedoms. Employees need to know that business equipment and access are being monitored for security reasons (and that the data collected could also be evaluated for productivity reasons).

    From an employee perspective, they must give their employer an "honest day's work for your wages" and ensure that any non-work activity is safe enough that their boss would not bring it up as an issue. Even though folks are being paid to work, they are spending the best hours of their day at work, and being completely restrictive (e.g., no personal use at all) can become the genesis for some of the workarounds shared.

    Given the dangers out there, it's better to be over-restrictive with corporate policy than lax. As shared in the article, security controls are a delicate balancing act for both sides. Sharing security awareness and best practices with employees can help guide them at home and in occasional personal usage of facilities at work.

    WSJ Article - Ten Things Your IT Department Won't Tell You
    http://online.wsj.com/article/SB118539543272477927.html

Powered by Community Server (Commercial Edition), by Telligent Systems