November 2007 - Posts

Minyanville is a neat site that offers stock market and investment tips. These six tips are excellent for avoiding the scam artists who try to take advantage of this busy season.

Holiday Safety Tips - Don't Fall Prey to Holiday Scams
http://www.minyanville.com/articles/index/a/14897

QUOTE: The holidays bring good cheer, mistletoe – and scam artists. Holiday scammers play on your trusting nature, desire for a bargain and “urgent need” to update your financial information in their continuing quest to separate you from your money.  Keep an eye out for these holiday scams:

1. Avoid E-Card greetings
2. Phony Sign-Up Tables at the mall or other public places offering charge cards
3. Emails requesting "Account information needed" 
4. Emails, phone calls, or regular mail claiming "You are the winner"
5. Emails or regular mail claiming that "You are approved for credit cards"
6. Other telemarketing scams

SUMMARY: Just remember what your mother taught you: If it’s too good to be true, it’s a scam. Keep that in mind and no crook will spoil your holiday.

This advice is excellent for improving safety while shopping online during the holidays.

QUOTE:

5 Ways To Increase Safety While Shopping Online

1. Shop from Reliable Retailers. It's wise to do business with companies you already know and trust. If the retailer is unfamiliar, look up information on the company with the Better Business Bureau or the Office of the State Attorney General in the state where the seller is located.

2. Use a Credit Card, Not a Debit Card Online. Credit cards limit your liability for unauthorized charges to $50. You're not assured this protection with a debit card.

3. Ask about Single Use Credit Cards. Some credit card companies use a new technology that allows them to issue a single use credit card number for online purchases. With this number, you avoid having to use your real credit card number online, so security isn't jeopardized.

4. Avoid Buying On Public Computers. A hacker or thief can easily put a keylogger on a public computer that allows him or her to know everything you've typed — including your credit card numbers and passwords. Stay away from public access computers when shopping!

5. Don't Save Your Credit Card Numbers Online. Many reputable sites give you the option to save credit card numbers online to make future purchases easy. However, if the company's database is ever successfully hacked, your information could be exposed. It's safer to re-enter your numbers with each transaction.

Webroot Safe Holiday Shopping Guide - (PDF format, 16 pages, 1.8MB)
http://www.webroot.com/pdf/Webroot_HolidayShopping_USA_1107.pdf

I may have spoken too soon, as a new batch of .cn sites are starting to show up, according to Sunbelt.

Internet Search poisoning - 2nd wave could be on the way?

Sunbelt is reporting new seedings of .cn (China) domain websites in Google (and these could possibly show up in other search engines as well). The sites are not launching exploit attacks yet, but this could change.

What to avoid: in Internet search results, avoid unusual sites with random letter/number combinations, numerical IP addresses, and sites whose domain name ends in "cn".

Sunbelt: HEADS UP: More Google poisoning on the way?
http://sunbeltblog.blogspot.com/2007/11/heads-up-more-google-poisoning-on-way.html

QUOTE:

Google has removed the sites responsible for the recent massive Google poisoning attack. However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here.  Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change.
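The "what to avoid" rule above (random letter/number domains, numerical IP addresses, .cn domains) turned into a small screening function for search-result URLs. This is an added example, not code from this post or from Sunbelt; the sample URLs, the `looks_random` thresholds and the `.cn`-only TLD check are my own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample search-result URLs for illustration; not from the page.
SAMPLE_URLS = [
    "http://www.example.com/router-firmware",
    "http://x7k2q9d.cn/index.html",
    "http://192.0.2.10/search?q=firmware",
    "http://qzxvtr.cn/",
]

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
VOWELS = set("aeiou")


def looks_random(label: str) -> bool:
    """Heuristic for 'random letter/number combos' (assumed thresholds):
    a label that switches between letters and digits at least three times,
    or a label of six or more characters with no vowels at all."""
    label = label.lower()
    transitions = sum(
        1 for a, b in zip(label, label[1:]) if a.isdigit() != b.isdigit()
    )
    no_vowels = len(label) >= 6 and not (set(label) & VOWELS)
    return transitions >= 3 or no_vowels


def screen_url(url: str) -> list:
    """Return the reasons a search-result URL matches the 'what to avoid'
    rules; an empty list means nothing was flagged."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if IPV4_HOST.match(host):
        reasons.append("numeric IP address instead of a domain name")
        return reasons
    labels = host.split(".")
    if labels[-1] == "cn":
        reasons.append("domain ends in .cn")
    # The label just before the TLD; two-level TLDs are ignored for brevity.
    if len(labels) >= 2 and looks_random(labels[-2]):
        reasons.append("random-looking letter/number label: " + labels[-2])
    return reasons


def is_suspicious(url: str) -> bool:
    return bool(screen_url(url))


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", screen_url(u) or "ok")
```

Treat a flag as a reason to look closer rather than as proof: a crude randomness test will also trip on some legitimate short labels, and the attackers are not limited to one TLD.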

Some interesting research is posted in the entries below. The participants could be getting more than just music or video, as this environment is also a major conduit for malware.

Majority of Internet bandwidth consumed by P2P services
http://blogs.techrepublic.com.com/tech-news/?p=1651

Consumption moves to 95% at night
http://arstechnica.com/news.ars/post/20071128-nocturnal-p2p-transmissions-account-for-95-percent-of-internet-bandwidth.html

QUOTE: New research from German deep packet inspection gear maker Ipoque shows that P2P traffic consumes anywhere between 49 and 89 percent of all Internet traffic in the day. At night, it can spike up to an astonishing 95 percent.

Good news: Google has filtered these malicious sites out of its indexes.
Bad news: these malicious sites are still out there on the Internet.

Google fixes malicious redirects to malware sites from its search results

The malicious redirecting sites are still present, and folks need to be cautious at all times. The improved filtering should reduce the likelihood of hostile sites being returned on the first few pages of a search.

Google expunges malware sites from search results
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9049820

QUOTE: Google Inc. has purged its index of the thousands of malware sites that wormed their way into results lists for hundreds of legitimate search phrases, researchers confirmed today.

"They look gone to us," said Alex Eckelberry, the CEO of Sunbelt Software, the company that broke the news Monday of a massive, coordinated campaign by attackers to spread malware through search results on Google, Yahoo, Microsoft Live Search and other sites.

Some updates are noted below on this very serious threat: malicious web sites that may be offered in Internet search results (e.g., Google). Numerous malicious pages are being created so that they appear prominently on the first few pages of a search (ranked high in the order of results, which suggests the malware gang has keyed in on Google's site ranking methodology).

Below is some excellent advice from Sandi on what to avoid:

http://msmvps.com/blogs/spywaresucks/archive/2007/11/27/1359221.aspx

QUOTE: Take a close look at the URLs for the malware links; they are all random collections of letters and numbers, and they're all Chinese domains. Users of Google (and other web search engines) need to pay close attention to the links that are being offered, and avoid anything that just doesn't look right, and certainly avoid 'nonsense' domains like those in the Sunbelt screenshots


Below is the latest update from Sunbelt on this threat: 

http://sunbeltblog.blogspot.com/2007/11/malware-redirects-aftermath_27.html

QUOTE: Sunbelt Software has uncovered tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages.


Sunbelt is classifying this particular threat as follows in CounterSpy:

SCAM.IWin Malware Family
http://research.sunbelt-software.com/threatdisplay.aspx?name=Scam.Iwin&threatid=43561

QUOTE: Scam.Iwin is created by a browser exploit for the purpose of transmitting false clicks to internet URLs. The victim's computer is used to generate income for the attacker in a pay-per-click affiliate program by transmitting false clicks to the attacker's URLs without the user's knowledge. The infected Scam.Iwin files are not ordinarily visible to the user. The files are executed and run silently in the background when the user starts the computer and/or connects to the internet. Scam.Iwin is thought to be related to CoolWebSearch.


Original post from yesterday:

http://myitforum.com/cs2/blogs/hwaldron/archive/2007/11/27/internet-searches-massive-number-of-redirects-to-malicious-sites.aspx

If the "123" extension type (Lotus 1-2-3 spreadsheet format) is not being used, it might be valuable to add it to the email attachment blocking list used by Lotus Notes shops. There are workarounds for versions 5 and 7, and IBM may have a version 6 solution by the end of the month.

Lotus Notes - vulnerable to attack through "123" extension
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9049439
http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21285600

QUOTE: Sebastián Muñiz from the CORE IMPACT Exploit Writers Team (EWT) at Core Security Technologies contacted IBM® Lotus® to report a potential keyview buffer overflow vulnerability in Lotus Notes® when viewing a Lotus 1-2-3 (.123 extension) file attachment. In specific situations it was found that the possibility exists to execute arbitrary code.

To successfully exploit this vulnerability, an attacker would need to send a specially crafted Lotus 1-2-3 file attachment to users, and the users would then have to double-click and View the attachment.

There are a number of new features and improvements that the next version of SQL Server will provide when it is released in 2008.

MVP Brad McGehee discusses the ins and outs of SQL Server 2008
http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1283694,00.html

QUOTE: With the release of the recent SQL Server 2008 Community Technology Preview, and a final product expected in the second half of 2008, SQL Server MVP Brad McGehee shared some of his insights with SearchWinIT.com on the product's complexity, what's new for IT managers and DBAs and where the database still needs a little work.

Sunbelt posted this cautionary note today, advising folks to be careful when selecting links provided by an Internet search. One theory for how the results are being seeded is malicious links posted in blogs, forums, or other community sources. Given the dangers of email and hostile URLs, it is important to stay as up-to-date as possible on security patches, AV protection, and old-fashioned common sense.

BREAKING: Massive amounts of malware redirects in searches
http://sunbeltblog.blogspot.com/2007...f-malware.html

QUOTE: We’re seeing a large amount of seeded search results which lead to malware sites. These are using common, innocent terms — one researcher landed on a malware site through searching for alternate firmware for a router.

QuickTime, and possibly iTunes, could be affected by malformed RTSP headers found in QT music formats. Users should be careful with email attachments and website visits, and should watch for any forthcoming QuickTime updates, as Apple will most likely patch this serious vulnerability promptly.

Apple QuickTime and iTunes Critical Vulnerabilities 
http://secunia.com/advisories/27755/
http://isc.sans.org/diary.html?storyid=3690
http://www.frsirt.com/english/advisories/2007/3984
http://www.kb.cert.org/vuls/id/659761
http://www.f-secure.com/weblog/archives/00001325.html

QUOTE: Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header. This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream. Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability.

ISC UPDATE-1:  We have received a report that exploits are now working for Vista, XP, IE6, IE7, and Safari 3.0 on Windows.  Keep in mind that other attack vectors may be vulnerable as well.

ISC UPDATE-2:  Firefox has been reported as an exploit vector as well.

While these 10 tips shared in an InformationWeek article require some work, they will help ensure safety both at home and on the road:

Wireless Security - 10 tips to secure your laptop
http://www.informationweek.com/news/showArticle.jhtml?articleID=203102748

QUOTE: Whether you're home or on the road, these security steps will help protect you and your computer from wireless scoundrels:

1. Make sure you are connecting to the right network.
2. Secure your connection.
3. Use frequency settings that are different from others.
4. Find the strongest signals.
5. Turn off your wireless network adapter when you are on the plane.
6. Use whole disk encryption on your laptop.
7. If you are having trouble connecting to a network, try rebooting Windows.
8. Make sure you have a firewall and it is running.
9. Pick your hotspot connection and your supplier carefully.
10. Finally, don't blithely accept SSL certificates and SSH public keys.

AVERT Labs, a security division of McAfee, has projected the top 10 threats for 2008 based on current trends.

http://www.avertlabs.com/research/blog/index.php/2007/11/19/avert-labs-2008-threat-predictions/

QUOTE:  The complete set of predictions is available for download on McAfee’s Threat Center (PDF link here) as well as a bonus episode of our podcast Audio Parasitics.

I recently received a copy, and it is well crafted. The email address is spoofed to appear as if it came from this government agency, and the text related to the company complaint appears convincing. As I'm not the proper person this should be addressed to, I was 99% certain this was similar to other recent attacks and avoided any infection.

Email attacks can be both convincing and dangerous. In this case, McAfee DAT protection came a few days after I received this copy (and they are usually among the first AV companies to provide protection). When any unexpected email message calls for action, it is always beneficial to pause and avoid taking any action. In most cases, an unexpected email of this nature is an attack. When in doubt, verify an email message through a phone call or via the true main web site.

McAfee Information - Keylog-LMtry Trojan
http://vil.mcafeesecurity.com/vil/content/v_143577.htm

Washington Post
http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html?nav=rss_blog

WebSense Alert
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=822

Firefox is a highly functional and fairly secure browser that can be used to complement Internet Explorer 7 in the Windows environment. I've been testing the alpha version (aka Minefield) for several months, and it has been reliable, with just a few crashes experienced. The first beta was installed using the "clean install" technique, and so far it seems to be working well.

Firefox 3.0 Beta 1 - Now Available
http://www.mozilla.com/en-US/firefox/all-beta.html

QUOTE: The Mozilla Corporation today released Firefox 3 Beta 1, which is now available for download in a variety of languages. The beta includes updates to the default theme, the new places site management features, improved security architecture, and Gecko 1.9.

Firefox 3.0 Beta 1 - Release notes
http://www.mozilla.com/en-US/firefox/3.0b1/releasenotes/

Firefox 3.0 Project Page
http://wiki.mozilla.org/Firefox3

Related Mozilla Blog entries
http://blog.mozilla.com/blog/2007/11/20/firefox-3-beta-1-ready-for-testing/
http://developer.mozilla.org/devnews/index.php/2007/11/19/firefox-3-beta-1-now-available-for-download/

The following resources are excellent for defining the requirements related to SOX 404 IT controls:

SOX 404 Powerpoint presentation by EKS&H (11 slides, 820KB)
selecting this link will download this PPT file
http://www.hftpcoloradofrontrange.org/dwnlds/HFTP_SOX_Presentation.ppt

SOX 404 PDF detailed requirements by KPMG (48 pages, 880kb)
http://www.kpmg.com/aci/docs/PCAOB_S-O_404_v9.pdf

ISACA - Free PDF version of COBIT 4.0
http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1920

QUOTE: The ISACA is now offering free PDF versions of COBIT 4.0 (plus the older 3.0 standards as well). You'll need to follow the registration process through, and once you become a member you can log in and obtain a PDF copy. There are also additional benefits and documents if you become a paid member of ISACA. Many external audit firms use COBIT standards to ensure SOX 404 requirements are met. This free benefit can help folks get started with key IT standards they may need to implement to safeguard their financial systems.
