Sharing Security Developments, and Best Practices for corporate and home users
February 2008 - Posts
A new series of targeted attacks has been spammed out that appears to be official government business. These attacks even download genuine PDF forms from the government site to make the message look more legitimate. Users should delete these messages and in particular avoid opening any attachments, as AV protection may not be fully available in all cases.
More Targeted attacks - Disguised as official government emails
http://vil.nai.com/vil/content/v_142478.htm
http://vil.nai.com/images/142478.gif
QUOTE: McAfee Avert Labs has seen multiple large spam runs of Spy-Agent.cf. The attachment called complaint.zip is malicious. Upon execution the trojan connects to malicious web sites. It also downloads legitimate PDF files, probably to deceive the user that it is a legitimate application. This variant of trojan also has capability to download other trojans and malware on the system, for that it may contact the following website ...
This is not a major concern, except that AV detection on these platforms is almost non-existent, so anyone who is careless in these environments has little protection.
EnergyMech IRC Bot - ported to Mac, Linux, and FreeBSD
http://isc.sans.org/diary.html?storyid=4042
QUOTE: Yesterday I received samples of an IRC bot. This in itself would be nothing interesting except the fact that the archive contained binaries for FreeBSD and Mac (Darwin, ppc). After initial analysis I found out that it's nothing special – just a port of a well known IRC bot called EnergyMech. The most interesting thing was that the attacker compiled it for FreeBSD and Mac. This probably didn't require any extra effort though since it compiles out of the box on FreeBSD and Linux anyway.
Mobile computing devices like the iPhone or Windows Mobile Pocket PC should be periodically checked for updates, and AV protection may also be desirable. More importantly, users should be careful about the sites they visit and particularly about any new software they install on their devices.
WinCE/InfoJack - New Trojan impacts Windows Mobile PocketPC
http://www.avertlabs.com/research/blog/index.php/2008/02/26/windows-mobile-trojan-sends-unauthorized-information-and-leaves-device-vulnerable/
QUOTE: A Windows Mobile PocketPC trojan that disables Windows Mobile application installation security has been discovered in China. WinCE/InfoJack sends the infected device’s serial number, operating system and other information to the author of the trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The trojan modifies the infected device’s security setting to allow unsigned applications to be installed without a warning. The trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, applications for stock trading, and a collection of games.
There is speculation among some of the technology watch groups that the first beta for IE 8 may be released in the near future. IE 8 will feature improved compatibility with some of the industry standards, including the Acid2 test. This new browser environment will be interesting to both test and explore when it debuts.
IE 8 Beta 1 may be offered to developers soon
http://blogs.zdnet.com/microsoft/?p=1214
http://www.activewin.com/awin/comments.asp?HeadlineIndex=42767
QUOTE: According to the invitation, Microsoft is planning to make IE 8 Beta 1 available to the general public, as well. But before that happens, an invitation-only test program will be conducted. The invitation describes IE 8 Beta 1 being focused on developers.
IE 8 Beta - Passes Acid2 test http://blogs.msdn.com/ie/archive/2007/12/19/internet-explorer-8-and-acid2-a-milestone.aspx
QUOTE: As a team, we’ve spent the last year heads down working hard on IE8. Last week, we achieved an important milestone that should interest web developers.
Watch for official news that might be posted on Microsoft's IE blog:
http://blogs.msdn.com/ie/
It is always beneficial when standards and best approaches are shared between vendors, as security, interoperability, and efficiencies improve.
Microsoft Announcement - Offers greater interoperability with 3rd parties http://www.microsoft.com/presspass/presskits/interoperability/default.mspx
QUOTE: Microsoft today announced a set of broad-reaching changes to its technology and business practices to increase the openness of its products and drive greater interoperability, opportunity and choice. These changes are codified into four new interoperability principles and corresponding actions: 1) ensuring open connections; 2) promoting data portability; 3) enhancing support for industry standards; and 4) fostering more open engagement with customers and the industry, including open source communities.
This is a case about a hacker who stole sensitive pre-announcement information from a company with weak security controls. The hacker bet on the likelihood that the stock price would tumble and made close to $300,000 in the process. The court ruled in favor of the hacker, allowing him to keep the money, and since he is in Ukraine he probably won't be prosecuted.
I feel the judge made an error in evaluating the case. Most likely the ruling was based on the wording rather than the spirit of the law. Whether sensitive stock valuation information is shared or stolen in an unauthorized manner, it still violates laws applicable to insider trading. The SEC should strengthen the applicable wording to prevent recurrences in the future.
SEC loses insider trading computer hacking case
http://www.theregister.co.uk/2008/02/19/insider_trading_catch22/
Based on ZDNet lab tests, Vista SP1 provides equal and in some cases better performance than Windows XP SP2. It is always tough to benchmark different operating systems, as various settings may need to be adjusted so that the performance testing is on an equal footing. In earlier tests there was a very slight advantage for XP SP2, so your mileage may vary, but not by enough to make performance a point of differentiation in selecting which OS you may want to use.
Vista SP1 versus XP SP2 performance benchmarks
http://blogs.zdnet.com/Bott/?p=369
QUOTE: The first rule of benchmarking is: Your mileage may vary. On Ed Bott's test bed, with one exception, Vista SP1 was consistently as fast as or faster than XP SP2. Why the difference from Adrian Kingsley-Hughes' experience? Ed has a few theories.
Earlier tests
http://blogs.zdnet.com/hardware/?p=1332
http://blogs.zdnet.com/hardware/?p=1338
Based on testing and extrapolation of spam sampling results, this new 35,000-member botnet may be generating up to 30% of the spam email sent world-wide. While the Storm worm still has far more spam-producing capacity, it can fall into periods of silence based on controls issued by the malware authors. This botnet should be followed closely, as it is most likely in second place when it comes to world-wide spam generation.
Ozdok/Mega-D Botnet - May be generating 30% of all spam world-wide
http://www.secureworks.com/research/threats/ozdok/?threat=ozdok
http://www.marshal.com/trace/traceitem.asp?article=510
QUOTE: Last week the TRACE research team at Marshal put forth some statistics regarding spam activity from botnets. The statistics pointed to a botnet dubbed "Mega-D" as the new leader of the spambot pack, spewing 32% of the world's spam according to Marshal's spamtraps. This set off a firestorm of speculation: what family of malware was behind this previously unknown botnet? How had it emerged to challenge Storm with hardly a mention in any research articles or press? Based on the number of bots connecting to mail servers we monitor, we estimate that Mega-D consists of around 35,000 infected machines worldwide. This is a very strong botnet, but hardly a challenger to Storm. Even though Storm has waned to around 85,000 bots, it still holds far more spamming capacity.
Most AV vendors currently detect the Ozdok botnet agent:
http://www.virustotal.com/analisis/f24030f569a4777775a88c32ced84fe4
Companies should perform vulnerability assessments and penetration tests on a regular basis. This best practice is valuable for IT security professionals to perform quarterly to assess weaknesses in the security defenses. There is also significant educational value, as security team members will increase their knowledge and better protect the company's information assets.
The vulnerability assessment is the analysis of the entire network and the human control systems, looking for any design weaknesses in the security architecture. Penetration testing involves using network scanning tools to locate hidden weaknesses in the technical safeguards protecting the company.
Many basic security concerns can be checked with commercial and even freely available scanning tools. Annually, a more comprehensive test can be performed by an external consulting firm specializing in this process. Companies that are not evaluating or testing their controls could encounter unexpected weaknesses in those controls (e.g., test server settings, admins not completely locking down servers, etc.).
Doing an audit/pentest or other assessment? http://isc.sans.org/diary.html?storyid=3989
QUOTE: Audit, Security Assessments, Penetration testing and its little sister vulnerability scanning are useful tools to get an idea of the weaknesses in your network. It is important enough for standards such as PCI-DSS, ISO/IEC 27001, SOX and others to insist on it and many governments around the world insist on it for their agencies.
What is Network Penetration Testing? http://en.wikipedia.org/wiki/Penetration_test
Network Penetration Testing - Best Practices
http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1233892,00.html
http://articles.techrepublic.com.com/5100-1009_11-5755555.html
http://www.securityfocus.com/infocus/1736
http://www.cuinfosecurity.com/html/webinar-penetration-testing.html
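One concrete way to act on the post above, where the concern is that untested controls drift (a test server left exposed, a server an admin never fully locked down), is to keep an approved baseline of exposed services and diff each periodic scan against it. The script below is an added example, not code from the original post or from any of the linked articles. Its input format (one "host port/proto service" line per finding, with "#" comments) and the high-risk service list are constructed simplifications, not any real scanner's output.

```python
"""
Baseline-drift check to support periodic vulnerability assessments.
Added example (not from the original page). It compares the services exposed
in the latest scan against an approved baseline and reports what changed, so
that a forgotten test server or a service an admin never locked down is
surfaced instead of silently accepted. The line format is a constructed
simplification, not a real scanner's output format.
"""
from collections import defaultdict

# Services that should never appear without explicit approval (constructed list).
HIGH_RISK = {"telnet", "ftp", "ms-sql", "rdp", "vnc", "smb"}


def parse_scan(text: str) -> dict:
    """Parse 'host port/proto service' lines into {host: {(port, proto): service}}."""
    found = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        host, port_proto, service = line.split()
        port, proto = port_proto.split("/")
        found[host][(int(port), proto)] = service
    return dict(found)


def compare(baseline: dict, current: dict) -> list:
    """Return (severity, host, description) findings, grouped by host."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        base = baseline.get(host, {})
        cur = current.get(host, {})
        if host not in baseline:
            findings.append(("high", host, "host not in baseline"))
        # Anything listening that the baseline does not approve.
        for (port, proto), svc in sorted(cur.items()):
            if (port, proto) not in base:
                sev = "high" if svc in HIGH_RISK else "medium"
                findings.append((sev, host, f"unexpected {svc} on {port}/{proto}"))
            elif base[(port, proto)] != svc:
                findings.append(("medium", host,
                                 f"service on {port}/{proto} changed: {base[(port, proto)]} -> {svc}"))
        # Approved services that vanished: usually an outage, sometimes tampering.
        for (port, proto), svc in sorted(base.items()):
            if (port, proto) not in cur:
                findings.append(("low", host, f"expected {svc} on {port}/{proto} no longer reachable"))
    return findings


def assess(baseline_text: str, current_text: str) -> list:
    """Parse both inputs and return the drift findings."""
    return compare(parse_scan(baseline_text), parse_scan(current_text))


# Constructed sample data (hypothetical hosts).
BASELINE = """
web01  80/tcp    http
web01  443/tcp   https
mail01 25/tcp    smtp
mail01 443/tcp   https
"""

CURRENT_SCAN = """
web01  80/tcp    http
web01  443/tcp   https
web01  3389/tcp  rdp      # remote administration left enabled
mail01 25/tcp    smtp     # the webmail listener has disappeared
test01 80/tcp    http     # host is not in the approved baseline at all
test01 1433/tcp  ms-sql
"""

if __name__ == "__main__":
    for sev, host, what in assess(BASELINE, CURRENT_SCAN):
        print(f"[{sev:<6}] {host:<7} {what}")
```

Run quarterly alongside the scan itself, the "high" findings are the ones to ticket immediately; the "low" findings are worth a look too, since a service that silently stopped answering is sometimes the first sign of a compromised or misconfigured host.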
The Mozilla Foundation has released the third beta of Firefox version 3, which contains some new security and functional features. This beta is mainly targeted at IT professionals rather than end users. So far in early testing it is reliable, performs well, and provides significant improvements over the second beta.
Firefox Version 3 Beta 3 - New Security and Functional Features emerge
http://etech.eweek.com/content/web_technology/firefox_3_beta_3_brings_a_new_browsing_interface.html
http://developer.mozilla.org/devnews/index.php/2008/02/12/firefox-3-beta-3-now-available-for-download/
http://www.mozilla.com/en-US/firefox/3.0b3/releasenotes/
QUOTE: With the release today of Beta 3 of Firefox 3, we are definitely getting closer to the final release of Mozilla's open-source Web browser. But for a third beta, this version of Firefox 3 includes some fairly significant changes from the previous betas, including changes to the main user interface of the browser. New features and changes in this milestone that require feedback include:
-- Improved security features such as: better presentation of website identity and security including support for Extended Validation (EV) SSL certificates, malware protection, stricter SSL error pages, anti-virus integration in the download manager.
-- Improved ease of use through: easier add-on discovery and installation, improved download manager search and progress indication in the status bar, resumable downloading, full page zoom, and better integration with Windows Vista, Mac OS X and Linux.
-- Richer personalization through: one-click bookmarking, smart bookmark folders, location bar that uses an algorithm based on site visit recency and frequency (called “frecency”) to provide better matches against your history and bookmarks for URLs and page titles, ability to register web applications as protocol handlers, and better customization of download actions for file types.
-- Improved platform features such as: new graphics and font rendering architecture, JavaScript 1.8, major changes to the HTML rendering engine to provide better CSS, float-, and table layout support, native web page form controls, colour profile management, and offline application support.
-- Performance improvements such as: better data reliability for user profiles, architectural improvements to speed up page rendering, over 350 memory leak fixes, a new XPCOM cycle collector to reduce entire classes of leaks, and reductions in the memory footprint.
Firefox download site for all world-wide versions http://www.mozilla.com/en-US/firefox/all-beta.html
After some "test runs" in early February, new waves of the Storm worm are now surfacing using Valentine's Day themes. These spammed email messages are designed to trick individuals into visiting the malicious websites (the links use numeric IP addresses and lack the more detailed personalization one would find in true e-cards sent at this time of year). If the associated EXE file lurking on the website is opened, the malware installs silently on the system. This new wave of attacks is not well detected by AV products, as the malware agent is automatically changed every hour. Avoid these emails completely, so you don't end up broken-hearted on Valentine's Day.
Storm Worm - Valentine's Day e-card Attacks
http://www.avertlabs.com/research/blog/index.php/2008/02/12/valentine-nuwar/
http://www.f-secure.com/weblog/archives/00001377.html
http://blog.trendmicro.com/storm-sure-loves-everybody/
http://isc.sans.org/diary.html?storyid=3979
http://asert.arbornetworks.com/2008/02/new-storm-valentines-day-campaign/
http://uploadmalware.blogspot.com/2008/02/and-so-it-begins.html
QUOTE: With Valentine’s Day coming this week, we have seen a new wave of Nuwar spamming this Monday evening, amounting to more than 20 variants in a couple of hours. Detection for these variants from major AV vendors was near nonexistent, as the Nuwar writer is using a new compiler this time to bypass detection. While we saw the Valentine’s day campaign start in January, it’s morphed. This time using the following approaches (some old, some new):
-- raw IP addresses in the spam lures
-- the filename is now “valentine.exe”, using a redirect and a clickable link
-- much more simple HTML websites
-- subjects include “Blind Love”, “Just You” and other warm fuzzy subjects
-- rapidly changing MD5 hashes
-- poor AV detection
EXAMPLE TO AVOID
Subject: Sweetest Things Aren't Things!
Date: Mon, 11 Feb 2008 13:13:58 +0900
From: REMOVED
To: Susan
Text: Love Poem: (Malicious numeric IP address removed)
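Both this post and the Spy-Agent.cf post earlier on this page describe lures that a mail gateway can screen for without any signature: links whose host is a bare numeric IP address, links or attachments that point straight at an executable, and a ZIP attachment (complaint.zip) that unpacks to an executable. The script below is an added example, not code from the original page or from any of the vendors quoted; the sample messages are constructed, and the address 192.0.2.10 is from the documentation range rather than a real lure.

```python
"""
Mail-screening heuristics for the lure patterns described in the posts above.
Added example (not from the original page). Sample messages are constructed.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# File extensions treated as executable content (constructed policy list).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# A URL whose host is a bare dotted-quad rather than a host name.
RAW_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?", re.I)
ANY_URL = re.compile(r"https?://\S+", re.I)


@dataclass
class Message:
    subject: str
    body: str
    attachments: dict  # file name -> raw bytes


def make_zip(inner_name: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP archive holding one member (for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


def zip_members(data: bytes) -> list:
    """Member names of a ZIP attachment; a corrupt archive yields an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def screen(msg: Message) -> list:
    """Return the lure indicators found in one message (empty list = nothing flagged)."""
    findings = []
    for m in RAW_IP_URL.finditer(msg.body):
        findings.append(f"raw-ip-url:{m.group(1)}")
    for m in ANY_URL.finditer(msg.body):
        url = m.group(0).rstrip(".,;)")  # strip trailing punctuation from prose
        if url.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"executable-link:{url}")
    for name, data in msg.attachments.items():
        lower = name.lower()
        if lower.endswith(EXECUTABLE_EXT):
            findings.append(f"executable-attachment:{name}")
        elif lower.endswith(".zip"):
            # complaint.zip pattern: an archive that unpacks to an executable
            inner = [n for n in zip_members(data) if n.lower().endswith(EXECUTABLE_EXT)]
            if inner:
                findings.append(f"zip-with-executable:{name}->{inner[0]}")
    return findings


def verdict(msg: Message) -> str:
    """Gateway decision: hold anything with at least one indicator."""
    return "quarantine" if screen(msg) else "deliver"


# Constructed samples modelled on the lures described in the posts.
SAMPLES = {
    "valentine": Message(
        subject="Blind Love",
        body="Love Poem: http://192.0.2.10/valentine.exe",
        attachments={},
    ),
    "complaint": Message(
        subject="Complaint filed against your business",
        body="Please review the attached complaint form.",
        attachments={"complaint.zip": make_zip("complaint.exe", b"MZ-not-a-real-binary")},
    ),
    "newsletter": Message(
        subject="Weekly agenda",
        body="Agenda: https://intranet.example.com/agenda.pdf",
        attachments={"agenda.pdf": b"%PDF-1.4 constructed"},
    ),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:<10} {verdict(msg):<10} {screen(msg)}")
```

The value of checks like these is that they key on the delivery mechanism (a raw IP in the link, an executable behind a "greeting card" or "complaint") rather than on the binary, so they keep working while the sample changes every hour and signature detection lags behind.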
There are a "bumper crop" of important security updates for Windows, MS/Office, and IE this month. I've installed these at work and so far so good. The ISC link should be monitored for any developments of exploits or installation issues related to these important updates. 
http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx
Microsoft is releasing the following eleven new security bulletins for newly discovered vulnerabilities:

Bulletin   Max Severity  Impact                   Affected Products
MS08-003   Important     Denial of Service        Windows 2000, Windows XP, Windows Server 2003
MS08-004   Important     Denial of Service        Windows Vista
MS08-005   Important     Elevation of Privilege   Windows 2000, Windows XP, Windows Server 2003, Windows Vista
MS08-006   Important     Remote Code Execution    Windows XP, Windows Server 2003
MS08-007   Critical      Remote Code Execution    Windows XP, Windows Server 2003, Windows Vista
MS08-008   Critical      Remote Code Execution    Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Office 2004 for Mac, and Visual Basic 6.0
MS08-009   Critical      Remote Code Execution    Office 2000 SP3, Office XP SP3, Office 2003 SP2
MS08-010   Critical      Remote Code Execution    All IE on Windows 2000, Windows XP, Windows Server 2003, and Windows Vista
MS08-011   Important     Remote Code Execution    Office 2003 SP2, Office 2003 SP3, Works 8.0, and Works Suite 2005
MS08-012   Critical      Remote Code Execution    Office 2000 SP3, Office XP SP3, and Office 2003 SP2
MS08-013   Critical      Remote Code Execution    Office 2000 SP3, Office XP SP3, and Office 2003 SP2, Office 2004 for Mac
Professionals who work at home should ensure they are following the best practices as well as ethically providing a good full day of work for their employers. This Cisco study highlighted some areas of security concern for remote workers.
Cisco Study on Remote Workers Reveals Need for Greater Diligence Toward Security http://newsroom.cisco.com/dlls/2008/prod_020508.html
QUOTE: Some of the key findings and reasons for risky behavior in year two include:
- Opening emails and attachments from unknown or suspicious sources: Although it is one of the age-old security risks, many remote workers admit that they still open suspicious emails and attachments despite the potential for triggering malware attacks. China (62 percent) is the most egregious offender. But arguably more disturbing is a growing trend in entrenched Internet-adopter countries like the United Kingdom (48 percent), Japan (42 percent), Australia (34 percent) and the United States (27 percent). For example, in Japan, 14 percent admit they open both an unknown or suspicious email and any attachments.
- Using work computers and devices for personal use: A 3 percentage-point increase year-over-year shows that more remote workers use corporate devices for personal use, such as Internet shopping, downloading music, and visiting social networking sites. This trend occurs in eight of the 10 countries, and the highest year-to-year spike occurs in France (27 percent to 50 percent). In Brazil, this trend rose 16 percentage points despite an increasing number of respondents agreeing that this was unacceptable behavior (37 percent to 52 percent year-over-year).
Reasons Offered: "My company doesn't mind me doing so", "I'm alone and have spare time", "My boss isn't around", "My IT department will support me if something goes wrong".
- Allowing non-employees to borrow work computers and devices for personal use: As employees work more from home, the likelihood increases that they will share corporate devices with non-employees (e.g. family, roommates) who are not educated by IT or held to a company's security policies. This trend is increasing. While China features the highest rate of "device sharing" for the year (39 percent), the United Kingdom (from 7 percent in 2006 to 22 percent in 2007) and France (from 15 percent to 26 percent) reveal steep year-over-year increases.
Reasons Offered: "I don't see anything wrong with it", "My company doesn't mind me doing so", "I don't think it increases security risks", "Co-workers do it".
- Hijacking wireless Internet connections from neighbors: Globally, 12 percent of remote workers admit to accessing a neighbor's wireless connection, with threefold year-to-year increases in Japan (6 percent to 18 percent) and France's 10 percent year-to-year rise (5 percent to 15 percent) representing the fastest-growing rates. China (from 19 percent in 2006 to 26 percent in 2007) and the United Kingdom (from 6 percent to 11 percent) also feature significant increases.
Reasons Offered: "I needed it because I was in a bind", "It's more convenient than using my wireless connection", "I can't tell if I'm using my own or my neighbor's wireless connection", "My neighbor doesn't know, so it's OK".
- Accessing work files with personal, non-IT-protected devices: Accessing corporate networks and files with devices that are not protected by an employee's IT team presents security risks to the company, its information and its employees. As the number of remote workers grows, the study reveals an annual rise (45 percent in 2006 to 49 percent in 2007) in this behavior. It's widespread in many countries, especially China (76 percent), the United States (55 percent), Brazil (52 percent) and France (48 percent).
Reasons Offered: "These devices are secure with antivirus and other content security software", "I regularly use these devices to access my network", "My IT department has said it's OK to do so".
While a few software packages write to the Windows registry and to configuration files, often a group of corporate users can work in a more protected mode. If this group of users will not be installing software or needing advanced local ADMIN functionality, using limited accounts can better protect them against malware attacks. While some malware attacks can succeed even under limited accounts, this setting greatly improves protection against many virus and spyware attacks.
For home users, creating additional protected accounts of this nature enhances protection as well. Home users can log on to the secondary account for safer web browsing and email processing in their routine use of the system, and log on to the ADMIN account only when they need to install software. This gives users the best of both worlds.
Minimizing User Rights Can Increase Security http://www.eweek.com/c/a/Security/Minimizing-User-Rights-Can-Increase-Security/
QUOTE: Minimizing user rights on a machine is a key part of security and risk management, and should be balanced with business continuity concerns. Sometimes, less is more—at least when it comes to user rights and security. Taking a least-privilege approach to user accounts is a key part of any in-depth defense strategy, many analysts and security pros say.
In its defense, Microsoft has built the User Account Control feature into Windows Vista, allowing IT administrators to elevate their privilege for specific tasks and application functions while still running most applications, components and processes with a limited privilege. Other companies such as Symark Software and BeyondTrust also look to address the issue of least privilege with their software.
A least-privilege approach, some argue, ensures that users always log on with limited account privileges, and can be used to restrict the use of administrative credentials to certain individuals and for certain tasks, such as installing programs. Malware sometimes is written to exploit elevated privileges and thus spread more rapidly, offering businesses another reason to restrict privileges. However, doing so can affect business productivity, which makes some businesses wary.
Further recent discussion can be found in this forum thread:
http://www.myitforum.com/forums/m_172828/mpage_1/key_/tm.htm#173611
A few AV vendors (e.g., McAfee, F-Secure) have been successful in penetrating some of the complex security of the Storm botnet. This complex attack features a unique "fast flux" P2P client/server design. Authorities trying to track down and arrest these malware writers may now know the specific individuals behind the Storm worm. If the authors are found and arrested, it will provide the most effective way to stop this complex attack.
Storm Worm - Authorities may have identified the authors
http://www.internetnews.com/ent-news/article.php/3724966
QUOTE: American and Russian law enforcement agencies have finally identified the criminals behind the Storm worm, one of the nastiest pieces of malware to ever hit the Internet. Now comes the hard part: arresting them. The exact number of people involved as well as their identities aren't being released while Russian authorities wind their way through multiple diplomatic, law enforcement and government channels. Storm has been one of the toughest worms to eradicate because it was crafted so well. It mutates every 30 minutes, making it impossible for signature-based antivirus products to catch it, and there are no central command and control servers to take out like most other worms. Alperovitch said the group responsible for creating Storm is based in St. Petersburg, a city that seems to be a magnet for computer criminals. Other gangs are based there, including the creators of the MPack malware development kit. St. Petersburg was also the home of the Russian Business Network, an Internet service provider that hosted all kinds of malware ... 