March 2008 - Posts

QUOTE: A while ago we blogged about the MBR rootkit, which has been getting attention from all the security vendors. We're glad to inform you that the latest version of the F-Secure BlackLight standalone rootkit scanner now detects MBR rootkit infections.

Unfortunately, Hannaford experienced a "targeted" attack, a growing trend in malware-related incidents. AV controls may or may not catch these uniquely crafted attacks, although other layers of defense should have helped detect or mitigate this incident. Another disturbing aspect of this attack is that Hannaford was also rated as PCI DSS compliant.

Hannaford Supermarket Chain - 4.2 Million Credit Card Numbers Stolen

Hannaford Supermarket - Press Release
(What to do if you are a victim)

Hannaford may not have to pay banks' breach costs under PCI, says Gartner

QUOTE:  PORTLAND, Maine (AP) -- Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.'s supermarkets across the Northeast and in Florida enabled the massive data breach that compromised up to 4.2 million credit and debit cards, the company said Friday.

The Scarborough, Maine-based grocer confirmed a report in The Boston Globe that it told Massachusetts regulators this week about the link between the breach and the illicit programs, known as malware. The company doesn't know how the malware -- short for malicious software -- got onto nearly all its 271 stores' servers, Hannaford spokeswoman Carol Eleazer said.

"Virtually everything is possible," she said. "There are still many, many aspects that we don't totally understand." At least 1,800 cases of fraud have been linked to the data breach, with unauthorized charges showing up as far afield as Mexico, Italy and Bulgaria.

The breach has prompted concern in the industry because it appeared to be the first large-scale theft of credit and debit card numbers while the information was in transit. Hannaford has said its breach, which occurred between Dec. 7 and March 10, allowed credit and debit card numbers to be stolen as shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.

Even while the Hannaford hack was still going on last month, the company was found to be in compliance with security standards required by the Payment Card Industry, a coalition founded by credit card companies.

TippingPoint recently sponsored a head-to-head contest between laptops running Vista, Linux (Ubuntu) and OS X 10.5. The vulnerability found was shared privately with Apple so that it can be corrected before exploits develop in the wild. While I consider OS X 10.x well designed and a fairly secure OS, the overall security of any product is only as strong as its weakest link. Hopefully both the Mac and Windows vulnerabilities in Safari 3.1 will be corrected expediently.

Safari 3.1 vulnerability - MacBook Air Hacked In Two Minutes

QUOTE: Security researchers from Independent Security Evaluators managed to hack a MacBook Air using a zero-day vulnerability in Apple's Safari 3.1 Web browser. The undisclosed vulnerability in Safari 3.1 has been shown to Apple and no further information about it will be revealed until Apple can issue an update, TippingPoint said.

Contest participants had their choice of trying to hack an Apple MacBook Air running OS X 10.5.2, a Sony Vaio VGN-TZ37CN running Ubuntu 7.10, or a Fujitsu U810 running Vista Ultimate SP1. During the first day, when attacks were limited to network attacks on the operating system, no one managed to compromise any of the systems.

In a blog post on Friday, TippingPoint said, "Since the Vista and Ubuntu laptops are still standing unscathed, we are now opening up the scope of the targets beyond just default installed applications on those laptops; any popular third-party application (as deemed 'popular' by the judges) can now be installed on the laptops for a prize of $5,000 upon a successful compromise."

The Acid tests gauge how well browsers comply with the web standards promoted by the Web Standards Project. An internal build of the Opera browser appears to have passed all Acid3 tests, scoring 100/100. These are highly complex CSS, JavaScript, DOM and XML tests based on the Web Standards Project's work. A flaw was later found in the Acid3 test itself, lowering the score to 99/100. Still, Opera came close enough that full compliance should follow soon.

Opera Browser - Passes Acid3 Web Standards test

QUOTE: The Opera browser today became the first browser to pass the Acid3 test. On the Opera desktop team blog, Lars Erik Bolstad writes: I have a quick update on where we are with Acid3. Since the test was officially announced recently, our Core developers have been hard at work fixing bugs and adding the missing standards support. Today we reached a 100% pass rate for the first time! There are some remaining issues yet to be fixed, but we hope to have those sorted out shortly.

Opera is the first to cross the finish line, at least in an internal build. The rest of us will have to wait a few days before we can verify the results, but this is exciting. Now it’s a race between Mozilla Firefox, Apple Safari, and Microsoft IE to see who will come in second.

More on ACID3 tests

ACID3 - Actual Test Page

QUOTE: Acid3 is a test page from the Web Standards Project that checks how well a web browser follows certain web standards, especially relating to the DOM and JavaScript. It was in development from April 2007, and released on 3 March 2008. The main developer was Ian Hickson, who also wrote the Acid2 test. Acid2 focused primarily on Cascading Style Sheets, but this third Acid test focuses also on technologies used on modern, highly interactive websites characteristic of Web 2.0, such as ECMAScript and DOM Level 2. A few tests also concern Scalable Vector Graphics, XML and data: URIs. Only elements from specifications as of 2004 are included.

In the Sarbanes-Oxley business forums, these free guidelines were shared as resources that can help companies with SOX 404 compliance. The Institute of Internal Auditors (IIA) has developed some excellent documents that help ascertain Information Technology risk requirements.

IIA's Guide to the Assessment of IT Risk (GAIT) Methodology

Download The GAIT Methodology. (PDF, 2MB)

QUOTE: The GAIT Methodology is a risk-based approach to assessing the scope of IT general controls. It is an approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies. The Guide to the Assessment of IT Risk (GAIT) series describes the relationships among risk to the financial statements, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls (ITGC).

Global Technology Audit Guide (GTAG) Document Library

QUOTE: Prepared by The Institute of Internal Auditors (The IIA), each Global Technology Audit Guide(GTAG) is written in straightforward business language to address a timely issue related to information technology (IT) management, control, and security. The GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices.

After navigating to the GTAG link noted above, please click on the links below to download the free guides in PDF format.

Guide 9: Identity and Access Management
(Purchase printed version from The IIA Research Foundation Bookstore)

Guide 8: Auditing Application Controls
(Purchase printed version from The IIA Research Foundation Bookstore)

Guide 7: Information Technology Outsourcing
(Purchase printed version from The IIA Research Foundation Bookstore)

Guide 6: Managing and Auditing IT Vulnerabilities
(Purchase printed version from The IIA Research Foundation Bookstore)

Guide 5: Managing and Auditing Privacy Risks
(Purchase printed version from The IIA Research Foundation Bookstore)

Guide 4: Management of IT Auditing
(Purchase printed version from The IIA Research Foundation Bookstore)

Guide 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
(Purchase printed version from The IIA Research Foundation Bookstore)

Guide 2: Change and Patch Management Controls: Critical for Organizational Success
(Purchase printed version from The IIA Research Foundation Bookstore)

Guide 1: Information Technology Controls
(Purchase printed version from The IIA Research Foundation Bookstore)

GTAG Overall Slides (PPT, 475KB)
The GTAG presentation slides cover what GTAG is, its target audience, who is involved in GTAG development, the guides published, future topics, etc.

Internet Explorer 8 - New Security Improvements

This article highlights two worthwhile IE 8 improvements that can better protect users from phishing attacks.

Internet Explorer 8 - Two New Security Improvements

QUOTE: IE 8's security environment benefits from the addition of two major enhancements: the Safety Filter tool and the Domain Highlighting feature. Here's a closer look at both of these new enhancements.

1. Safety Filter -- IE 8 ups the ante with a new Safety Filter that analyzes the entire URL string to search for carefully hidden signs that a Web site may be something other than it claims to be. In Microsoft's words, the Safety Filter provides "a more granular detection" capability, allowing the browser to protect users from more targeted and sophisticated attacks.

2. Domain Highlighting -- IE 8's other major new security feature is a technology that highlights the top-level domain in the browser's address bar. This enhancement might not sound like much, but it is designed to provide a hard-to-miss visual clue that will function like a traffic light. The idea is to enable users to quickly confirm that the Web site they are visiting is the site that they intended to visit.
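To make the two ideas above concrete, here is an added example in plain JavaScript. It is not code from the original article and not Microsoft's IE 8 implementation; it models what domain highlighting does (pick out the registrable domain in a URL so the reader sees which site they are really on) and what a URL-string safety check looks for (constructions that make a URL look like a different site than the one it resolves to). The two-level suffix table, the watched brand name "examplebank" and all sample URLs are constructed for this example; a real browser uses the full Public Suffix List and a reputation service rather than the tiny tables here.

```javascript
// Added example, not code from the original post or from Microsoft/IE 8.
// Models two ideas: (1) domain highlighting, which emphasises the registrable
// domain of the URL, and (2) a URL-string check that flags constructions used
// to disguise which site a link really goes to.
// Assumptions (constructed for this example): TWO_LEVEL_SUFFIXES is a tiny
// stand-in for the Public Suffix List; WATCHED_BRANDS is a made-up watch list.

const TWO_LEVEL_SUFFIXES = new Set(["co.uk", "ac.uk", "com.au", "co.jp"]);
const WATCHED_BRANDS = ["examplebank"];
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function isIpLiteral(host) {
  return IPV4.test(host) || host.startsWith("["); // URL exposes IPv6 hosts as "[...]"
}

function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
}

// The part of the hostname that identifies the site (e.g. "examplebank.co.uk"),
// as opposed to subdomains that the host's owner can add freely.
function registrableDomain(host) {
  const h = normalizeHost(host);
  if (isIpLiteral(h)) return h; // an IP address has no "owner domain"
  const labels = h.split(".");
  if (labels.length <= 2) return h;
  const keep = TWO_LEVEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Split a URL into the pieces that domain highlighting would dim or emphasise.
function splitForHighlight(urlString) {
  const url = new URL(urlString);
  const host = normalizeHost(url.hostname);
  const domain = registrableDomain(host);
  return {
    protocol: url.protocol + "//",
    subdomains: host.slice(0, host.length - domain.length), // e.g. "www." or ""
    domain,
    rest: (url.port ? ":" + url.port : "") + url.pathname + url.search,
  };
}

// Text rendering of the highlight: the registrable domain in [brackets].
// Any user:password@ part is dropped from the rendering on purpose, because a
// fake hostname placed before "@" is a classic way to mislead the reader.
function renderHighlighted(urlString) {
  const p = splitForHighlight(urlString);
  return `${p.protocol}${p.subdomains}[${p.domain}]${p.rest}`;
}

// Heuristic URL-string check: returns the suspicious signs found (empty = none).
function suspiciousSigns(urlString) {
  const url = new URL(urlString);
  const host = normalizeHost(url.hostname);
  const domain = registrableDomain(host);
  const subdomains = host.slice(0, host.length - domain.length);
  const pathAndQuery = (url.pathname + url.search).toLowerCase();
  const signs = [];

  if (url.username || url.password) signs.push("credentials-in-url");
  if (isIpLiteral(host)) signs.push("ip-literal-host");
  if (host.split(".").length > 5) signs.push("deep-subdomain-nesting");

  for (const brand of WATCHED_BRANDS) {
    if (domain.startsWith(brand + ".")) continue; // genuinely that brand's domain
    if (subdomains.includes(brand)) signs.push("brand-in-subdomain:" + brand);
    if (url.username.toLowerCase().includes(brand)) signs.push("brand-in-userinfo:" + brand);
    if (pathAndQuery.includes(brand)) signs.push("brand-in-path:" + brand);
  }
  return signs;
}

// Stand-alone demonstration on constructed sample URLs.
for (const u of [
  "https://www.examplebank.com/login",
  "http://www.examplebank.com.login-verify.net/account",
  "http://www.examplebank.com@198.51.100.7/login",
]) {
  console.log(renderHighlighted(u), "->", suspiciousSigns(u).join(", ") || "no signs");
}
```

Running the block shows why the two features complement each other: highlighting renders the second URL as `http://www.examplebank.com.[login-verify.net]/account`, so the eye lands on the real site, while the string check independently reports the brand name hiding in the subdomain part. The third URL puts the brand before an `@`, which the URL parser treats as a username; the rendering omits it entirely and the check flags both the embedded credentials and the bare IP host.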

Digital Piracy - Latest RIAA Developments

Folks should avoid the temptation of pirated "free" music or videos offered on some P2P networks. Besides the malware dangers, the RIAA can impose strict penalties on those who are discovered. College students in particular have been targeted, as noted in the article below.
Article - What Happens If the RIAA Targets You?

QUOTE: If you’re pirating music and video using BitTorrent or LimeWire, here’s what to expect if the lawyers come calling. Since early 2007, the RIAA (Recording Industry Association of America) and the MPAA (Motion Picture Association of America) have been scanning IP addresses from P2P (peer-to-peer) applications and sending cease-and-desist notices to offenders, along with pre-litigation fines of $3,000.

Not surprisingly, these two corporate copyright associations have found many targets huddled together on the same networks: college campuses. Like fish in a barrel, college students have proven to be easy targets for corporate lawyers, as the RIAA and MPAA formulate an aggressive strategy to stop the free transfer of copyrighted material from one desktop to another. So what should users of P2P software like BitTorrent or LimeWire expect if the lawyers come calling?
In late February 2008, the RIAA sent out pre-settlement letters — in its 13th wave of anti-piracy litigation — to more than 400 students enrolled at various colleges, including Boston University (35 students), Columbia University (50 students), University of Southern California (50 students) and University of Virginia (16 students), among others.

In total, 5,406 pre-litigation settlement letters have been sent to college students since February 2007. Of those cases, more than 2,300 were settled, and 2,465 ended in lawsuits, according to the RIAA. At $3,000 a pop, those 2,300 settlements yielded the RIAA $6.9 million. Of those that went to lawsuits, the RIAA asked for $750 per song illegally transferred, according to the University of Connecticut’s student newspaper, The Daily Campus. University of Connecticut student “Dave,” who was caught downloading a mere 109 songs, could face a bill of $81,750 if he fought his case in court and lost.

The RIAA may regret the lawsuit it filed in 2005 against a disabled single mother from Oregon named Tanya Andersen. Andersen has launched a lawsuit of her own against the RIAA, which may reveal exactly how the organization and MediaSentry Inc. (now owned by SafeNet Inc.) identify offending IP addresses — juicy information indeed when turned over to college students and BitTorrent developers.

Furthermore, the RIAA’s public position as a defender of recording artists’ rights may be losing its luster, since those artists apparently haven’t seen a dime of the money collected from last year's $270 million settlement with P2P operators Napster LLC, Kazaa and Bolt. “After the labels recouped their legal expenses,” an industry source told the New York Post, “there wasn't much left to pass along to the artists.”


Six security advisories are addressed in this Firefox release, and existing users should move to the new version for improved security. Most users should auto-update successfully.

Firefox release - Security Improvements

Firefox release notes

Firefox - New version found here if needed

Firefox - Specific Security Changes Addressed

MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
MFSA 2008-18 Java socket connection to any local port via LiveConnect
MFSA 2008-17 Privacy issue with SSL Client Authentication
MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
MFSA 2008-15 Crashes with evidence of memory corruption (rv:
MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution

Two new critical security advisories have been issued for Apple's new Safari 3.1 Windows browser.

Apple Safari 3.1 for Windows - Critical security vulnerabilities

Description: Juan Pablo Lopez Yacubian has discovered two vulnerabilities in Safari, which can be exploited by malicious people to conduct spoofing attacks or potentially compromise a user's system.

1) An error when downloading e.g. a .ZIP file with an overly long filename can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code.

2) An error in the handling of windows can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar. The vulnerabilities are confirmed in version 3.1 for Windows. Other versions may also be affected.

Solution Status:  UNPATCHED

It's important to keep up-to-date with the latest Service Packs, as support for Vista "Gold" will expire several months from now. Service Packs are usually also beneficial in enhancing performance or correcting functional issues, and they ensure the PC is up-to-date from a security standpoint, although hopefully most folks have automatic updates enabled or are keeping up-to-date otherwise.

Most users will not experience issues during SP updates. However, as Service Packs represent major changes, a few issues have been reported, as noted below. Since it's beneficial to be on the latest binaries, Microsoft is offering free support for any Vista SP1 issues discovered (even outside the original support guidelines). This program seems to apply to home users, as existing service channels would be used for corporate users.

Microsoft offers free support for Vista SP1 installs

QUOTE: Vista users encountering problems when they upgrade to Service Pack 1 can breathe easier: the company is giving away free support for those installing the service pack. The transition to the service pack has not been problem-free for many users, some of whom have seen their computers fall into endless reboot cycles and struggled with broken applications after installing the upgrade.

Normally, only Windows Vista users who bought the retail product would be eligible for free support but, for SP1 installation, even users with an original-equipment-manufacturer copy of Vista on their computer can get Microsoft's help, according to the official Vista blog.

Some additional resources are noted below:

Windows Vista SP1 - Ready for Download

Windows Vista SP1 - Release Information

Windows Vista SP1 - Solution Center

Windows Vista - How to obtain SP1

How to obtain Microsoft support files from online services

Windows Vista Blog - Home Page

A friend recently forwarded a virus warning message that contains elements of fact and fiction. Mixing falsehoods in with truth still results in an untrue overall message.

THE GOOD -- In some respects, it does point to the Storm Worm and the need to avoid e-cards and clicking on URLs that might be present in an email message. It shares a link to Snopes, which is also legitimate. Still, most users should already be aware of the dangers of opening any unexpected attachment or clicking on any link found in an email message.

THE BAD -- However, much of the message makes false claims (e.g., burning a hole in the hard drive, etc.) that can confuse users and cause issues. For example, immediately shutting down a PC upon receipt of an email message titled POSTCARD could cause someone to lose work in any sessions that were open.

THE UGLY -- Passing on these types of messages also forces folks to read and deal with unnecessary email. False alerts can also leave folks off guard when real attacks surface.


Date: Fri, 21 Mar 2008 10:36:17 -0500
From: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
To: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Subject: Fw: Virus Named 'Postcard'
Date: Fri, 21 Mar 2008 08:26:06 -0400

Hi All, I checked with Norton Anti-Virus, and they are gearing up for this virus!

I checked, and it is for real!!

Get this E-mail message sent around to your contacts ASAP.


You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD,' regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which 'burns' the whole hard disc C of your computer. This virus will be received from someone who has your e-mail address in his/her contact list. This is the reason why you need to send this e-mail to all your contacts. It is better to receive this message 25 times than to receive the virus and open it.

If you receive a mail called 'POSTCARD,' even though sent to you by a friend, do not open it! Shut down your computer immediately.

This is the worst virus announced by CNN. It has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.



Folks should continue to be careful with any Office documents (e.g., Word, Excel, PowerPoint, Access, etc.) received in email or exchanged in other ways. As the March security updates strengthened protection against some previous vulnerabilities, it is important to stay up-to-date on security updates for Windows, Office, and all other software products.

Microsoft Security Advisory 950627 - Jet Database Engine Vulnerability

QUOTE: Microsoft is investigating new public reports of very limited, targeted attacks using a vulnerability in the Microsoft Jet Database Engine that can be exploited through Microsoft Word. Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.

Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.

Microsoft is investigating the public reports and customer impact. We are also investigating whether the vulnerability can be exploited through additional applications. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. At this time, we are aware only of targeted attacks that attempt to use this vulnerability. Current attacks require customers to take multiple steps in order to be successful; we believe the risk to be limited.

Apple recently released the Windows version of its Safari browser. In my beta testing, Safari performed well and was reliable. While the latest versions of Internet Explorer, Firefox, and Opera offer more advanced functionality, Safari offers an easy-to-use interface and excellent performance as a complementary browser.

Apple Safari 3.1 Browser release for Windows

Windows Requirements
Windows XP or Vista
At least 256MB of RAM
500 MHz Pentium-class processor or better


QUOTE: Why you’ll love Safari.

Blazing Performance
Safari is the fastest web browser on any platform.

Elegant User Interface
Safari’s clean look lets you focus on the web — not your browser.

Easy Bookmarks
Organize your bookmarks just like you organize music in iTunes.

Pop-up Blocking
Say goodbye to annoying pop-up ads and pop-under windows.

Search any text on any website with the integrated Find banner.

Tabbed Browsing
Open and switch between multiple web pages in a single window.

Instantly snap back to search results or the top level of a website.

Forms AutoFill
Let Safari complete online forms for you, automatically and securely.

Built-in RSS
RSS tells you when new content is added to your favorite sites.

Resizable Text Fields
Resize text fields on any website: Just grab the corner and drag.

Private Browsing
Keep your online activities private with a single click.

Apple engineers designed Safari to be secure from day one.


This article provides an excellent list of considerations for anyone affected by company downsizing. It's important not to panic or let emotions overrule logic at this critical time (e.g., avoid burning any bridges, since when better times return experienced workers are often the first to be rehired). Following these steps won't necessarily ease the pain, but they can improve your chances of landing on your feet and moving on to a brighter future.

Corporate Layoffs - Ten Important Considerations

QUOTE: The layoff experience is nothing short of a nightmare, and it goes so quickly, employees rarely have time to consider their rights. When the economy slides into a recession, layoffs are inevitable. Whether it's three or four people laid off, a massive downsizing or a company that has been forced to shut its doors, the layoff experience is nothing short of a nightmare for most workers.

Years and even decades of valued work, input and influence on a company comes to a screeching halt in a surprisingly formal and succinct process. Rarely are the pink-slipped given time to download personal documents from their computers or say goodbye to peers. If severance is involved, there will be papers to sign. HR might want an exit interview. And that's all there is. The process happens so quickly, most are too stunned and shaken to consider what rights or entitlements they do or do not have.

1. Go to HR First
2. Your Rights from Written Agreements
3. What Company Policies Entitle You To
4. Your Statutory Rights
5. What You Are and Are Not Owed
6. How Severance Does and Does Not Work
7. What Signing a Release Means
8. What Benefits You're Entitled To
9. Why Employers Want to Minimize Your Trouble
10. What the Recession Will Mean for the Laid-Off

The two links below highlight important Office security updates. Keeping Windows, Office, and IE up-to-date will help protect you from most exploits currently circulating.

Be sure to keep all non-Microsoft products updated as well.

March Security Updates - Improvements for Office
