May 2008 - Posts

During April, a hacking contest took place where Vista's security was compromised through Flash rather than through a weakness in its own security controls.  As I don't have Flash installed on any of the alternative browsers I use (e.g., Firefox, Opera), I've been getting along fine without Flash in those environments.  I then reviewed the IE security options and found an easy way to disable or enable Flash as desired.  This specific approach doesn't work with IE 6 or earlier versions. 

A new mass attack is now under way in which malicious SWF objects have been seeded on thousands of web sites (one estimate put the count at 250,000 infected web pages).  Most of the current attacks can be stopped by moving to the latest version of Flash (9.0.124).  However, AVERT and other AV vendors are still investigating whether new exploits are being crafted that could infect even up-to-date systems.

The instructions below show how to temporarily disable Flash until it is certain that all known exploits have been patched.  As I also like this setting for avoiding Flash-based advertising, I usually leave Flash disabled and turn it on occasionally when it's truly needed.

IE Settings - Disable/enable add-ons (e.g., Flash)

Tools >>> Internet Options >>> Programs tab >>> Manage add-ons button >>> Show: Add-ons that run without requiring permission >>> Select Shockwave Flash Object (the Flash ActiveX control) >>> Click the Disable button at the bottom

To re-enable Flash, follow the same steps and click the Enable button in the last step.  If desired, you can also stop Adobe PDF Reader and Windows Media Player from starting within IE.  They will still work normally when started outside IE.  As these add-ons are handled the same way as Flash, they can also be toggled back on if needed.


1. Avoid making these changes unless you are familiar with IE settings and understand the technical steps noted above.  

2. Avoid disabling other add-ons, as doing so could affect or break browser functions.

3. Flash might be used often on a webmail site or forum you post to frequently, and the disabled-add-on notice could then appear often.

4. The settings were specifically for IE 8 and should also work for IE 7. 
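The Manage Add-ons change above is per user and is undone with one click in the same dialog. For a machine-wide block that survives that, the same control can be shut out of IE with its ActiveX "kill bit". The script below is an added example, not code from the original post or from Adobe; it assumes 32-bit Windows XP/Vista, an administrator (on Vista, elevated) PowerShell session, and that the Flash control lives under System32\Macromed\Flash as FlashNN.ocx (that path and file name pattern are assumptions). The CLSID is the one registered for "Shockwave Flash Object", and 0x400 is the documented kill-bit value in Compatibility Flags.

```powershell
# Added example, not from the original post. Assumes 32-bit Windows XP/Vista,
# the Flash ActiveX control installed under System32\Macromed\Flash (assumed
# path), and an administrator (on Vista: elevated) PowerShell session.

$FlashClsid  = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # CLSID of "Shockwave Flash Object"
$KillBitKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
$KillBit     = 0x400                                        # kill bit inside "Compatibility Flags"
$MinimumSafe = [version]'9.0.124.0'                         # version the post says stops the current exploits

function Get-FlashVersion {
    # Flash ships its ActiveX control as FlashNN.ocx; take the newest copy present.
    $ocx = Get-ChildItem "$env:windir\System32\Macromed\Flash\Flash*.ocx" -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($null -eq $ocx) { return $null }
    # The file version is reported as "9,0,124,0"; [version] wants dots.
    return [version]($ocx.VersionInfo.FileVersion -replace ',', '.')
}

function Test-FlashKillBit {
    # True when the kill bit is set, i.e. IE (and anything hosting its engine) refuses to load Flash.
    $p = Get-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }
    return (([int]$p.'Compatibility Flags' -band $KillBit) -ne 0)
}

function Set-FlashKillBit([bool]$Blocked) {
    # Set or clear the kill bit without disturbing any other compatibility flags.
    if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
    $p = Get-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags = if ($null -ne $p) { [int]$p.'Compatibility Flags' } else { 0 }
    $flags = if ($Blocked) { $flags -bor $KillBit } else { $flags -band (-bnot $KillBit) }
    Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value $flags -Type DWord
}

# Block Flash in IE unless the installed player is at or above 9.0.124.
$v = Get-FlashVersion
if ($null -eq $v) {
    'No Flash ActiveX control found.'
} elseif ($v -lt $MinimumSafe) {
    "Flash $v is older than $MinimumSafe; setting the kill bit."
    Set-FlashKillBit $true
} else {
    "Flash $v is current. Kill bit set: $(Test-FlashKillBit)"
}
```

Two caveats: the kill bit also blocks Flash in any other program that hosts the IE rendering engine, and it is cleared only by running `Set-FlashKillBit $false` (or deleting the value), not from the Manage Add-ons dialog. The version check is only as good as the .ocx it finds, so confirm with the Adobe test page mentioned in the next post.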

Hopefully, the tapes were misplaced rather than stolen for the purposes of identity theft or fraud.

Bank of New York Mellon loses tapes with data on 4.5M clients

QUOTE: May 30, 2008 (Computerworld) Bank of New York Mellon Corp. officials last week confirmed that a box of unencrypted data storage tapes holding personal information of more than 4.5 million individuals was lost more than three months ago by a third-party vendor during transport to an off-site facility.

The bank informed the Connecticut State Attorney General's Office that the tapes belonging to its BNY Mellon Shareowner Services division were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal.

Security sites are warning of increased dangers from malformed Shockwave Flash (SWF) objects. I've read reports of as many as 250,000 web pages hosting this new exploit.  It is important to move to the latest version of Flash if prompted, or to update manually if you are not on version 9.0.124.

Adobe test page that shows your installed version (should be 9.0.124)

How to manually update if needed (be sure to uncheck the Google Toolbar option) 

AVERT reports that sites hit by recent mass hacking attacks are being redirected to load malicious SWF files. These exploits are being tailored to specific versions of Flash to broaden the scope of the attacks.  Finally, please see the last AVERT link (05/28): they are researching a new variant that might exploit Flash even where it is fully up to date (e.g., 9.0.124).

Adobe Flash Player Flaw - Massive Exploitation reported

QUOTE: Adobe Flash Player Flaw Massive Exploitation -- The Adobe Flash Player vulnerability which was disclosed this week by Symantec and believed to be unknown (zero-day) is a previously known issue that was patched with version Multiple compromised web pages are currently exploiting this flaw and distributing malware.


QUOTE: Here’s a quick update to the earlier post on a new unpatched Adobe Flash vulnerability. Through looking for sites serving these SWF exploits we’ve found a connection with recent mass hacks. Hacked sites reference an external script, just as they have for quite some time. But, the external scripts now reference an SWF file.

New variants emerging - AVERT researching claims that currently patched systems may be vulnerable 

QUOTE: At first, this appeared to close the case, but there was a report of a patched version of Flash falling victim to one of these attacks, and we’ve seen an SWF file referencing a missing file named WIN 9,0,124,0i.swf, which also suggests that the latest version of Flash is the target of that file.

I listen often to Kim Komando's talk show and found that today's Tip of the Day newsletter offered a lot of practical advice on buying a new PC, as well as an easy-to-understand overview of the latest microprocessor developments.

Picking a microprocessor

Q: It's time to move up from my old Intel Pentium 4, 3GHz system. Where can I learn about what's out there? Dual Core? Dual Quad? I need a simple explanation about these processors.

A: A lot has happened since your microprocessor was introduced. The 3GHz Pentium 4 goes back about five years. That qualifies as an eon in computers.

For most people, that old Pentium 4 would still be adequate. Today's cutting edge chips are running far in front of consumer software. So, unless you're editing lots of video or playing the most demanding games, you don't need to worry about the chip. Today's chips are more advanced than your Pentium. As you point out, they have multiple cores. They are also 64-bit chips, while yours is 32-bit. The architecture of these things is just brilliant. But most of it is going unused.

Let's start with the cores, since you mentioned them. Each core is its own little processor. Both Intel and AMD are producing multi-core chips. The most advanced Intel chips have four cores.  AMD had the chip lead at one time. But it struggled with its quad core chips. It did finally get them out, well after Intel.  Quad-core chips work well on servers. But they are overkill in the consumer space. A quad core gives you one thing—bragging rights.

Windows is capable of running on multiple cores. So it can take advantage of these advances. But few consumer programs use more than one core. In fact, porting consumer programs to multiple cores is a huge concern.  The same type of thing applies to 64-bit chips. This number refers to the amount of data a core can crunch at once. AMD and Intel chips now are 64-bit. That's pretty meaningless, though. Practically everything else is 32-bit.

True, you can get a 64-bit version of Windows Vista. But I don't recommend that. You would probably discover that drivers are hard to find. That would mean that certain peripherals couldn't be used.  You could probably get by with Intel's Celeron, or AMD's Sempron. Both are budget microprocessors. But you can't be sure of what the future will bring. So I would go with an Intel Core 2 Duo or AMD Athlon X2. If future programs use dual-core technology, you'll be ready. You might see high-end computers with Intel Extreme or AMD Phenom chips. Those are very powerful. They should work well in gaming and video-editing situations. Otherwise, you can't use the power.

I assume you'll be buying Windows Vista. You will see one of four versions. I have a chart that explains them. There is a fifth version—Enterprise. You won't see that in stores.  Vista is more capable than its predecessor, XP. Consequently, its video requirements are pretty stiff. Get a minimum of 128 megabytes of video RAM. Go for 256MB, if you have room in your budget.  I prefer a separate video card. But integrated graphics will also work. I have a tip that explains this further.  Don't overload your system with random access memory. I recommend 2 gigabytes. If you need more, go up to 3GB. Over that, and you're probably just throwing your money away.

Windows Vista UAC Controls - Tame it without turning it off

Vista User Account Control (UAC) may be doing too good a job at times, as it's designed to provide safety warnings.  This warning system prompts for consent (or, for standard users, an administrator's password) whenever a program or setting marked with the shield icon is invoked.  This article from Information Week is excellent and shares some techniques to tailor UAC so that it still warns properly, but less often on common day-to-day tasks.      

Information Week: How To Tame Microsoft Windows Vista's UAC

QUOTE: Are all those Windows Vista User Account Control warnings driving you nuts? Here are seven ways to make Vista's UAC less intrusive, while keeping legitimate security threats at bay. It's tempting to just turn off UAC and be done with it, but I'm not convinced this is a worthwhile solution. There are times when you'll want the protection that UAC affords, and there are ways you can make UAC a lot friendlier and less intrusive. Work with it rather than against it, and you may be pleasantly surprised at how manageable it really is.


1. Slow An Overzealous UAC (tailor the circumstances UAC dialogs should and should not show up)

2. Use Process Explorer (use of this optional tool from Sysinternals)

3. Schedule A Task To Run As Admin (set up common pre-existing applications to bypass UAC)

4. Use UAC's "Quiet Mode" (requires advanced registry edits to set up common pre-existing applications for bypass)

5. Turn Off The Secure Desktop (The screen darkening and return to normal after accepting may consume a few seconds. Turning this off on older equipment may make UAC more acceptable)

6. Tighten Up UAC's Control (It may also be desirable to require admins to supply passwords at UAC prompts)

7. Enforce Running Signed Code (Another strengthening measure is to elevate only signed code, which can safeguard against malware; as a caution, many legitimate programs are unsigned)
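Items 3 through 7 above all come down to a handful of registry values under the Policies\System key (the same ones Local Security Policy edits under "User Account Control:") plus one scheduled-task trick. The script below is an added example, not code from the original post or the Information Week article; it assumes Windows Vista and an elevated PowerShell session. The profile names Quiet, Default and Strict are my own labels, not terms from the article.

```powershell
# Added example, not code from the original post or the Information Week article.
# Assumes Windows Vista and an elevated PowerShell session. The registry values
# are the ones behind the "User Account Control:" entries in Local Security Policy.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: behaviour of the elevation prompt for administrators
$AdminPromptNames = @{
    0 = 'Elevate without prompting (the article''s "quiet mode")'
    1 = 'Prompt for credentials'
    2 = 'Prompt for consent (Vista default)'
}

function Get-UacPolicy {
    # Decode the current UAC settings; a missing value means the Vista default applies.
    $p = Get-ItemProperty -Path $UacKey
    $behavior = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 2 }
    New-Object PSObject -Property @{
        UacEnabled     = ($p.EnableLUA -ne 0)                    # EnableLUA=0 switches UAC off entirely
        AdminPrompt    = $AdminPromptNames[$behavior]
        SecureDesktop  = ($p.PromptOnSecureDesktop -ne 0)        # article item 5
        SignedCodeOnly = ($p.ValidateAdminCodeSignatures -eq 1)  # article item 7
    }
}

function Set-UacProfile {
    # Apply one of three named combinations of the same values; UAC itself stays on.
    param([ValidateSet('Quiet', 'Default', 'Strict')][string]$Profile)
    $values = switch ($Profile) {
        # Items 4 and 5: silent elevation, no secure desktop. Caution: anything an
        # administrator account runs is then elevated without any prompt at all.
        'Quiet'   { @{ ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0; ValidateAdminCodeSignatures = 0 } }
        'Default' { @{ ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1; ValidateAdminCodeSignatures = 0 } }
        # Items 6 and 7: ask for a password and elevate only signed, validated executables.
        'Strict'  { @{ ConsentPromptBehaviorAdmin = 1; PromptOnSecureDesktop = 1; ValidateAdminCodeSignatures = 1 } }
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $UacKey -Name $name -Value $values[$name] -Type DWord
    }
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
}

function New-ElevatedTask([string]$Name, [string]$Command) {
    # Item 3: a task created with /RL HIGHEST runs elevated, so a shortcut to the
    # "schtasks /Run" line returned below starts $Command without a UAC prompt.
    # (/SC ONCE needs a start time; the task is meant to be triggered on demand.)
    schtasks /Create /TN $Name /TR $Command /SC ONCE /ST 00:00 /RL HIGHEST /F | Out-Null
    "schtasks /Run /TN `"$Name`""
}

Get-UacPolicy
```

`Get-UacPolicy` is the check to run first so you know what you are changing. Note that the Quiet profile leaves nothing between a program started under an administrator account and full rights, and that turning off the secure desktop lets ordinary windows draw over the prompt; both are exactly the trade-offs the article is warning about. Changing EnableLUA needs a reboot; the other values apply to new prompts immediately.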

While the Storm worm botnet continues to spread by email, SQL injection is now also being used to plant its malicious code on vulnerable web sites so that visitors' computers are infected.  Folks should be careful with email, avoiding all attachments and web links, and stay up to date on security patches and AV protection.

Storm Worm - New Version uses SQL Injection Techniques

QUOTE: What has changed compared to previous campaigns? Storm Worm is back in the SQL injection attack phrase, with a malicious iframe injected at a small of sites for the time being. Moreover, assessing the storm worm infected hosts can only be done if you spoof your browser UI, otherwise you will get no indication for any kind of malicious activity going on. Furthermore, despite that there are no exploits used at the infected hosts but, a heavily obfuscated HTML/Rce.Gen was detected in their injected domain which would load automatically upon someone visiting an already injected site.

This Information Week article provides an excellent overview of identity theft monitoring services. As more than 225 million records have been breached since 2005, the article describes what these firms can and cannot do for their customers. A list of low-cost and free methods of protection is also provided:

ID Theft Monitoring Services: What You Need To Know

QUOTE: Take identity theft monitoring service providers. The pitch? Give us your Social Security number and notification of suspicious identity activity is only an e-mail alert or phone call away. These services, which typically cost $10 to $20 per month, offer to guard your identity by monitoring the three credit-reporting agencies (Experian, Equifax, and TransUnion), cell phone applications, government databases, and public information. Some also provide insurance (subject to underwriting, and not valid in every state) to help defray costs associated with recovering from identity theft cases.

Monitoring helps with identity theft by actively watching for fraud in your name. "The credit monitoring service notifies you at an earlier stage than you might otherwise know about the fraud, because otherwise it could be months before someone potentially finds out about it," says Paul Stephens, director of policy and advocacy at PRC.

Monitoring, however, won't stop identity theft outright. "With credit monitoring, your report is still potentially seen by people who want to commit fraudulent acts against you," he says. "You'll get an early warning, but you haven't actually prevented them from using the report." At this point, it's also too late to freeze your credit, which prohibits anyone but current creditors from seeing a credit report. This means your personal data is already at large, and may have been used to gain a credit card, cell phone, or even mortgage in your name.

Below are some low-cost and free ways to better protect the use of your identity:

Five Mostly Free Alternatives to ID Theft Monitoring Services


1. Watch your credit reports. Everyone is entitled to see a free credit report annually from each of the three credit-reporting agencies (Experian, Equifax, and TransUnion). To obtain yours, see: 

2. Use credit freezes. A credit freeze (aka "security freeze") locks credit reports so only you or current creditors can see it. It can also be unlocked on a per-creditor basis, for example if you're going to buy a house, car, or get a new credit card. The cost is $10 per bureau to place a freeze and $10 to lift a freeze.

3. Place fraud alerts. Under the Fair Credit Reporting Act, consumers may place a fraud alert on their credit report for 90 days -- renewable indefinitely.

4. Avoid debit cards. Attacks which steal card numbers via ID-swiping devices -- often installed at gas stations and grocery stores -- are on the rise.

5. Look to resolution services. Public agencies and non-profit organizations can help you clean up identity theft for free.

Daily, I'm receiving numerous copies of "gas spam".  These messages typically claim a savings of 70 cents per gallon if you subscribe to a special product or solution. 

Folks must avoid clicking any links in spam messages to avoid any potential for spyware or viruses.  This includes even opting out of future emails: spammers rarely honor opt-out requests, and responding actually confirms they have an active, valid email address. 

The best practice is to line all these messages up in the inbox and delete them without opening them. There are no free lunches on the Internet.  Always avoid email messages that make claims that seem too good to be true.

Gas Spam Emerges - Can you really save 70 cents per gallon?

QUOTE: In my role as an anti-spam researcher I get to see a lot of spam. Most of the spam I see can be categorized into a fairly small range of spam types. Common examples include pharmacy, stock and watch spam.  Over the last few weeks I have seen a new type of spam. This is spam which is trying to sell a product to save money on gas.

As recommended, SSH keys and SSL certificates generated on affected Debian systems should be regenerated for better protection after applying the latest release. The links below can help explain some of the key issues:

INFOCon yellow: update your Debian generated keys/certs ASAP

QUOTE: Scripts that allow brute forcing of vulnerable keys (see this as rainbow tables for SSH keys) are in the wild so we would like to remind all of you to regenerate SSH keys ASAP. Please keep in mind that SSL certificates should be regenerated as well. This can be even more problematic if you had your certificates signed since you'll have to go through this process again (and possibly pay money again).

Update 2310 UTC: The new Debian package for SSH (ssh_4.3p2-9etch1) also applies a package called "openssh-blacklist". After this update, your SSH server will refuse keys from the compromised set. The package also installs a new tool called "ssh-vulnkey" that can help in hunting down key files that contain weak keys. Note that in combination with the existing ssh-keyscan, ssh-vulnkey can be used to easily identify servers that use weak host keys, so while these Debian patches help those who patch, they also make attacks easier against those who did not yet patch.

Additional Links

H.D. Moore's Analysis

QUOTE: But the bug introduced by Debian effectively reduces the strength of the key to 32768 permutations, which is 16 bits. Famed security researcher HD Moore has actually already pre-calculated all of the potential keys for the most common cases. It took mere hours. So now you can be hacked even without someone brute-forcing your encryption

While HP is working on a solution for the IntelPPM driver that is wrongly set to load on certain AMD models, this neat tool checks for the presence of vulnerable PCs and disables the driver so that Windows XP SP3 can load successfully.

QUOTE: May 15, 2008 (Computerworld) A former Microsoft Corp. security manager has published a tool designed to detect and fix PCs that may be susceptible to "endless reboots" if updated to Windows XP Service Pack 3 (SP3).

Jesper Johansson, once a program manager for security policy at Microsoft and currently an MVP (Microsoft Most Valuable Professional) who works at, posted a link to the tool on his blog yesterday, beating his former employer and Hewlett-Packard Co. to the draw. Neither company has yet come up with a fix or patch for the weeklong snafu.

Johansson's small, 16K VBScript (Visual Basic Scripting Edition) file checks whether the PC is running a processor from Advanced Micro Devices Inc. (AMD), and if so, examines the Windows registry to see if a device driver meant for Intel-based machines is set to load.

"If it is, it will offer you an option to disable it," said Johansson in an update to a blog post where he has been summarizing reports of Windows XP SP3 problems and offering solutions. Users can run the script from the command line to check multiple machines on a network, Johansson added.
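The check the article describes (an AMD processor with the Intel power-management driver still set to load) is straightforward to reproduce. The script below is an added example, not Johansson's VBScript and not anything from HP or Microsoft; it assumes Windows XP with PowerShell installed and an administrator account. "AuthenticAMD" is the manufacturer string WMI reports for AMD processors, and Start = 4 is the SERVICE_DISABLED start type.

```powershell
# Added example, not Johansson's VBScript (which the post links to). Assumes
# Windows XP, PowerShell installed, and an administrator account. The check is
# the same one the article describes: an AMD processor with IntelPPM set to load.

$IntelPpmKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\IntelPPM'
$ServiceDisabled = 4      # Start = 4 means SERVICE_DISABLED

function Test-IntelPpmMismatch {
    # Returns what was found plus an AtRisk flag for the AMD + IntelPPM-loads combination.
    $cpu   = Get-WmiObject Win32_Processor | Select-Object -First 1
    $isAmd = ($cpu.Manufacturer -eq 'AuthenticAMD')
    $start = (Get-ItemProperty -Path $IntelPpmKey -Name Start -ErrorAction SilentlyContinue).Start
    # No key or no Start value means the driver is not installed at all.
    $loads = ($null -ne $start) -and ([int]$start -ne $ServiceDisabled)
    New-Object PSObject -Property @{
        Manufacturer  = $cpu.Manufacturer
        IntelPpmStart = $start
        AtRisk        = ($isAmd -and $loads)
    }
}

function Disable-IntelPpm {
    # Same effect as "sc config intelppm start= disabled"; takes effect at the next boot.
    Set-ItemProperty -Path $IntelPpmKey -Name Start -Value $ServiceDisabled -Type DWord
}

$result = Test-IntelPpmMismatch
$result
if ($result.AtRisk) {
    Disable-IntelPpm
    'IntelPPM disabled; XP SP3 can now be installed without the reboot loop.'
}
```

To check other machines on the network as the article mentions, `Get-WmiObject` takes a `-ComputerName` parameter and the registry read can be done through `[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey`; run the check before SP3 is applied, because once a machine is in the reboot loop the fix has to be made from the recovery console instead.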

This is EXCELLENT advice, as this process is often neglected due to the need to start the next project right away.

Article: 10 things you should do near the end of a project

QUOTE: In either case, you probably go through the typical inception, elaboration, and construction phases of a project. But when it comes to the end of a project, many project managers come up just short of the finish line. Failure to handle the final steps can add confusion to an initiative and may lead to customer dissatisfaction, unhappy staff, and a project dragging on longer than necessary.

#1: Finalize testing
#2: Finalize training
#3: Validate deliverables
#4: Get project signoff
#5: Release the team
#6: Analyze actual vs. planned
#7: Archive documentation
#8: Ensure contract closure
#9: Conduct a postmortem meeting
#10: Perform a self assessment

As noted in the article, there are both advantages and disadvantages to using free security software instead of a purchased security suite.  Personally, I like using some of the freely available tools, as they are efficient and as protective as competing products that require purchase.

Still, folks should do their homework and ensure any free product will meet their needs.  They should research free product offerings to understand what these tools will and will not do functionally.

Advantages:

-- Free product offerings are better than having no protection at all (especially for folks on a tight budget)
-- There are actually many great free firewalls, AV products, and anti-spyware tools available (some free products are as good as or better than competing paid products - but you have to do your homework)
-- Sometimes a simple "no frills" solution is all you need, and it might even offer better performance than a full-featured product with lots of "bells and whistles"
-- You can try adding a new layer of protection, and if you find there's no compelling need you can uninstall it without it having cost you any money (e.g., if you rarely get spyware and wanted to test out a free product offering)

Disadvantages:

-- Security suites may cover more areas of exposure for improved protection (so there are no gaps)
-- Some free products may not be as comprehensive in their scope of protection when compared to paid products (e.g., AV protection may be limited to just files and may not cover exploits, rootkits, or other risks)
-- Some free security products may try to upsell folks with occasional popup messages to the more comprehensive paid versions
-- Very limited user support may be available, where full technical support may be available for
-- Most free products are licensed only for personal use and must not be used free of charge in a corporate environment

Below is an analysis of some of the most recent product offerings.  Both AVG and avast! have been well rated as basic AV products, and they often provide protection against leading-edge threats more quickly than even some of the mainstream solutions.  

PC Magazine - Updated list of Free Security Software

QUOTE: Sometimes free security is worth what you pay for it. But if you know what to look for, you can get an excellent buy when it comes to protecting yourself—without dropping a lot of cash. You may be better off with a full-scale commercial Internet security product, but you're far better off with a free product than with no security product at all.  You may be surprised at how much protection you can get at no cost. The latest versions of the popular free antivirus products from avast! and AVG both now include spyware protection as well, and they're quite effective.

avast! antivirus 4.8 Home Edition
AVG Anti-Virus Free 8.0
Spybot Search & Destroy 1.5
Spyware Terminator 2.0

ThreatFire 3.5

This is an interesting article, as the majority of the thefts were conducted using non-technical approaches.  Folks should be careful when storing or discarding sensitive documents, as criminals will use any means to steal from others.

US Attorney seeks 5 years for the Bonnie and Clyde of ID theft

QUOTE: While they used professional Internet tools to facilitate some of these thefts, the bulk of their identity theft was low-tech: "Purse snatching, burglarizing apartments and mailboxes with stolen keys, breaking into gym lockers, soliciting information over the telephone by false pretenses, picking up documents while visiting." With what they obtained they ran down others' credit cards, established new ones in the victims' names and ran those down, created accounts with banks and spent from those. They transferred a lot of money around to cover tracks.

The moral, other than that some people have no morals, is that online identity theft isn't the only way you can get ripped off. It may not even be the most likely way. Keep an eye on other vehicles, like what's in your mailbox or purse.

While the installation of the XP SP3 upgrade went well for me, and it should for most users, a service pack represents a major upgrade of operating system or product binaries and should be applied cautiously. 

It's important to read and research all prerequisites prior to installing.  For example, in testing the Internet Explorer 8 beta, I discovered it had to be uninstalled first; I then applied the XP SP3 upgrade and reinstalled the IE 8 beta.  

Internet Explorer Prerequisites - A must read for XP SP3

Excellent resource for Windows

Microsoft Forums - XP SP3 issues

Below is a good overview from the 25th anniversary of spam.  Spam remains a major problem with email today, and folks should always be careful to take no action on it other than deleting it.

QUOTE: In fact, the earliest documented junk e-mailing I've uncovered was sent May 3, 1978 -- 25 years ago this month. (It was written May 1 but sent on May 3.) And in a surprising coincidence (*), just a month ago marked the 10th anniversary of March 31, 1993, the first time a USENET posting got named a spam

The DEC marketer, Gary Thuerk, identified only as "THUERK at DEC-MARLBORO" (There were no dots or dot-coms in those days, and the at-sign was often spelled out) decided to send a notice to everybody on the ARPANET on the west coast. In those days there was a printed directory of everybody on the Arpanet which they used as source for the list. The message trumpeted an open house to show off new models of the Dec-20 computer, a foray into larger, almost mainframe-sized systems.

This was a spam, though the term would not be used to refer to it for another 15 years. Thuerk had his technical associate, early DEC employee Carl Gartley, send the message from his account after several edits. Alas, at first he didn't do it right. The Tops-20 mail program would only take 320 addresses, so all the other addresses overflowed into the body of the message. When they found that some customers hadn't got it, they re-sent to the rest.

More on the History and Types of SPAM
