June 2008 - Posts

Idea In searching early this morning, I ran across the link below which highlights numerous security advantages that Vista has over XP.  In fact the improved security has caused some incompatibility issues with some applications written for Windows 2000 or XP.   Still, if you have a new or relatively new system that's capable of running Vista and your applications are compatible, you will benefit from the improved security which is part of TWC. 

MSDN - Technical document highlights Vista's security advantages
http://msdn.microsoft.com/en-us/library/bb188739.aspx

Idea Microsoft has just enhanced a key IIS based security tool in response to the new wave of automated SQL injection attacks, that are currently circulating. This security tool can help spot weaknesses that should addressed by the web development tool (e.g., strengthening SQL-Server calls for improved security by using parameterized lists, ADO, stored procedures, and other secure techniques). URL Scan can detect or block many of the generic attacks by searching for special keywords.
 

 URL Scan 3.0 Beta - New version helps detect SQL Injection Attacks
 http://blogs.iis.net/wadeh/archive/2008/06/05/urlscan-v3-0-beta-release.aspx 
 
 QUOTE: UrlScan installs as a filter on IIS and looks at incoming requests in real time. It can then screen requests based on a set of general request properties. For example, it can block overly long URLs or headers. It can block requests with unexpected HTTP verbs or strings in the URL.
 
 Today, in 2008, we find ourselves in a similar situation. We are seeing a particularly nasty automated SQL Injection attack that is targeting our customers. This attack defaces web servers and sends their clients off to malicious servers that attempt to install malware. As before, the vulnerability does not exist in IIS - or any software from Microsoft. In this case, the attack is exploiting vulnerabilities in customer developed applications. And as before, the real fixes will need to come from the myriad developers of those applications.
 
 The new set of features in version 3 are:
 
 * Support for query string scanning, including an option to scan an unescaped version of the query string.
 * Change notification for configuration (no more restarts for most settings.)
 * UrlScan can be installed as a site filter. Different sites can have their own copy, with their own configuration.
 * Escape sequences can be used in the configuration file to express CRLF, a semicolon (normally a comment delimiter) or unprintable characters in rules.
 * Custom rules can be created to scan the URL, query string, a particular header, all headers or combination of these. The rules can be applied based on the type of file requested.
 
 We also have plans to update the IIS 7 request filter to add these features. In the interim, UrlScan 3 is fully supported on IIS 7.
 
 IMPORTANT RECOMMENDATION: Finally, it cannot be overstated that these tools are just an interim measure to buy time to fix the affected applications. While they are effective against the current wave of automated attacks, they cannot protect against more directed attacks against a specific server. The category of SQL Injection vulnerabilities is so broad that there are no known filter strategies that can block a determined hacker against application vulnerabilities. There are many resources available for learning about SQL Injection attacks and prevention strategies.
 
 ADDITIONAL RESOURCES - HOW TO PREVENT SQL-INJECTION ATTACKS
 
 http://msmvps.com/blogs/harrywaldron/archive/2008/05/31/microsoft-best-practices-for-preventing-sql-injection-attacks.aspx 
 
 http://msmvps.com/blogs/harrywaldron/archive/2008/06/15/new-sql-injection-attacks-the-need-to-improve-legacy-web-applications.aspx 
 
 http://msmvps.com/blogs/harrywaldron/archive/2008/06/25/sql-injection-mitigation-tips-for-asp-development.aspx

Idea Microsoft, the Internet Storm Center, the SQL-Server Worldwide Users Group (SSWUG), and others are actively promoting the dangers associated with automated SQL injection attacks.  While SQL Injection concerns have been around for several years, these attacks have growth substantially this year because of automation.  There are also numerous vulnerable websites out there, which provide an opportunity for malware attacks.  There is a need to fix these sites and promote secure web development. 

SQL Injection mitigation tips for ASP development
http://isc.sans.org/diary.html?storyid=4610

QUOTE: With the recent SQL injection attacks on ASP pages. A lot of our readers are scrambling to find fixes for their applications. ASP is an older generation Web scripting language would require a bit more work to prevent SQL injection from happening. One of our readers Brian Erman has written a function to filter out the SQL keywords and also escape some the metacharacters in SQL to prevent SQL injection. from happening.

Brian Erman's SQL Injection filtering for ASP
http://paste-it.net/public/c3cb69a/

To stop SQL injection at the root, we have to understand that SQL injection happens because the database cannot effectively distinguish between static portion of the SQL statement and the user input. If there is a way we can tell the database - this is static SQL statement and this is user input, SQL injection could be stopped easily.

In actual fact, such mechanism exists, it is called parameterized query. The user input are passed to the SQL server as an argument (sort of like calling a function in programming language), the SQL server during query execution have a way to identify what part of the statement is static control, and which part is user input.

Parameterized queries have been widely publicized. In classic ASP, parameterized query is possible if you use ADO command object, an example is here. Parameterized query is available on most other web scripting platforms, now is the time to review all your web app before the automated SQL injection exploitation spreads to other language platforms (PHP, CFM, PL)

GOOD EXAMPLES OF PARAMETERIZED QUERIES
http://aspnet101.com/aspnet101/tutorials.aspx
http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=6999
http://www.inrsolutions.com/blog/details.asp?id=5

Music While Malware authors continue to develop exploits to attack vulnerable systems, they are also creating automated toolsets. The new Trojan2Worm toolkit can take any executable and publish it rapidly as worm based malware that can quickly spread on USB, DVDs, CDs, network shares, and other media.

Malware Automation - Trojan2Worm Toolkit
http://vil.nai.com/vil/content/v_146248.htm
http://www.theregister.co.uk/2008/06/18/trojan_worm_toolkit/

QUOTE: This Tool-Kit is used by an attacker to convert any executable into an autorun worm, which can spread through removable devices, by implementing an “AutoRun.inf” configuration file. "Autorun.inf" is a text based configuration file which instructs the Windows operating system to perform some action upon opening a network shared drive, local folder, floppy drive, CD-ROM drive or the insertion of a removable disk drive.

Trojan2Worm (T2W) toolkit turns any executable file into a worm with auto-spreading capabilities. As such it provides the ability for Trojan infection agents to acquire worm-like spreading abilities.

The tool requires minimal skills to use, net security firm Panda Security reports. Features include the ability to compress infectious files or mutate their contents, tricks designed to make it easier to smuggle malware past anti-virus scanners. It's also possible to program malware so that it disables Task Manager, Windows Registry Editor or even selected browsers.

Storm The latest storm worm variant sends false news alerts to trick individuals into selecting links and infecting their system. Avoid these messages and use major news sites as a source for alerts.

Storm Worm - Uses Fictional Breaking News Alerts
http://www.avertlabs.com/research/blog/index.php/2008/06/20/breaking-news-not/
http://www.f-secure.com/weblog/archives/00001459.html

QUOTE: Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high volume spam campaign is using some wacky subjects to lure people into clicking on the links:

Lightning EXAMPLES
Subject: White House hit by lightning, catches fire
Subject: Oprah found sleeping the streets
Subject: Eiffel Tower damaged by massive earthquake
Subject: Donald Trump missing, feared kidnapped
Subject: Lastest! Obama quits presidential race


This clever social engineering technique plays on peoples inquisitiveness in news of natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.

NEVER click on links in an email unless you are sure of its origin, keep your Anti-Virus software up-to-date and if you have a website make sure its properly secured so you’re not hosting stuff like this.

The IT Security website is an excellent resource for researching corporate security needs and best practices. The articles below describe options and best practices for corporate firewall implementations.

http://www.itsecurity.com/features/essential-guide-firewalls-061208/

QUOTE: Firewalls play a central role in IT security, standing between enterprise networks and the outside world to protect computers, applications and other resources from external attack.

Related Articles:

5 Firewall Tests and Supporting Tools

Firewall Comparison Guide

3 Tips For Deploying a Firewall

10 Tips to Make Sure Your Firewall is Really Secure

Moon This new desktop publishing application for rich-text blogging, recently became available. It's free and I plan to learn how to use it in the coming weeks.

Windows Live Writer
http://get.live.com/writer/overview
http://get.live.com/writer/features
http://get.live.com/writer/sysreq

Wikipedia Information
http://en.wikipedia.org/wiki/Windows_Live_Writer

Windows Live Writer Blog
http://windowslivewriter.spaces.live.com/

QUOTE: Windows Live Writer is a desktop application that makes it easy to publish rich content to your blog. Key functions include: 

1. Publish to most major blog services
2. Create a compelling blog easily
3. Preview before you post
4. Compose your entries offline

Time Windows Safari users should apply this release promptly, as it addresses the following security vulnerabilities: 

Windows Safari 3.12 - Addresses recent security concerns
http://isc.sans.org/diary.html?storyid=4601

QUOTE: Safari 3.1.2 for Windows was released to address the following security vulnerabilities:

CVE-ID: CVE-2008-1573
Available for: Windows XP or Vista
Impact: Viewing a maliciously crafted BMP or GIF image may lead to information disclosure

CVE-ID: CVE-2008-2540
Available for: Windows XP or Vista
Impact: Saving untrusted files to the Windows desktop may lead to the execution of arbitrary code

CVE-ID: CVE-2008-2306
Available for: Windows XP or Vista
Impact: Visiting a malicious website which is in a trusted Internet Explorer zone may lead to the automatic execution of arbitrary code

Apple Safari for Windows - Release & Download Links
http://support.apple.com/kb/HT2092
http://www.apple.com/support/downloads/safari312forwindows.html

QUOTE: "This update is recommended for all Safari Windows users and includes stability improvements and the latest security updates".

Time Below are two articles from Computerworld that provide key communication guidelines on what should and should not be shared within a manager/employee relationship.

QUOTE: As an IT professional, you know the basic rules of office politics, the simple do's and don'ts that govern life at work. Adhering to these standards -- the ones that tell you to be proactive and a team player -- will help you keep your job. If you really want to advance, though, you need to know which types of information your boss relies on you to provide:

Article - Five things you should tell your manager
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9097738

1. The real story. "Sugarcoating problems, holding back information, overpromising and consistently underdelivering are all reasons why IT has a bad reputation.

2. Your ideas. "Bring me ideas to improve the business, even if they're outside of IT

3. What you want. Ted Maulucci, CIO at Tridel Corp., a condominium developer in Toronto, tries to shift his workers into the jobs that they enjoy most.

4. No. It takes courage to tell the boss that you don't agree, but it's better for all involved when you say no to suggested projects, timelines, budgets or technologies that just aren't going to work

5. Your successes. No one wants to spend each day hearing only about project setbacks, failed servers and unexpected downtime. Good news is welcome too. Yet IT workers seem reluctant to promote the positive

Five things you should never tell your manager
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9097818

1. All about the technology -- and nothing about the business. Acting like the business is terra incognita is a no-no. "Never tell me you don't know what the business wants but you'll build it when they decide,"

2. There's only one solution. "People can sometimes develop a fondness for a certain technology or programming language or manufacturer into almost a religion, but it's never the case that one type of solution is the proper one for all situations,"

3. Bad opinions about your colleagues. It's a simple rule that can get overlooked when your team is struggling with a missed deadline or a failing project, but think before you point a finger, because bosses generally don't want to hear about it -- especially if you haven't tried to work it out on your own.

4. There's no way. Robert Strickland, senior vice president and CIO of T-Mobile USA Inc. in Bellevue, Wash., makes his position very clear: Everything is possible.

5. A surprise. CIOs almost universally say they don't like surprises -- particularly unpleasant ones. Ian S. Patterson, CIO at Scottrade Inc., a St. Louis-based online brokerage firm, says he always prefers to hear news -- good and bad -- directly from his workers.

This new variant disquises itself as a news flash to tempt users into selecting a hostile URL with a .cn domain

The email tries to convince users to download a dangerous malware object called beijing.exe

McAfee Information (DAT 5321)
http://vil.nai.com/vil/content/v_140835.htm

New Storm Worm - China/Beijing Earthquake Theme
http://www.f-secure.com/weblog/archives/00001457.html
http://www.sophos.com/security/analyses/viruses-and-spyware/w32nuware.html
http://www.theregister.co.uk/2008/06/19/bogus_beijing_quake_malware_ruse/

QUOTE: One of the trademarks of the Storm gang's 18 month lifespan has been that they're very creative and current when it comes to their social engineering techniques, e.g. 1, 2, 3, et cetera. The latest variant is e-mail that arrives to your inbox reporting a violent earthquake in Beijing.

Samples of the bogus alert doing the rounds, featuring subject lines such as "Million dead in Chinese quake", link to a website on a .cn domain. This site claims a quake measured in at 9.0* on the Richter scale has caused millions of casualties while throwing preparations for the games into turmoil. The page contains links to a supposed video that actually downloads the Nuwar-E worm onto the Windows boxes of marks credulous enough to fall for the ruse.

Idea The Mozilla foundation released version 3.0 of Firefox today, which contains improved security, performance, and functionality.  As many individuals use Firefox as a complementary browser, these improvements make version 3.0 a worthwhile upgrade. 

Firefox 3.0 - New Release provides improved security, performance, and functionality
http://isc.sans.org/diary.html?storyid=4580
http://www.mozilla.com/en-US/firefox/

Firefox 3.0 - Mozillazine KB
http://kb.mozillazine.org/Category:Firefox

Firefox 3.0 - English version Download
http://www.mozilla.com/en-US/products/download.html?product=firefox-3.0&os=win&lang=en-US

What’s New in Firefox 3
http://www.mozilla.com/en-US/firefox/3.0/releasenotes/

QUOTE: Firefox 3 is based on the Gecko 1.9 Web rendering platform, which has been under development for the past 34 months. This new platform includes more than 15,000 changes to improve performance, stability, rendering correctness, and code simplification and sustainability. Firefox 3 is built on top of this new platform resulting in a more secure, easier to use, more personal product with a lot more under the hood to offer website and Firefox add-on developers.

FIREFOX 3.0 - NEW SECURITY FEATURES

* One-click site info: Click the site favicon in the location bar to see who owns the site and to check if your connection is protected from eavesdropping. Identity verification is prominently displayed and easier to understand. When a site uses Extended Validation (EV) SSL certificates, the site favicon button will turn green and show the name of the company you're connected to. (Try it here!)

* Malware Protection: malware protection warns users when they arrive at sites which are known to install viruses, spyware, trojans or other malware. (Try it here!)

* New Web Forgery Protection page: the content of pages suspected as web forgeries is no longer shown. (Try it here!)

* New SSL error pages: clearer and stricter error pages are used when Firefox encounters an invalid
SSL certificate. (Try it here!)

* Add-ons and Plugin version check: Firefox now automatically checks add-on and plugin versions and will disable older, insecure versions.

* Secure add-on updates: to improve add-on update security, add-ons that provide updates in an insecure manner will be disabled.

* Anti-virus integration: Firefox will inform anti-virus software when downloading executables.

* Vista Parental Controls: Firefox now respects the Vista system-wide parental control setting for disabling file downloads.

* Effective top-level domain (eTLD) service better restricts cookies and other restricted content to a single domain.

* Better protection against cross-site JSON data leaks.

 

ADDITIONAL LINKS
http://www.mozillazine.org/talkback.html?article=23936
http://www.dria.org/wordpress/archives/2008/06/12/655/
http://software.silicon.com/os/0,39024651,39246115,00.htm
http://www.mozilla.com/en-US/firefox/all-rc.html
http://mozillalinks.org/wp/2008/06/firefox-3-rc-2-review/
http://www.spreadfirefox.com/
http://www.mozilla.com/en-US/firefox/?from=getfirefox

Idea SQL Injection attacks provide an easy way to add malicious redirecting scripts on web sites. Most mainstream Internet sites use secure coding conventions (e.g., ADO, parameterized lists to SQL call statement, well written stored procedures, etc.) 

Prior to these automated SQL infection attacks, some developers may not have been aware of the controls needed (e.g., lack of training or awareness on the need for filtering controls). It was also much easier to get the web pages developed without having to place the extra security logic in.

SQL injections have been around for years, (e.g., including several posts starting in 2004 contained in this blog).  The automation and popular use of SQL injection attacks have now changed the landscape, where the monitoring and prevention of automated SQL injection must be performed by everyone.

As the ISC documents another new attack is circulating, which now embeds the attack into a single SQL statement.  Three good controls were shared for legacy web applications as follows:

Internet Storm Center - New SQL Injection attacks
http://isc.sans.org/diary.html?storyid=4565

QUOTE: We continue to receive more reports of SQL injection attacks, using updated URLs. One of the "neat" features of this exploit is how it uses one single SQL statement which will pull all the necessary information from the database itself.

RECOMMENDATIONS: Finally: How to defend against this? The "simple" answer is of course to just not have any SQL injection faults. But that's easier said then done, in particular for an existing legacy application. A couple other things you can do:

* Limit the database user the web application uses. Maybe it doesn't have to update anything, or only few tables

* Monitor your webapplication for SQL errors. These statements may create some errors if your web application doesn't have sufficient privileges

* Keep a close eye on your data and your application. Look for new javascript in titles and other spots that shouldn't have any

SQL injection attacks and other automated techniques are now used to seed redirecting scripts and malicous objects on web sites. It is more important than ever to use safe practices, and some of these include:
 
 -- Avoid visiting sites suggested in email messages
 -- Avoid numeric IP sites only
 -- Stay with Mainstream websites (and enter them directly rather than from email messages)
 -- Stay up-to-date on AV protection
 -- Stay up-to-date on Microsoft security using Automatic Updates (e.g., Windows, Office, IE, etc.)
 -- Keep other products updated (e.g., Flash, Firefox, etc)
 -- Use IE 7 rather than IE 6 (if you have Windows XP)
 -- Look at the URL names carefully and avoid unusually named sites (a few seconds of caution may prevent hours of repair work)

 
 GNC - Malicious code makes Web surfing risky
 http://www.gcn.com/online/vol1_no1/46417-1.html
 
 McAfee's more detailed study
 http://www.mcafee.com/us/local_content/misc/mapping_the_mal_web_2008.pdf
 
 QUOTE: The chance of downloading malicious code from a Web site has increased 41 percent in the past year, according to a recent study of malignant sites by McAfee Inc. ... During the last three years, the exploitation of browser vulnerabilities through code hosted on Web sites has become the primary method for compromising computers. Some of the sites are set up for to host and distribute the code, although increasingly the malware is being placed surreptitiously on legitimate sites.

Computer Another new attack approach in addition to "carpet bombing" is noted in this article. As a safer and more managable practice, users should never save files to the desktop for any browser.  Instead, setup a special folder called DOWNLOAD as a target for anything you save from email or web browsing.  This way you can remember where it's stored plus isolate and scan it for malware as well.

Safari on Windows - not looking good
http://isc.sans.org/diary.html?storyid=4562

QUOTE: Now, when we combine these two vulnerabilities you get the following – a user visits a malicious web site with Safari. The web site causes Safari to automatically download the DLL file and store it on the desktop. The user now needs to open Internet Explorer from Desktop in order to automatically execute the DLL file. Keep in mind that the shortcut to Internet Explorer has to be on Desktop so the PATH environmental variable gets properly defined (it will make Internet Explorer search current directory for the DLL file).

Overall, the sky isn't falling, but in my opinion both Microsoft and Apple (Safari) should fix these "features". I don't see a reason why Internet Explorer would look for the DLL file in the current directory (this would effectively prevent this vulnerability). Apple should also fix Safari so it at least prompts the user before downloading the file.

If you are using Safari on Windows please change the default download location as described in Microsoft's advisory available at

http://www.microsoft.com/technet/security/advisory/953818.mspx

Time During the last half of 2007, many users were affected by an issue where Windows Update would lockup with the 100% CPU utilizaiton issue.  I also had difficulties at home in updating my oldest PC that used Windows 2000 SP4.  As I used it predominantly for work dial in purposes, I had not moved to XP to keep needed applications intact. 

As it is an older PC, I had tweeked most services so that they are started manually rather than automatically.  This included Windows Update where the Automatic Updates were turned off, (although I had always faithfully updated the system each "Patch Tuesday").

While the 100% update issue was not experienced on any of my XP based systems, the Windows 2000 system was affected.  A variety of things were tested in trying to fix this issue, including deleting all Windows Update web objects and technical settings.  Manually applying these updates (using IE's menu bar of TOOLS / WINDOWS UPDATE), still resulted in 100% CPU utilization.  A few updates were successful, but it locked up the PC environment, so that it could not be used until an update was completed (and this seemed to take much longer to accomplish as well).  

The better solution found was to TURN ON AUTOMATIC UPDATES and let updates stream across in a more transparent manner.  This allowed me to use the PC and get gradually updated throughout the day.  I'ved used this setting since probably February and it's working well so far.   

Windows Update - SVCHOST 100 Percent issue solved at home
http://www.google.com/search?hl=en&q=windows+update+100+percent

Key Microsoft Windows Update Fix - December 2007
http://support.microsoft.com/kb/916089

More Posts Next page »