July 2008 - Posts

Companies using Oracle's WebLogic Server should apply protection quickly to address this serious security exposure.

Oracle WebLogic Server - Serious zero-day (exploitable without authentication)
http://isc.sans.org/diary.html?storyid=4798
http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html

QUOTE: Oracle has released an emergency workaround that corrects a 0-day flaw in WebLogic Server and WebLogic Express, specifically with the Apache Connector, which is remotely exploitable without authentication.

Supported Products and Components Affected

• Oracle WebLogic Server 10.0 released through MP1    
• Oracle WebLogic Server 9.0, 9.1, 9.2 released through MP3    
• Oracle WebLogic Server 8.1 released through SP6    
• Oracle WebLogic Server 7.0 released through SP7    
• Oracle WebLogic Server 6.1 released through SP7

Patch Availability: Fixes for this vulnerability will be made available as soon as testing is completed when an updated version of this document will be uploaded and email sent to affected customers. Until fixes are available, workarounds described at

https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html

These articles and templates are excellent resources for making a good business case:

Best Practices - Importance of Making a Good Business Case
http://blogs.techrepublic.com.com/tech-manager/?p=564
http://blogs.techrepublic.com.com/tech-manager/?p=538

Quote:
The vast majority of unsuccessful projects fail not because of poor project management, but because of poor decisions with respect to the choice of projects. A good business case helps to make right decisions and avoid horrible waste.

There is a fallacy that a business case is a thick tedious manuscript, written by professional consultants in an incomprehensible language. It’s printed on high-quality paper stock and placed onto the top shelf of an executive’s office to be used as a breeding ground for dust bunnies. This is not a business case; this is a disaster.

The sole role of a business case is that of a communication tool, composed in a language that the target audience understands and with enough detail to facilitate decision making on his or her part. There’s no magic formula when it comes to the size of a business case. The size is irrelevant. What is relevant is that the business case provides all the necessary information to make the job of the decision maker possible. Brevity is always a virtue.


Business Case and PM Templates
http://www.bizvortex.com/index.php?option=com_content&task=section&id=7&Itemid=31

The IT Security web site provides EXCELLENT resources for corporate users. These articles provide comprehensive guidelines for implementing secure wireless networking.

http://www.itsecurity.com/features/essential-guide-wireless-security-071708/

As more businesses deploy wireless networks to connect employees, professional partners and the general public to company systems and the Internet, the need for enhanced wireless security grows increasingly important. Fortunately, as more companies become aware of the threats facing their wireless networks — and how to combat them — the gap between wired and wireless-network security is gradually narrowing.

Related Articles:

Nail Down Mobile Security

Securing Your Enterprise Wireless Network

Network Scanning: Find Out What’s Really on Your Wireless Network

Wireless Security Checklist

The recent fake UPS bills have been adapted to appear like legitimate invoices and e-tickets a customer might expect to receive by email. Folks who have recently purchased e-tickets should be especially careful.

Airline invoices and e-tickets - Fake malware versions circulating
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110883
http://www.spyware-techie.com/genericdownloaderab-trojan-found-in-fake-invoice-and-airline-e-ticket-emails/
http://www.avertlabs.com/research/blog/index.php/2008/07/25/invoice-spam-takes-flight/
http://www.avertlabs.com/research/blog/index.php/2008/07/24/fake-invoice-spam-carries-malware/

QUOTE: The e-mails, which purport to be from an airline, thank the recipient for using a new "Buy flight ticket Online" service on the airline's site, provide a log-in username and password, and say the person's credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge.

However, the .zip file format attachment is a Trojan horse that steals information, including keystrokes, from the infected Windows PC and transmits that data to a server hosted in Russia, according to McAfee threat researcher Craig Schmugar.

EMAIL MESSAGES TO AVOID

These messages may appear in the following general format:

From: [name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
or
Online order for flight ticket [number]


Hello, Thank you for using our new service “Buy airplane ticket Online” on our website. Your account has been created:

Your login: [characters]
Your password: [characters]

Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the flight ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
[name]
[airline]

Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon)

Below are the first confirmed reports that the new DNS exploits are now being used in the wild. Unpatched or misconfigured DNS servers are at real risk.

DNS cache poisoning attacks exploited in the wild
http://blogs.zdnet.com/security/?p=1590

QUOTE: Numerous independent sources are starting to see evidence of DNS cache poisoning attempts on their local networks, in what appears to be an attempt to take advantage of the “recent” DNS cache poisoning vulnerability:

Surprised? I’m not, since this was pretty logical given that the three publicly available exploits have been downloaded over 15,000 times in the last couple of days. What I’m actually surprised by is that it took so long to produce a working exploit, and despite the media outbreak raising awareness on the potential for abuse, major international and local ISPs remain vulnerable. Ironically, they remain vulnerable just like they’ve always been even though patches for a particular vulnerability were available. Insecure and misconfigured DNS servers were, and continue to be, a realistic threat even in a Web 2.0 world.

More on the risks associated with these new DNS exploits can be found here:

http://msmvps.com/blogs/harrywaldron/archive/2008/07/26/avert-labs-excellent-diagrams-on-new-dns-dangers.aspx

http://msmvps.com/blogs/harrywaldron/archive/2008/07/24/new-dsn-exploits-are-being-developed-patch-your-servers-now.aspx

The diagrams in the link below are excellent in showing how DNS resolves canonical names to numerical IP addresses, and how the bad guys can potentially manipulate these with the new exploits. Most vendors now offer security updates for DNS, and these should be applied as quickly as possible to better protect corporate Internet applications and customer information (especially from potential phishing attacks).

http://www.avertlabs.com/research/blog/index.php/2008/07/23/the-cat-is-out-of-the-bag-dns-bug/

This is a good article on tactics and communication techniques when working with co-workers who create issues in the workplace.

The Thing That Drives Me Nuts About My Co-Worker
http://msn.careerbuilder.com/custom/msn/careeradvice/viewarticle.aspx?articleid=1566

QUOTE: For many people, bad habits are unconscious. John might not realize that clipping his fingernails in the lunchroom is repulsive. Suzy is clueless that coffee was not made to be slurped and Ed doesn't know that showering only three times per week is unhygienic (and stinky!).

Let's be honest: Nobody's perfect; not even you. Results from a recent MSN Zogby data poll show that 20 percent of workers say their co-workers have at least one habit that drives them crazy. So while your co-worker might have a more obvious bothersome tendency (like always talking on speakerphone), maybe your constant complaining about everyone else's behaviors has the same effect.

"You really only have one option when it comes to being annoyed by a fellow employee," says Donna Flagg, president of The Krysalis Group, a business and management consulting firm in New York City. "Simply let your co-worker know how you feel and politely ask them if they would mind curtailing their annoying habit."

Techniques for addressing co-worker issues

1. Ask yourself if the behavior is better described as controlled or a recurring pattern
2. Check yourself
3. Be discreet
4. Be specific
5. Be positive

As IE 8 offers improved security and support for World Wide Web Consortium (W3C) web standards, webmasters and web developers should test their applications extensively in the coming months.

Article: Microsoft confirms IE 8 will ship this year
http://blogs.zdnet.com/microsoft/?p=1500&tag=nl.e539

QUOTE: Microsoft Senior Vice President of Online Services and Windows, Bill Veghte, just told attendees that Microsoft will release the final version of Internet Explorer (IE) 8 to the Web “later this year.”

Microsoft has tried its best not to provide a ship target for IE 8 — like most of its Windows client family of products. Company officials did acknowledge last month that a second public beta of IE 8 is due out in August.

Microsoft has been warning Web developers to prepare now for IE 8, which will be more standards-compliant, by adding a new tag to their sites to keep them from breaking when viewed with IE 8.

IE 8 Beta 2 will be available in August
http://blogs.msdn.com/ie/archive/2008/06/03/ie8-beta-2-coming-in-august.aspx

Below are resources for corporate users related to the developments associated with the new DNS vulnerabilities. The CERT advisory has an excellent list of vendors and their current status for this issue. It is important to apply applicable security patches for DNS servers as quickly as possible due to active exploit development.

So far, two versions of exploit code have been developed for this vulnerability. While the first exploit poisons DNS cache entries, security researcher H.D. Moore has developed a more potent second exploit that can replace nameserver entries, with the potential to redirect traffic to malicious sites (e.g., malware downloading, phishing attacks, etc.).

In some ways, this new security exposure is reminiscent of the Code Red and Blaster attacks during the earlier part of this decade. While security patches were available, many companies did not have the time or insight to patch all of their potential exposures. While there's still time, security administrators should PATCH NOW.

ARTICLES: Major DNS vulnerability now public
http://cwflyris.computerworld.com/t/3374560/1676699/127883/2/
http://isc.sans.org/diary.html?storyid=4765
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://blog.trendmicro.com/major-dns-cache-poisoning-vulnerability-patch-now/
http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=209401195
http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html

QUOTE: "Patch. Today. Now. Yes, stay late." - That's the word from security researcher Dan Kaminsky, who recently presided over an unprecedented effort to coordinate a fix for a DNS vulnerability across more than 80 software and hardware vendors

Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity Inc. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."

The attack can be used to redirect victims to malicious servers on the Internet by targeting the DNS servers that serve as signposts for all of the Internet's traffic. By tricking an ISP's servers into accepting bad information, attackers could redirect that company's customers to malicious Web sites without their knowledge.

Although a software fix is now available for most users of DNS software, it can take time for these updates to work their way through the testing process and actually get installed on the network. "Most people have not patched yet," Vixie said. "That's a gigantic problem for the world."

EXPLOIT DEVELOPMENTS: Second more critical exploit in the wild
http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html

QUOTE: We just added a second exploit which replaces the nameservers of the target domain. This is the bug people should actually care about, since it doesn't matter if anything is already cached. Regarding the cache situation (of the first exploit) -- it's not possible to do cache overwrites, but it is possible to look up the cache timeout, wait for it, and then replace it. With the new exploit module, we just change the DNS server for the entire domain (regardless of what is cached), so it's much more effective for wide-scale hijacking.
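The patches the posts above urge you to apply (for CVE-2008-1447) work by randomizing the UDP source port of a resolver's outbound queries, so that a spoofer has to guess the port as well as the 16-bit transaction ID before the real reply arrives; the Avert Labs diagrams post and the exploit notes quoted above both turn on that detail. The check below is an added example, not code from the original post or from any of the quoted vendors: it assumes you have captured a resolver's outbound queries (e.g., with tcpdump) and reduced them to (source port, transaction ID) pairs, and the three sample captures are constructed, not real traffic.

```python
"""
Heuristic check for DNS source-port randomization (what the CVE-2008-1447 fix adds).

Added example, not code from the original post or the quoted advisories.
Assumption: the defender has captured a resolver's OUTBOUND queries and reduced
each one to a (udp_source_port, transaction_id) pair. The sample captures at the
bottom are constructed, not real traffic.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class PortReport:
    samples: int
    distinct_ports: int
    port_bits: float      # Shannon entropy of the observed source ports
    txid_bits: float      # Shannon entropy of the observed transaction IDs
    guess_bits: float     # what a spoofer must guess per forged reply: port + txid
    verdict: str          # "FIXED", "POOR" or "GOOD"


def shannon_bits(values):
    """Entropy (bits) of the empirical distribution of `values`."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def is_sequential(values, max_step=3):
    """True if every consecutive pair differs by the same small non-zero step."""
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 < abs(steps.pop()) <= max_step


def assess(queries):
    """Classify a resolver from the (source_port, txid) pairs of its outbound queries."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    n = len(queries)
    distinct = len(set(ports))
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    if distinct == 1:
        verdict = "FIXED"   # unpatched behaviour: only the 16-bit txid protects replies
    elif is_sequential(ports) or distinct < 0.9 * n:
        verdict = "POOR"    # predictable or heavily reused ports (a NAT in front of a
    else:                   # patched resolver can cause this too; re-check at the edge)
        verdict = "GOOD"    # ports look randomized across this sample; an entropy
                            # heuristic cannot detect a weak but non-repeating PRNG
    return PortReport(n, distinct, round(port_bits, 2), round(txid_bits, 2),
                      round(port_bits + txid_bits, 2), verdict)


# ---- constructed sample captures (deterministic so the example runs offline) ----
def _pseudo(label, i, modulus):
    """Reproducible stand-in for a random value; sample data only, NOT a secure PRNG."""
    digest = hashlib.sha256(f"{label}:{i}".encode()).digest()
    return int.from_bytes(digest[:2], "big") % modulus

N = 64
# Patched resolver: a fresh ephemeral port and a fresh txid for every query.
PATCHED = [(1024 + _pseudo("port", i, 64512), _pseudo("txid", i, 65536)) for i in range(N)]
# Unpatched resolver: one source port for its whole lifetime, random txid only.
FIXED_PORT = [(53, _pseudo("txid", i, 65536)) for i in range(N)]
# Resolver (or NAT in front of it) that hands out ports in order.
SEQUENTIAL = [(32768 + i, _pseudo("txid", i, 65536)) for i in range(N)]


if __name__ == "__main__":
    for name, capture in (("patched", PATCHED), ("fixed", FIXED_PORT), ("sequential", SEQUENTIAL)):
        print(f"{name:10s} {assess(capture)}")
```

A "GOOD" verdict from the resolver host is not the end of the check: run the same capture on the outside of any NAT or firewall the resolver sits behind, since those devices can rewrite randomized ports back into a predictable sequence.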

Microsoft DNS Patch should be applied ASAP
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

CERT Advisory - Provides a detailed status report by vendor
http://www.kb.cert.org/vuls/id/800113

Vendor | Status | Date Last Updated (see the CERT advisory above for more recent updates)

3com, Inc. | Unknown | 10-Jul-2008
Alcatel-Lucent | Unknown | 23-Jul-2008
Apple Computer, Inc. | Unknown | 5-May-2008
AT&T | Unknown | 21-Apr-2008
Avaya, Inc. | Vulnerable | 16-Jul-2008
Avici Systems, Inc. | Unknown | 21-Apr-2008
Belkin, Inc. | Unknown | 13-Jul-2008
Blue Coat Systems | Vulnerable | 22-Jul-2008
BlueCat Networks, Inc. | Vulnerable | 22-Jul-2008
Check Point Software Technologies | Not Vulnerable | 23-Jul-2008
Cisco Systems, Inc. | Vulnerable | 10-Jul-2008
Conectiva Inc. | Unknown | 5-May-2008
Cray Inc. | Unknown | 5-May-2008
D-Link Systems, Inc. | Unknown | 2-May-2008
Data Connection, Ltd. | Unknown | 21-Apr-2008
Debian GNU/Linux | Vulnerable | 9-Jul-2008
djbdns | Not Vulnerable | 10-Jul-2008
dnsmasq | Vulnerable | 11-Jul-2008
DragonFly BSD Project | Unknown | 3-Jul-2008
EMC Corporation | Unknown | 21-Apr-2008
Engarde Secure Linux | Unknown | 5-May-2008
Ericsson | Unknown | 21-Apr-2008
Extreme Networks | Unknown | 21-Apr-2008
F5 Networks, Inc. | Vulnerable | 14-Jul-2008
Fedora Project | Unknown | 5-May-2008
Force10 Networks, Inc. | Not Vulnerable | 11-Jul-2008
Foundry Networks, Inc. | Not Vulnerable | 10-Jul-2008
FreeBSD, Inc. | Vulnerable | 14-Jul-2008
Fujitsu | Vulnerable | 18-Jul-2008
Gentoo Linux | Vulnerable | 12-Jul-2008
Gnu ADNS | Unknown | 5-May-2008
GNU glibc | Unknown | 5-May-2008
Hewlett-Packard Company | Vulnerable | 16-Jul-2008
Hitachi | Unknown | 21-Apr-2008
Honeywell | Unknown | 21-Apr-2008
IBM Corporation | Vulnerable | 12-Jul-2008
IBM Corporation (zseries) | Unknown | 5-May-2008
IBM eServer | Unknown | 21-Apr-2008
Infoblox | Vulnerable | 21-Jul-2008
Ingrian Networks, Inc. | Unknown | 5-May-2008
Intel Corporation | Unknown | 21-Apr-2008
Internet Systems Consortium | Vulnerable | 14-Jul-2008
JH Software | Not Vulnerable | 10-Jul-2008
Juniper Networks, Inc. | Vulnerable | 10-Jul-2008
Linux Kernel Archives | Unknown | 3-Jun-2008
Lucent Technologies | Unknown | 21-Apr-2008
Luminous Networks | Unknown | 21-Apr-2008
Mandriva, Inc. | Vulnerable | 22-Jul-2008
MaraDNS | Not Vulnerable | 10-Jul-2008
Men & Mice | Unknown | 5-May-2008
Metasolv Software, Inc. | Unknown | 5-May-2008
Microsoft Corporation | Vulnerable | 8-Jul-2008
MontaVista Software, Inc. | Unknown | 5-May-2008
Motorola, Inc. | Unknown | 21-Apr-2008
Multinet (owned Process Software Corporation) | Unknown | 21-Apr-2008
Multitech, Inc. | Unknown | 21-Apr-2008
NEC Corporation | Not Vulnerable | 18-Jul-2008
NetApp | Unknown | 3-Jul-2008
NetBSD | Unknown | 5-May-2008
Netgear, Inc. | Unknown | 21-Apr-2008
Network Appliance, Inc. | Unknown | 21-Apr-2008
Nixu | Vulnerable | 9-Jul-2008
NLnet Labs | Not Vulnerable | 10-Jul-2008
Nokia | Unknown | 21-Apr-2008
Nominum | Vulnerable | 10-Jul-2008
Nortel Networks, Inc. | Unknown | 21-Apr-2008
Novell, Inc. | Vulnerable | 14-Jul-2008
OpenBSD | Vulnerable | 24-Jul-2008
OpenDNS | Not Vulnerable | 10-Jul-2008
Openwall GNU/*/Linux | Vulnerable | 17-Jul-2008
PePLink | Not Vulnerable | 10-Jul-2008
Posadis project | Unknown | 14-Jul-2008
PowerDNS | Not Vulnerable | 10-Jul-2008
QNX, Software Systems, Inc. | Unknown | 5-May-2008
Red Hat, Inc. | Vulnerable | 10-Jul-2008
Redback Networks, Inc. | Unknown | 21-Apr-2008
Secure Computing Network Security Division | Vulnerable | 17-Jul-2008
Shadowsupport | Unknown | 5-May-2008
Siemens | Unknown | 8-Jul-2008
Silicon Graphics, Inc. | Unknown | 5-May-2008
Slackware Linux Inc. | Vulnerable | 12-Jul-2008
Sony Corporation | Unknown | 21-Apr-2008
Sun Microsystems, Inc. | Vulnerable | 10-Jul-2008
SUSE Linux | Vulnerable | 11-Jul-2008
The SCO Group | Unknown | 5-May-2008
Trustix Secure Linux | Unknown | 5-May-2008
Turbolinux | Unknown | 5-May-2008
Ubuntu | Vulnerable | 10-Jul-2008
Wind River Systems, Inc. | Vulnerable | 9-Jul-2008
ZyXEL | Unknown | 21-Apr-2008

This new malware threat is well done from an HTML and social engineering perspective. Microsoft automatically includes the MSRT in its monthly Windows Update process and never sends tools like this out by email. These messages should be deleted.

Windows Malicious Software Removal Tool Free Today
http://sunbeltblog.blogspot.com/2008/07/another-fake-ms-spam.html

QUOTE: As we all know, for quite some time now, spam has stopped just being a nuisance, and became a serious potential security threat.  It used to be that one wouldn’t get too upset if the occasional Viagra email got through a spam filter.  That’s no longer the case: Spam is a significant vector for malware infection through malicious links and social engineering, and if something gets through a spam filter — and then makes it past endpoint protection — one can have all kinds of nasty headaches.  

EXAMPLE OF EMAIL MESSAGE CURRENTLY CIRCULATING

Subject: Windows Malicious Software Removal Tool Free Today.

The content in text format.

Click Here! *** Malicious link removed ***

About this mailing:

You are receiving this e-mail because you subscribed to MSN Featured Offers.
Microsoft respects your privacy. If you do not wish to receive this MSN
Featured Offers e-mail, please click the "Unsubscribe" link below. This will
not unsubscribe you from e-mail communications from third-party advertisers
that may appear in MSN Feature Offers. This shall not constitute an offer by
MSN. MSN shall not be responsible or liable for the advertisers' content nor
any of the goods or service advertised. Prices and item availability subject
to change without notice.

2008 Microsoft | Unsubscribe <http://www.msn.com>  | More Newsletters
<http://www.msn.com>  | Privacy <http://www.msn.com>

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

McAfee and other AV vendors are highlighting this latest social engineering attack. A well-disguised email message appears to come from UPS. It claims that a package cannot be delivered unless the fake waybill attachment is opened.

Users opening these attachments will be infected with malicious code from a downloader that originates from a Russian website.

United Parcel Service - Fake email for package non-delivery 
http://vil.mcafeesecurity.com/vil/content/v_132901.htm
http://wcco.com/techcenter/ups.email.virus.2.771489.html
http://urbanlegends.about.com/b/2008/07/15/ups-virus-warning.htm
http://www.startribune.com/local/25464324.html
http://www.ups.com/content/us/en/about/news/service_updates/virus_us.html

QUOTE: United Parcel Service is warning of a computer virus circulating under the guise of an e-mail from UPS. According to a release from UPS, the virus is attached to an e-mail that warns readers they have a shipment that couldn't be delivered unless they click on the attachment. The e-mail claims the attachment contains a waybill that will allow the undelivered package to be picked up.

COPY OF EMAIL MESSAGE: (spoofed to appear from UPS)

"Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office. 
 
Your UPS"

The attached file is an executable which downloads files from the following server:

hxxp: //fixaserver (dot) ru / ldr / [Removed]

As applicable for their environment, corporate DBAs and system administrators should download, pilot test, and then install these critical security updates to better protect Oracle-based applications.

QUOTE: The Critical Patch Update for July 2008 was released on July 15, 2008. Oracle strongly recommends applying the patches as soon as possible.

Oracle Security Update for July 2008
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Sometimes one bad apple can spoil the entire bunch. A new injection-based codec attack has surfaced which can infect all multimedia files on the hard drive. For example, a malicious MP3 file can be downloaded and, if the fake codec download it prompts for is accepted, the malware injects malicious code into every multimedia file that is processed. Folks should continue to use only trusted sources for music and video.

Infectious Music, Malware-Style
http://www.trustedsource.org/blog/132/Trojan-infecting-multimedia-files
http://blog.trendmicro.com/infectious-music-malware-style/

QUOTE: A malware that infects multimedia files, modifying them to require the download of a fake codec when played had recently been discovered. It infects widely used multimedia file formats such as MP3, WMA and WMV video files by injecting a malicious code. The said malware is also capable of converting files such as MP2 and MP3 into Windows Media Audio (WMA) format. When a user tries to play an infected file, a pop-up message is displayed, asking the user to download a certain codec in order to play the file. The downloaded codec is of course, nothing else but malware.

But this malware takes it to a new, and more dangerous level; it manipulates a person’s multimedia files and uses it against them. People normally keep thousands of multimedia files on their systems, especially MP3s. If each file is infected by the malware then shared through a P2P network, then the user unknowingly turns into a malware host.

The social engineering tactics used by the Storm worm continue to be well engineered. These deceptive messages attempt to trick folks into selecting malicious links that automatically download malware to vulnerable systems.

Storm Worm - Avoid Tabloid headlines in Spam messages
http://redtape.msnbc.com/2008/07/no-presidential.html

QUOTE: No, spammers haven’t hired a bunch of former supermarket tabloid writers. They’re just doing what they do best – exploiting human nature.

The Storm worm is the Internet's version of Broadway’s “Phantom of the Opera” -- the longest running hit show around. Storm first appeared in January 2007, teasing users with a headline about deadly storms that hit Europe -- "230 dead as storm batters Europe," it said, offering a link to a full story. Clickers found themselves infected with the Storm worm.

Storm was an immediate hit for the hackers, who managed to trick hundreds of thousands of recipients into clicking on the booby-trapped link. That enabled them to build an enormous network of hijacked computers, called a botnet, which they use to send out more spam or commit other Internet crimes.

There have been hundreds of Storm variants since the first one, sent by a loosely affiliated gang of computer criminals. Some estimates say that up to 10 million PCs have been infected with Storm at one time or another.

But in April, Microsoft updated its malicious software removal tool, much to the chagrin of the hackers. About four-fifths of the vast Storm network was cut off, said Paul Wood, a security researcher at MessageLabs.

Comprehensive list of dozens of headlines from Message Labs
http://www.msnbc.msn.com/id/25680334

There are dangerous PDF files being circulated by spammers. The new PDF-based attacks typically use JavaScript embedded in the document to infect vulnerable systems. Users should always avoid opening any unexpected document or link in email messages. It is also important to stay up to date on all security updates available from Adobe and other software vendors.

Malicious PDF files - Death of the Internet in 2012
http://blog.trendmicro.com/death-of-the-internet-foretold/

The malware involved in this spam run is detected by Trend Micro as TROJ_PIDIEF.JT, a Trojan that arrives as a PDF file named DOC.PDF. This file promises more information regarding the alleged Internet death.

PIDIEF Trojans are known malware droppers or downloaders, so once users click on the attached PDF file — and whether or not they believe the theory — another malware is already up and running on their systems and doing malicious routines. The death of the Internet is going to be the least of their problems after that …

Internet Storm Center - PDF Javascript based exploits
http://isc.sans.org/diary.html?storyid=4726
