September 2008 - Posts
Sunbelt is warning that a new variant of the Fake Antivirus 2008 family has emerged. Please be careful of any pop-up messages you might receive and keep AV protection updated.
eAntiVirusPro - New Fake AntiVirus pop-up variant emerges
http://sunbeltblog.blogspot.com/2008/09/rogue-mania.html
QUOTE: eAntivirusPro is a new clone of Antivirus XP 2008 rogue security product.
Microsoft has announced the next version of its development platform as Visual Studio 2010 and .NET Framework 4.0. Some preliminary features are noted in the links below:
Microsoft Announces Visual Studio 2010 and .NET Framework 4.0
http://www.eweek.com/c/a/Application-Development/Microsoft-Announces-Visual-Studio-2010-and-NET-Framework-40/
http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=210604432
QUOTE: Microsoft announces Visual Studio 2010 and .NET Framework 4.0, and says the overall development strategy revolves around five pillars. The first pillar involves the Visual Studio Team System (VSTS) 2010, formerly codenamed “Rosario.” In the announcement on Sept. 29, Microsoft also described the next release through the following five focus areas:
1. Riding the next-generation platform wave
2. Inspiring developer delight
3. Powering breakthrough departmental applications
4. Enabling emerging trends such as cloud computing
5. Democratizing ALM (application life-cycle management)
This article promotes the need for users to block all pop-up messages by using the latest version of browser software. However, even then pop-up dialogs can sometimes be launched successfully. When this occurs, it is a best practice to always read them carefully and exit safely. One good approach for safely exiting pop-ups is noted below. Finally, most users are not "idiots" as the referenced link suggests, but at times they may be unaware of the risks or careless in their behavior.
NC State tests students on how they react to pop-up messages
http://arstechnica.com/news.ars/post/20080923-study-confirms-users-are-idiots.html
Examples of pop-up messages
http://arstechnica.com/news.media/FakeDialog.png
http://media.arstechnica.com/news.media/malware_warning.png
QUOTE: The authors, who work in the Psychology Department of North Carolina State University, crafted a set of four fake dialog boxes. All of them contained the following warning: "The instruction at '0x77f41d24 referenced memory at '0x595c2a4c.' The memory could not be 'read.' Click OK to terminate program." One of the warnings was indistinguishable from the standard Windows XP system dialog, but the remaining three had a number of warning signs that should tip off users to potential malware.
In all cases, mousing over the "OK" button would cause the cursor to turn into a hand button, behavior more typical of a browser control; all dialogs also had minimize and maximize buttons, while a second added a browser status bar to the bottom of the window. Finally, the most blatant one alternated between black text and a white background and a white-on-black theme. All of these should metaphorically scream, "This is not safe!"
Use of Task Manager to close pop-up messages more safely
http://msmvps.com/blogs/harrywaldron/archive/2008/08/22/malware-close-encounters-close-pop-ups-using-task-manager-to-safely-exit.aspx
Computer security has become more important than ever at both home and work. Technical security products, promptly applying security patches, and the user's actions are all vital. Years ago, many malware writers acted more as pranksters, writing software to delete files or make the PC inoperable. The goal today is to trick users with highly realistic email or websites and then to hide on the PC in order to gain highly sensitive or confidential information over time.
Many attacks use social and technical engineering approaches that can deceive even highly experienced users. For example, malware authors embed actual HTML from real websites or simulate Windows dialog boxes (as noted in the article below). Security is so vital today that it cannot be ignored.
For example, companies MUST have an active awareness program. It's true that some users will march to the beat of a different drum and ignore advice. Still, security awareness cannot be totally ignored. A good program would include:
1. User responsibilities, as most companies have "business use" and "information protection" policies. Users need to know what they can and cannot do at work.
2. Some general training on avoiding malware attacks is helpful in case innovative malware slips past the technical defenses. For example, the Help Desk should be contacted if there are questionable items.
3. Users must know their vital role in safeguarding customer and corporate information. Their laptops, passwords, and other resources could be compromised if safe practices are not followed.
4. Occasional brief all-employee bulletins and an Intranet website can help communicate and promote user responsibilities in the process.
Security evangelism is achieved one step at a time, and companies won't see immediate results. However, these small differences will add up over time. A train-the-trainer model may emerge, as technically savvy users gain knowledge and act as leads in their departments or offices.
The tone and communications make all the difference in the world. While security sometimes requires a "thou shalt not" approach, it shouldn't be the primary theme. A more positive tone of "how to be safe at work and home" may help users become more receptive to learning the principles of protection.
Home and corporate users cannot be expected to become security experts. Conversely, if someone totally ignores the many dangerous security exposures, they will most likely experience technical issues with their PC, or they could even become a victim of fraud. Instead, users should be taught the basic principles of risk avoidance and where to go for help.
Office 2003 SP3 has been reliable on all home and work PCs, as it was installed as soon as it became available one year ago. Anyone on SP2 or earlier releases should update their systems to the latest version for improved security and to remain on active support.
Office 2003 - Move to Service Pack 3 as SP2 Support has ended
http://blogs.technet.com/office_sust...ack-2-sp2.aspx
http://blogs.pcmag.com/securitywatch...oaching_en.php
Office 2003 - SP3 Home and Download Site (118MB)
http://www.microsoft.com/downloads/d...displaylang=en
QUOTE: Microsoft® Office 2003 Service Pack 3 (SP3) represents a major evolution in security for Office 2003. It further hardens the Office suite against potential attacks and other security threats. This service pack also includes fixes that have been previously released as separate updates for Office 2003.
Trend Micro has documented a new bank phishing attack that appears to be a realistic message. This new attack may appear as a Wachovia (latest version) or Bank of America "connection or security update". It warns the user that they will lose their online banking privileges if this agent is not installed.
If users follow these directions, a rootkit will be installed. This is one of the worst forms of malware circulating, as it alters Windows settings so that it becomes completely hidden except to the best rootkit detection tools.
Please always avoid taking any direct actions from ANY email message that you may receive. Always confirm by phone or another more trustworthy source that any message which appears to match your circumstances is truly legitimate. These attacks are so well done that they can deceive experienced users.
Fake Wachovia Security Update installs Rootkit
http://blog.trendmicro.com/wachovia-security-certificate-installs-rootkit/
QUOTE: At 4:18 PM PST yesterday, Advanced Threats Researcher Ivan Macalintal discovered a spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank (NYSE: WB). This attack ends in the execution of a rootkit, TROJ_ROOTKIT.FX, which is a file that hides files and processes, allowing malicious attacks to run entirely beneath the radar.
Malicious rootkits are especially sneaky because they can hide processes and files from even tech-savvy users. This means entire attacks can transpire without the victim even guessing that there is something wrong with the PC. Malicious rootkits are often associated with information theft, and given that this spam appears to target Wachovia subscribers means that malware writers are counting on the chances that the victim’s PC contains critical financial information they can then siphon for their own use.
AVOID EMAIL MESSAGES WITH THESE SUBJECT LINES:
Wachovia Connection Update Alert.
Wachovia Connection Customer Support - Security Updates.
Wachovia Connection upgrade warning.
Wachovia Connection Emergency Alert System.
Sample email message currently circulating
http://www.trendmicro.com/vinfo/images/blog/wachovia_2.gif
Example of Fake Wachovia site can be found here
http://blog.trendmicro.com/phishers-hit-multiple-banks-with-one-stone/
For web based email accounts like Yahoo, Gmail, or Hotmail it is important to use complex passwords and keep them confidential. However, it's also important to safeguard those important "secret questions" that allow for password recovery, where the password would be emailed to a different account after all secret questions are answered successfully.
One safety practice that can be used is to intentionally place "wrong or misspelled answers" for those secret questions so that the current password is not mailed back to someone trying to hack these types of email accounts.
How Sarah Palin's Yahoo email was Hacked
http://www.eweek.com/c/a/Security/Sarah-Palin-Hack-an-Example-of-Password-Recovery-Backfire/
QUOTE: The ease with which Republican vice presidential candidate Sarah Palin's e-mail was hacked is striking and underscores the importance of improving privacy questions for password recovery. A person claiming responsibility for the hack posted details of what he did Wednesday on a 4chan.org message board. The handle of the poster has been linked to the 20-year-old son of Tennessee Democrat Mike Kernell.
Yahoo required the user provide Palin’s birthday and zip code, which the hacker said he found through Wikipedia and Google. The final security measure required him to answer a question regarding where Palin met her spouse; another Google search turned up the answer.
Good article noting that laptops are highly subject to theft or get misplaced by users, much like car keys do for some of us older professionals.
Users need awareness and training on how to properly safeguard laptops while traveling. More importantly, companies need to look at fully encrypting laptops to ensure any sensitive information is protected.
Why Your Laptop Is Definitely Lost
http://www.avertlabs.com/research/blog/index.php/2008/09/19/why-your-laptop-is-definitively-lost/
QUOTE: Laptop and notebook theft is a major problem; it rates at between 3 percent to 7 percent of reported thefts, according to experts. In 2006, a company making computer-tracking products estimated 750,000 pieces of equipment a year were being stolen.
This free PCI DSS training course was downloaded and installed. In a brief review so far, it offers great advice for developers on creating more compliant and secure e-commerce applications.
Free Computer Based Training class - PCI DSS for Developers (38MB download)
https://www.foundstone.com/us/resources/downloads/pci_compliance_developers.zip
QUOTE: Foundstone Professional Services, a Division of McAfee, has recently released a free 2-hour computer based training entitled "PCI DSS v1.1 Compliance for Developers." This hype-free CBT focuses on the PCI DSS requirements and sub-requirements that are most relevant to software developers and offers developer-to-developer technical advice to help achieve compliance. Software security best practices are also stressed throughout the presentation. This is not an advertisement for McAfee products or Foundstone services, just solid information that will help your development teams create more secure software.
During our tough economic times, fraudulent scams are at an all-time high. While this highly informative article discusses primarily mail and phone scams, these solicitations are also being spammed by email. It is important to validate any potential contract and to use only major, trustworthy firms for any type of financing or sale.
MILLIONS AT RISK OF FORECLOSURE FRAUD
http://redtape.msnbc.com/2008/09/post.html
QUOTE: There are many variations on the scams, but they all boil down to two types. There’s a simple fee-based racket, in which the criminal offers to help the homeowner stave off foreclosure, collects an up-front fee and then disappears. But the more lucrative scam involves seducing homeowners into complicated transactions that allow con artists to steal equity in the house or walk away from the closing table after netting thousands in phony payouts.
Consumers facing foreclosure can get help, but they should be very careful where they look. Experts recommend ignoring unexpected solicitations, whether through the mail, by phone or in person. Instead, enlist the help of a HUD-certified counselor. A state-by-state list is available at HUD’s Web site.
A new exploit for the latest versions of Apple's QuickTime and iTunes products has been publicly published. So far, this exploit is minor in scope, as it can only alter the stack cookie and cause the new product versions to crash. Users should follow further developments and ensure the music and media files they use are safe. AV protection is also emerging for this new exploit.
New QuickTime 7.5.5 and iTunes 8 Exploits
http://www.avertlabs.com/research/blog/index.php/2008/09/18/the-true-of-recent-0day-for-quicktime755itunes80/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114999
QUOTE: A 0day exploit for the latest Quicktime7.5.5/Itunes8.0 was released yesterday. The exploit author announced this as a Remote Heap Overflow so we decided to take a look and analyze it. After our research, we found that this is actually an off-by-one stack overflow. Some noteworthy points are:
1. QuickTime has the /GS switch option enabled, hence a cookie is put into the stack.
2. Since this is an off-by-one stack overflow, the attacker can just overwrite one byte of the cookie. The Check_stack_cookie function is called when the function returns. If Check_stack_cookie finds that the cookie does not match, the program exits. This results in the crash of the QuickTime/Itunes application.
Hence, it is unlikely that code execution via this attack vector would be feasible. Users of these apps, however, should take them seriously and look at appropriate defenses.
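The /GS behaviour described in the two points above, as an added illustration (not code from the page, Apple, or the researchers): a constructed model of a cookie-protected frame in which a one-byte overrun lands on the cookie rather than the saved return address, so the check fails closed and the process exits. The frame layout, the default cookie constant and the return address are assumptions for the model.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a /GS-protected stack frame (not QuickTime code).
 * The compiler places a cookie between local buffers and the saved return
 * address; a struct keeps the one-byte overrun inside a single object so
 * the demonstration is well-defined C rather than real stack smashing. */
#define BUF_LEN 16

struct gs_frame {
    unsigned char buf[BUF_LEN]; /* local buffer the parser fills */
    uint32_t cookie;            /* copy of __security_cookie, checked on return */
    uint32_t saved_ret;         /* stand-in for the saved return address */
};

enum gs_result { GS_OK = 0, GS_COOKIE_MISMATCH = 1 };

/* MSVC's default initial cookie value, used here as a stand-in; a real
 * process randomizes it at start-up. The return address is constructed. */
static const uint32_t g_security_cookie = 0xBB40E64Eu;
static const uint32_t k_return_addr = 0x00401000u;

/* The defect class the page describes: the copy trusts a length taken from
 * the file and can write one byte past the buffer. Clamped to +1 so the
 * model stays an off-by-one and nothing more. */
static void copy_untrusted(struct gs_frame *f, const unsigned char *src, size_t len) {
    if (len > BUF_LEN + 1) len = BUF_LEN + 1; /* at most one byte past */
    memcpy((unsigned char *)f, src, len);     /* byte 17 lands on the cookie */
}

/* Models __security_check_cookie. The real runtime terminates the process
 * on mismatch (the "crash" in the quote); here a code is returned instead. */
static enum gs_result check_stack_cookie(const struct gs_frame *f) {
    return f->cookie == g_security_cookie ? GS_OK : GS_COOKIE_MISMATCH;
}

/* Run the protected function on `len` bytes of `fill`; report the cookie
 * check result and whether the saved return address survived. */
enum gs_result run_case(size_t len, unsigned char fill, int *ret_intact) {
    unsigned char payload[BUF_LEN + 1];
    struct gs_frame f;
    memset(payload, fill, sizeof payload);
    memset(&f, 0, sizeof f);
    f.cookie = g_security_cookie;
    f.saved_ret = k_return_addr;
    copy_untrusted(&f, payload, len);
    *ret_intact = (f.saved_ret == k_return_addr);
    return check_stack_cookie(&f);
}

/* In-bounds write: cookie intact, the function returns normally. Returns 1. */
int case_in_bounds(void) {
    int intact;
    return run_case(BUF_LEN, 'A', &intact) == GS_OK && intact;
}

/* Off-by-one: the stray byte hits the cookie, not the return address, so
 * the check fails and the process exits before any hijacked return. Caveat
 * for defenders: a stray byte equal to that cookie byte would pass the
 * check, which is why the quote calls code execution "unlikely". Returns 1. */
int case_off_by_one(void) {
    int intact;
    return run_case(BUF_LEN + 1, 'A', &intact) == GS_COOKIE_MISMATCH && intact;
}
```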
Another variant of the shipping invoice attacks has emerged and should be avoided. AV protection is improving, and folks expecting actual shipments should always use the phone instead of email for contacting their shipping company if there are any issues.
More Fake UPS Invoice Attacks
http://isc.sans.org/diary.html?storyid=5051
We received two reports of fake UPS invoice tracking Trojan zip files. This is similar to other invoice Trojans we have seen. This appears to be a two-way conversation, but it was really just the spammer who created the whole thing.
EXAMPLE OF EMAIL TO AVOID
To: victims @ email.address
Subject: Re: missing package
From: John Henry <johnhenry.support @ ups.com>
Reply-To: johnhenry.support @ ups.com
Mr./Mrs. Victims First and Last name
I am sorry for this late reply, but we have good news.
We managed to track your package, and we have attached the
invoice you asked for to this reply.
The invoice contains the correct tracking# , since the one
you gave us was invalid.
You can use it on the ups website to track your shipment.
Thank you
John Henry
UPS Customer Care Department
ATTACHMENT: invoice.zip <--- Do not open this file
One might assume a prestigious site like Business Week would always be completely safe. However, a weakness in their website security was discovered by malicious individuals which allowed SQL injection. These SQL injection attacks would secretly route user requests or information back to fake sites hosted in Russia. However, these fake websites are currently offline.
SQL injection attacks usually exploit a weakness in the site's own application programming rather than a security flaw in the supporting web server software. While I'm certain Business Week will take measures to correct this issue, this example illustrates the need for all of us to be cautious when surfing the Internet. McAfee, Sophos, and other vendors have also added AV protection.
Business Week website attacked by new SQL Injection attack
http://www.net-security.org/malware_news.php?id=990
http://vil.nai.com/vil/content/v_150261.htm
http://www.theregister.co.uk/2008/09/16/businessweek_hacked/
QUOTE: Folks from Sophos have discovered that the website of BusinessWeek, the world famous weekly magazine, has been attacked by hackers in an attempt to infect its readership with malware.
Hundreds of webpages in a section of BusinessWeek’s website which offers information about where MBA students might find future employers have been affected. According to Sophos, hackers used an SQL injection attack - where a vulnerability is exploited in order to insert malicious code into the site's underlying database - to pepper pages with code that tries to download malware from a Russian web server.
At the time of writing, the code injected into BusinessWeek’s website points to a Russian website that is currently down and not delivering further malicious code. However, it could be revived at any time, infecting hundreds of MBA students looking for high-earning jobs. Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers' scripts are still present and active on their site.
A home based wireless LAN (WLAN) can provide convenient access to the Internet for all family members. Likewise, if it is not locked down properly, it provides access to others. Most "visitors" would access a non-secured WLAN for free Internet connectivity. However, there are dangers: private information on hard drives attached to the WLAN could be discovered, or these visitors may access highly inappropriate sites.
Likewise, a business must protect the privacy of its customer information. If a WLAN is set up, there is a need to use the latest equipment and the safest security protocols, and to take time to learn the key elements of wireless security. As the article from AVERT Labs reflects, it's too dangerous to leave unsecured.
Wireless Security - Too Dangerous to ignore
http://www.avertlabs.com/research/blog/index.php/2008/09/15/the-perils-of-leaving-wi-fi-networks-unsecured/
QUOTE: People don’t seem to seriously care about Wi-Fi security yet. In spite of oft-repeated warnings, ignorant folks with unlimited bandwidth plans believe that they are doing a social service by allowing neighbors to leach their Wi-Fi freely. What they fail to understand is that by doing so, they can become an unwitting accessory to cyber crime.
Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-FI networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords is all it takes to freely connect to unsecured Wi-FI networks. Especially since most Wi-Fi routers use default security settings that come pre-installed by the vendor rather than having been configured by the end user.
Additional links and resources are noted below:
Example of failure that may cost $1 billion in Financial damages
http://blogs.zdnet.com/Ou/?p=485
How to Secure a Wireless LAN
http://www.dailywireless.com/features/secure-wireless-lan-021507/
Windows XP - Use WPA2 protocol (never use WEP)
http://en.wikipedia.org/wiki/WPA2
Wireless Security - 10 tips to secure your laptop
http://www.informationweek.com/news/showArticle.jhtml?articleID=203102748
George Ou - More on Wireless LAN security
http://blogs.techrepublic.com.com/Ou/?p=404
Simple Advice for Wireless Home Networking
http://blogs.techrepublic.com.com/Ou/?p=42
http://blogs.techrepublic.com.com/Ou/?p=43
Greek hackers were able to penetrate LHC web server security controls to deface their public website. The network control system remained secure, as this is usually isolated by design from the Internet. CERN is evaluating this incident further to ensure all critical access remains secure.
Large Hadron Collider security compromised with Website defacement
http://government.zdnet.com/?p=3996
http://www.telegraph.co.uk/earth/main.jhtml?view=DETAILS&grid=&xml=/earth/2008/09/12/scicern212.xml
QUOTE: A team of Greek hackers calling themselves Greek Security Team has penetrated the Large Hadron Collider and defaced a public website. No real damage done, but the hackers got perilously close.
Scientists working at Cern, the organisation that runs the vast smasher, were worried about what the hackers could do because they were "one step away" from the computer control system of one of the huge detectors of the machine, a vast magnet that weighs 12,500 tons, measuring around 21 metres in length and 15 metres wide/high.
If they had hacked into a second computer network, they could have turned off parts of the vast detector and, said the insider, "it is hard enough to make these things work if no one is messing with it." Fortunately, only one file was damaged but one of the scientists firing off emails as the CMS team fought off the hackers said it was a "scary experience".
To refine security methods Cern set up a working group called Computing and Network Infrastructure for Controls. One document written by the group said: "Recent events show that computer security issues are becoming a serious problem also at Cern."
Large Hadron Collider - Home Page (currently offline)
http://cmsmon.cern.ch/