February 2009 - Posts

On Friday, I had a close encounter with another driver who was either checking messages or actually texting beside me on her cell phone.  I was in the right lane and as a defensive driver I noticed her car kept moving closer to mine and she gradually crossed over into my lane.  I tapped on the horn which startled her and she quickly corrected.  I didn't get angry as we all make mistakes occasionally.  At the next light, the phone was most likely put away with lessons learned.

Some common sense tips on driving and mobile phone use include:

-- If you do need to call frequently on the road, use a hands-free setup
-- Focus on not becoming distracted, by avoiding complex or highly emotional calls
-- Pull off the road, if you have a call that might be involved
-- If you're in a traffic jam or long light, use that opportunity only to check your phone quickly if you need to -- but be attentive primarily to being safe on the road
-- Keep calls brief while driving
-- Never check messages, manually dial, text, or perform any other operation that would take your eyes off the road.

 

This article offers excellent advice for professionals applying for IT positions:

Seven mistakes to avoid when applying for Technology Jobs
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128198

QUOTE: In this economy, even having the experience may not be enough.  Always follow résumé best practices -- proper spelling, good organization, consistent font and so on. Realize, too, that if you simply do not meet the required minimum experience, it's very unlikely that you will win the job. Beyond that, if you avoid these all-too-common mistakes that I have seen over years of filling network administrator positions, you'll boost your chance of landing the job.

SUMMARY OF MISTAKES TO AVOID
Mistake 1: Your objective is unclear
Mistake 2: You've listed old skills
Mistake 3: You've created an 'alphabet soup' explosion
Mistake 4: You misuse industry jargon
Mistake 5: You're unclear what 'network administrator' means  (know full responsibilities of position to see if your skills fit, esp. if you've only had partial experience)
Mistake 6: You're vague about your experience, or you're just downright confusing
Mistake 7: You lose sight of the goal (Do not forget your goal. Get your foot in the door for a face-to-face interview)

Apple Safari Browser version 4.0 beta

I always enjoy exploring new technology.  Earlier this week, I installed version 4 on an XP SP3 system at home for a test drive.  So far, this new beta version represents a significant improvement over version 3, which had weaknesses.  A beta product from any vendor should be used on test systems and by experienced users only.

Below are observations so far in testing:

POSITIVE FINDINGS

-- Fast rendering and performance
-- UI is much improved (chrome, tabbing, controls)
-- Good output presentation (crisp presentation of text)
-- Passes the Acid3 test with a 100% score
-- Security improved (new phishing filter, pop-up blocking, "privacy mode", etc)
-- Intuitive easy-to-use interface

AREAS FOR FURTHER IMPROVEMENT

-- Limited in advanced functionality compared with IE8, Firefox, or Opera
-- Tailoring of options and preferences is limited
-- Security still needs to be proven for this build, as with any new product

Review: Apple's Safari 4 browser beta is innovative, fast, fun
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128660

Safari 4.0 Beta - Full Pass of Acid3
http://webkit.org/blog/280/full-pass-of-acid-3/

Apple goes public with security in Safari 4:
http://www.securityfocus.com/brief/915

QUOTE: The security features are not new, however. The company quietly added anti-malware and phishing protection, as well as support for extended validation certificates with its Safari 3.2 update last November. The quiet release of the security features in the previous version of Apple's browser explains why the company did not mark any of its list of 19 security features as new.

Safari 4.0 Beta - Home page
http://www.apple.com/safari/
http://www.apple.com/safari/download/

Safari 4.0 Beta - Summary of Features
http://www.apple.com/safari/features.html

Safari 4.0 Beta - What is new
http://www.apple.com/safari/whats-new.html

Microsoft has created "release candidate" builds of these important service packs, which should be close to the final version.

Vista SP2 and Windows Server 2008 SP2 release candidates
http://windowsteamblog.com/blogs/windowsvista/archive/2009/02/25/announcing-the-service-pack-2-for-windows-vista-and-windows-server-2008-rc.aspx
http://www.eweek.com/c/a/Windows/Microsoft-Ships-Service-Pack-2-for-Windows-Vista-and-Windows-Server-2008-RC

QUOTE: This week we are announcing that Service Pack 2 for Windows Vista and Windows Server 2008 has hit an important milestone in development: Release Candidate (RC).  Starting today, the RC of SP2 for Windows Vista and Windows Server 2008 will be available to TechNet and MSDN subscribers to test prior to final release. In the very near future, we will be making the RC broadly available for anyone to download and test. You can expect another blog post from me when that happens.

Summary of Key Changes
http://windowsteamblog.com/blogs/windowsvista/pages/notable-changes-in-sp2-rc-for-windows-vista-and-windows-server-2008.aspx

Some excellent analysis of security exposures and corporate recommendations is presented in these detailed PDF documents.

GTISC Cyber Threats Report 2009
http://www.gtiscsecuritysummit.com/pdf/CyberThreatsReport2009.pdf
http://www.networkworld.com/newsletters/sec/2009/022309sec1.html
http://www.pcworld.com/article/152330/botnet_spam_attacks_to_target_cellphones_report_warns.html

QUOTE: The cell phone is becoming an entirely new tool— especially outside the U.S., where accessing the Internet from a mobile device can provide a better experience than traditional fixed computing. VoIP technology also continues to improve and will rival landline and mobile communications in terms of reliability and call quality. As Internet telephony and mobile computing handle more and more data, they will become more frequent targets of cyber crime.

NIST Guidelines on Cell Phone and PDA Security (51 pages)
http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf

SECURITY RISKS: The Executive Summary presents a succinct overview including a list of vulnerabilities leading to risks for corporate security from cell phones and PDAs:

• The devices are easily lost or stolen and few have effective access controls or encryption;
• They’re susceptible to infection by malware;
• They can receive spam;
• Wireless communications can be intercepted, remote activation of microphones can eavesdrop on meetings, and spyware can channel confidential information out of the organization;
• Location-tracking systems allow for inference;
• E-mail kept on servers as a convenience for cell-phone/PDA users may be vulnerable to server vulnerabilities.

RECOMMENDATIONS: The key recommendations, which are discussed at length in this 51-page document, include the following (quoting from the list on page ES-2 through ES-4):

1. Organizations should plan and address the security aspects of organization-issued cell phones and PDAs.

2. Organizations should employ appropriate security management practices and controls over handheld devices.

3. Organizations should ensure that handheld devices are deployed, configured, and managed to meet the organizations’ security requirements and objectives.

4. Organizations should ensure an ongoing process of maintaining the security of handheld devices throughout their lifecycle.

This interesting discussion in the Sarbanes-Oxley forums shares some of the reasons why Bernie Madoff was able to avoid detection for so long. There are numerous security and audit "lessons learned" from this major financial scandal of over $50 billion.

http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=2622

Some security firms have labeled this variant B++, as it is a minor variation of "B" designed to work around the controls associated with DNS.

New Conficker variant emerges
http://blogs.pcmag.com/securitywatch/2009/02/confickerb_aka_c.php
http://www.pcadvisor.co.uk/news/index.cfm?newsid=111098
http://mtc.sri.com/Conficker/
http://blogs.technet.com/mmpc/archive/2009/02/20/updated-conficker-functionality.aspx

QUOTE: The new technique in B++ allows bots to pull and verify signed executables from a URL provided by a remote agent. A second new technique uses named pipes to pull the executables; this is a technique that probably can't work out to the Internet generally, but only inside a firewall.

The SRI report says, clearly the Conficker authors are trying to get around the DNS changes limiting their distribution capability, but it remains to be seen if B++ will do that. To quote the Microsoft report "this change may allow the author to distribute malware to machines infected with this new variant...However, there doesn't appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant."

What should you do? What you always should have done: Apply security updates to all systems (especially, in this case, Windows XP and earlier systems), use a firewall and anti-malware software and keep them updated.

In further research, this new vulnerability can be mitigated by turning off JavaScript. AV protection is also available from most vendors at this point.  Always be careful handling any suspicious attachment or weblink found in email.

Adobe PDF - Zero Day Exploit (how to turn off Javascript)
http://isc.sans.org/diary.html?storyid=5902
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
http://blog.trendmicro.com/portable-document-format-or-portable-malware-format/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.IN
http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents/
http://vil.nai.com/vil/content/v_153842.htm

QUOTE: The Shadowserver Foundation has recently become aware of a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9 that is currently on the loose in the wild and being actively exploited. We are aware of several different variations of this attack, however, we were provided with a sample last week in which we were permitted to analyze and detail in this post. We want to make it clear that we did not discover this vulnerability and are only posting this information to make sure others are aware and can adequately protect themselves. All of our testing was done on Adobe Acrobat Reader 8.1.0, 8.1.1, 8.1.2, 8.1.3 (latest release of 8), and 9.0.0 (latest release of 9). We have not confirmed via testing that the exploit actually works on Adobe Acrobat (non-Reader) but believe that it will also affect it as well.

HOW TO DISABLE JAVASCRIPT IN ADOBE READER (from menu bar)
Edit -> Preferences -> JavaScript -> uncheck Enable Acrobat JavaScript
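Disabling JavaScript in Reader, as shown above, is the mitigation for end users. For anyone who has to look at a suspicious PDF attachment before deciding what it is, the following is an added example of a static triage check; it is not Adobe's, ISC's or Shadowserver's code. It scans the raw bytes, plus any FlateDecode streams it can inflate, for the PDF names that carry script (/JavaScript, /JS) or fire an action on open (/OpenAction, /AA), after undoing the #xx name escaping that is legal in PDF and often used to hide those names. All sample PDFs are constructed and harmless.

```python
"""Static triage of a PDF for active content (JavaScript, auto-run actions).

Added example; not Adobe's, ISC's or Shadowserver's code. Scans raw bytes plus
inflatable FlateDecode streams for script-bearing and auto-run PDF names, after
resolving #xx name escapes. Sample PDFs below are constructed and harmless.
"""
import re
import zlib

# PDF names that carry script or cause an action to fire without user interaction.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes, legal inside PDF names and a common way to hide /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every stream that inflates as zlib (FlateDecode)."""
    inflated = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded or corrupt; the raw scan still covers it
    return b"\n".join(inflated)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious names and return a coarse verdict: clean / inspect / review."""
    text = _unescape_names(data + b"\n" + _inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # Negative lookahead stops /JS matching /JSomething and /AA matching /AAxx.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if count:
            hits[name.decode()] = count
    has_script = "/JavaScript" in hits or "/JS" in hits
    auto_runs = "/OpenAction" in hits or "/AA" in hits
    if has_script and auto_runs:
        verdict = "review"   # script wired to run on open: the pattern the advisories describe
    elif hits:
        verdict = "inspect"
    else:
        verdict = "clean"
    return {"hits": hits, "has_script": has_script, "auto_runs": auto_runs, "verdict": verdict}


def make_flate_object(obj_num: int, body: bytes) -> bytes:
    """Constructed helper: wrap bytes in a FlateDecode stream object (stands in for an
    object stream, which is how action dictionaries end up compressed in real files)."""
    comp = zlib.compress(body)
    return (b"%d 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % (obj_num, len(comp))
            + comp + b"\nendstream\nendobj\n")


# Constructed, harmless samples. CLEAN has no actions; OPEN_JS runs script on open;
# OBFUSCATED hides the same names behind #xx escapes; COMPRESSED puts the action in a stream.
HEADER = (b"%PDF-1.4\n2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
          b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")
TRAILER = b"trailer << /Root 1 0 R >>\n%%EOF\n"
CLEAN_PDF = HEADER + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + TRAILER
OPEN_JS_PDF = (HEADER + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
               b"4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n" + TRAILER)
OBFUSCATED_PDF = (HEADER + b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
                  b"4 0 obj << /S /J#61vaScript /J#53 (app.alert('constructed sample')) >> endobj\n" + TRAILER)
COMPRESSED_PDF = (HEADER + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                  + make_flate_object(4, b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")
                  + TRAILER)

if __name__ == "__main__":
    for label, pdf in [("clean", CLEAN_PDF), ("open+js", OPEN_JS_PDF),
                       ("obfuscated", OBFUSCATED_PDF), ("compressed", COMPRESSED_PDF)]:
        print(f"{label:11s} {triage_pdf(pdf)}")
```

A "review" verdict means the file both contains script and is wired to run it on open, which is exactly the combination worth isolating rather than opening. This is a triage heuristic, not a PDF parser: it will miss content in object streams using filters other than Flate, and it says nothing about whether the script is malicious.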

As I've personally seen a couple of these recently, please note that the IRS will not contact you by email, as it's not something they capture in tax returns.  Please delete these messages and do not reply to them or your personal information may be misused.

MSNBC Article - Latest 'phishing' scam lures you with tax return
http://www.msnbc.msn.com/id/29266355/
http://www.irs.gov/newsroom/article/0,,id=202865,00.html

QUOTE: Cyber-thieves are clever crooks. They know an e-mail that looks like it’s from the IRS will get your attention. So they send out fake e-mail that says you are about to be audited or are due a big refund. Who could ignore a message like that?  This is just another clever twist on the old “phishing” scam, designed by identity thieves to steal your personal information.

Right now, the most popular IRS phishing scam deals with a substantial tax refund. The wording and refund amounts vary depending on which crook sends the bogus message.

It’s very easy to determine if that e-mail really is from the Internal Revenue Service – and chances are it’s not. Here’s all you need to remember: The IRS never initiates contact with taxpayers via e-mail if it has to do with your account or private information. 

“We’re not going to send you a notice out of the blue that asks for very sensitive information,” says IRS spokesman Eric Smith. “We don’t ask for your PIN and we don’t ask for passwords. That’s just not the way we do business.”

F-Secure shares this interesting analysis of Mebroot, one of the most advanced malware attacks circulating in-the-wild:

Mebroot - Advanced and Stealthy MBR based Rootkit
http://www.f-secure.com/weblog/archives/00001610.html

QUOTE: One of 2008's most interesting research cases proved to be the Mebroot rootkit. Mebroot has been characterized as possessing a "commercial-grade framework" and as being a "malware Operating System". The most notable of its features is the fact that the rootkit replaces the infected computer's Master Boot Record (MBR). Mebroot therefore compromises the computer at a very low level.

The malware has apparently gone through some extensive quality assurance. It rarely ever crashes the systems it infects, even though it runs at the kernel level. It's even been designed to send crash dumps back to its authors, so that they can improve upon their code if required.

Details of Mebroot functionality uncovered in the presentation included:

• Mebroot is the most advanced and stealthiest malware seen so far

• It operates at the lowest level of the Windows operating system

• Mebroot writes its startup code to the first physical sector on the hard drive

• When an infected machine is started, Mebroot loads first and survives through the Windows boot

• Mebroot hides all changes made to the infected system

• It heavily uses undocumented features of Windows

• It creates a complex network communication system, involving pseudo random domain names

• Large parts of the code are highly obfuscated

• Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder

• All botnet communication is encrypted with an advanced encryption mechanism

• The malware has apparently gone through extensive quality assurance. It never seems to crash the systems it infects, even though it runs at the kernel level

• The Mebroot gang has so far registered around 1000 com/net/biz domain names for their communication needs

• The botnet backdoor functionality is very powerful, even allowing the upload and execution of arbitrary kernel-mode modules

• As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines

Mebroot - Additional Information
http://www.f-secure.com/weblog/archives/00001393.html
http://www.f-secure.com/weblog/archives/00001510.html
http://www2.gmer.net/mbr/
http://www.prevx.com/blog/75/Master-Boot-Record-Rootkit-is-here-and-ITW.html
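Because Mebroot lives in the first physical sector and hides its changes from the running system, the practical defensive check is to compare the boot sector against a known-good baseline. The following is an added example, not F-Secure's, GMER's or Prevx's code: it parses a 512-byte MBR (boot code, partition table, 0x55AA signature), hashes the boot code, and reports deviations from a baseline. The MBR image is constructed in-line so the script runs offline; on a real disk the bytes would come from the raw device.

```python
"""Parse a 512-byte Master Boot Record and check it against a baseline.

Added example; not F-Secure's, GMER's or Prevx's code. The MBR bytes are
constructed here (fake boot code, one NTFS-type partition entry) so it runs
offline; on a real system they would be read from the raw disk device.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootcode_marker: bytes) -> bytes:
    """Construct a fake MBR: 446 bytes of boot code, one partition entry, signature."""
    bootcode = (bootcode_marker + b"\x90" * 446)[:446]
    # Bootable (0x80), type 0x07 (NTFS), starting at LBA 2048, 1,000,000 sectors long.
    entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three slots empty
    return bootcode + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split the sector into boot code hash, non-empty partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    bootcode = sector[:446]
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            PARTITION_ENTRY, sector[off:off + 16])
        if ptype == 0:
            continue                      # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:] == BOOT_SIGNATURE,
    }


def baseline_hash(sector: bytes) -> str:
    """Hash of the boot code to record while the system is known to be clean."""
    return parse_mbr(sector)["bootcode_sha256"]


def check_mbr(sector: bytes, known_good_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches expectations."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != known_good_bootcode_sha256:
        # An MBR rootkit replaces the boot code but usually keeps the partition table intact,
        # so the boot-code hash is the field to watch.
        findings.append("boot code hash differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\x33\xC0\x8E\xD0")      # constructed "known good" boot code
    baseline = baseline_hash(clean)
    tampered = build_sample_mbr(b"\xEB\xFE")            # constructed: boot code replaced
    print("clean   :", check_mbr(clean, baseline))
    print("tampered:", check_mbr(tampered, baseline))
```

The caveat follows directly from the F-Secure findings above: a kernel-level rootkit that hides its changes can serve the original sector to any read made from the infected operating system, so the check only means something when the sector is read from trusted media (a boot CD or a disk mounted on a clean machine), and the baseline hash must be stored off the host.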

Several security sites are highlighting MS09-002 exploits in the wild.  While this is an attack on Internet Explorer security, the malware is embedded in a malicious Word document to trick individuals into opening it. Other forms of attack on unpatched systems are expected to surface, as this bulletin has a high exploitability rating.

MS09-002 IE Exploit in the wild
http://isc.sans.org/diary.html?storyid=5884
http://blog.trendmicro.com/another-exploit-targets-ie7-bug/
http://blogs.pcmag.com/securitywatch/2009/02/malware_targets_recentlypatche.php
http://www.avertlabs.com/research/blog/index.php/2008/12/17/ie-7-exploit-reloaded-the-new-face-of-drive-by-attacks-using-doc-files/
http://www.avertlabs.com/research/blog/index.php/2008/12/09/yet-another-unpatched-drive-by-exploit-found-on-the-web/

QUOTE: Several AV vendors reported about MS09-002 exploits in the wild. We can confirm this – the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and working as charm on an unpatched Windows XP machine.

Initially there was some confusion about this attack as most AV vendors mentioned Word documents. The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document. That being said; there is absolutely nothing preventing attackers from using the exploit in a drive-by attack (and we can, unfortunately, expect that this will happen very soon).

PATCH NOW -- PLEASE ENSURE YOU HAVE APPLIED MS09-002 SECURITY PATCH
http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx

Microsoft Security Updates - February 2009 PATCH NOW

Microsoft and other security firms are warning that IE could soon be exploited, based on reverse engineering techniques used by malware writers.  It's important to apply these security updates promptly to ensure protection.

Microsoft Security Updates - February 2009
http://www.microsoft.com/technet/security/bulletin/ms09-Feb.mspx
http://isc.sans.org/diary.html?storyid=5836
http://www.f-secure.com/weblog/archives/00001604.html 

Microsoft have released details of this month's patches as part of February "Patch Tuesday".

The 4 patches that have been released are as follows:

Critical:

MS09-002 - Cumulative Security Update for Internet Explorer (961260)

Affects: Internet Explorer 7
Link: http://www.microsoft.com/technet/security/Bulletin/MS09-002.mspx


MS09-003 - Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)

Affects: Microsoft Exchange Server 2000/2003/2007
Link: http://www.microsoft.com/technet/security/Bulletin/MS09-003.mspx


Important:

MS09-004 - Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420)

Affects: SQL Server 2000/2005 (Inc Desktop/Express Editions)
Link: http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx


MS09-005 - Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution (957634)

Affects: Visio 2002/2003/2007
Link: http://www.microsoft.com/technet/security/bulletin/MS09-005.mspx

The ISC podcast below shares that Conficker not only deletes system restore points, but it will actually apply the MS08-067 patch as one sophisticated technique for evading detection.

Conficker will actually apply the MS08-067 patch in MEMORY ONLY.  Then as soon as you clean the worm, you have a chance of being infected again because MS08-067 isn't fully applied in your Windows registry environment.  This could make it harder to find in that you think you're patched or it could show up as patched in a scan -- and yet you're still infected.   As shared in my cleaning tips, you must clean, apply patch, and then reboot.

ISC Podcast - includes comments on Conficker
http://isc.sans.org/podcast/podcast25.mp3

Conficker - Cleaning Tips for Corporate Users
http://msmvps.com/blogs/harrywaldron/archive/2009/01/27/conficker-cleaning-tips-for-corporate-users.aspx
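The in-memory patch described above produces a specific, detectable disagreement: a network probe for the MS08-067 condition reports "not vulnerable" while the host's installed-update inventory has no record of the bulletin. The following is an added example, not ISC's or Microsoft's tooling, that reconciles those two data sources over a constructed inventory and maps each outcome to the clean / patch / reboot sequence from the cleaning tips.

```python
"""Reconcile a vulnerability probe's verdict with installed-update inventory.

Added example; not ISC's or Microsoft's tooling. The inventory is constructed.
The signal from the post: a worm that patches MS08-067 in memory only makes a
network probe report "not vulnerable" while the update is absent from the
host's installed-update list. That disagreement is what this flags.
"""
import csv
import io

# Constructed inventory: host, bulletins found in the installed-update inventory
# (';'-separated), and the result of a network probe for the MS08-067 condition.
INVENTORY_CSV = """\
host,installed_bulletins,probe_result
ws01,MS08-067;MS09-002,not_vulnerable
ws02,MS09-002,not_vulnerable
ws03,MS08-067,vulnerable
ws04,,vulnerable
"""

OK = "OK"
SUSPECT_INMEMORY_PATCH = "SUSPECT_INMEMORY_PATCH"   # probe clean, update not installed
PATCH_INCOMPLETE = "PATCH_INCOMPLETE"               # update installed, probe still vulnerable
VULNERABLE = "VULNERABLE"

# Remediation order from the cleaning tips: clean, then patch, then reboot, then verify.
REMEDIATION = {
    SUSPECT_INMEMORY_PATCH: ["scan for and clean the infection", "apply the bulletin",
                             "reboot", "re-run the probe"],
    PATCH_INCOMPLETE: ["reboot to finish the update", "re-run the probe"],
    VULNERABLE: ["apply the bulletin", "reboot", "re-run the probe"],
    OK: [],
}


def classify(installed: set, probe_not_vulnerable: bool, bulletin: str = "MS08-067") -> str:
    """Combine the inventory view and the probe view into one status for a bulletin."""
    has_update = bulletin in installed
    if probe_not_vulnerable and not has_update:
        return SUSPECT_INMEMORY_PATCH   # the Conficker case: looks patched, never installed
    if has_update and not probe_not_vulnerable:
        return PATCH_INCOMPLETE         # installed but not effective yet (reboot pending)
    if has_update:
        return OK
    return VULNERABLE


def reconcile(inventory_csv: str, bulletin: str = "MS08-067") -> dict:
    """Map each host in the CSV to its status for the given bulletin."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        installed = {b for b in row["installed_bulletins"].split(";") if b}
        results[row["host"]] = classify(installed, row["probe_result"] == "not_vulnerable", bulletin)
    return results


if __name__ == "__main__":
    for host, status in reconcile(INVENTORY_CSV).items():
        print(f"{host}: {status} -> {REMEDIATION[status]}")
```

The point is that neither data source is trustworthy on its own here: the probe can be fooled by the worm, and the inventory can be stale. Hosts in the SUSPECT state are the ones a scan-only view would have reported as patched.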

This is a highly technical and detailed analysis of how the Conficker attacks work.

SRI Report - Excellent in-depth analysis of Conficker
http://mtc.sri.com/Conficker/

QUOTE: In this paper, we crack open the Conficker A and B binaries, and analyze many aspects of their internal logic. Some important aspects of this logic include its mechanisms for computing a daily list of new domains, a function that in both Conficker variants, laid dormant during their early propagation stages until November 26 and January 1, respectively. Conficker drones use these daily computed domain names to seek out Internet rendezvous points that may be established by the malware authors whenever they wish to census their drones or upload new binary payloads to them.  This binary update service essentially replaces the classic command and control functions that allow botnets to operate as a collective.
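The daily-computed domain list SRI describes, like the pseudo-random domain names in the Mebroot analysis above, leaves a footprint on the resolver: one host asking for many distinct, random-looking names, most of which do not exist. The following is an added example, not SRI's or F-Secure's code, and it does not reproduce Conficker's domain algorithm, which the page does not give; it flags that behaviour generically from constructed resolver log lines using NXDOMAIN counts, distinctness and label entropy.

```python
"""Flag DNS clients whose lookup pattern looks like domain generation.

Added example; not SRI's or F-Secure's code and not Conficker's algorithm.
It detects the behaviour the report describes (many distinct, random-looking
names that mostly do not resolve) from constructed resolver log lines.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log: timestamp client "query" name type rcode
DNS_LOG = """\
2009-02-20T10:00:01 10.0.0.5 query www.example.com A NOERROR
2009-02-20T10:00:02 10.0.0.5 query mail.example.com A NOERROR
2009-02-20T10:00:03 10.0.0.5 query exmaple.com A NXDOMAIN
2009-02-20T10:00:04 10.0.0.9 query qxkzvwuapd.com A NXDOMAIN
2009-02-20T10:00:04 10.0.0.9 query mrtyolbnse.net A NXDOMAIN
2009-02-20T10:00:05 10.0.0.9 query hgfcijkwqa.biz A NXDOMAIN
2009-02-20T10:00:05 10.0.0.9 query zpdunetyxk.com A NXDOMAIN
2009-02-20T10:00:06 10.0.0.9 query bvsaoqlmhw.net A NXDOMAIN
2009-02-20T10:00:06 10.0.0.9 query tcpgfrzkuy.biz A NXDOMAIN
2009-02-20T10:00:07 10.0.0.9 query update.example.com A NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+) (\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits per character; a 10-letter label with no repeats scores about 3.3, words lower."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name: str) -> str:
    """The registrable label (e.g. 'qxkzvwuapd' from 'qxkzvwuapd.com')."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def analyze(log_text: str) -> dict:
    """Per-client counters: total queries, NXDOMAIN count, distinctness, mean label entropy."""
    per_client = defaultdict(lambda: {"total": 0, "nxdomain": 0, "nx_names": set(), "entropies": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # tolerate lines in other formats
        _ts, client, name, _qtype, rcode = m.groups()
        st = per_client[client]
        st["total"] += 1
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
            st["nx_names"].add(name.lower())
            st["entropies"].append(shannon_entropy(second_level_label(name.lower())))
    stats = {}
    for client, st in per_client.items():
        ent = st["entropies"]
        stats[client] = {
            "total": st["total"],
            "nxdomain": st["nxdomain"],
            "distinct_ratio": len(st["nx_names"]) / st["nxdomain"] if st["nxdomain"] else 0.0,
            "mean_entropy": sum(ent) / len(ent) if ent else 0.0,
        }
    return stats


def flag_clients(log_text: str, min_nxdomain: int = 5, min_distinct_ratio: float = 0.8,
                 min_entropy: float = 2.5) -> list:
    """Clients with many distinct NXDOMAIN answers for high-entropy labels, sorted."""
    return sorted(c for c, s in analyze(log_text).items()
                  if s["nxdomain"] >= min_nxdomain
                  and s["distinct_ratio"] >= min_distinct_ratio
                  and s["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    for client, s in analyze(DNS_LOG).items():
        print(client, s)
    print("flagged:", flag_clients(DNS_LOG))
```

The thresholds are starting points, not tuned values: a single typo (exmaple.com above) stays well under them, while a host cycling through a generated list of registrable names crosses all three. In production the window would be bounded in time and the distinctness check would exclude names that later resolve, since the report notes the rendezvous domains are only registered when the authors want to use them.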

The ISC has just posted an EXCELLENT list of additional cleaning tools and informational links:

Internet Storm Center - Conficker Resource Center
http://isc.sans.org/diary.html?storyid=5860
