February 2011 - Posts

So far, the latest beta version is working well in early testing.

Firefox 4 Beta 12 released
http://isc.sans.edu/diary/Firefox+4+Beta+12+released/10459

Firefox 4 Beta 12 - Release Notes
https://www.mozilla.com/en-US/firefox/4.0b12/releasenotes/

QUOTE: For those of you who would like to contribute to the future of Firefox, while not quite ready for final release, Firefox 4 Beta 12 is considered "stable and safe to use for daily browsing".  There are still some known issues and the Mozilla people do warn that if you are an add-on user there may be some issues with your add-ons, but with the Add-on Compatibility Reporter you can assist the add-on developers as well.

An excellent resource for early Windows 7 SP1 issues:

Microsoft Technet Blogs - The Servicing Guy
http://blogs.technet.com/b/joscon/

QUOTE: Tips and tricks from a Windows support engineer on issues related to servicing

Windows 7 SP1 is now available and should install properly in most cases.  However, the "Early Issues" link below is worth reviewing so that settings can be adjusted as applicable to avoid potential problems.

Windows 7 Service Pack 1 HOME
http://technet.microsoft.com/en-us/library/ff817622(WS.10).aspx

Windows 7 Service Pack 1 for IT Professionals
http://technet.microsoft.com/en-us/library/dd349342(WS.10).aspx

Internet Storm Center - Early issues
http://isc.sans.edu/diary.html?storyid=10453

QUOTE: Right now, there is no urgent reason to install this service pack and it should be tested first. A few areas to watch:

- Whitelisting / Blacklisting: Whitelisting software may not have checksums yet to verify all the files that are modified by the service pack. Same for anti-virus: Some anti-virus products monitor system files for changes and may sound an alert or block the installation of SP 1.

- Firewalls: Third party firewalls may find that some of the low level hooks they use have changed.

- Disk Encryption: In particular full disk encryption that modifies the boot process may find that some of the changes it did are undone by the SP install.

- Custom hardware: If you are using drivers other than those that are included in Windows 7 (or 2008 R2), be careful.

While Windows Update and Firefox's automatic update system help keep the browsers themselves patched, there are components within the browser that often need patching separately.  Keeping Adobe Flash and Java patched is also an important security safeguard.

Browser Security - Up to 80% may need one or more patches
http://sunbeltblog.blogspot.com/2011/02/researcher-at-rsa-80-percent-of.html
http://www.computerworld.com/s/article/9209958/Bulk_of_browsers_found_to_be_at_risk_of_attack

QUOTE: Wolfgang Kandek, CEO of Qualys, said during a presentation at the RSA Security Conference in San Francisco that 80 percent of browsers his company's BrowserCheck service checked were missing one or more patches, ComputerWorld has reported.  "I really thought it would be lower," said Kandek of the nearly 80% of browsers that lacked one or more patches.  BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, including Adobe's Flash and Reader, Oracle's Java and Microsoft's Silverlight and Windows Media Player.

It is difficult to completely erase data from a hard drive, and even more difficult on some of the newest solid state storage devices.  Some military-grade programs will wipe the contents of a hard drive (overwriting everything with binary zeroes); these should be used before disposal or equipment resale.

Solid State Drives - Difficult to erase deleted data
http://blogs.pcmag.com/securitywatch/2011/02/solid-state_memory_is_hard_to.php

QUOTE: Even most novices know that erasing a file doesn't necessarily remove it for good. Fully erasing data can be much trickier than it seems. And now it seems that the newest forms of storage are the hardest to erase. At this week's Usenix FAST 11 conference on File and Storage Technologies in San Jose, California researchers published a paper examining the effectiveness of different secure erasure methodologies on Solid State Disks (SSDs). It turns out to be tricky.

Kim Komando offers free utilities to safely delete all hard drive information
http://www.komando.com/downloads/categories.aspx?cat=Security

Digital certificates should only be installed from trusted sources, as forged certificates are sometimes used in advanced malware attacks.

Malware Digitally Signed With Fake Certificate
http://blogs.pcmag.com/securitywatch/2011/02/malware_digitally_signed_with.php
http://techblog.avira.com/2011/02/21/malware-signed-with-fake-avira-certificate/en/

QUOTE: German security software company Avira has uncovered a malware sample digitally signed with a fake certificate listing them as the signer. The certificate is issued to Avira GmbH and is valid from 2011-02-10 until 2039-31-12.  The malware itself is a member of the well-known Zbot/ZeuS malware family, and is spread via spammed e-mail. Its behavior is not new in any way. After running it deletes the original executable, sets itself to run when Windows starts, and contacts a command server for further instructions.

An excellent article outlining SOX 404 compliance testing and controls:

Sarbanes-Oxley - How to assess Company Level Controls
www.journalofaccountancy.com/Issues/2005/Jun/AssessingCompanyLevelControls

QUOTE:  What are company-level controls? How do CPAs go about evaluating their effectiveness? As the compliance deadline for section 404 of the Sarbanes-Oxley Act approaches for some companies, many have yet to face a critical hurdle: the assessment of their company-level controls. The Public Company Accounting Oversight Board says public companies must assess the design and operating effectiveness of company-level controls in addition to examining detailed control activities at the process and transactional levels.

EXECUTIVE SUMMARY 

* THE ASSESSMENT OF COMPANY-LEVEL CONTROLS is a critical part of complying with section 404 of Sarbanes-Oxley. The PCAOB says public companies must assess the design and operating effectiveness of these controls in addition to examining detailed process- and transactional-level control activities.
 
* COMPANY-LEVEL CONTROLS ARE THOSE THAT PERMEATE an organization and have a significant impact on how it achieves its financial reporting and disclosure objectives. These controls are exemplified by the control environment itself including the tone at the top, corporate codes of conduct and policies and procedures.

* CPAs CAN FOLLOW SIX STEPS TO HELP ENTITIES comply with company-level control requirements. These steps are defining the project plan and key milestones, building a structure to assess the controls, obtaining input on the design of company-level controls, documenting and assessing the controls, testing their effectiveness, and engaging in gap remediation and continuous improvement.

* THESE STEPS ARE REQUIRED OF PUBLIC COMPANIES, but private companies and not-for-profit organizations also can benefit by looking at the process as a best practice that leads to stronger governance and better financial results.

Below is a great list of best practices to help corporations mitigate outside hacking attacks.

Federal Hacking Incident - Some Lessons Learned
http://isc.sans.edu/diary/HBGary+hack+lessons+learned/10438

QUOTE: Unless you've been living under a stone for the last couple of weeks, you will have heard about the HBGary Federal hack. Seeing everything published about this probably makes every security professional think for at least a second, 'Could this happen to me too? ... So what can we learn from this hack? A lot of things that we already preach (or should be preaching):

* Do not use the same passwords for multiple applications/sites. A lot of free, good utilities, such as Password Safe, exist that will allow you to automatically generate strong passwords and store them in an encrypted key chain.

* No matter the size of your company, you should have change management processes that require all changes to be approved by appropriate personnel. While a CEO can request to open a port on the firewall, a security person in charge should approve any such request. If you don’t have multiple roles for this then make sure that appropriate authentication is in place – i.e. verifying such critical requests through other channels.

* You should regularly test your web applications – not only external, but also internal. While this does not guarantee that you will identify and eliminate all security vulnerabilities, it will certainly raise the overall security.

* Encrypt your backups and think twice if you need all those e-mails at one place. Gmail is certainly attractive for storing years of e-mails and searching through them quickly, but imagine what would happen if someone gets access to all your e-mail.

* While we’re on encryption – encrypt sensitive e-mails too - it may seem a nuisance, but it could save the day. PGP Encryption is not difficult to use, there are downsides, of course, so you should balance between usability and security.

* If you are a web-application developer, and have a need to store (hashed) user passwords, remember that algorithms such as MD5 were built for speed! By using today's GPUs, it is possible to crack hundreds of millions of MD5 passwords per second. Remember to use password salts to make rainbow tables useless (otherwise it's usually a matter of seconds before a password is cracked).

* Finally on storing hashed passwords, try to use multiple algorithms to store passwords – something like - sha1(sha1(sha1(password))) will be unnoticeable for the end user, but will make rainbow tables useless and increase the time needed to crack a password (and increase the likelihood an attacker will have to make a custom cracking module for their purpose).
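A worked illustration of the last two points, added here and not part of the ISC diary or this blog: it contrasts a single unsalted MD5 with a per-password random salt plus an iterated hash, and verifies in constant time. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the iterated construction (a stand-in for the diary's nested sha1 suggestion); the salt length and iteration count are assumed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: tune the iteration count to your own
# hardware so a single verification costs a noticeable fraction of a second.
SALT_BYTES = 16
ITERATIONS = 100_000
HASH_NAME = "sha256"


def fast_unsalted_md5(password: str) -> str:
    """The pattern the diary warns against: one fast MD5 and no salt.
    Equal passwords give equal digests, so a precomputed (rainbow) table
    cracks a whole database at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash via PBKDF2-HMAC. The record carries its own
    salt and cost so they can be stored beside the digest and raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant
    time so response timing does not leak how much of the digest matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        candidate = hashlib.pbkdf2_hmac(algo[len("pbkdf2_"):],
                                        password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False                           # malformed or tampered record


def demo() -> dict:
    """Show that salting removes the equal-password/equal-digest property
    rainbow tables depend on, while legitimate logins still verify."""
    pw = "correct horse"                       # constructed sample password
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    return {
        "md5_identical": fast_unsalted_md5(pw) == fast_unsalted_md5(pw),
        "salted_identical": rec_a == rec_b,    # False: different salts
        "verify_ok": verify_password(pw, rec_a) and verify_password(pw, rec_b),
        "verify_wrong": verify_password("wrong", rec_a),
    }


if __name__ == "__main__":
    print(demo())
```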

Malware continues to use highly polymorphic attacks, so that each new wave becomes a unique variant within the malware family.  AV pattern-recognition techniques alone may not detect early waves (coverage on day one is usually around 30%).  However, signature-based AV may still be useful for cleanup and restoration actions.  Heuristic or behavior-based AV products can help improve protection.  Malware defenses cannot rely on a single defense system; complementary layers of protection are always required in a corporate environment.

RSA 2011 - Signature Based Anti-Virus may not be effective
http://blog.trendmicro.com/from-rsa-2011-last-nail-in-the-coffin-for-signature-based-av/

QUOTE: Signature-based antivirus will continue to be a necessary but insufficient element of security measures. However, insofar as using it as the singular strategy to combat malware in the foreseeable future, its heyday is very much over. As Trend Micro CTO Raimund Genes said, signature-based technology is only good for system cleanup and in identifying the specific system modifications made in order to restore the system to its original state. Effective threat prevention today requires a more proactive combination of approaches that take various infection vectors into consideration.

Microsoft's security team has published information about security fixes that are not referenced by CVEs.  These changes go beyond fixing the specific reported routine within the patched product family.  Because bi-directional firewalls or code management systems can often flag such unusual activity, Microsoft explains these special situations as noted below.

How Microsoft Does Undocumented Security Patches
http://blogs.pcmag.com/securitywatch/2011/02/how_microsoft_does_undocumente.php

QUOTE: I came to realize that Microsoft never in their security bulletins identified patched vulnerabilities as internally discovered. I pressed them on it and they were somewhat elliptical in their response, but offline others pointed out that obviously Microsoft was patching other vulnerabilities silently.

Additional Fixes in Microsoft Security Bulletins
http://blogs.technet.com/b/srd/archive/2011/02/14/additional-fixes-in-microsoft-security-bulletins.aspx

QUOTE: From time to time we receive questions regarding fixes not documented in security bulletins. Some call these “silent fixes.” We hope this blog post answers those questions and helps clarify Microsoft’s process in fixing and documenting all vulnerabilities and addressing internally discovered variants.  Much of the security community is aware that Microsoft security updates sometimes contain additional code fixes to address issues beyond the originally reported vulnerability.  This process that ensures a comprehensive update was first publicly documented in a Microsoft TechNet magazine article from June 2006.

Example from 2006
http://technet.microsoft.com/en-us/magazine/2006.05.behindthescenes.aspx

As Egypt and Libya recently shut down Internet service on a national basis, these links describe proposed changes to current law in the USA.

PC Magazine - Senators Kill Off the "Kill Switch"
http://blogs.pcmag.com/securitywatch/2011/02/senators_kill_off_the_kill_swi.php
http://www.politico.com/news/stories/0211/49798.html

QUOTE: Fed up with being associated with censorship and repression, Senators Joe Lieberman, Tom Carper and Susan Collins have introduced a cybersecurity reform bill that explicitly prohibits the president from shutting down the Internet. The group are among the leaders of those in congress pushing for legislation to give the government authority over parts of the Internet in event of an emergency.

The Cybersecurity Freedom Act of 2011 adds language explicitly stating the president can't shut down the Internet. Senator Collins noted in her remarks that this change was a direct result of President Mubarak's actions in Egypt. It also permits owners of assets deemed critical infrastructure by the federal government, and therefore subject to additional Department of Homeland Security regulations, to appeal that decision in a federal court.

A new security release of WordPress has just been published:

ISC - New versions of WordPress
http://isc.sans.edu/diary.html?storyid=10387

WordPress - version 3.0.5 Security release
http://wordpress.org/news/2011/02/wordpress-3-0-5/

QUOTE: This release is shown as a security release and contains a number of fixes for security issues. WordPress is one of the favourite targets, so all are encouraged to upgrade and get the benefits of the security fixes included (make sure you test before throwing it into production).

This process should be automatic for all users.  Just in case, the ISC has flagged some "Patch Now" advisories that will better protect users who haven't recently patched.

Internet Storm Center - Excellent Analysis
http://isc.sans.edu/diary.html?storyid=10375

Microsoft Security Updates - February 2011
https://www.microsoft.com/technet/security/bulletin/ms11-feb.mspx

While exploitation may be difficult to achieve, active firewall protection should help mitigate this new risk until a security patch emerges.

Windows 0-day SMB mrxsmb.dll vulnerability
http://isc.sans.edu/diary.html?storyid=10423
http://www.vupen.com/english/advisories/2011/0394
http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx
http://seclists.org/fulldisclosure/2011/Feb/285

QUOTE: A new vulnerability has been discovered exploiting the SMB component of Windows. The attack involves sending malformed Browser Election requests, leading to a heap overflow within the mrxsmb.dll driver. The vulnerability is known to be able to cause DoS and full control of vulnerable machines. Proof of concept code for DoS has been released. There are reports that this exploit only works on the local network segment (this hasn't been verified).

The general practice of blocking ports 137, 138, 139 and 445 should be observed, especially with this 0-day. MS SRD has posted a blog on this vulnerability stating that remote exploit leading to code execution is highly unlikely.

While new attacks are constantly circulating, some of the most popular methods are older, well-established attacks.  Many of these older attacks persist because they expose the PC more extensively than some of the newer attacks, which are difficult to exploit.  While the M86 report may not completely reflect the malware landscape, it still illustrates the value of keeping all installed software up to date (including all non-MS patches).

Which Old Vulnerabilities Are Still Exploiting Our PCs?
http://blogs.pcmag.com/securitywatch/2011/02/which_old_vulnerabilities_are.php

QUOTE: There have been many stories in the last few days reporting data released by M86 Labs which shows that the list of vulnerabilities being exploited by the "most observed threats" was dominated by those patched many years ago. The implication of the reports is that there are still a lot of people out there who haven't patched their systems in years.

Top 5 Most Observed Vulnerabilities - January 2011
http://www.m86security.com/labs/malware-statistics.asp

QUOTE: Anonymized feedback from M86 filtering installations showed most observed threats were based on the following vulnerabilities:

Vulnerability                                                   Year Disclosed   Year Patched
1. Microsoft Internet Explorer RDS ActiveX                      2006             2006
2. Real Player IERPCtl Remote Code Execution                    2007             2007
3. Office Web Components Active Script Execution                2002             2002
4. Microsoft Access Snapshot Viewer ActiveX Control             2008             2008
5. Microsoft Internet Explorer Deleted Object Event Handling    2010             2010
