Web admins should ensure the HTML text editor is secured, as it may be installed automatically by default on some versions of Cold Fusion Studio.

Large # of Cold Fusion web sites compromised in past 24 hours
http://isc.sans.org/diary.html?storyid=6715

QUOTE: There have been a high number of Cold Fusion web sites being compromised in the last 24 hours. It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager.

The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server. It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting.

How to disable the HTML editor to improve safety
http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

MOTB - Month of Twitter Bugs Begins

Security research testing of the Twitter API will be conducted during the month of July.  The stated goal is to bring awareness to the need for strengthening security in this very popular and flexible social network messaging facility.

MOTB Daily Findings published here
http://www.twitpwn.com/

Security Researcher Aviv Raff shares mission statement
http://aviv.raffon.net/2009/06/15/MonthOfTwitterBugs.aspx

QUOTE: Today, three years after the “Month of Browser Bugs”, I’ve decided to declare July 2009 as “Month of Twitter Bugs” (MoTB). I’m doing so in order to raise the awareness of the Twitter API issue I recently blogged about. MoTB could have been easily converted to any other “Month of Web2.0 service bugs”, and I hope that Twitter and other Web2.0 API providers will work closely with their API consumers to develop more secure products.

Below is the 1st documented vulnerability related to shortened URLs that may be shared in these micro-blog messages:

MoTB #01: Multiple vulnerabilities in bit.ly service
http://www.twitpwn.com/2009/07/motb-01-multiple-vulnerabilities-in.html

QUOTE: "bit.ly allows users to shorten, share, and track links (URLs). Reducing the URL length makes sharing easier. bit.ly can be accessed through our website, bookmarklets and a robust and open API. bit.ly is also integrated into several popular third-party tools such as Tweetdeck."

bit.ly has a large user base (who doesn't click bit.ly links?). However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs...

This informative article raises awareness that credit card purchase patterns could be used as part of the analysis in determining whether someone is a higher credit risk.

What You Buy, Where You Shop May Affect Your Credit
http://www.walletpop.com/credit/credit-cards/article/what-you-buy-where-you-shop-may-affect/544639

QUOTE: As credit card companies continue to tighten their lending standards on card users, some are using purchasing data -- gleaned from millions of card transactions processed daily -- to weed out who may or may not be good credit risks.

Have you used your credit card at merchants specializing in secondhand clothing, retread tires, bail bond services, massages, casino gambling or betting? Your credit card issuer may be taking note -- and making decisions about your creditworthiness based on your purchasing behavior. The reason: Buying used clothing or retread tires may be an indication of financial distress and a preamble to missed credit card payments or defaults.

The recent credit crunch has placed greater emphasis on using the data to predict who may be a higher credit risk. Credit card issuers have said people living in states hard hit by foreclosures, such as Florida, Nevada and California (referred to as the "sand states") may be considered increased risks by virtue of the fact that they live there. People who shop at the same establishments where subprime borrowers shop also may be considered higher risk.

I use Firefox as a complementary browser and the latest new version became available today. The upgrade from 3.0.11 went well and so far there are no issues in using the new version.

Firefox 3.5 Home Page
http://www.mozilla.com/en-US/firefox/

Firefox 3.5 Key Features
http://www.mozilla.com/en-US/firefox/features/

Malware writers often use tragic news events to trick users into opening malicious website links, YouTube video links, or attachments.  While most AV vendors have coverage in place, please avoid these types of email messages that are now actively circulating.

Malicious SPAM related to passing of Michael Jackson and Farrah Fawcett

http://isc.sans.org/diary.html?storyid=6646

http://isc.sans.org/diary.html?storyid=6658

http://sanesecurity.blogspot.com/2009/06/michael-jackson-virus-already.html

http://www.avertlabs.com/research/blog/index.php/2009/06/25/bad-news-oportunity-to-spread-malware/

http://securitylabs.websense.com/content/Alerts/3426.aspx

http://vil.nai.com/vil/content/v_132277.htm

http://www.avertlabs.com/research/blog/index.php/2009/06/26/michael-jackson-news-affects-web-traffic/

QUOTE: Michael Jackson virus already. Well, it didn't take long for the "them" to abuse the situation, did it?

The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file offered is called Michael.Jackson.videos.scr

Scareware and other Rogue security programs

Below are some excellent articles and awareness on this popular form of attack. These programs are improving in their methods of emulating Anti-virus programs and should be avoided as they are difficult to clean.

Excellent Article on Scareware and other Rogue security programs
http://lastwatchdog.com/scareware-attacks-spreading-twitter-google-legit/
http://www.usatoday.com/tech/news/2009-06-09-cybergangs-scareware-hackers_N.htm

QUOTE: In some cases, the fake software you buy may actually provide you with some nominal protection. But mostly for your $30 to $80 the only thing you get is temporary relief from the obnoxious dialogue boxes, and misleading hard drive scans.

HOW SCAREWARE TRICKERY ENSNARES INTERNET USERS
1. Criminals buy blocks of ad space on websites, intermittently slipping in a tainted ad.
2. Just visiting a webpage with a tainted ad causes a fake warning box to appear.
3. Clicking "OK" or "Cancel" launches the same thing: a "free scan."
4. After you've been lured into a fake "free" scan of your PC:
5. The bogus scan will purport to find a virus infestation.
6. Ensuing boxes steer the user to activate "Personal Antivirus," on left.
7. The activation prompts take the user to a shopping cart.
8. Declining to place an order triggers endless fake scans.

What is Scareware
http://en.wikipedia.org/wiki/Rogue_software
http://whatis.techtarget.com/definition/scareware.html

QUOTE: Scareware is a type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software. Scareware, which generates pop-ups that resemble Windows system messages, usually purports to be antivirus or antispyware software, a firewall application or a registry cleaner. The messages typically say that a large number of problems -- such as infected files -- have been found on the computer and the user is prompted to purchase software to fix the problems. In reality, no problems were detected and the suggested software purchase may actually contain real malware.

Scareware programs produced by those companies include: DriveCleaner, WinAntivirus, ErrorSafe, WinFixer and XP Antivirus

As many folks realize, Microsoft does not distribute updates by email. However, Microsoft will alert users who have signed up for Patch Tuesday notifications that new updates are available.

In the links below, Trend Labs notes a highly deceptive email that contains authentic-looking HTML and valid Microsoft site links. Even the wording appears to be legitimate. The sender address is also spoofed to appear as if it originated from "Microsoft Customer Support".

Fortunately, messages with spoofed email headers often end up in the spam or bulk mail folders automatically. As Trend Labs notes, the best practice of hovering over email links would reveal a destination different from the one shown in the message.

Finally, when notified of any vendor updates it's always best to go to the vendor's home site to check directly (rather than using the email link). However, this particular attack could trick some users, as it bears some resemblance to a genuine Microsoft security notification.

Trend Labs - “Critical Update” Leads to Critical Info Theft
http://blog.trendmicro.com/critical-update-leads-to-critical-info-theft/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FZBOT%2EBTS&VSect=T

Spoofed “Critical Update” appears to originate from Microsoft
http://www.trendmicro.com/vinfo/images/blog/062209_fig1.gif

QUOTE: Microsoft Corporation regularly issues updates to fix bugs and security vulnerabilities in its software products. These updates are meant to protect its users from different attacks that depend mainly on exploiting these documented bugs. Close to the weekend, we identified spam claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.”

A tricky difference here is that all the links in the email (the links to Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate–except one. The URL where the “critical update” may be downloaded looks legitimate, but hovering over the hyperlink (or checking the source code of the mail) reveals a totally different destination.

Our engineers confirm that the list contained several names of banking institutions, among other social networking targets like Facebook and MySpace, and media sites YouTube and Flickr. The list can be viewed here. Note that the said list may be changed at any time.

How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It then saves gathered information (which presumably includes sensitive information like user name and password, credit card information, etc.) in a file and then sends the file to a dedicated server.
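The "hover over the link" check described above can be automated when triaging suspect mail. The Python script below is an added example, not code from Trend Micro or from this blog: it parses an HTML message and flags every anchor whose visible text shows one domain while its href leads to another, which is exactly the mismatch the post describes. The message body is a constructed sample, and update.example.net is a placeholder host, not an address taken from the post.

```python
"""Added example (not code from the Trend Micro post or this blog): flag HTML
e-mail links whose displayed domain differs from the domain the href points to.
SAMPLE_MAIL is constructed; update.example.net is a placeholder host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that looks like a URL or bare host name (with optional path).
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare text such as 'www.microsoft.com' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Compare on the last two labels so www.microsoft.com and microsoft.com agree.
    Crude on purpose; a production check would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def find_deceptive_links(html):
    """Return the hrefs of anchors whose visible text names a domain other than the
    one the href leads to. Anchors whose text is not URL-like ("Contact Us") are
    skipped, since there is nothing to compare them against."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue
        if registrable(host_of(text)) != registrable(host_of(href)):
            flagged.append(href)
    return flagged


# Constructed sample in the shape the post describes: the footer links are genuine
# and only the "download" link is deceptive (placeholder host update.example.net).
SAMPLE_MAIL = """<html><body>
<p>A critical update for Microsoft Outlook and Outlook Express offers the highest
levels of stability and security. Download it here:</p>
<p><a href="http://update.example.net/critical-update">http://www.microsoft.com/downloads/</a></p>
<p><a href="http://www.microsoft.com/">Contact Us</a> |
<a href="http://www.microsoft.com/">Privacy Statement</a> |
<a href="http://www.microsoft.com/">http://www.microsoft.com/</a></p>
</body></html>"""


if __name__ == "__main__":
    for href in find_deceptive_links(SAMPLE_MAIL):
        print("displayed domain does not match link target:", href)
```

Only the one link whose text claims microsoft.com but whose href goes to the placeholder host is reported; links with plain-word text are ignored because the mismatch can only be judged when the mail shows a URL. The two-label comparison is a deliberate simplification and will under-report for country-code domains such as example.co.uk.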

SPAM email should always be deleted without opening it or any accompanying attachments.  Daily, I receive numerous copies of dating services and other SPAM in my personal email.

Some key dangers include tricking users into visiting malicious websites or revealing credit card or personal information.

Trend Labs shares some dangers in a good awareness article below:

http://blog.trendmicro.com/deceitful-advertisement-thru-dating-spam/

QUOTE: Today we have noticed an increase in the amount of dating spam mails containing phrases such as:

I’m emailing you because I like you
wanted to let you know about my profile
you have been invited to join

The link in the spam points to an adult-dating web page, as well as a profile on the right corner of the screen with a huge clickable ad that says, CLICK HERE TO CHAT FOR FREE.

Following the link opens a page where the visitor is asked to register by providing an email address and password. Afterward the visitor’s browser opens a new site where he/she is prompted to create a preferred chat handle (username). Users tempted to correctly fill up the forms from the shown web pages provide a free service to the cybercriminals as they reveal their valid email addresses, passwords, and credit card information.

Please be careful when visiting websites, as malicious attacks continue to compromise sites that may not be well locked down from a security standpoint.

Nine-Ball Mass Injection attack compromises 40,000 Websites
http://www.eweek.com/c/a/Security/40000-Web-Sites-Compromised-in-Mass-Attack-227486/
http://securitylabs.websense.com/content/Alerts/3421.aspx
http://vil.nai.com/vil/content/v_141590.htm

QUOTE: Websense Security Labs has detected another large mass injection attack in the wild after the Beladen and Gumblar attacks. We are calling this mass compromise Nine-Ball because of the final landing site. We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.

After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate.

Several reports are circulating in the media about a new Microsoft consumer security product that will soon be announced. As early reports sometimes contain inaccuracies, only the company's official announcements should be relied on at this point.

Hopefully, MSE will be successful in providing basic security protection. WGA validation also seems to be a reasonable requirement for the enhanced malware protection this product will offer. Once official Microsoft announcements are published, we'll know more about this new product.

Microsoft Security Essentials (MSE) Beta version to be released soon
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=913455
http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=218100195
http://www.pcmag.com/article2/0,2817,2348996,00.asp
http://news.cnet.com/8301-1009_3-10268040-83.html
http://www.windowslive.com/Connect/Post/14eb0c3e-78fc-4e21-8783-c4521a4d83a6
http://blogs.zdnet.com/microsoft/?p=3120
http://blogs.zdnet.com/Bott/?p=1067

PC Magazine - Early in-depth evaluation
http://www.pcmag.com/article2/0,2817,2348998,00.asp

QUOTE: Microsoft Corp. today said it will release a public beta of its free antimalware software, now called Microsoft Security Essentials, formerly "Morro," next Tuesday for Windows XP, Vista and Windows 7. "This is security you can trust," said Alan Packer, general manager of Microsoft's antimalware team, when asked to define how it differs from rivals, both free and not. "And it's easy to get and easy to use." He stressed the Security Essentials' real-time protection over its scanning functions, which are both integral to any security software worth its weight. "Rather than scan and clean, which it also does, it's trying to keep you from being infected in the first place," Packer said.  Microsoft will not give Security Essentials to everyone who wants it, however. PCs running a copy of Windows that Microsoft decides is counterfeit or pirated -- "non-genuine" in its parlance -- cannot download a copy of the security software.

Hopefully, the Twitter site administrators can respond promptly to the proof-of-concept vulnerabilities crafted by Aviv Raff, a highly experienced security researcher. Users should be alert for any major issues that surface. Most importantly, be careful with all forms of communication, keeping a good focus on privacy and security.

Month of Twitter Bugs - July 2009
http://blogs.zdnet.com/security/?p=3632

QUOTE: A well-known security researcher plans to use the month of July to expose serious vulnerabilities in the Twitter ecosystem. The Month of Twitter Bugs, a project which launches on July 1, is the handiwork of Aviv Raff, a researcher known for his work on Web-based security issues. Raff, who previously warned that the Twitter API is ripe for abuse, says the project will disclose a combination of cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws that put Twitter users at risk of malicious hacker attacks.

Exploits are circulating for this unpatched DirectShow vulnerability, which is triggered when parsing QuickTime media. The Microsoft Fix It provides an easy-to-apply workaround for now and can be reverted if it breaks needed QuickTime functionality:

Fix It registry update can provide protection
(can be enabled/disabled easily)
http://support.microsoft.com/default.aspx/kb/971778

More details can be found in links below:

DirectShow Exploits circulating in the wild
http://myitforum.com/cs2/blogs/cmosby/archive/2009/06/18/directshow-exploit-in-the-wild-symantec-security-response-blog.aspx
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/198

Technical Details on current exploit
http://www.symantec.com/security_response/writeup.jsp?docid=2009-061001-1828-99&tabid=2

Key Microsoft Links
http://www.microsoft.com/technet/security/advisory/971778.mspx
http://support.microsoft.com/default.aspx/kb/971778
http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx

Additional Links
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1537
http://secunia.com/advisories/35268

QUOTE (Secunia): According to Microsoft, the vulnerability is currently being actively exploited.

Microsoft is adjusting Autorun technology for XP to provide the improved safety that Vista currently supports. AVERT Labs notes that any portable storage device (e.g., MP3 player, digital picture frame, digital camera) may also be a vector for Autorun malware. Additionally, these worms often infect unprotected network shares and compromise accounts with weak passwords.

Autorun Worms - Infect more than just USB Flash Drives
http://www.avertlabs.com/research/blog/index.php/2009/06/11/worms-dig-further-than-thumb-drives/

QUOTE:  Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms? 

Answer - Most USB devices that you can plug into your computer that have storage

How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication. How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.”  Devices such as MP3 players are just glorified storage drives with additional functions. One unintended aspect of this functionality may be to assist in worm propagation.

In almost all cases, Windows Update (or preferably Microsoft Update) works accurately. I usually update manually ASAP without waiting on Automatic Updates to start. Windows Update can be immediately invoked by selecting the Windows Update option found in the Safety Shield icon for IE8 or other methods.

All my work PCs were updated without issues for the June 2009 security updates. However, I encountered a rare error on our family PC at home. A total of 10 of 11 updates downloaded and installed properly. However, after rebooting, security update MS09-025 continued to produce a "Download Failed" message. I noted a temporary folder on C: created by the June updates that may have been a factor.

After 3 tries using Windows Update, I then went to Microsoft Download site to manually update MS09-025.  As a starting point, I searched using keyword MS09-025 to locate the specific update that needed to be applied.  After locating the XP security patch, I downloaded and installed this patch manually outside of the regular Windows Update process.

Microsoft's Download Site
Search by bulletin or KB # to find a specific security update for your O/S
http://www.microsoft.com/downloads/en/default.aspx

After successfully installing MS09-025 and rebooting, I reinvoked Windows Update to ensure there were no updates left to be applied. This final step ensured the special manual update process was successful, and we are now properly up-to-date at home.

I've used Opera as a complementary browser since the free "ad-bar" version first surfaced several years ago.  Thankfully the ad bar was later removed and Opera has enjoyed a good track record in security, innovation, and web standards support. While less popular than IE or Firefox, it offers a sophisticated and reliable browser environment.  It is working well so far in early testing.

Opera 10 Beta - New Innovations
http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/Opera-10-Beta-Adds-Turbo-Mode-Makes-Improvements-to-Tabbed-Windows-669426/

QUOTE: The Opera 10 beta includes new features—including a Turbo mode that aims to speed slow connections—that will likely find their way into rival browsers in the future.  Ever wonder what features will be found in the next generation of Web browsers? Well, usually there’s one easy way to find out: Just check out the latest version of Opera.  Opera may not be the best known or most used Web browser out there, but, over the years, it has been one of the most innovative. Often, features that become mainstays across browsers appeared first in Opera.

Opera 10 Beta - Features
http://www.opera.com/browser/next/

Opera 10 Beta - Download
http://www.opera.com/browser/download/?ver=10.00b1

Opera 10 Beta - Blog
http://my.opera.com/desktopteam/blog/

Opera 10 Beta - New Features
http://www.opera.com/docs/changelogs/windows/1000b1/

KEY NEW FEATURES
* Opera Turbo Mode
* Automatic updates
* Crash logging
* Inline spelling checker
* 100/100 and pixel-perfect on the Acid3 test
* Significantly improved performance, particularly on CSS/HTML rendering
* Opera Mail HTML Compose support

Every monthly update should be applied as soon as possible.  Often we are racing against the clock to patch all systems to make them safer from exploits that will emerge or may already be found in-the-wild.

The June 2009 security release has 10 security updates that cover a wide range of MS products (e.g., Windows, IE, Office, and IIS). So far these installed updates are working well and without issues on my PCs. As some of the patched vulnerabilities have working exploits, it is important for everyone to PATCH NOW.

Microsoft Security June 2009 Updates - IMPORTANT Patch Tuesday Updates
https://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx

Excellent Analysis of updates
http://isc.sans.org/diary.html?storyid=6538
http://blog.trendmicro.com/june-2009-microsoft-and-adobe-security-updates/

MS09-018 - Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
MS09-019 - Cumulative Security Update for Internet Explorer (969897)
MS09-020 - Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
MS09-021 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
MS09-022 - Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
MS09-023 - Vulnerability in Windows Search Could Allow Information Disclosure (963093)
MS09-024 - Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
MS09-025 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
MS09-026 - Vulnerability in RPC Could Allow Elevation of Privilege (970238)
MS09-027 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)

Microsoft asking for help with SysInternals Survey
http://isc.sans.org/diary.html?storyid=6544

QUOTE: Hands-down the best tools for determining what is going on on a Windows system are Mark Russinovich's and Bryce Cogswell's Sysinternals Tools.  Frequent contributor Roseman has pointed out that Microsoft is asking for your help improving the Sysinternals tools. Over at the Microsoft Technet blog they are requesting Sysinternals users to take a short survey.

http://blogs.technet.com/sysinternals/archive/2009/06/08/short-sysinternals-customer-survey.aspx

QUOTE: Sysinternals Customer Survey – We could use your help.  We're looking into who uses the Sysinternals tools and what other Microsoft tools you use. Please take this very short questionnaire (7 questions max. depending on how you answer). We won’t ask you who you are, your email or anything that can identify you. - Thanks

Recently, I saw articles stating that the Gumblar website injection attacks were gaining strength and could become worse than Conficker. Gumblar was a very sophisticated malware attack that took off like wildfire a couple of weeks ago. Thankfully, this new threat has almost faded away, as the malware hosting websites were quickly shut down by authorities.

Experts: Gumblar attack is alive, worse than Conficker
http://news.cnet.com/8301-1009_3-10251779-83.html

Gumblar Attacks Dying Off
http://blogs.pcmag.com/securitywatch/2009/06/gumblar_attacks_dying_off.php

Conficker is still alive and well, as it continues to infect up to 50,000 PCs daily. Users need to stay up-to-date on all security updates and AV protection.  We should follow major evolving threats, as sophisticated stealth attacks continue to circulate.

Conficker still infects approximately 50,000 PCs daily
http://viewfromthebunker.com/2009/05/20/conficker-continues-to-spread/
http://www.networkworld.com/news/2009/052109-conficker-still-infecting-50000-pcs.html

QUOTE: The worm is infecting about 50,000 new PCs each day, according to researchers at Symantec, who reported Wednesday that the U.S., Brazil and India have been hit the hardest. "Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide," Symantec said in a blog post.

Malware writers continue to use sophisticated new techniques to hide malware. This new Autorun worm variant hides inside ZIP archives, where AV products sometimes have difficulty locating embedded malware.

WORM_AUTORUN.JFZ injects a copy of itself into every ZIP archive
http://blog.trendmicro.com/autorun-worm-invades-zip/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AUTORUN.JFZ

QUOTE: TrendLabs in Europe, has notified us of a worm that has a unique way of hiding: on infection, WORM_AUTORUN.JFZ writes a copy of itself in every ZIP-compressed file it finds on a system.

When WORM_AUTORUN.JFZ places a copy of itself in an archive, it uses double extension by adding .GIF and .SCR. The .GIF extension is used as its social engineering factor. Curious users who still have their default configurations set in Windows Explorer (where the extension of known file types is hidden) may have an unpleasant experience once they double-click on the purported image file. The .SCR extension, on the other hand, makes it an executable file.

Writing in data files is not the only way this worm assures its existence on a system. It also makes use of traditional spreading methods like dropping a copy of itself (which is kkk.exe) in tandem with autorun.inf into all available physical, removable, and shared drives.
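Both hiding tricks quoted above (a decoy .GIF extension in front of the real .SCR inside a ZIP, and an autorun.inf dropped beside a copy of the worm) can be checked for without executing anything. The Python script below is an added example, not code from Trend Micro or from this blog: scan_zip() lists archive members that carry a decoy-plus-executable double extension, autorun_target() reports which program an autorun.inf would launch, and scan_tree() runs both checks over a directory. The archive and the autorun.inf are constructed samples; kkk.exe is the file name quoted in the post.

```python
"""Added example (not code from the Trend Micro post or this blog): detect
double-extension members inside ZIP archives and autorun.inf files that launch a
program. The archive and autorun.inf below are constructed samples."""
import io
import os
import zipfile

# Extensions Windows will execute when double-clicked (deliberately not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Harmless-looking extensions a worm uses as the visible decoy.
DECOY_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".doc", ".pdf", ".mp3"}


def is_deceptive_name(name):
    """True for names such as 'beach.gif.scr': a decoy extension directly followed by
    an executable one. With Explorer's default 'hide extensions for known file types'
    setting the user sees only 'beach.gif'."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    stem, last = os.path.splitext(base)
    _, decoy = os.path.splitext(stem)
    return last in EXECUTABLE_EXTENSIONS and decoy in DECOY_EXTENSIONS


def scan_zip(data):
    """Return the names of members in a ZIP archive (passed as bytes) that look like
    double-extension executables. The archive is only listed, never extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if is_deceptive_name(info.filename)]


def autorun_target(inf_text):
    """Return the program an autorun.inf would run via open= or shellexecute= in its
    [autorun] section, or None if there is no such directive."""
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                return value.strip()
    return None


def scan_tree(root):
    """Walk a directory tree and report autorun.inf files that launch a program and
    ZIP archives containing deceptively named members."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower() == "autorun.inf":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    target = autorun_target(fh.read())
                if target:
                    findings.append((path, "autorun launches " + target))
            elif fn.lower().endswith(".zip"):
                with open(path, "rb") as fh:
                    for member in scan_zip(fh.read()):
                        findings.append((path, "suspicious member " + member))
    return findings


def build_sample_zip():
    """Constructed archive: two harmless members and one named the way the worm names
    its copies. The 'executable' content is a placeholder byte string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "nothing to see here")
        zf.writestr("photos/beach.jpg", b"\xff\xd8\xff not a real jpeg")
        zf.writestr("photos/beach2.GIF.SCR", b"MZ placeholder, not a real executable")
    return buf.getvalue()


# Constructed autorun.inf of the kind dropped beside the worm copy (kkk.exe).
SAMPLE_AUTORUN_INF = "[AutoRun]\nopen=kkk.exe\nicon=kkk.exe,0\nshell\\open\\command=kkk.exe\n"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        with open(os.path.join(tmp, "photos.zip"), "wb") as fh:
            fh.write(build_sample_zip())
        for path, finding in scan_tree(tmp):
            print(path, "->", finding)
```

Run as a script it writes the two samples to a temporary directory and prints the findings. The ZIP is only listed, never extracted, so the check is safe to run against quarantined files; the extension sets are intentionally short and should be extended to match local policy.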

The U.S. military standards for wireless connectivity and security (the DISA Wireless STIG) are very comprehensive. The 19 PDF documents in the 6MB ZIP file below cover numerous wireless conventions and topics. They provide valuable guidelines for corporate IT in creating wireless security policies and are an excellent educational resource for improving wireless security as well.

Wireless STIG, Version 6 TIM (UNCLASSIFIED)
http://iase.disa.mil/stigs/draft-stigs/index.html

TABLE OF CONTENTS FOR PRIMARY DOCUMENT

1. INTRODUCTION
1.1 Background
1.2 Authority
1.3 Scope
1.4 Writing Conventions
1.5 Vulnerability Severity Code Definitions
1.6 STIG Distribution
1.7 Document Revisions

2. HOW TO PERFORM A WIRELESS REVIEW

3. WIRELESS AND HANDHELD SYSTEM REQUIREMENTS
3.1 Wireless Policy – APPLICABLE to all Devices
3.2 WLAN Compliance Requirements
3.2.1 WLAN Network Devices (WLAN Access Points, Controllers, Authentication Servers, & WIDS)
3.2.2 WLAN Network Devices (WLAN Bridges)
3.2.3 WLAN Clients
3.2.4 Classified WLANs
3.3 Wireless Metropolitan Area Network (WMAN) Compliance Requirements
3.4 Bluetooth
3.5 Miscellaneous Wireless Networking Systems Compliance Requirements
3.5.1 RFID Systems
3.5.2 Free Space Optic (FSO) Terminal Devices
3.5.3 Wireless VoIP
3.5.4 Wireless Keyboards and Mice
3.5.5 ZigBee
3.6 PDA, Smartphone, and Non-wireless E-mail Device Compliance Requirements
3.7 Compliance Requirements for Wireless Remote Access Connections to DoD Networks

APPENDIX A. REFERENCES
A.1 Policy References
A.2 Technical References
APPENDIX B. VMS PROCEDURES
APPENDIX C. LIST OF ACRONYMS
APPENDIX D. SRR WORKSHEETS

This new rogue security program is socially engineered to mimic how a genuine anti-virus product would behave. The screens appear authentic and are professionally done. This program could trick some users, as it's designed to take the user's money without truly cleaning any infections.

Malware Doctor - Another Rogue program to avoid
http://www.avertlabs.com/research/blog/index.php/2009/06/05/yet-another-rogue-security-program/
http://vil.nai.com/vil/content/v_140346.htm

QUOTE: As do most other rogue security programs, Malware Doctor displays misleading fake alerts to entice users into buying a product to “repair” malware problems.

We also noticed some new features in Malware Doctor. Once installed, it performs a system scan. Users see a message indicating this “unregistered” version of Malware Doctor won’t be able to heal or remove infected files and asking the user to activate it at a cost.

Unlike many rogue security programs, which display excessive fake alerts, this version of Malware Doctor reports only a few detections so users will not be very suspicious of it. Once this Trojan detects a supposedly malicious file, it will pop up a message. This Trojan even makes use of McAfee’s malware naming convention.

As noted in Sunbelt's blog, Rod Trent kindly shared this important tuning guide, which can improve performance for corporate AV product implementations.

http://sunbeltblog.blogspot.com/2009/05/guidelines-for-antivirus-exclusions-for_30.html

QUOTE: Earlier in the week, I posted a good set of guidelines for enterprise administrators from Microsoft for antivirus exclusions. Unfortunately, the page that I linked to got pulled. However, Rod Trent was kind enough to share the document (see link below):

Anti-Virus Exclusion Guidelines for Microsoft Applications
http://www.sunbeltsoftware.com/alex/gblog/avguidelines.doc

QUOTE: WHY EXCLUDE -- It is important to achieve a balance between ensuring a secure and virus free server environment while also not interfering with reliability and performance of each server. A lack of exclusions with regards to virus scanning has traditionally been one of the main causes of outages with regards to applications and services. In addition, virus scanning is often a cause of performance issues.

Another excellent illustrated guide by Steve Friedl that describes the value of UAC and the setup procedures for a limited user account on the new Windows 7 operating system.

Steve Friedl - Configuring Windows 7 for a Limited User Account
http://unixwiz.net/techtips/win7-limited-user.html

QUOTE: UAC was introduced with Vista and was widely maligned due to its in-your-faceness, and though it's calmed down some as Vista has been updated, it seems to have really hit its stride in Windows 7. I like UAC a lot.  But even in its imperfect form, it was a good idea, attempting to brighten the terribly blurry line between administrative tasks and user tasks that has plagued Windows since the early days.

Table of Contents
* User Account Control explained
* Method 1: Configuring a new install
* Method 2: Demoting an existing install
* Disabling the Administrator account
* Picking a password
* Securing yourself out of your own machine

McAfee has published an in-depth and informative study on "the most dangerous search terms" that could lead to malware-infected sites. Some of the riskiest terms include "free", "music", "lyrics", or "screensavers". For example, some folks may search for "free mp3 music" only to discover that on these sites nothing is truly free except spyware or other malicious agents.

As search results are returned, be careful with the sites listed, as malware writers can sometimes manipulate search engine ranking statistics to appear more prominently in the return order. Check the spelling and domain names, and look for any warnings that the site might be potentially dangerous. Keep your firewall, AV, anti-spyware (ASW), and other defenses updated and active.

Finally, recognize that there are "no free lunches" on the Internet. Avoidance and careful use of the facilities will complement good technical protection and allow for improved safety from those who wish to take advantage of others.

McAfee Study - Most dangerous search terms
http://us.mcafee.com/en-us/local/docs/most_dangerous_searchterm_us.pdf

QUOTE: The scammers—from solo operators to organized criminals—have quickly realized that the same search engines that enable legitimate businesses to reach more consumers can also be used by criminals to separate more victims from more of their money.

UNIX Turns 40
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133570

QUOTE: Forty years ago this summer, a programmer sat down and knocked out in one month what would become one of the most important pieces of software ever created. In August 1969, Ken Thompson, a programmer at AT&T subsidiary Bell Laboratories, saw the month-long departure of his wife and young son as an opportunity to put his ideas for a new operating system into practice. He wrote the first version of Unix in assembly language for a wimpy Digital Equipment Corp. (DEC) PDP-7 minicomputer, spending one week each on the operating system, a shell, an editor and an assembler.

These ATM trojans are professionally written and attack the Diebold software environment installed on ATMs. So far, it appears that these attacks are occurring only in Eastern European nations.

Data-sniffing trojans burrow into Eastern European ATMs
http://www.theregister.co.uk/2009/06/03/atm_trojans/
http://vil.nai.com/vil/content/v_154358.htm

QUOTE: Security experts have discovered a family of data-stealing trojans that have burrowed into automatic teller machines in Eastern Europe over the past 18 months. The malware logs the magnetic-stripe data and personal identification number of cards used at an infected machine and provides an intuitive interface for retrieving the information using the ATM's receipt printer, according to analysts from SpiderLabs, the research arm of security firm Trustwave. Since late 2007 or so, there have been at least 16 updates to the software, an indication that the authors are working hard to perfect their tool.

Card-sniffing trojans target Diebold ATM software
http://www.theregister.co.uk/2009/03/17/trojan_targets_diebold_atms/

A new JavaScript attack is injecting dangerous exploits into legitimate websites. Please keep AV protection updated and be careful about which websites you visit.

20,000 sites hit with drive-by attack code
http://blogs.zdnet.com/security/?p=3476
http://vil.nai.com/vil/content/v_130621.htm
http://vil.nai.com/vil/content/v_147268.htm

Hackers have broken into more than 20,000 legitimate Web sites to plant malicious code to be used in drive-by malware attacks. According to a warning from Websense Security Labs, the sites have been discovered to be injected with malicious JavaScript, obfuscated code that leads to an active exploit site.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

This is the best guide seen so far for understanding and mitigating this new vulnerability, which attackers are actively exploiting.

Understanding Microsoft's KB971492 IIS5/IIS6 WebDAV Vulnerability
http://unixwiz.net/techtips/ms971492-webdav-vuln.html

QUOTE: Most systems are likely not vulnerable, but unless the flowchart below leads to "You are not vulnerable", we strongly recommend seeking local expertise to help assess your situation properly.

MAJOR TOPICS
1. What is WebDAV?
2. How do I know if I'm vulnerable or not?
3. I'm vulnerable — What do I do?
4. How do I disable WebDAV?
5. What will this break?
6. Web Protocol Checks
7. References
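The guide's "Web Protocol Checks" step comes down to asking an IIS server what it supports. As an added example that is not from the guide or from Microsoft, the Python below sends an HTTP OPTIONS request to one of your own IIS hosts and reports the WebDAV indicators in the reply (the RFC 4918 DAV header, IIS's MS-Author-Via header, and DAV methods in Allow/Public); the two sample replies are constructed, not captured. A non-empty result only establishes the precondition the flowchart starts from, not that the host is unpatched.

```python
import http.client
# Methods that only a WebDAV-enabled IIS advertises in Allow/Public headers.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
               "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample replies (not captured from a real server).
SAMPLE_DAV_ON = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
                 "DAV: 1, 2\r\nMS-Author-Via: DAV\r\n"
                 "Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, "
                 "MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK, SEARCH\r\n"
                 "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n")
SAMPLE_DAV_OFF = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
                  "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
                  "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n")

def parse_response_headers(raw):
    """Split a raw HTTP reply into (status line, [(name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def webdav_indicators(headers):
    """Return header-based signs that WebDAV is enabled (empty list if none)."""
    lower = {name.lower(): value for name, value in headers}
    signs = []
    if "dav" in lower:                                    # RFC 4918 class header
        signs.append("DAV header: " + lower["dav"])
    if "dav" in lower.get("ms-author-via", "").lower():   # IIS-specific hint
        signs.append("MS-Author-Via: DAV")
    advertised = set()
    for field in ("allow", "public"):
        advertised |= {m.strip().upper() for m in lower.get(field, "").split(",")}
    found = sorted(advertised & DAV_METHODS)
    if found:
        signs.append("WebDAV methods advertised: " + ", ".join(found))
    return signs

def check_webdav(host, port=80, path="/", timeout=5):
    """Send OPTIONS to one of your own IIS hosts and return (status, signs)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return resp.status, webdav_indicators(resp.getheaders())
    finally:
        conn.close()
```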

Microsoft's new Bing Search engine is now operational

Home Page
http://www.bing.com/

Bing - Image Search
http://www.bing.com/images

Discovering Bing
http://www.discoverbing.com/tour/

I've applied the "Fix it" workaround and so far no issues noted. This workaround might help corporate and home users until a more permanent patch becomes available. There is also a disabling "Fix it" icon to undo the workaround.

Microsoft DirectShow is Vulnerable
http://www.f-secure.com/weblog/archives/00001692.html

QUOTE: The vulnerability exploits quartz.dll Quicktime parsing. However, you don't have to have QuickTime installed.

Update: Microsoft has published a "Fix It" tool that does the registry changes for you.

Microsoft Direct Show vulnerability (971778) - Fix it Workaround available
http://support.microsoft.com/kb/971778

QUOTE: To implement the workaround that disables QuickTime parsing automatically on a computer that is running Windows 2000, Windows XP or Windows Server 2003, click the Fix this problem link under Enable workaround. To undo the workaround, click the Fix this problem link under Disable workaround. In either scenario, click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

MORE ON VULNERABILITY
http://www.microsoft.com/technet/security/advisory/971778.mspx
