myITforum.com, Inc.


Harry Waldron - My IT Forums Blog

Sharing Security Developments and Best Practices for corporate and home users
  • Linux OpenSSL Issues - Update your Debian generated keys/certs ASAP

    As recommended, these keys should be regenerated for better protection after applying the latest release. The links below can help explain some of the key issues:

    INFOCon yellow: update your Debian generated keys/certs ASAP
    http://isc.sans.org/diary.html?storyid=4421

    QUOTE: Scripts that allow brute forcing of vulnerable keys (see this as rainbow tables for SSH keys) are in the wild so we would like to remind all of you to regenerate SSH keys ASAP. Please keep in mind that SSL certificates should be regenerated as well. This can be even more problematic if you had your certificates signed since you'll have to go through this process again (and possibly pay money again).

    Update 2310 UTC: The new Debian package for SSH (ssh_4.3p2-9etch1) also applies a package called "openssh-blacklist". After this update, your SSH server will refuse keys from the compromised set. The package also installs a new tool called "ssh-vulnkey" that can help in hunting down key files that contain weak keys. Note that in combination with the existing ssh-keyscan, ssh-vulnkey can be used to easily identify servers that use weak host keys, so while these Debian patches help those who patch, they also make attacks easier against those who did not yet patch.

    Additional Links
    http://www.pcmag.com/article2/0,2817,2305554,00.asp
    http://www.avertlabs.com/research/blog/index.php/2008/05/16/code-cleanup-gone-wrong/

    H.D. Moore's Analysis
    http://metasploit.com/users/hdm/tools/debian-openssl/

    QUOTE: But the bug introduced by Debian effectively reduces the strength of the key to 32768 permutations, which is 16 bits. Famed security researcher HD Moore has actually already pre-calculated all of the potential keys for the most common cases. It took mere hours. So now you can be hacked even without someone brute-forcing your encryption
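    The ssh-vulnkey tool mentioned above works by comparing each key's fingerprint against a blacklist of the known-weak keys. The Python script below is an added example, not part of the original post or of the Debian tooling, that shows the same audit shape over an authorized_keys file: parse each entry, compute the classic MD5 fingerprint of the key blob, and report any entry whose fingerprint is on the blacklist. The key blobs, the blacklist and the file contents are all constructed for illustration, and the blacklist holds full fingerprints rather than the real openssh-blacklist package's own file format.

```python
import base64
import hashlib

# Constructed sample key blobs. Real SSH public key blobs encode the key
# material; these are arbitrary bytes so the fingerprint arithmetic has
# something to run over.
WEAK_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 32
GOOD_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"\x02" * 32
OTHER_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"\x03" * 32


def b64(blob):
    return base64.b64encode(blob).decode("ascii")


# Constructed authorized_keys content: a plain entry, a comment line,
# an entry with options in front of the key type, and another plain entry.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-rsa " + b64(WEAK_BLOB) + " alice@example.com",
    "# comment lines are ignored",
    'from="10.0.0.0/8" ssh-rsa ' + b64(GOOD_BLOB) + " bob@example.com",
    "ssh-rsa " + b64(OTHER_BLOB) + " carol@example.com",
])


def fingerprint_md5(blob_b64):
    """Classic OpenSSH MD5 fingerprint: MD5 over the decoded key blob,
    rendered as colon-separated hex pairs."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_authorized_keys(text):
    """Yield (line_number, key_type, blob_b64, comment) for each key entry.
    Options such as from="..." may precede the key type; options that
    contain spaces inside quotes are not handled by this simple splitter."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
                yield lineno, field, fields[i + 1], " ".join(fields[i + 2:])
                break


def audit_authorized_keys(text, blacklist):
    """Return the entries whose fingerprint appears in the blacklist."""
    findings = []
    for lineno, key_type, blob_b64, comment in parse_authorized_keys(text):
        fp = fingerprint_md5(blob_b64)
        if fp in blacklist:
            findings.append({"line": lineno, "type": key_type,
                             "fingerprint": fp, "comment": comment})
    return findings


# Constructed blacklist of full MD5 fingerprints (assumption: the real
# openssh-blacklist files use their own compact format, not reproduced here).
BLACKLIST = {fingerprint_md5(b64(WEAK_BLOB))}


if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {f['line']}: {f['type']} {f['fingerprint']} "
              f"({f['comment']}) is on the blacklist")
```

    Pointing the same parser at real authorized_keys and known_hosts files, with the fingerprint set replaced by the distributed blacklist, gives a quick inventory of which keys must be regenerated and which certificates must be re-signed.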

  • Windows XP SP3 - Jesper's Workaround for Endless Reboot issue

    While HP is working on a solution for the flawed IntelPPM driver used with certain AMD models, this neat script checks for the presence of vulnerable PCs and disables the driver so that Windows XP SP3 can load successfully.

     http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9085978

    https://msinfluentials.com/blogs/jesper/archive/2008/05/08/does-your-amd-based-computer-boot-after-installing-xp-sp3.aspx

    QUOTE: May 15, 2008 (Computerworld) A former Microsoft Corp. security manager has published a tool designed to detect and fix PCs that may be susceptible to "endless reboots" if updated to Windows XP Service Pack 3 (SP3).

    Jesper Johansson, once a program manager for security policy at Microsoft and currently an MVP (Microsoft Most Valuable Professional) who works at Amazon.com, posted a link to the tool on his blog yesterday, beating his former employer and Hewlett-Packard Co. to the draw. Neither company has yet come up with a fix or patch for the weeklong snafu.

    Johansson's small, 16K VBScript (Visual Basic Scripting Edition) file checks whether the PC is running a processor from Advanced Micro Devices Inc. (AMD), and if so, examines the Windows registry to see if a device driver meant for Intel-based machines is set to load.

    "If it is, it will offer you an option to disable it," said Johansson in an update to a blog post where he has been summarizing reports of Windows XP SP3 problems and offering solutions. Users can run the script from the command line to check multiple machines on a network, Johansson added.

  • Project Closure -- Ten Things that should be done

    This is EXCELLENT advice, as this process is often neglected due to the need to start the next project right away.

    Article: 10 things you should do near the end of a project
    http://blogs.techrepublic.com.com/10things/?p=351

    QUOTE: In either case, you probably go through the typical inception, elaboration, and construction phases of a project. But when it comes to the end of a project, many project managers come up just short of the finish line. Failure to handle the final steps can add confusion to an initiative and may lead to customer dissatisfaction, unhappy staff, and a project dragging on longer than necessary.

    #1: Finalize testing
    #2: Finalize training
    #3: Validate deliverables
    #4: Get project signoff
    #5: Release the team
    #6: Analyze actual vs. planned
    #7: Archive documentation
    #8: Ensure contract closure
    #9: Conduct a postmortem meeting
    #10: Perform a self assessment

  • PC Magazine - Updated list of Free Security Software

    As noted in the article, there are both advantages and disadvantages to using free security software instead of a purchased security suite.  Personally, I like using some of the freely available tools as they are efficient and as protective as competing products that require purchase.

    Still, folks should do their homework and ensure any free products will meet their needs.  They should research free product offerings to understand what they will and will not be able to do functionally with these tools.

    ADVANTAGES OF FREE SECURITY PRODUCTS
    -- Free product offerings are better than having no protection at all (especially for folks on a tight budget)
    -- There are actually many great free firewalls, AV products, and anti-spyware tools available (some free products are often as good or better than competing paid products - but you have to do your homework)
    -- Sometimes a simple "no frills" solution is all you need and it might even offer better performance than a full featured product offering lots of "whistles and bells"
    -- You can try adding a new layer of protection and if you find there's not a compelling need you can uninstall it and it hasn't cost you any money (e.g., if you rarely get spyware and wanted to test out a free product offering)


    DISADVANTAGES OF FREE SECURITY PRODUCTS
    -- Security suites may cover more areas of exposure for improved protection (so there are no gaps)
    -- Some free products may not be as comprehensive in their scope of protection when compared to paid products (e.g., AV protection may be limited to just files and may not cover exploits, rootkits, or other risks)
    -- Some free security products may try to upsell folks with occasional popup messages to the more comprehensive paid versions
    -- Very limited user support may be available, where full technical support may be available for
    -- Most free products are only available for personal use and these must not be used on a free basis in a corporate environment


    Below is an analysis of some of the most recent product offerings.  Both AVG and Avast have been well rated as basic AV products.  They often provide protection for leading edge threats more quickly than even some of the mainstream solutions.  

    PC Magazine - Updated list of Free Security Software
    http://blogs.pcmag.com/securitywatch/2008/05/free_security_software.php
    http://www.pcmag.com/article2/0,1759,2304349,00.asp

    QUOTE: Sometimes free security is worth what you pay for it. But if you know what to look for, you can get an excellent buy when it comes to protecting yourself—without dropping a lot of cash. You may be better off with a full-scale commercial Internet security product, but you're far better off with a free product than with no security product at all.  You may be surprised at how much protection you can get at no cost. The latest versions of the popular free antivirus products from avast! and AVG both now include spyware protection as well, and they're quite effective.

    SPECIFIC PRODUCTS REVIEWED INCLUDE
    ==================================
    avast! antivirus 4.8 Home Edition
    AVG Anti-Virus Free 8.0
    Spybot Search & Destroy 1.5
    Spyware Terminator 2.0

    ThreatFire 3.5
     

  • US Attorney seeks 5 years for the Bonnie and Clyde of ID theft

    This is an interesting article, as the majority of the thefts were conducted using non-technical approaches.  Folks should be careful in storing or discarding sensitive documents, as criminals will use any means to steal from others.

    US Attorney seeks 5 years for the Bonnie and Clyde of ID theft
    http://blogs.pcmag.com/securitywatch/2008/05/us_attorney_seeks_5_year_terms.php
    http://www.philly.com/inquirer/home_top_left_story/20080513__Poster_children__for_ID_theft.html

    QUOTE: While they used professional Internet tools to facilitate some of these thefts, the bulk of their identity theft was low-tech: "Purse snatching, burglarizing apartments and mailboxes with stolen keys, breaking into gym lockers, soliciting information over the telephone by false pretenses, picking up documents while visiting." With what they obtained they ran down others' credit cards, established new ones in the victims' names and ran those down, created accounts with banks and spent from those. They transferred a lot of money around to cover tracks.

    The moral, other than that some people have no morals, is that online identity theft isn't the only way you can get ripped off. It may not even be the most likely way. Keep an eye on other vehicles, like what's in your mailbox or purse.

  • Windows XP SP3 - Read all prerequisites for a successful installation

    While the installation of the XP SP3 upgrade went well for me, and it should for most users, a service pack represents a major upgrade of operating system or product binaries and should be performed in a cautious manner.

    It's important to read and research all prerequisites prior to installing.  For example, in testing Internet Explorer 8 beta, I discovered it must be uninstalled first, then the XP SP3 upgrade applied, and then IE 8 beta reinstalled.

    Internet Explorer Prerequisites - A must read for XP SP3
    http://blogs.msdn.com/ie/archive/2008/05/05/ie-and-xpsp3.aspx

    Excellent resource for Windows
    http://www.wilderssecurity.com/showthread.php?t=208460

    Microsoft Forums - XP SP3 issues
    http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=2010&SiteID=17

  • May 2008 - The 30th anniversary of SPAM email

    Below is a good overview written for the 25th anniversary.  Spam remains a major problem with email today, and folks should always be careful to take no action on it other than deleting it.

    http://www.templetons.com/brad/spam/spam25.html

    QUOTE: In fact, the earliest documented junk e-mailing I've uncovered was sent May 3, 1978 -- 25 years ago this month. (It was written May 1 but sent on May 3.) And in a surprising coincidence (*), just a month ago marked the 10th anniversary of March 31, 1993, the first time a USENET posting got named a spam

    The DEC marketer, Gary Thuerk, identified only as "THUERK at DEC-MARLBORO" (There were no dots or dot-coms in those days, and the at-sign was often spelled out) decided to send a notice to everybody on the ARPANET on the west coast. In those days there was a printed directory of everybody on the Arpanet which they used as source for the list. The message trumpeted an open house to show off new models of the Dec-20 computer, a foray into larger, almost mainframe-sized systems.

    This was a spam, though the term would not be used to refer to it for another 15 years. Thuerk had his technical associate, early DEC employee Carl Gartley, send the message from his account after several edits. Alas, at first he didn't do it right. The Tops-20 mail program would only take 320 addresses, so all the other addresses overflowed into the body of the message. When they found that some customers hadn't got it, they re-sent to the rest.

    More on the History and Types of SPAM
    http://en.wikipedia.org/wiki/E-mail_spam

  • Avert Medium Threat Advisory -- Fake MP3 malware attacks

    While this is more applicable to home users, I haven't seen a threat rated as MEDIUM for a while. This one is apparently circulating extensively. It appears to affect folks participating on P2P networks, which always carry dangers with respect to malware and copyright concerns.

    All users need to avoid the site: fastmp3player (dot) com

    Avert Medium Threat Advisory -- Fake MP3 malware attacks
    http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/
    http://www.avertlabs.com/research/blog/index.php/2008/05/07/yet-even-more-fake-media-files/
    http://blastmagazine.com/2008/05/mcafee-identifies-downloader-uah-first-medium-risk-malware-in-three-years/
    http://vil.nai.com/vil/content/v_144503.htm

    QUOTE: Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago. Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone. Now Downloader-UA.h is not your everyday trojan, this detection covers fake music and video files associated with *** MALICIOUS URL REMOVED ***

    When a user attempts to load one of these MP3 and MPG files, they don’t get the music/video they were hoping for; instead they’re directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.

  • New Targeted Attacks - Appear to come from Better Business Bureau complaints

    A new series of these continuing attacks has been sent to company executives. While they appear to be authentic, the BBB, government agencies, and banks never perform official business via email (when in doubt, always call the sender first to ensure the message really came from them).

    BBB Case #947344536
    http://www.f-secure.com/weblog/archives/00001431.html

    QUOTE:  We're seeing some new BBB trojan attacks going around. This attack method is well-known and has been occurring for months: A high-level executive inside an organization receives an e-mail that mentions a complaint supposedly made to the Better Business Bureau (USA). The e-mail appears to be credible and links to a site in order to download the complaint. The download claims to require IE and ActiveX in order to succeed. Once ActiveX is enabled, the sites drops a backdoor on the system.  This would be fairly convincing to most recipients, especially since the real company and individual names are used.

    Example of the new email scam
    http://www.f-secure.com/weblog/archives/bbb0.png

  • Windows XP - New SteadyState Facility

    Microsoft recently introduced its new SteadyState facility, which can capture all relevant configuration settings as of a specific point in time to create a "gold image" copy of the system.  This facility can be helpful for libraries, colleges, and even certain work settings where a standardized and locked-down system image can be rolled out in a consistent manner to several workstations.

    It may also be desirable for home users (especially where multiple accounts are used by different members of the family). It is also useful as a recovery method: when problems occur, users can bring back the complete "gold image" in a much more comprehensive manner than the System Restore function currently permits.


    Windows XP - SteadyState Facility
    http://isc.sans.org/diary.html?storyid=4367

    QUOTE: Ever wish your Windows XP computer could return the way it was when it worked correctly? That would be great, right? We can all recall some point when a particular system worked just right. Enter a utility from Microsoft that does just that, and more than a 'System Restore'. It is called SteadyState and it can retain a golden image and revert to that state at will. It is designed to lock down shared computers that do not have a full time sysadmin, however it can be used in a number of scenarios. VMs are not always the environment of choice for malware researchers for example.

    Microsoft Windows -- SteadyState Information
    http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
    http://www.microsoft.com/windows/products/winfamily/sharedaccess/whatis/default.mspx

    QUOTE: Windows SteadyState, successor to the Shared Computer Toolkit, is designed to make life easier for people who set up and maintain shared computers.

    An easy way to manage multiple users -- You can manage whole groups of users as single user accounts. The new Windows SteadyState console makes it easier than ever to create and modify user profiles.
     
    A locked-down platform for stable shared computing -- Not every computer user should have access to every software capability. Your system can be more stable and consistent when you limit user access to control panel functions, network resources, and other sensitive areas.
     
    Set it and forget it -- Once you have everything set up the way you want it, you can share the computer and rest easy. Any changes a user might make to the configuration or hard disk can be undone by simply restarting the machine.

  • SSWUG Newsletter - Update on Large-scale SQL Injection Attacks

    Stephen Wynkoop, founder of SSWUG (SQL Server Worldwide Users Group), shares an interesting update in today's SSWUG Newsletter related to the recent SQL injection attacks. Over 500,000 web pages were infected with malware-related scripts.

    The attacks were due to web developers taking short-cuts (e.g., not fully validating input before sending it to the SQL Server environment). While the website might work with normal input from the user, it's also important to have safeguards in place against malicious injection attempts as well.

    QUOTE: SQL Injection Hack Attack -- Poor Coding Techniques to Blame

    There are SO many people writing about this whole IIS hack attack that I wrote about yesterday. What's odd is the very few of them that get it. I've seen the issues blamed on everything from SQL Server not having granular-enough permissions controls to flaws in the OS. I don't get it. This is just about coding techniques, nothing more. It's not a "feature" or "bug" being exploited.

    When you accept input from a user and pass it blindly to the database engine, you are asking for trouble. When you don't control the input, don't control how it's presented to the engine for processing, you're asking for trouble. It really is that simple.

    It's too easy for people to build sites with "dynamic SQL" - making changes to the SQL statements on the fly. "Select * from " + user_input is asking for trouble.

    It's simple. If your applications accept input from users, you need to make sure you've taken steps to properly pass information from your application to the server and back again as you display it. If you're not doing this now, if you have not built this into your application design, review and development processes, you're asking for people to exploit your system. If you're not sure - find out. Learn what was built into the application. Consider using a tool to stay on top of new techniques and approaches.

    Hacker Safe is one such tool - take a look at what they're doing and you'll get a great idea of the types of things to be aware of. (Not affiliated)


    McAfee's "Hacker Safe" - Site Verification Tool
    http://www.hackersafe.com/site/en/security/intro/

    SQL-Server World-wide Users Group (SSWUG) - Home Page
    http://www.sswug.org

  • Website Safety - Beware of fake Microsoft-like sites

    Yesterday, Sunbelt issued a warning about several sites whose names are spelled very similarly to the genuine Microsoft sites. Most of the URLs are plural (e.g., microsofts or microsoftes). Please do not attempt to visit these sites, as malware could be automatically and silently installed on vulnerable PCs.
     
    These URLs could be used in future phishing or targeted attacks, as they closely resemble the true Microsoft naming conventions. Always be careful with URLs, and with performing any action as a result of an email or a website visit.
     
    Sunbelt Blog - Fake Microsoft-like sites
    http://sunbeltblog.blogspot.com/2008/04/microsoft-like-scam-sites.html
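    The plural pattern noted above (microsofts, microsoftes) is a small edit away from the real brand label, which is exactly what an edit-distance check catches. The script below is an added example, not part of the original post or of Sunbelt's tooling: it pulls the registrable label out of each URL and flags hostnames whose label is within two edits of a protected brand without being the brand itself. The URL list and the protected-label set are constructed for illustration, and the label extraction assumes a single-label suffix such as .com rather than consulting the public suffix list.

```python
from urllib.parse import urlparse

# Constructed set of brand labels to watch for; extend as needed.
PROTECTED_LABELS = {"microsoft"}

# Constructed sample URLs. The two plural forms are the patterns the
# Sunbelt warning describes; the remaining entries are controls that
# must not be flagged.
SAMPLE_URLS = [
    "http://microsofts.com/update",
    "http://www.microsoftes.com/download",
    "http://www.microsoft.com/windows",
    "http://update.microsoft.com/",
    "http://myitforum.com/",
]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(url):
    """Return the label directly left of the suffix, e.g. 'microsofts' for
    www.microsofts.com. Assumes a single-label suffix (.com, .net, ...)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def flag_lookalikes(urls, protected=PROTECTED_LABELS, max_distance=2):
    """Return (hostname, brand, distance) for hostnames whose registrable
    label is close to a protected brand label but is not the brand."""
    flagged = []
    for url in urls:
        host = urlparse(url).hostname
        label = registrable_label(url)
        for brand in sorted(protected):
            distance = levenshtein(label, brand)
            if 0 < distance <= max_distance:
                flagged.append((host, brand, distance))
                break
    return flagged


if __name__ == "__main__":
    for host, brand, distance in flag_lookalikes(SAMPLE_URLS):
        print(f"{host}: {distance} edit(s) from '{brand}'")
```

    Legitimate subdomains such as update.microsoft.com pass because the check compares the registrable label, not the whole hostname; a proxy log or mail gateway feed can be run through the same function to surface new lookalikes as they appear.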

  • Kraken Botnet - Should a Good Worm be used to clean infected PCs?

     

    The e-Week cartoon is excellent in illustrating the dangers of using a "good worm" to clean up perhaps the top botnet infection in the world.  While DV Labs might be able to accomplish this, there is always a danger that the bad guys could manipulate such a worm, and if something were to go wrong on the individual PCs being cleaned, there could be unintended consequences, even from a good deed.

    A better idea is for DV Labs to work with MSRC and share the Kraken encryption techniques so that detection may be included in a future version of MSRT ... And as previously shared, there is no such thing as a good worm.

    http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration

    QUOTE: We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie (again see "Owning Kraken" for a video demonstrating this capability). Is it wrong to do so? Although this discussion is similar to that of writing "good worms" that roam the internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped. Once it has been released it is a self spreading uncontrollable entity. In our specific case however we have the ability to cease at any point. It is simply a one to one relationship.

  • Weak SQL coding techniques result in Huge SQL Injection attacks

    A new major security attack occurred over the weekend, in which over half a million web pages became infected with malware agents.

    A major wave of automated SQL injection attacks is occurring.  These have been designed and coded for the IIS and SQL Server environments.  There are no new vulnerabilities in these products; the attacks succeed on sites where security best practices have not been designed into the applications (e.g., safeguards that prevent a vulnerable SQL statement from being used to inject malware into the website).
     
    Due to the increasing number of SQL injection attacks in the wild, web developers need to ensure they are using the best development practices.  Users should continue to be cautious about the sites they visit and stay up to date on security patches and AV protection.

    Huge SQL Injection attacks infect 500,000 pages
    http://www.f-secure.com/weblog/archives/00001427.html
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580
    http://hackademix.net/2008/04/26/mass-attack-faq/

    QUOTE: There's another round of mass SQL injections going on which has infected hundreds of thousands of websites. Performing a Google search results in over 510,000 modified pages.  We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.

    IIS Blog - SQL Injection Attacks on IIS Web Servers
    http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx

    QUOTE: Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform.

    MSRC Blog - Questions about Web Server Attacks
    http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx

    QUOTE: The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database.  To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here.

    BEST PRACTICES - How to protect against SQL Injections
    http://msdn2.microsoft.com/en-us/library/ms998271.aspx

    -- Learn how SQL injection attacks work.
    -- Constrain input to prevent SQL injection.
    -- Use type safe SQL command parameters to prevent SQL injection.
    -- Use a least privileged account to connect to the database.
    -- Learn additional countermeasures to further reduce risk.


    What are SQL Injection attacks?
    http://en.wikipedia.org/wiki/SQL_injection
    http://msdn2.microsoft.com/en-us/library/ms161953.aspx
    http://msdn2.microsoft.com/en-us/library/bb671351.aspx

    QUOTE: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
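    The SSWUG note above ("Select * from " + user_input is asking for trouble) and the MSDN best-practice list (constrain input, use type-safe command parameters) describe the same defect and its two cures. The script below is an added example, not code from either source: it builds a constructed in-memory SQLite catalogue, shows a lookup written with dynamic SQL beside the same lookup written with a bound parameter, and then adds input constraint on top. The table, rows and product-code format are all constructed for illustration; the least-privilege item on the MSDN list is not shown because SQLite has no database accounts.

```python
import re
import sqlite3


def setup_db():
    """Constructed in-memory catalogue standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (code TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A100", "Widget", 9.99), ("B200", "Gadget", 19.99), ("C300", "Gizmo", 29.99)],
    )
    conn.commit()
    return conn


def find_product_dynamic_sql(conn, code):
    """The pattern the newsletter warns about: the user's text becomes part
    of the statement, so a quote character in it changes the query's
    structure instead of being compared as data."""
    sql = "SELECT code, name FROM products WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def find_product_parameterized(conn, code):
    """Type-safe command parameter: the driver passes the value separately
    from the statement text, so the input can only ever be compared as a
    string and never alters the query."""
    return conn.execute(
        "SELECT code, name FROM products WHERE code = ?", (code,)
    ).fetchall()


# Constrain input: in this constructed schema a product code is one
# upper-case letter followed by exactly three digits.
CODE_PATTERN = re.compile(r"[A-Z][0-9]{3}")


def find_product_constrained(conn, code):
    """Both countermeasures together: reject anything that is not a
    well-formed code before it reaches the database, then bind it."""
    if not CODE_PATTERN.fullmatch(code):
        raise ValueError("product code must be a letter followed by three digits")
    return find_product_parameterized(conn, code)


if __name__ == "__main__":
    db = setup_db()
    # Classic tautology input: with dynamic SQL the WHERE clause becomes
    # code = '' OR '1'='1' and every row comes back.
    probe = "' OR '1'='1"
    print("dynamic SQL:   ", find_product_dynamic_sql(db, probe))
    print("parameterized: ", find_product_parameterized(db, probe))
    try:
        find_product_constrained(db, probe)
    except ValueError as err:
        print("constrained:    rejected:", err)
    print("constrained:   ", find_product_constrained(db, "B200"))
```

    Parameter binding alone already neutralizes the probe (it returns no rows, because no product has that literal code); the allowlist in front of it additionally keeps malformed input out of the database and its error logs altogether, which is the "constrain input" item on the MSDN list.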

  • New Phishing Scam - Uses upcoming IRS Stimulus Rebate to trick users

    The most recent Government Computer newsletter is warning of a new, well-designed IRS phishing scam. This attack appears to be related to the upcoming IRS rebates that are part of the 2008 Government Stimulus Package. While the email looks official and the social engineering is well done, it is important to recognize that the IRS and banks do not use email as a method of contacting individuals. They usually will call or conduct official business by mail only. Please avoid these attacks, as entering your bank account information into the realistic but false website could mean real losses of money to these criminals. It could also take months to clean up the activity after an individual's credit or bank account information has been compromised.

    Phishing scam uses IRS rebate line to reel in victims
    http://www.gcn.com/online/vol1_no1/46153-1.html
    http://www.mxlogic.com/itsecurityblog/1/20...us-Payments.cfm
    http://mxlogic.com/itsecurityblog/1/2008/0...shing-Twist.cfm

    QUOTE: The tax filing season is past, the economic stimulus rebate season is upon us, and the phishers are changing their bait. The lure this time is the $600 rebate ($1,200 per household) that the Internal Revenue Service will begin sending to taxpayers in May and a supposed opportunity to speed up the process. E-mails purporting to be from the IRS are arriving in inboxes with instructions to recipients that if they visit the linked Web site and provide bank account and routing numbers their rebate can be deposited directly to the account more quickly. To add an element of urgency, the message includes a deadline — April 24 — for providing information, but that is likely to change.

    Right on cue we are starting to see phishing scams with an economic stimulus payment flavor. As we discussed in one of the IRS phishing scam blog entries we predicted that as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd based on the last two digits of your Social Security Number) we would start to see more scams around these payments. We are starting to see some of the first iterations of those scams today.



    EXAMPLE OF NEW PHISHING ATTACK:

    TO: ***************
    FROM: service@irs.gov
    SUBJECT: 2008 Economic Stimulus Refund.

    Over 130 million Americans will receive refunds as
    part of President Bush program to jumpstart the economy.

    Our records indicate that you are qualified to receive the
    2008 Economic Stimulus Refund.

    The fastest and easiest way to receive your refund is by
    direct deposit to your checking/savings account.

    Please click on the link and fill out the form and submit
    before April 24th, 2008 to ensure that your refund will be
    processed as soon as possible.

    Submitting your form on April 24th, 2008 or later means that
    your refund will be delayed due to the volume of requests we
    anticipate for the Economic Stimulus Refund.

  • IT Security website - 103 Free Security Utilities featured

    The IT Security website features a good categorized list of free security utilities. Some of these are trial versions, limited versions of the full product, or web-based facilities. Even folks on a very tight budget can protect their systems well with many of these free tools.
     
     IT Security website - 103 Free Security Utilities featured
     http://www.itsecurity.com/features/103-best-free-security-utilities-041608/
     
     QUOTE: Competition drives prices down, regardless of the industry. With a crowded field of vendors jockeying to be the trusted source of computer security for your home and office, prices for many of the essential elements of your security system have reached zero. Free downloads, free trials, free scans and freeware is everywhere. If you’re willing to go without premium features like phone support, you can have a simple version of powerful software that large companies pay big bucks for.

  • Hackers use XSS flaw to attack Barack Obama's web site

    XSS (cross-site scripting) flaws are a common weakness in many websites.  From a web development standpoint, secure designs and programming techniques are essential.  It is always important to keep IE and all other browsers on the latest version and security patches.  This is especially important, as phishing attacks are increasing and may even appear genuine at times.
     
    Hackers use XSS flaw to attack Barack Obama's web site
    http://blogs.pcmag.com/securitywatch/2008/04/a_hack_we_can_believe_in.php
    http://news.netcraft.com/archives/2008/04/21/hacker_redirects_barack_obamas_site_to_hillaryclintoncom.html

    QUOTE: A security weakness in Barack Obama's website has been exploited to redirect visitors to Hillary Clinton's website. Visitors who viewed the Community Blogs section of the site were instead presented with Clinton's website as a result of a cross-site scripting vulnerability.

    The Obama hack used a cross-site scripting flaw in the site to redirect users from Obama's Community Blogs section to HillaryClinton.com. XSS bugs are getting far more attention lately than they had been in the past, perhaps because they are so widespread. And since the answer to them is good programming practices rather than running some security product, they can be difficult to snuff out.

    Good overview of XSS redirect issues
    http://en.wikipedia.org/wiki/Cross-site_scripting

    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.
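    The redirect described above is what happens when user-supplied text is echoed into a page unencoded, and the Wikipedia overview's remedy is the "good programming practices" the PC Magazine quote refers to. The script below is an added example, not code from the Obama site or from either source: it renders a constructed blog comment both unencoded and HTML-encoded, and shows a scheme allowlist for user-supplied links so that only http(s) URLs become clickable. The comment text and URLs are constructed, and the redirect target is a placeholder in the reserved .invalid domain.

```python
import html
from urllib.parse import urlparse

# Constructed blog comment as a user might submit it. Echoed verbatim, the
# script would send the reader's browser elsewhere; the destination here is
# a placeholder in the reserved .invalid domain.
HOSTILE_COMMENT = (
    "Great post! <script>window.location='https://redirect.invalid/'</script>"
)


def render_comment_unsafe(comment):
    """Echoes user text straight into the page: any markup in it is live."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment):
    """HTML-encodes the text so <, >, &, and quotes become entities and the
    browser displays the characters instead of interpreting them."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def safe_href(url):
    """Only absolute http(s) links may become clickable; any other scheme
    (javascript:, data:, ...) is replaced by a harmless anchor."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() in ("http", "https") and parsed.netloc:
        return html.escape(url.strip(), quote=True)
    return "#"


def render_link(url, text):
    """Attribute value and link text are both encoded for their context."""
    return '<a href="' + safe_href(url) + '">' + html.escape(text, quote=True) + "</a>"


if __name__ == "__main__":
    print(render_comment_unsafe(HOSTILE_COMMENT))
    print(render_comment_safe(HOSTILE_COMMENT))
    print(render_link("javascript:void(0)", "click here"))
    print(render_link("https://example.com/?a=1&b=2", "example"))
```

    Encoding is applied at output time and chosen per context (element body here, attribute value for the href); the same comment stored once can then be rendered safely in any page that uses these helpers, which is why this fix lives in the code rather than in a security product.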

  • Storm Worm - Latest Developments include Blog and Codec based attacks

    The Storm worm attacks continue to change as they use malicious blog or YouTube-like streaming video links in order to trick users.  Everyone should be as cautious with URLs found in an email as they are with attachments.  Clicking on these links can lead to possible infections, as the malware agent is advanced (e.g., rootkit) and highly polymorphic (i.e., MD5-based signatures change almost hourly).


    Storm Worm - Blog Attacks
    http://www.f-secure.com/weblog/archives/00001415.html

    Storm has once again turned its eye to the blogging community, specifically the Blogspot.com community. Several blogger sites with random or very quirky names have been sporting a love theme, Storm style. These sites appear to have been created solely for Storm's purposes and no legitimate blogger site has of yet been reported as infected.

    Visiting these sites will lead you to another page, while keeping the Blogger menu at the top. Clicking the site's image downloads a file called love.exe while clicking the link will provide withlove.exe.


    Storm Worm - Codec based Video Attacks
    http://blog.trendmicro.com/storm-now-on-video/

    QUOTE: Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business.  Is it because of the “arrival” of Kraken, which, following the footsteps of MayDay and Mega-D, is challenging the said gang for the “Biggest Zombie Network” title? Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec.

    TrendLabs researchers discovered several sites that offer, what looks like, a YouTube-look-alike streaming video. The infection vector and messaging is actually still the same, that is, users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download the so-called Storm Codec in order to view the said video. Yes, you read that right: the codec is called Storm Codec. Below is a screenshot:

    If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it, after all (see some detailed analysis here). Thus, the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or that they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out late 2006. Or maybe the gang is just trying to reaffirm to their competition that they’re still the one to beat.

  • Adobe Photoshop - Unpatched BMP image vulnerability

    Adobe Photoshop - Unpatched BMP image vulnerability

    Adobe is working to promptly correct this security issue. Users should be careful in loading image files into the Photoshop environment (esp. from email, USB devices, or any other untrusted sources).

    Adobe Products BMP Handling Buffer Overflow Vulnerability 
    http://secunia.com/advisories/29838/

    QUOTE: Successful exploitation may allow execution of arbitrary code via a specially crafted BMP file. Reportedly, the vulnerability can also be exploited when a malicious storage device (e.g. USB drives, cameras) is being attached to a vulnerable computer. The vulnerability is reported in Adobe Photoshop Album Starter Edition 3.2 and Adobe After Effects CS3. Other versions may also be affected.

    Solution: Do not process untrusted BMP files using the affected applications. Do not connect untrusted storage devices to the local computer.

    Original Advisory - Adobe:
    http://www.adobe.com/support/security/advisories/apsa08-04.html
    http://archives.neohapsis.com/archives/fulldisclosure/2008-04/0551.html

  • Microsoft IIS Vulnerability - Security Advisory 951306

    The latest versions of the Internet Information Services (IIS) facilities have enjoyed an excellent track record in the area of security. Recently, a new vulnerability was discovered that could allow user privileges to be manipulated and escalated in an unauthorized manner.
     
    Additional resources are noted below, including a highly technical overview on Token Kidnapping.  Thankfully, the details related to this exposure have been confidentially shared with Microsoft in a responsible manner.  Currently, there are no known exploits related to this vulnerability circulating in the wild. 

    Microsoft Security Advisory (951306)
    Vulnerability in Windows Could Allow Elevation of Privilege

    http://www.microsoft.com/technet/security/advisory/951306.mspx

    QUOTE: Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

    Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

    IIS Vulnerability Documented by Microsoft - Includes Workarounds
    http://isc.sans.org/diary.html?storyid=4306

    Token Kidnapping and Impersonation - by Cesar Argeniss
    http://www.argeniss.com/research/TokenKidnapping.pdf

  • Leadership Principles - Avoid Micromanaging Employees

    I enjoyed this article and agree in principle with most of the recommendations. While leaders must manage by walking around and inspecting work, they should also allow the team members some space as professionals to do their job well.

    Folks who are constantly watched and critiqued on every move they make will become nervous and less effective in their work. They may withdraw ideas and participation from the manager and team that could make essential differences on the project.

    Article: If you micromanage, no one wins
    http://blogs.techrepublic.com.com/career/?p=297

    QUOTE: So do you want to break the micromanaging habit? The Dallas Morning News offers this list of tips to avoid micromanaging:

    Part 1 - Methods to change leadership styles

    * Focus on communication and trust.
    * Assign tasks that include clear, specific, and time-bound expectations.
    * Allow employees to figure out how they’ll accomplish the task.
    * Set up status reports that fit the scope of the assignment but aren’t too burdensome.
    * Let employees know that you’re trying to change and give them a safe way to point it out if you slip.

    Part 2 - Be a leader

    Leadership skills bring more value and will increase satisfaction for everyone, including you. Options include:

    * Investing in each employee through coaching, challenging work, and development.
    * Removing barriers to success that your team members face.
    * Expressing a meaningful vision to your employees.

    Below is also an additional related article:

    Article: Can a Micromanager be cured
    http://blogs.techrepublic.com.com/career/?p=196

  • Apple Safari 3.1.1 for Windows - Critical Security Release

    Apple has just released critical security updates for the Windows version of Safari that should be applied promptly for folks using this complementary browser in the Windows environment.

    Apple Safari 3.1.1 for Windows - Critical Security Release
    http://secunia.com/advisories/29846/
    http://support.apple.com/kb/HT1467
    http://www.apple.com/downloads/


    Windows XP or Vista Safari -- CVE-ID: CVE-2007-2398

    Impact: A maliciously crafted website may control the contents of the address bar

    Description: A timing issue in Safari 3.1 allows a web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. This issue was addressed in Safari Beta 3.0.2, but reintroduced in Safari 3.1. This update addresses the issue by restoring the address bar contents if a request for a new web page is terminated. This issue does not affect Mac OS X systems.
     

    Windows XP or Vista Safari -- CVE-ID: CVE-2008-1024

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in Safari's file downloading. By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads. This issue does not affect Mac OS X systems.

  • Firefox 2.0.0.14 - Security release

    As Firefox is a popular complementary or stand-alone browser, users should apply this fix and stay up-to-date.  Most users will be automatically updated and they should apply this update if prompted.

    Firefox 2.0.0.14 - Security release
    http://www.mozilla.com/en-US/firefox/2.0.0.14/releasenotes/

    Fixed in Firefox 2.0.0.14

    MFSA 2008-20 Crash in JavaScript garbage collector
    http://www.mozilla.org/security/announce/2008/mfsa2008-20.html

    QUOTE: Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.

  • Passwords - Would you disclose this for a Chocolate Bar?

    The good news in this annual survey approach is that folks are more aware of the dangers of password disclosures, as the percentage of folks who would be willing to disclose their password has dropped when compared to prior years.

    However, I do have a weakness for chocolate.
       

    People still give passwords for chocolate
    http://sunbeltblog.blogspot.com/2008/04/people-still-give-passwords-for.html

    QUOTE: A survey by Infosecurity Europe of 576 office workers has found that women are far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password to strangers masquerading as market researchers with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.

    This year’s survey results were significantly better than previous years. In 2007 64% of people were prepared to give away their passwords for a chocolate bar, this year it had dropped to just 21% so at last the message is getting through to be more infosecurity savvy.

    Another slightly worrying fact discovered by researchers is that over half of people questioned use the same password for everything (e.g. work, banking, web, etc.)

  • SRI's New Malware Threat Monitoring Site

    This new facility provides tracking of malware developments and is recommended to be added to Favorites or Bookmarks for folks in the security profession.

    Malware Threat Center - General Information
    http://www.msnbc.msn.com/id/24049307/
    http://mtc.sri.com/about_mtc/

    MAIN SITE FOR MONITORING MALWARE DEVELOPMENTS
    http://mtc.sri.com/

    QUOTE:  MENLO PARK, CA - SRI International, an independent nonprofit research and development organization, today announced the launch of the Malware Threat Center (http://mtc.sri.com), a website dedicated to fighting malware. SRI's Malware Threat Center posts daily updates of firewall filters, malware-related domain name system (DNS) names, antivirus statistics, intrusion detection system (IDS) signatures, and malware binary data to help network administrators understand current and emerging computer security threats and provide key network defense information that can be configured into security products to help network administrators fend off the latest malware threats.

  • Oracle - April Security Updates 41 patches for their product family

    DBAs and Admins should deploy these patches expediently after lab testing, to ensure the best levels of security and information protection.

    http://isc.sans.org/diary.html?storyid=4283
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

    QUOTE: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 41 new security fixes across all products.

    The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents. Supported Products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied. Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

    The Critical Patch Update Advisory is available at any of the following locations:

    Oracle Technology Network

    Oracle, PeopleSoft and JD Edwards products

    The next four Critical Patch Update release dates are:

    July 15, 2008
    October 14, 2008
    January 13, 2009
    April 14, 2009

  • Microsoft April Security Updates - MS08-021 Exploit in-the-wild

    Based on ISC and Symantec's warnings below, it appears that MS08-021 is being actively exploited in the wild. It is advised that folks apply the April updates as quickly as possible using the Windows Update process.

    Microsoft April Security Updates - MS08-021 Exploit in-the-wild
    http://isc.sans.org/diary.html?storyid=4274
    www.symantec.com/security_response/threatcon/index.jsp

    QUOTE: The ThreatCon is currently at Level 2. The DeepSight honeynet has observed in-the-wild exploit attempts targeting a GDI vulnerability patched by Microsoft on April 8, 2008. The malicious image appears to target the Microsoft Windows GDI Stack Overflow Vulnerability (BID 28570).

    At least three different sites are hosting the images; two different malicious binaries are associated with the attacks. Analysis of the images has shown that although they appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability.

    We are still investigating as to why this may be the case. Users are advised to apply the MS08-021 patches immediately. These attack attempts highlight the severity of this issue -- it is only a matter of time before new images that successfully trigger the issue are observed in the wild.

  • Kraken - Large sophisticated Botnet discovered

    AV researchers have recently discovered a new botnet that may be as large and as sophisticated as the Storm Worm network. This new botnet uses some of the following advanced techniques:

    -- encrypted communications (to evade firewall, IDS, and AV detections)
    -- encrypted payloads (to evade AV detections)
    -- polymorphic droppers (malicious web based downloads that constantly change)
    -- multi-threaded spam engine (over 500,000 spam entries observed to be sent from one "zombie" PC owned by this network)
    -- command-and-control server redundancy (when a master server is taken offline by authorities, new master servers are automatically re-hosted)

    There are still many unknowns at this point.  Only 20% of AV vendors are estimated to have coverage at this point, but this is expected to improve as more technical details of this new threat emerge. 

    Kraken - Large sophisticated botnet discovered
    http://www.symantec.com/enterprise/security_response/weblog/2008/04/kracken_to_out_do_storm.html
    http://en.wikipedia.org/wiki/Kraken_botnet
    http://isc.sans.org/diary.html?storyid=4250
    http://www.f-secure.com/weblog/archives/00001418.html
    http://www.darkreading.com/document.asp?doc_id=150292&WT.svl=news1_1
    http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/
    http://www.theregister.co.uk/2008/04/09/kraken_disagreement/

    QUOTE: There is news that there is a new botnet in town, over twice the size of the Storm Worm, called Kraken. Researchers from Damballa have discovered and tracked it the last two weeks and I'm guessing from news reports have presented their findings at RSA.

    The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.

    "It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.

    Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.

    Kraken's bots and command and control servers communicate via customized UDP and TCP-based protocols, he says, and the botnet has built-in redundancy features that automatically generate new domain names if a C&C server gets shut down or becomes disabled. "And the actual payload is encrypted," Royal says.

    Kraken is thought to be infecting computers by using social engineering methods similar to those used by Storm. The malicious code is believed to be posing as an image file to the user, although this has yet to be confirmed. At the time of writing, the Trojan is serving up debt consolidation and gambling-related spam linking to Chinese sites.

  • Google App Engine licenced to run web applications in the Google cloud

    Security is always a predominant concern for any Internet or Intranet hosted application. Corporate developers should carefully research how information, web applications, and users would be protected in this environment. While security controls are built into the new facility, Google is one of the most attacked sites on the Internet due to its popularity.

    Below are some recent security concerns:   

    1. Google needs to continue improving privacy protection:

    http://arstechnica.com/news.ars/post/20070611-google-named-worst-privacy-offender-in-study.html

    2. Sunbelt continues to note recent issues, as Google is one of the most popular sites on the Internet and it is subject to constant attacks:

    http://sunbeltblog.blogspot.com/2008/04/google-groups-continues-to-be-inundated.html

    3. Google poisoning attacks have taken place, where the cloud has been seeded with malicious web links.  Google has quickly cleaned these up in the past.

    http://redtape.msnbc.com/2007/12/virus-experts-w.html


    -----------------------------------------

    Google’s App Engine lets you run your apps in the Google cloud
    http://blogs.techrepublic.com.com/hiner/?p=654

    QUOTE: Google on Tuesday launched its App Engine, which allows developers to run their Web applications on the search giant’s computing cloud. With Google App Engine, developers can write web applications based on the same building blocks that Google uses, like GFS and Bigtable. Google App Engine packages those building blocks and provides access to scalable infrastructure that we hope will make it easier for developers to scale their applications automatically as they grow. This means they can spend less time dealing with system administration and maintenance, and more time building and improving their applications.

    Google App Engine - Home Page
    http://code.google.com/appengine/

    Google App Engine - New Blog
    http://googleappengine.blogspot.com/2008/04/introducing-google-app-engine-our-new.htm

    Google App Engine - Details including Security controls
    http://code.google.com/appengine/docs/whatisgoogleappengine.html

    QUOTE: SANDBOX SECURITY CONTROLS -- Applications run in a secure environment that provides limited access to the underlying operating system. These limitations allow App Engine to distribute web requests for the application across multiple servers, and start and stop servers to meet traffic demands. The sandbox isolates your application in its own secure, reliable environment that is independent of the hardware, operating system and physical location of the web server. Examples of the limitations of the secure sandbox environment include:

    * An application can only access other computers on the Internet through the provided URL fetch and email services and APIs. Other computers can only connect to the application by making HTTP (or HTTPS) requests on the standard ports.

    * An application cannot write to the file system. An app can read files, but only files uploaded with the application code. The app must use the App Engine datastore for all data that persists between requests.

    * Application code only runs in response to a web request, and must return response data within a few seconds. A request handler cannot spawn a sub-process or execute code after the response has been sent.

  • Microsoft Security Bulletins - April 2008

    Microsoft has released several important monthly updates that improve the security of Windows, IE, and Office. These should be applied promptly to protect against malicious exploit developments that could surface later. So far, these updates are working well on my two XP based systems at work.

    Microsoft Security Bulletins - April 2008
    http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx

    Microsoft Security Bulletins - Additional Resources
    ISC provides excellent updates on issues or exploit developments
    http://isc.sans.org/diary.html?storyid=4264
    http://www.f-secure.com/weblog/archives/00001417.html


    MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183)

    Summary: This security update resolves a privately reported vulnerability in Microsoft Office Project that could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Rating: Critical
    Impact: Remote Code Execution
    Affected Software: Project 2000, 2003
    http://www.microsoft.com/technet/security/Bulletin/MS08-018.mspx


    MS08-021: Vulnerabilities in GDI Could Allow Remote Code Execution (948590)

    Summary: This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted EMF or WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Rating: Critical
    Impact: Remote Code Execution
    Affected Software: Microsoft Windows
    http://www.microsoft.com/technet/security/Bulletin/MS08-021.mspx


    MS08-022: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)

    Summary: This security update resolves a privately reported vulnerability in the VBScript and JScript scripting engines in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Rating: Critical
    Impact: Remote Code Execution
    Affected Software: Microsoft Windows
    http://www.microsoft.com/technet/security/Bulletin/MS08-022.mspx


    MS08-023: Security Update of ActiveX Kill Bits (948881)

    Summary: This security update resolves one privately reported vulnerability for a Microsoft product. This update also includes a kill bit for the Yahoo! Music Jukebox product. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Rating: Critical
    Impact: Remote Code Execution
    Affected Software: Microsoft Windows, Internet Explorer.
    http://www.microsoft.com/technet/security/Bulletin/MS08-023.mspx


    MS08-024: Cumulative Security Update for Internet Explorer (947864)

    Summary: This security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Rating: Critical
    Impact: Remote Code Execution
    Affected Software: Microsoft Windows, Internet Explorer. 
    http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx


    MS08-020: Vulnerability in DNS Client Could Allow Spoofing (945553)

    Summary: This security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS clients and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.

    Rating: Important
    Impact: Spoofing
    Affected Software: Microsoft Windows.
    http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx


    MS08-025: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)

    Summary: This security update resolves a privately reported vulnerability in the Windows kernel. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.

    Rating: Important
    Impact: Elevation of Privilege
    Affected Software: Microsoft Windows.
    http://www.microsoft.com/technet/security/Bulletin/MS08-025.mspx


    MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032)

    Summary: This security update resolves privately reported vulnerabilities in Microsoft Office Visio that could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Rating: Important
    Impact: Remote Code Execution
    Affected Software: