Trend Micro Aquires Hijack This

Elevated Risk for the financial industry

I noticed that the SANS Institute has published  an entry in today's diary for an elevated risk to the financial industry. An article published on slashdot caught my eye yesterday. As stated from the article:

"Israeli computer security company say they have discovered a fundamental weakness in the system that banks use to keep debit card PIN codes secret while they are transported across bank networks"

For those in the financial industry, it is well known that this month in particular has the highest number of transactions for the year, due to holiday shopping. Unfortunately, it is also a time when the industry is most vulnerable.

Off the top of my head, here are a few of my recommendations and reminders for members of the industry as a whole. The articles previously mentioned are at the bottom of the post.

IT Managers:

While the number of projects and responsibilities have been increasing in the first three quarters of the year, ensure systems administrators and security personnel stager vacations throughout the year to avoid having a shortage of key personnel on hand to respond to incidents that might occur during the peak transaction season.

Risk Managers:

While  Network freezes are common throughout the peak transaction season, and while it is very important to limit network changes, the patch management program should continue during this time frame. It is also important to ensure that members of the incident response team will be on hand to respond to any incidents during the peak season.

Network Administrators: 

While most network changes are limited during the peak season, Network and server monitoring should remain a top priority during this time. Immediately report any incidents or anomalies to the risk management team.

PC Techs:

While many users are on vacation and the work load slows, remember to be on the lookout for any signs of malware and use the time to educate users on the importance of reporting any strange or unusual network or computer behavior to the IT staff or Risk Management team.

Help desk technicians:

Keep a close watch on computer events and verify that any tickets are assigned to staff that are on duty and not out of the office during the holidays. This will allow the IT support staff to respond to incidents quickly. It is also very important to be very cognizant of social engineers that may be pretending to be someone else in order to gain information about the internal workings of your company.

Business system users:

Report any computer problems or network glitches immediately. Remember that there is usually no reason to give out your password to anyone including IT support staff, Network administrators, or information security. These personnel do not need your password as they should have the necessary rights and tools to correct issues without the need of your password.

ATM system called unsafe
http://redtape.msnbc.com/2006/11/researchers_who.html

US DHS Banking Alert
http://isc.sans.org/diary.php?storyid=1899&rss

How to ask a question the smart way

Rem sleep 17100

Rem (Rapid eye movement) is the stage of sleep characterized by rapid movements of the eyes, and 17100 is about the number of seconds it took for me to be through all of the stages of sleep and stumbling for the coffee pot. Of course if I were scripting, then the statement "Rem sleep 17100" would have done nothing for me.

rem - sets a remark in batch scripts

The Windows 2003 Resource Kit provides a 'sleep' command and many more needed commands if you are going to use batch files to manage systems.

sleep - will wait for a specific amount of time before the script continues.

sleep N
Replace N with the number of seconds for batch file to 'sleep'.

If I used this blog post title in my script, I would have remarked out the sleep command and would be very tired right now. Fortunately for me, sleep and rem were accomplished.

I also learned that according to wikipedia "People who regularly sleep between 4 and 7 hours live longer than people sleeping more or less than this, with serious differences between life span when people sleep less than four hours or more than 9."

He shells on the sea shore, or floor, or couch. Ouch, Neck, hurts now.

Ah, the wonderful world of shells. It's been over a year since I posted about trying out linux.

Im going to have to come out of the closet at some point (ha! not what you were thinking), but I have "switched to the dark side".  Ok, I haven't really switched. I have however, gained an entirely new respect for linux.  In the past, I used Linux to accomplish the things I was unable to do in windows, such as password recovery or removing malware entries from the registry.  Shortly after that post, I discovered Ubuntu Linux.  Since then, I have explored many other distro's and I really do like Linux.  It is simply a very powerful operating system.  What does this have to do with shells or my hurt neck?

Well, the power of linux is quite apparent once you start to do some shell scripting.  It also make you think about how you can accomplish some of the same things in windows.  Ok, shells made for a better title, but I needed something to segway into batch scripting and the power of being LAZY.  I am a lazy person.  I live by the theory of  "If you do it more than once, AUTOMATE it."  I posted this last month on using WMIC to manage McAfee, but WMIC is much more powerful than the examples I listed.  Matt Broadstock posted a comment stating that he loved to see folks using the FOR command, and that's because Matt knows the power of that command and scripting in general.  He has some great posts on his blog with many examples of the FOR command.  He would appear to be lazy also.  I say lazy, but it actually takes some practice to be lazy, much practice.  You will know you have been practicing enough when you only sleep a few hours per night and your neck is in pain from staring  at the screen for so long.  Ah, another segway, pun intended.  Your welcome segway, both of my readers will visit your link.  Lets get started on your hurt neck, but first lets ask Matt a question, if he is not busy with world of warcraft.  Hey Matt, or anyone who may stumble upon this post, what is the clipboard output of WMIC used for?  Yea, Yea, I know you can copy the output to the clipboard, but why?  What else could you do besides paste it into another document?  I'm just curious if there are some other uses or not.  Ok back to the hurt neck....

If you had the time to read this, then whats the next few months of neck injury going to matter?

Open a shell, um you know, start, run, cmd.exe.

Then type WMIC

Then /?

Good luck, life will never be the same.  If you have to physically go to the server room after that, and a HDD or a motherboard isnt shot, just bang your head against the nearest wall - just kidding.

If that doesnt peak your interest, then pick up Microsoft Windows Command-Line - Administrators Pocket Consultant ISBN# 0-7356-2038-5, its good stuff and will be great for your career administering Windows.

SANS - PDF Vulnerabilities

http://isc.sans.org/diary.php?storyid=1718&rss

Handler's Diary September 19th 2006

A answer to a question, and a bit more

Question: If I were doing a check upon logon to see if McAfee and ePO are
installed and running, would this be a good thing to check?

Answer:

What to Check for:

ePO

Check if key exists and return the values:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\Installed Path

Returned Value example:
C:\Program Files\Network Associates\Common Framework

Check if file(s) exist:
FrameworkService.exe

Check if service exists:

McAfeeFramework

Check if Process is running:

FrameworkService.exe

VirusScan

Check if key exists and return the values:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir

Returned Value example:
C:\Program Files\Network Associates\VirusScan\

Check if file(s) exist:

Mcshield.exe
scan32.exe

Check if service exists:

McShield
McTaskManager

Check if Process is running:

McShield.exe

WMIC examples of how to check for this (you could create a vb script or smsinstaller script to do the checks):

Let’s cut to the chase and see if the processes are running:

Click Start, then Run and Type cmd.exe

Then Type:

wmic process where (Name='FrameWorkService.exe') get name,processid
wmic process where (Name='McShield.exe') get name,processid

But maybe we want to check more than one machine:

Click Start, then Run and Type cmd.exe

Type cd \ and hit enter

Type Notepad.exe

Paste a line by line list of computers

For example:

Redrider1
redriderDC2
redridersms5
smsjackleg
smellyserver3

Then  hit the alt + f key
Then hit the a key
Save the document to the SystemDrive as computers.txt  (usually C:\computers.txt)
Exit Notepad.exe

Now Type in your cmd.exe window:

for /F %i in (computers.txt) do wmic /node:%i process where (Name='FrameWorkService.exe') get name,processid
for /F %i in (computers.txt) do wmic /node:%i process where (Name='McShield.exe') get name,processid

How cool, but you say that you dont want to just see it, you want to document it.
K, lets put all this in a document

for /F %i in (computers.txt) do wmic /node:%i process where (Name='FrameWorkService.exe') get name,processid /FORMAT:CSV >> Results.csv

Now open c:\Results.csv with excel:

Thats pretty cool too, because we now have an document we can open with excel. We love excel. Unfortunately, our boss wants a pretty document. So lets give her/him one.

for /F %i in (computers.txt) do wmic /node:%i process where (Name='FrameWorkService.exe') get name,processid /FORMAT:htable >> Results.htm

Now open c:\Results.htm with internet explorer:

It seems like the longer the command line the better the Results(.htm)  ;)

Did you notice?

 Probably not.

 My blog is missing something.

 Its last months Microsoft Security Updates.

 I hate my blog. Somewhere along the way I lost what wanted my blog to be.

 I forgot rule # 3

3) Most importantly, I will have have fun with my blog.

I got to the point that I was just propagating news, and I realy wanted to share some content.

Going forward, I will not forget about rule # 3 . If I do , and my blog gets boring again, please let me know.

Will myITforum be banned from schools and libraries?

I dont have the answer to that, but it could be subject to being banned if this broadly worded bill passes.

http://news.com.com/2100-1028_3-6099414.html?part=rss&tag=6099414&subj=news

Microsoft Security Updates 11JUL06

Voice Phishing

I am never surprised at how far scammers will go in order to get new victims. It seems they are now combining targeted spam with phone numbers that utilize voice recordings that prompt the user to provide account information.

http://www.theregister.co.uk/2006/06/26/voice_phishing/

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=534

How can you protect yourself? Here are three tips that might help:

1) Be suspicious of any email with urgent requests for personal financial information.

2) Don't use the links or phone numbers in any email to contact your online service provider. Instead, keep your online service provider's phone number, address, and website on record. Always verify the number with the one you have on record. In most cases, service providers never ask for account passwords.

3) Familiarize yourself with your online services provider (I.E. Banking, ISP, Utilities) and their methods of operation and privacy policies.

Microsoft Security Updates 13JUN06

Microsoft Security Updates 09MAY06

McAfee reports 700% increase in Rootkits

McAfee published the first of a series of whitepapers on rootkits. The following is an excerpt from their website.

"Comparing the first quarter of 2006 to that of 2005, we have witnessed an increase by 700% of the number of rootkits submitted to McAfee AVERT Labs. Our numbers further show that rootkits are getting more sophisticated and that rootkits have moved from Trojans into malware and Potentially Unwanted Programs. Follow the "Learn More" link for a copy of the paper."

Learn More

Microsoft Security Updates 11APR06