Tuesday, December 30, 2008

Fake Windows Media Player Flaw

Microsoft says a vulnerability disclosed publicly last week in Windows Media Player was no security bug.

Source: DarkReading.com

Microsoft Security Advisory Notification - Dec. 30, 2008

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: December 30, 2008
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (961509)
- Title: Research proves feasibility of collision
attacks against MD5
- http://www.microsoft.com/technet/security/advisory/961509.mspx
- Revision Note: Advisory published

Monday, December 29, 2008

Mac OS Clone Systems Maybe a Reality with Psystar

I have covered Psystar’s attempt to provide customers with a Mac OS system not built by Apple Corp. in the past, with the following links:

http://kellepcharles.blogspot.com/2008/04/mac-clone-maker-psystar-closes-online.html

http://kellepcharles.blogspot.com/2008/04/defiant-psystar-back-selling-leopard.html

It seems they may have the situation in hand, judging by their storefront page:
http://store.psystar.com/home/desktops/osx

Psystar Open Computers are capable of running Apple's OS X Leopard. View our computer models capable of running OS X Leopard as their native operating system.

I will be on this story more in 2009…

Sunday, December 28, 2008

Cyber-Security Status by Homeland Security Chief Michael Chertoff

Outgoing Department of Homeland Security Chief Michael Chertoff says the Bush administration's work on cyber-security leaves President-elect Barack Obama well-positioned for progress on securing the nation's IT infrastructure.

Source: eWeek.com

Wednesday, December 24, 2008

CEO of Software Company Sentenced for Hacking Competitor

An interesting story from CSO Online about a software executive hacking his competitor and how he got caught.

Source: http://www.csoonline.com/article/472416/Software_Executive_Sentenced_for_Hacking

Microsoft announces SQL-injection Exploit

On Monday Microsoft warned that a security researcher had published an exploit for an unpatched flaw in its SQL Server database software.

SecurityOrb.com researchers published:

"The information could allow malicious attackers the ability to compromise Web sites that use Microsoft's software to serve up dynamic Web pages. The vulnerability affects older versions of the software, including Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine, Microsoft SQL Server 2000 Desktop Engine and Windows Internal Database, the company said in an advisory."

Thursday, December 18, 2008

85% of All Crimes Leave a Digital Fingerprint

It has been stated that 85% of all crimes leave a digital fingerprint in electronic devices. This may occur from an Internet intrusion, identity theft, or a traditional crime like murder. Computer forensics has aided in the investigation of these crimes. Computer forensics is the use of specialized techniques for the recovery, authentication, and analysis of electronic data when a case involves the reconstruction of computer usage, the examination of residual data, the authentication of data by technical analysis, or the explanation of technical features of data and computer usage. It requires specialized expertise that goes beyond the normal data collection and preservation techniques available to end-users or system support personnel. The challenge facing many computer forensics examiners is the abundance of data that must be analyzed to produce a story or show correlation. Hard drives are enormous and continue to grow; disk space is inexpensive, so there is ever more of it to examine. RAID systems add further challenges for the investigator. A simple case on a 200 GB hard drive can take weeks to review before any real assessment can occur, and in terrorism and murder cases such delays can prove fatal. By including social network analysis (SNA), the time needed to locate correlations will be reduced, allowing the examiner to focus his analysis on the key areas the SNA results point to.
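As an illustration of the SNA triage idea above, here is an added example (not code from the original post) that builds a contact graph from communication metadata and ranks parties by how connected they are, so an examiner on a large evidence set has a defensible place to start. The message records, addresses and names are constructed placeholders; only the Python standard library is used.

```python
"""Rank parties in seized communication records by network centrality.

Added example: a minimal social network analysis pass over e-mail header
metadata (sender -> recipients). It builds an undirected weighted contact
graph, computes degree centrality, finds isolated communication clusters and
returns a triage order for the examiner. All records below are constructed.
"""
from collections import defaultdict

# Constructed sample records: (sender, [recipients]). Addresses are placeholders.
SAMPLE_MESSAGES = [
    ("alice@example.test", ["bob@example.test"]),
    ("alice@example.test", ["carol@example.test", "dave@example.test"]),
    ("bob@example.test", ["alice@example.test"]),
    ("carol@example.test", ["dave@example.test"]),
    ("erin@example.test", ["frank@example.test"]),
    ("frank@example.test", ["erin@example.test"]),
    ("dave@example.test", ["alice@example.test"]),
]


def build_graph(messages):
    """Undirected graph; edge weight = number of messages exchanged by the pair."""
    graph = defaultdict(lambda: defaultdict(int))
    for sender, recipients in messages:
        for rcpt in recipients:
            if rcpt == sender:          # self-addressed mail carries no link
                continue
            graph[sender][rcpt] += 1
            graph[rcpt][sender] += 1
    return graph


def degree_centrality(graph):
    """Distinct contacts per party, normalised by (n - 1) so values lie in [0, 1]."""
    n = len(graph)
    if n < 2:
        return {}
    return {node: len(nbrs) / (n - 1) for node, nbrs in graph.items()}


def connected_components(graph):
    """Groups of parties that only communicate among themselves (separate cells)."""
    seen, components = set(), []
    for start in graph:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(graph[node])
        seen |= comp
        components.append(frozenset(comp))
    return components


def triage_order(messages):
    """Parties sorted most-connected first; ties broken by address for stable output."""
    graph = build_graph(messages)
    cent = degree_centrality(graph)
    return sorted(cent, key=lambda node: (-cent[node], node))


if __name__ == "__main__":
    g = build_graph(SAMPLE_MESSAGES)
    for party in triage_order(SAMPLE_MESSAGES):
        print(f"{party:24s} centrality={degree_centrality(g)[party]:.2f}")
    print("clusters:", [sorted(c) for c in connected_components(g)])
```

On the constructed records, alice@example.test is the hub of one four-party cluster while erin and frank form a separate two-party cluster; an examiner would review alice's mailbox first and treat the second cluster as an independent thread of inquiry.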

Microsoft Security Bulletin Minor Revisions

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: December 17, 2008
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS08-072 - Critical
* MS08-069 - Critical

Bulletin Information:
=====================

* MS08-072 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx
- Reason for Revision: V1.1 (December 17, 2008): Changed the
Microsoft Baseline Security Analyzer deployment summary to
"no" for Microsoft Office Word 2000 Service Pack 3 in the
Detection and Deployment Tools and Guidance section. Also,
revised the bulletins replaced by this update for Microsoft
Office Outlook 2007 and Microsoft Office Outlook 2007 Service
Pack 1 in the Affected Software table. There were no changes
to the security update binaries.
- Originally posted: December 9, 2008
- Updated: December 17, 2008
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS08-069 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
- Reason for Revision: V1.2 (December 17, 2008): Added log file
entries in the Security Update Deployment section Reference
table for Microsoft XML Core Services 6.0 when installed on
Windows Server 2003 Service Pack 1, Windows Server 2003
Service Pack 2, Windows Server 2003 x64 Edition, and Windows
Server 2003 x64 Edition Service Pack 2.
- Originally posted: November 11, 2008
- Updated: December 17, 2008
- Bulletin Severity Rating: Critical
- Version: 1.2

Tuesday, December 16, 2008

McColo Fallout Does Not Stop Spam Levels from Decreasing

Numerous reports have indicated that email spam volumes are increasing again since McColo, a rogue hosting company, was pulled off the Internet last month. Although there was a major drop in spam, it seems to have been short-lived, as many reports are showing an upswing.

SecurityOrb.com consultants predict that many bot-masters (the individuals responsible for maintaining malicious computer bots) will take a more distributed approach in the future to withstand actions such as the McColo ISP disconnection.

Recent Internet Explorer Security Flaw Endangers Your Privacy

A programming bug in Microsoft’s Internet Explorer (IE), the default web browser on Windows-based computers, allows hackers to take control of users’ PCs by tricking them into visiting unsafe websites.

Microsoft admitted that a serious flaw in security has left the majority of the world’s Internet users exposed to attacks from hackers hoping to steal personal data and passwords.

Microsoft estimates two million computers have already been affected and that 1 in 500 Internet users may have been exposed.

Consultants at SecurityOrb.com advise computer users to switch to an alternative Internet browser, such as Firefox or Google Chrome, to avoid the hackers who have so far corrupted an estimated 10,000 websites.

Microsoft said that it is considering the release of an emergency update to correct the flaw.

Mac OS X 10.5.6 Security Update

Apple has released a major set of security patches for its Mac OS X operating system which fixes a number of critical flaws in the software.

The Mac OS X 10.5.6 update includes a critical update for Adobe Systems' Flash Player, fixing bugs that were disclosed last month. It also includes patches for several Mac OS libraries, the operating system kernel, and system utilities such as the BOM (Bill of Materials) archiving software. In total, 21 bugs are patched in the update.

Instructions on how to upgrade your Mac OS X to the latest update are at:

http://support.apple.com/kb/HT1338

Monday, December 15, 2008

Window Snyder CSO of Mozilla Resigns

On September 24th of 2008, I profiled Mwende Window Snyder, a.k.a. Window Snyder, of Mozilla in an earlier posting.

Last week, I discovered via Twitter (https://twitter.com/kellepc) that she was leaving her position as Mozilla’s Chief Security Officer, with the following post on her blog:

“I will be leaving Mozilla at the end of the year. I am sad to be leaving, but I am excited to go work on something I have always been passionate about. I wish I could tell you about it now, but that will have to wait for a while.

You will still get Mozilla security information here. Johnathan Nightingale, Lucas Adamski, Brandon Sterne and Mike Shaver will all be posting on the Mozilla security blog to keep users informed about security issues and announcements. I leave you in their very capable hands and wish them the best of luck.”

Details of her next job have not been released as of yet. I will stay on it and report back. My feeling is that she will either be starting her own venture or joining a start-up company. Whatever it is, I wish her the best…

The Koobface Worm

The Koobface worm is spreading through Facebook. It is designed specifically to spread over social-networking sites and is sending spam messages to Facebook members. The motive is to enable hijacking and click fraud.

The messages offer subject lines like "You look so funny on our new video" and offer a link to a video site that pretends to have a movie clip. When the user follows the link, they are redirected to one of many different compromised hosts, according to SecurityOrb.com. Finally, the user is urged to download or open a file named flash_player.exe. That file is a new Koobface variant.

Recommendation: be aware, and run updated anti-virus software.
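The lure described above ends with the victim fetching a file named flash_player.exe from one of many compromised hosts, which is something a web-proxy log can show. The following is an added example (not code from the original post or from SecurityOrb.com) that parses a constructed, simplified proxy-log format and flags fetches of that filename from any host outside an assumed allowlist; the log lines, the line format and the trusted-domain list are all assumptions made for the illustration.

```python
"""Flag proxy-log fetches of a fake Flash Player installer.

Added example. Log format is a constructed, simplified proxy line:
    <timestamp> <client_ip> <method> <url> <http_status>
The lure filename comes from the Koobface write-up; the trusted-domain list
is an assumption standing in for wherever a real installer is sourced.
"""
import re
from urllib.parse import urlparse

LURE_FILENAMES = {"flash_player.exe"}      # filename used by the lure, per the post
TRUSTED_SUFFIXES = (".adobe.com",)        # assumption: legitimate installer origin

# Constructed sample log lines (RFC 5737 / .test addresses, not real hosts)
SAMPLE_LOG = """\
2008-12-15T10:01:12Z 10.0.0.15 GET http://www.facebook.com/home.php 200
2008-12-15T10:01:40Z 10.0.0.15 GET http://203.0.113.7/video/flash_player.exe 200
2008-12-15T10:02:03Z 10.0.0.22 GET http://get.adobe.com/flashplayer/download/flash_player.exe 200
2008-12-15T10:02:30Z 10.0.0.31 GET http://example-host.test/funny/FLASH_PLAYER.EXE 200
2008-12-15T10:03:01Z 10.0.0.15 GET http://www.example.test/index.html 304
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_trusted_host(host):
    """True when the host is, or is a subdomain of, a trusted suffix."""
    host = (host or "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_SUFFIXES)


def parse_line(line):
    """Split one log line into fields; None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def suspicious_downloads(log_text):
    """Return (client_ip, url) for successful fetches of a lure filename from untrusted hosts."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["status"] != 200:
            continue
        parsed = urlparse(rec["url"])
        filename = parsed.path.rsplit("/", 1)[-1].lower()   # case-insensitive match
        if filename in LURE_FILENAMES and not is_trusted_host(parsed.hostname):
            hits.append((rec["client"], rec["url"]))
    return hits


if __name__ == "__main__":
    for client, url in suspicious_downloads(SAMPLE_LOG):
        print(f"ALERT {client} fetched {url}")
```

Matching on the filename alone is deliberately crude; in practice the alert would be one input to an investigation, together with the anti-virus verdict on the downloaded file and the fact that the referring page was a social-networking site.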

Sunday, December 14, 2008

IE Browser Security Update

An unpatched vulnerability found in Internet Explorer 7 also affects older versions of the browser as well as the latest beta version.

The IE 7 exploit is spreading at a faster pace now because at least one site that is exploiting the vulnerability is being SQL-injected into other websites.

Friday, December 12, 2008

SANS OnDemand Security Times Newsletter

SECURITY TIMES SPECIAL

As a thank you for receiving our SANS OnDemand Security Times
Newsletter, you may take an additional 5% off our listed current
specials through December 26.

For single courses, see http://www.sans.org/info/35939 for our current
offer. Use discount code "T1_add5" for a total of 30% off any OnDemand
course.

For groups or multiple courses, take an additional 5% off our lowest
listed pricing at http://www.sans.org/info/35944.

Check out our Free OnDemand Demos at http://www.sans.org/info/35949
************************************************************************
WHAT'S UPCOMING?

For courses currently being developed in OnDemand, take advantage of our
30% Development Discount. For a full list of upcoming courses, go to
http://www.sans.org/info/35954
************************************************************************
EARN REWARDS POINTS

Receive one OnDemand Reward Point for every dollar that you spend for
SANS OnDemand training, including the OnDemand Bundle. To begin
receiving reward points, visit http://www.sans.org/info/35959
************************************************************************
SECURITY TIP

Whether you are a small Mom & Pop shop or a multinational corporation,
your employees are almost certainly leveraging sites with user generated
content. User generated content sites (e.g. Myspace, Youtube, Facebook,
Craigslist, Blogger, and Flickr) are routinely in the top 20 most
visited websites.

From a numbers perspective, it goes without saying that your
employees/colleagues/superiors, and likely you, are users of these
popular sites. Although the most obvious risk posed by employee usage
of these sites is productivity loss [1], perhaps the more serious risk
is posed by the break-neck speed with which these sites are allowing
active user generated content and applications to flourish [2][3].
Therein lies part of the appeal, but so too, some of the risks. In order
for these sites to be useful, users configure their browsers to allow
this content to run virtually unfettered. However, the risk posed by
active content isn't the point of this article either [4]...

A somewhat less discussed "feature" of sites containing user generated
content is the significant information disclosure posed by users from
your organization. Imagine, if you will, that you were being targeted
by an attacker. Of course, _you_ aren't being targeted, but just bear
with me... Perhaps you have really done a bang up job hardening your
perimeter, patching systems, etc., such that you feel relatively secure
in your overall security program and architecture. If an attacker could
find a trusted insider that was willing to disclose details regarding
the products, programming languages, patch levels, etc., in use at your
organization, could it subvert some of those feelings of security? In
effect, social networking sites are a veritable treasure trove for
attackers wishing to gain this type of intelligence. What's more,
sometimes they are able to gain this information without engaging in
even the most rudimentary of social engineering attacks. For instance,
users with profiles on LinkedIn frequently list their resume, including
both specialties and employers, for the world to see. This and other
information is like gold to an attacker. This type of information,
coupled with attackers armed with information mining tools like Maltego
(i.e., Rapleaf and Spock transforms) can really lower the bar for a
successful targeted attack [5].

Now that the little thought experiment is over, let's think about the
primary assumption - you are being targeted by an attacker. Some of you
fully accept this as a given, but most of you likely dismiss this
without much thought (we are too small, no one has heard of us, why
would anyone come after us). Well, consider that restaurants in West
Monroe, LA (pop. 12,951)[6] were part of a group of restaurants in
Mississippi and Louisiana targeted by a ring of thieves harvesting
credit card numbers [7]. If something as innocuous as a family owned
diner can be targeted for an attack, then certainly any organization can
become a likely target.

The risks associated with websites, in general, and social networking
sites, in particular, are discussed in several SANS courses available
via OnDemand (AUD507, MGT512, SEC401 and SEC502). The social
engineering and reconnaissance exposure made possible by these sites is
explored in SEC560.

For more info on these courses, visit:
AUD507: Auditing Networks, Perimeters & Systems
(http://www.sans.org/link.php?id=1032&mid=6)
MGT512: SANS Security Leadership Essentials For Managers
(http://www.sans.org/link.php?id=1032&mid=62)
SEC401: SANS Security Essentials
(http://www.sans.org/link.php?id=1032&mid=61)
SEC502: Perimeter Protection In-Depth
(http://www.sans.org/link.php?id=1032&mid=17)
SEC560: Network Penetration Testing and Ethical Hacking
(http://www.sans.org/link.php?id=1032&mid=937)

Seth Misenar
SANS OnDemand Virtual Mentor

1: "Facebook 'costs businesses dear' " -
http://news.bbc.co.uk/2/hi/technology/6989100.stm
2: More than 33,000 Facebook applications -
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/23/BU7C11TAES.DTL
3: More than 400,000 registered Facebook developers -
http://www.facebook.com/press/releases.php?p=48242
4: "Elaborate Facebook Worm Spreading" -
http://www.techcrunch.com/2008/08/07/elaborate--facebook-worm-virus-spreading/
5: "Maltego Part I - Intro and Personal Recon" -
http://www.ethicalhacker.net/content/view/202/24/
6: U.S. Census Bureau, 2007 Population Estimates -
http://factfinder.census.gov
7: "Attacks Continue on Retail Stores, Restaurants" -
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201193

Wednesday, December 10, 2008

The CSIS Commission on Cybersecurity for the 44th Presidency has been Released

The CSIS Commission on Cybersecurity for the 44th Presidency has released its final report, "Securing Cyberspace for the 44th Presidency." The Commission’s three major findings are:
  1. Cybersecurity is now one of the major national security problems facing the United States;
  2. Decisions and actions must respect American values related to privacy and civil liberties; and
  3. Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.
You can get a PDF copy of the report from the CSIS website.

Insider Threat Still a Big Issue to Network Security

Internal users continue to be the thorn in the system and security administrator's side. This is the case for several reasons. One, they have knowledge of the network resources. Two, they have credentials to access various systems on the network. Third, most security controls defend against external entities rather than internal users. According to the Computer Security Institute (CSI), approximately 80 percent of network misuse incidents originate from inside the network.

Security administrators should apply the “Defense in Depth” security model when it comes to protecting the network. This means network firewalls, IDS, HIDS, host-based firewalls, patch management, security policies and vulnerability scanning.

Microsoft Security Advisory (960906)

Microsoft Security Advisory (960906)
Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
Published: December 9, 2008
Microsoft is investigating new reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 are not affected as these operating systems do not contain the vulnerable code.
Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. Additionally, as the issue has not been publicly disclosed broadly, we believe the risk at this time to be limited.
We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
Customers who believe that they have been attacked can obtain security support at Get security support and should contact the national law enforcement agency in their country. Customers in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at Internet Crime Complaint Center.
Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.
Mitigating Factors:

This issue does not affect Windows XP Service Pack 3, Windows Vista, and Windows Server 2008.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.

When Microsoft Office Word is installed, Word 97 documents are by default opened using Microsoft Office Word, which is not affected by this vulnerability. However, an attacker could rename a malicious file to have a Windows Write (.wri) extension, which would still invoke WordPad. This file type can be blocked at the Internet perimeter.

Microsoft Security Bulletin Major Revisions

********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: December 9, 2008
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS08-052 - Critical

Bulletin Information:
=====================

* MS08-052 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
- Reason for Revision: V3.0 (December 9, 2008): Added Microsoft Office
Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007
File Formats Service Pack 1, Microsoft Expression Web and Microsoft
Expression Web 2, and Microsoft Office Groove Server 2007 as Affected
Software. Also detailed a detection change for Microsoft SQL Server 2005
Service Pack 2 in the "Why was this bulletin revised on December 9,
2008?" entry in the Frequently Asked Questions (FAQ) Related to this
Security Update section.
- Originally posted: September 9, 2008
- Updated: December 9, 2008
- Bulletin Severity Rating: Critical
- Version: 3.0

Monday, December 8, 2008

Terror Suspects Used 'Wardriving' and Un-Secure Wireless Access Points in India Bombing

Securing wireless LANs has to be a priority to help protect the US national security posture. Insecure wireless networks allow malicious individuals to access a communication medium, conduct illegal activities and remain undetected.

Techniques like wardriving are prime examples of how this can occur. Wardriving is the act of searching for Wi-Fi wireless networks from a moving vehicle, using a portable computer.

Unfortunately, this technique, in conjunction with unsecured wireless access points, may have aided in the recent terrorist attacks in India.

A recent report stated:

After discovering that a militant group allegedly responsible for a series of bombings there recently may have sent their warning emails of the attacks via unsecured wireless LANs.

The police said the suspects used WiFi scanners to detect open WiFi networks and then remotely sent their email messages from those networks, claiming responsibility in advance of bombings in Delhi and Ahmedabad.

My view on this matter is that better education and monitoring of wireless equipment are needed at the user and ISP level. Also, vendors should ship equipment with security closed rather than open. This would make the user think about security as the equipment is being installed and configured.

Vulnerability Report

Vulnerability: ASPPortal
Published: 2008-11-28
Severity: High
Description: SQL injection vulnerability in content/forums/reply.asp in ASPPortal allows remote attackers to execute arbitrary SQL commands via the Topic_Id parameter.
Recommendation: NA
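The report above describes the classic pattern behind most SQL injection bugs: a request parameter (here Topic_Id) is pasted into the SQL text. The following added example, which is not ASPPortal's code and not taken from the report, models that pattern in Python with sqlite3 so it can be run offline, and puts the hardened version (type validation plus a bound parameter) beside it. The table, rows and the "hidden" flag are constructed for the illustration.

```python
"""Unsafe versus parameterised lookup of a forum topic by Topic_Id.

Added example modelling the reported defect class. `replies_unsafe` shows why
string concatenation is dangerous: a crafted parameter changes the WHERE
clause and exposes rows the application meant to hide. `replies_safe` shows
the fix: reject anything that is not an integer, then bind the value.
Schema and data are constructed.
"""
import sqlite3


def make_db():
    """In-memory database with one public topic, one hidden, one more public."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER);
        INSERT INTO topics VALUES (1, 'Welcome', 0);
        INSERT INTO topics VALUES (2, 'Moderator notes', 1);
        INSERT INTO topics VALUES (3, 'Announcements', 0);
        """
    )
    return conn


def replies_unsafe(conn, topic_id):
    """The vulnerable pattern: request input concatenated into the SQL text.

    Because AND binds tighter than OR, input such as "1 OR 1=1" turns the
    filter into (hidden = 0 AND topic_id = 1) OR 1=1, which matches every row.
    """
    sql = "SELECT topic_id, title FROM topics WHERE hidden = 0 AND topic_id = " + topic_id
    return conn.execute(sql).fetchall()


def replies_safe(conn, topic_id):
    """Hardened: validate the type first, then pass the value as a bound parameter."""
    if not isinstance(topic_id, str) or not topic_id.isdigit():
        raise ValueError("Topic_Id must be a positive integer")
    sql = "SELECT topic_id, title FROM topics WHERE hidden = 0 AND topic_id = ?"
    return conn.execute(sql, (int(topic_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal request, unsafe:", replies_unsafe(db, "1"))
    print("crafted request, unsafe:", replies_unsafe(db, "1 OR 1=1"))
    print("normal request, safe:  ", replies_safe(db, "1"))
    try:
        replies_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("crafted request, safe:  rejected:", exc)
```

Both defences matter: the integer check gives a clear error for malformed input at the edge of the application, and the bound parameter guarantees that whatever reaches the database is treated as a value, never as SQL.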

Not Installing MS08-067 Cause for Growing Botnet

As I reported a few weeks back on both my blog and the SecurityOrb.com website, the worm titled WORM_DOWNAD.A continues to cause widespread security issues on the Microsoft platform. It has been estimated that over 500,000 systems running MS Windows have been infected around the world, and the number continues to increase.

It is recommended that system administrators and users install the Microsoft MS08-067 security update to protect against this worm.

Saturday, December 6, 2008

Mac OS X Boot Commands

I recently had to work on a Mac OS X system that did not want to boot off the CD-ROM drive, and I was able to work around it. The following commands are helpful for Mac OS X techs, computer forensics examiners and Mac users. Enjoy...

****** Mac OS X Boot Commands *******

Command-S: Boot into Single User Mode
Command-V: Boot using "Verbose" mode (shows all kernel and startup console messages)
X: Reset startup disk selection and boot into Mac OS X Server
Shift: Boot into "Safe Boot" mode, which runs Disk First Aid. A reboot will be required afterward.
Option: Boot into Open Firmware to select a boot device
Command-Option-Shift-Delete: Bypass internal hard drive on boot
T: Boot into FireWire target disk mode
C: Boot from the internal optical drive
N: Start from the network (NetBoot)
Command-Option-P-R: Reset Parameter RAM (PRAM) and non-volatile RAM (NVRAM)
(mouse button): Eject (internal) removable media

ALSO: if you use an Open Firmware password, you'll need this:
Startup Manager: accessed by pressing the Option key during startup
Open Firmware prompt: press the Command-Option-O-F key combination during startup, then enter commands.

http://docs.info.apple.com/article.html?artnum=106482

How to troubleshoot a computer with Open Firmware Password enabled
If you cannot access the Open Firmware Password application and need to troubleshoot your computer by:

Resetting the PRAM
Starting up in Single-user mode
Starting up in Verbose mode
Starting from CD-ROM

Then follow these steps:

Start up into Open Firmware by pressing and holding the Command-Option-O-F key combination during startup.
At the Open Firmware prompt, type: reset-nvram
Press Return.
When prompted for your password, enter it and press the Return key. It responds OK.
At the Open Firmware prompt, type: reset-all
Press Return.

The computer restarts and you are now able to reset the PRAM and start up in Single-user mode, Verbose mode, or from CD-ROM.

Friday, December 5, 2008

Firefox Malware - Trojan.PWS.ChromeInject.A

Firefox users are targeted by a new malware named Trojan.PWS.ChromeInject.A, which collects passwords from banking sites.

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A", sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.

The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.

Firefox has been continually gaining market share against main competitor Internet Explorer since its debut four years ago, which may be one reason why malware authors are looking for new avenues to infect computers, Canja said.

Users could be infected with the Trojan either from a drive-by download.
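Since the Trojan described above lives in the Firefox add-ons folder and is loaded at browser start, a simple control is to inventory what that folder contains and flag anything not on an approved list. The following is an added example (not BitDefender's or Mozilla's code) that does this against a profile directory; the profile is built in a temporary directory with constructed entries, and the approved add-on identifier is a placeholder. The assumption is only that add-ons live under `<profile>/extensions` as directories or `.xpi` files.

```python
"""Inventory a Firefox profile's extensions folder against an allowlist.

Added example. Builds a constructed profile in a temp directory containing one
approved add-on, one unknown directory-style add-on and one unknown .xpi, then
lists and classifies them. The approved identifier is a placeholder; the
extensions folder layout (directories or .xpi files named by add-on ID) is an
assumption for illustration.
"""
import os
import tempfile

# Assumption: approved add-on IDs for this environment (placeholders, not real IDs)
APPROVED_EXTENSIONS = {"approved-addon@example.test"}


def build_sample_profile():
    """Create a constructed profile directory and return its path."""
    profile = tempfile.mkdtemp(prefix="ff-profile-")
    ext_dir = os.path.join(profile, "extensions")
    os.makedirs(ext_dir)
    os.makedirs(os.path.join(ext_dir, "approved-addon@example.test"))
    # Two entries no one installed on purpose, as a dropped add-on would appear
    os.makedirs(os.path.join(ext_dir, "{d1f1b3c0-0000-4000-8000-000000000000}"))
    with open(os.path.join(ext_dir, "unknown-addon@example.test.xpi"), "wb") as f:
        f.write(b"PK\x03\x04")  # constructed stub: zip magic only, not a real XPI
    return profile


def list_extensions(profile_dir):
    """Return add-on identifiers found under <profile>/extensions, sorted."""
    ext_dir = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_dir):
        return []
    ids = []
    for name in sorted(os.listdir(ext_dir)):
        # A packed add-on is "<id>.xpi"; an unpacked one is a directory named "<id>"
        ids.append(name[:-4] if name.lower().endswith(".xpi") else name)
    return ids


def unapproved_extensions(profile_dir, approved=APPROVED_EXTENSIONS):
    """Identifiers present in the profile but absent from the allowlist."""
    return [ext for ext in list_extensions(profile_dir) if ext not in approved]


if __name__ == "__main__":
    profile = build_sample_profile()
    print("installed:", list_extensions(profile))
    for ext in unapproved_extensions(profile):
        print("REVIEW: unapproved add-on", ext)
```

The point of the allowlist is to turn "is there malware in here?" (hard) into "is there anything here we did not put here?" (easy); an unexpected entry is then a lead for the anti-virus scan and for checking what the add-on's scripts do at startup.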

Thursday, December 4, 2008

The Goals of the National Cyber Security Initiative

Even though many parts of the activities under the Cyber Security Initiative are classified, here are some of the initial goals outlined for the initiative.

The Goals of the National Cyber Security Initiative:

* Reducing and consolidating the thousands of federal network Internet connections under the Trusted Internet Connections initiative. Reducing the number of connections to fewer than 100 could enable better control and monitoring of activities.

* Using the certification and accreditation authority of the Office of Management and Budget under the Federal Information Security Management Act to ensure that agencies establish watch-and-warning capabilities on their networks on a 24/7 basis, to improve cyber incident detection and response capabilities.

* Developing a faster process for detecting and responding to anomalous behavior on global networks, so that attacks can be spotted in a matter of minutes, not hours.

* Fully developing the potential of Einstein, the system used by US-CERT to spot problems on global networks.

Wednesday, December 3, 2008

Paraben's Device Seizure Field Kit

Paraben is pleased to announce the release of the Device Seizure Field Kit. Rugged, portable, and expandable, this comprehensive handheld forensic field kit allows you to take your lab out into the field to perform complete forensic exams of cell phones, PDAs, GPS devices, and related media (SIM cards, Micro SD Cards, Flash Drives, etc.).

The Device Seizure Field Kit Includes:

* One license of Device Seizure to acquire, analyze, and report on over 1,900 different devices
* All the components of the Device Seizure Toolbox including data cables, power management, a SIM card reader, and more
* A 1.6 GHz Laptop with 1 MB RAM and a 120 GB hard drive used to perform acquisitions and analysis
* One CSI Stick for even more convenient field acquisitions
* One license of Forensic Replicator to acquire data from different media you may encounter in the field
* One license of Case Agent Companion for quick analysis of non-device related data acquired in the field
* One license of P2 eXplorer to mount images as a virtual drive
* Various media card readers
* Rugged carrying case
* One year software and new cable subscriptions

This field kit is expandable, allowing you to add your other forensic tools for any type of digital examination anywhere, anytime. You can learn more about the Device Seizure Field Kit at http://www.paraben-forensics.com/catalog/product_info.php?products_id=501.

Do you already have Device Seizure and Toolbox? You can buy a conversion kit to upgrade your products to a Device Seizure Field Kit at http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=500.

Thank you,
Paraben Corporation

Apple quietly recommends using anti-virus software

Apple quietly recommends using anti-virus software. As the platform gains market share, hackers could increasingly look to exploit it, particularly if it is perceived as an easier target.

Full story at infoworld.com

Tuesday, December 2, 2008

US Department of Defense's decision to ban the use of USB drives and other removable data storage devices

Classified US Systems Breached: Attacks on US War Zone Computers Prompts Security Crackdown

The Los Angeles Times is reporting that the US Department of Defense's decision to ban the use of USB drives and other removable data storage devices was prompted by a significant attack on combat zone computers and the US Central Command that oversees Iraq and Afghanistan. The attack is believed to have originated in Russia. While no specific details about the attack were provided, it is known that at least one highly protected classified network was affected.

http://www.latimes.com/news/nationworld/nation/la-na-cyberattack28-2008nov28,0,6441140.story

Removable media causes security concerns

The proliferation of portable media devices is increasing companies' security risks exponentially. In fact, endpoint security for laptops, PDAs and removable media is one of the most critical security issues facing companies today. USB drives, in particular, carry a tremendous amount of private corporate content. To deal with the growing problem, CIOs must set up strict policies for how data on removable media is handled, and where such media can and cannot be taken. Employees should also be monitored to some extent, to ensure that they use removable media only for company-sponsored endeavors. It is also critical to make sure that the USB drives used by your company have appropriate encryption, which is not standard on all USB drives. The same diligence should be applied to other mobile devices such as laptops.

Source: http://www.fiercecio.com/story/removable-media-causes-security-concerns/2007-03-19


Some interesting information pertaining to the security issues with removable drives:

The rise of the mobile data market has been rapid, lucrative and dangerous. Long gone are the days when you needed identical tape drives and software on both computers. The traditional floppy disk market and local tape markets were superseded by the super-floppy and zip drive. Now even they are disappearing as the mobile data storage market evolves.

Thanks to their large capacities, portability, and simplicity, removable media have become one of the most popular types of storage device around today. You have only to go down to one of the big computer shows to be offered a free memory stick as a stand give-away. If you take part in an IT training course, you might be given one with all your course notes stored on it. They are so cheap that they are the obvious way to store information, business proposals, accounts, clients' details, marketing plans, etc.

The arrival of the MP3 music player has had a significant impact on the market. While Apple sees music as the only reason for owning an iPod, its competitors have simply created large USB stores with some built-in music software. An increasing number of people now view the MP3 player as both a data and an entertainment tool. The danger here is that, as an entertainment device, it falls below the radar, and with storage capacities set to exceed 80GB by the end of 2005, it is a serious threat to data protection.

http://www.gcn.com/online/vol1_no1/47646-1.html/?s=dailyNL


Pentagon spokesman Brian Whitman confirmed that the Defense Department is battling an ongoing malware attack within DOD's networks. "We are aware of a global virus for which there are some public alerts, and we've seen some of these on our networks, and we are taking steps to identify and mitigate the virus," Whitman said in an official statement Nov. 21.

Last week, Strategic Command mandated that users of the Global Information Grid not use removable media, to prevent further spreading of a virus. Wired Magazine's Danger Room blog reported that an Army email alert had been sent out relaying the instructions from STRATCOM, banning the use of removable media -- thumb drives, external disks, CDs and DVDs -- effective immediately. The e-mail indicated that a worm, called Agent.btz, was the cause of the move by STRATCOM and Joint Task Force-Global Network Operations.


http://www.gcn.com/online/vol1_no1/47657-1.html/?s=dailyNL


NASA chief information officer Jonathan Pettus clarified the agency’s policy curbing the use of removable media in the wake of recent security concerns. The policy appeared in an internal memo.

New details about security concerns at NASA, independent of the memo, emerged in a report by BusinessWeek published last weekend. It details a series of significant and costly cyberattacks on NASA systems in the past decade.

The memo from Pettus instructs employees not to use personal USB drives or other removable media on government computer systems. It also directs employees not to use government-owned removable devices on personal machines or machines that do not belong to the agency, department or organization. And it warns employees not to put unknown devices into any systems and to ensure that systems are fully patched and have up-to-date antivirus software.

Pettus also said he is in the process of updating security policies and is “working with center CIOs on additional measures recommended by [the U.S. Computer Emergency Readiness Team] to mitigate removable media risks, including implementation of Federal Desktop Core Configuration settings.”

The directive is not as sweeping as one issued by the Defense Department, which temporarily forbids the use of USB drives and other removable media devices of all types as a step toward mitigating the spread of detected malware.

Monday, December 1, 2008

Three Reasons for Security Issues

Technology Weaknesses
Each network & computing technology has inherent security problems.

Configuration Weaknesses
Even the most secure technology can be misconfigured exposing security problems.

Policy Weaknesses
A poorly defined, implemented or managed security policy can make the best security infrastructure open for abuse.

Defining Threat, Vulnerability and Attack

Threats - A threat is any potential danger to information or systems

Vulnerabilities - A vulnerability is a software, hardware or procedural weakness that may provide an attacker a way to access information or systems.

Attacks - An attack is a technique used to exploit a vulnerability.

Security Definitions - Risk Assessment

Risk Assessment - is a qualitative or quantitative review of the likelihood of a threat agent taking advantage of a vulnerability. Some security-related examples are:

  • Open ports on a firewall
  • Not upgrading to a new OS version
  • Not applying a software patch

Basic Security Steps of Risk Assessments:
  1. Identify and prioritize assets
  2. Identify vulnerabilities
  3. Identify threats and the probability of each occurring
  4. Identify countermeasures
  5. Develop a cost-benefit analysis
  6. Develop security policies and procedures
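To make steps 1 through 5 concrete, here is an added example (not from the original post): a small quantitative risk register in C covering the three weaknesses listed above, scored with the usual annualized loss expectancy model (ALE = single loss expectancy x annualized rate of occurrence), ranked by asset priority and ALE, and with a cost-benefit check for each countermeasure. The assets, dollar figures, probabilities and countermeasure names are constructed for illustration.

```c
#include <stdio.h>

/* Added example (not part of the original post): a minimal quantitative risk
 * register that walks steps 1-5 above. Assets, dollar figures, probabilities
 * and countermeasures are constructed for illustration. */

typedef struct {
    const char *asset;          /* step 1: asset at risk */
    int priority;               /* step 1: 1 = most critical asset */
    const char *vulnerability;  /* step 2 */
    const char *threat;         /* step 3 */
    double sle;                 /* single loss expectancy per incident, USD */
    double aro;                 /* step 3: expected incidents per year */
    const char *countermeasure; /* step 4 */
    double cm_cost;             /* step 5: annual cost of the countermeasure, USD */
    double cm_reduction;        /* step 5: fraction of incidents it prevents (0..1) */
} Risk;

/* Constructed register using the three example weaknesses from the post. */
const Risk SAMPLE_RISKS[] = {
    {"Customer database server", 1, "Open ports on a firewall",
     "Internet-based intrusion", 200000.0, 0.1,
     "Remove unused firewall rules", 2000.0, 0.9},
    {"Department file server", 1, "Not applying a software patch",
     "Worm exploiting a known bug", 50000.0, 0.5,
     "Monthly patch management", 8000.0, 0.8},
    {"Lobby kiosk PC", 3, "Not upgrading to new OS version",
     "Exploitation of an unsupported OS", 3000.0, 0.2,
     "OS upgrade", 1500.0, 0.95},
};
const int SAMPLE_RISK_COUNT = (int)(sizeof SAMPLE_RISKS / sizeof SAMPLE_RISKS[0]);

/* Annualized loss expectancy: ALE = SLE x ARO (the usual quantitative measure). */
double ale(const Risk *r) { return r->sle * r->aro; }

/* Step 5: annual value of the countermeasure = loss it avoids minus its cost.
 * Positive means the control pays for itself; negative means accept the risk
 * or look for a cheaper control. */
double cm_value(const Risk *r) {
    double residual = ale(r) * (1.0 - r->cm_reduction);
    return ale(r) - residual - r->cm_cost;
}

/* Tolerance helper so callers can compare floating-point dollar amounts. */
int approx_equal(double a, double b) { double d = a - b; return (d < 0 ? -d : d) < 1e-6; }

/* Steps 1-5 together: write indexes into risks[] to out[], ordered by asset
 * priority (lowest number first) and then by ALE descending, and return how
 * many countermeasures are worth funding (cm_value > 0). */
int prioritize(const Risk *risks, int n, int *out) {
    int i, j, funded = 0;
    for (i = 0; i < n; i++) out[i] = i;
    for (i = 1; i < n; i++) {                   /* insertion sort on the key */
        int k = out[i];
        for (j = i; j > 0; j--) {
            const Risk *prev = &risks[out[j - 1]], *cur = &risks[k];
            int prev_after_cur = prev->priority > cur->priority ||
                (prev->priority == cur->priority && ale(prev) < ale(cur));
            if (!prev_after_cur) break;
            out[j] = out[j - 1];
        }
        out[j] = k;
    }
    for (i = 0; i < n; i++)
        if (cm_value(&risks[i]) > 0) funded++;
    return funded;
}

int main(void) {
    int order[8], i;
    int funded = prioritize(SAMPLE_RISKS, SAMPLE_RISK_COUNT, order);
    for (i = 0; i < SAMPLE_RISK_COUNT; i++) {
        const Risk *r = &SAMPLE_RISKS[order[i]];
        printf("%d. %s | %s | ALE $%.0f | %s: %s ($%.0f/yr)\n", i + 1, r->asset,
               r->vulnerability, ale(r), r->countermeasure,
               cm_value(r) > 0 ? "fund" : "do not fund", cm_value(r));
    }
    printf("%d of %d countermeasures pay for themselves\n", funded, SAMPLE_RISK_COUNT);
    return 0;
}
```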

CDE DTLogin X-Windows XDMCP Double Free

Affected Systems:
System / Operating System: Solaris 8 **
Description:
A double free vulnerability exists in the X Windows Desktop Manager Control Protocol (XDMCP) service bundled with most X Windows implementations.
Recommendation:
For systems that do not require the X Windows system, dtlogin may be disabled. To disable dtlogin perform the following actions:

1. stop dtlogin with the following command "/etc/init.d/dtlogin stop"
2. move the file "dtlogin" out of the "/etc/init.d" directory


To disable handling of XDMCP requests sent from remote hosts perform the following actions:

1. stop dtlogin with the following command "/etc/init.d/dtlogin stop"
2. edit the file "/etc/dt/config/Xconfig" and uncomment the line reading "Dtlogin.requestPort:0"
3. restart dtlogin with the following command "/etc/init.d/dtlogin start"


Patches for this vulnerability may be obtained from the following locations:

IBM AIX 4.3.3, IBM APAR IY55362
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

IBM AIX 5.1, IBM APAR IY55361
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

IBM AIX 5.2, IBM APAR IY55360
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

Sun Solaris 8.0 x86, Patch 108920-21
http://sunsolve.sun.com/search/document.do?assetkey=1-21-108919-21-1

Sun Solaris 8.0, Patch 108919-21
http://sunsolve.sun.com/search/document.do?assetkey=1-21-108919-20-1

Sun Solaris 9.0 x86, Patch 114210-08
http://sunsolve.sun.com/search/document.do?assetkey=1-21-114210-08

Sun Solaris 9.0, Patch 112807-09
http://sunsolve.sun.com/search/document.do?assetkey=1-21-112807-10-1
Observation:
The X Windows Desktop Manager Control Protocol (XDMCP) is used to manage X Windows sessions on remote computers.

A double free vulnerability exists in the dtlogin daemon responsible for handling XDMCP requests. By sending a maliciously crafted request to UDP port 177 of an affected system it is possible to cause the target to free a chunk of dynamically allocated memory more than once. Freeing of memory more than once results in corruption of heap memory and may allow for remote code execution.

Foundstone detected this vulnerability by sending a maliciously crafted request to the XDMCP service on UDP port 177 and then probing to see if the service continued to service requests.
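The bug class the advisory describes, shown in an added example that is neither dtlogin's code nor part of the advisory: a hypothetical, simplified handler for one XDMCP-style datagram whose error path frees the same heap chunk twice, beside a hardened version that validates every length field before allocating and releases memory only through one idempotent helper. The packet layout, the field cap and the sample datagrams are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not dtlogin's code and not from the advisory: a hypothetical
 * handler for one XDMCP-style datagram, first with the bug class the advisory
 * describes (the same heap chunk freed twice on an error path), then hardened.
 * Assumed layout: 2-byte version, 2-byte opcode, 2-byte body length (all
 * big-endian), then a single ARRAY8 field: 2-byte length followed by bytes. */

#define HDR_LEN     6
#define XDMCP_VER   1
#define MAX_ARRAY8  512     /* assumed cap on the copied field */

typedef struct {
    uint8_t *data;          /* heap copy of the ARRAY8 field, NULL when empty */
    uint16_t len;
} Array8;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* VULNERABLE pattern, kept only for contrast and never exercised here: the
 * size check runs after the copy was made, its failure branch frees the
 * buffer, and the shared cleanup frees the same chunk a second time. One
 * datagram with an oversized field is enough to corrupt the heap. */
int handle_request_vulnerable(const uint8_t *pkt, size_t pktlen, Array8 *arr) {
    int rc = -1;
    if (pktlen < HDR_LEN + 2) return -1;
    arr->len = rd16(pkt + HDR_LEN);
    if (arr->len > pktlen - HDR_LEN - 2) return -1;
    arr->data = malloc(arr->len);
    if (arr->data == NULL) return -1;
    memcpy(arr->data, pkt + HDR_LEN + 2, arr->len);
    if (arr->len > MAX_ARRAY8) {
        free(arr->data);            /* first free */
        goto cleanup;
    }
    rc = 0;
cleanup:
    if (rc != 0) free(arr->data);   /* second free of the same chunk */
    return rc;
}

/* Hardened helper: frees at most once because the pointer is cleared. */
void array8_free(Array8 *arr) {
    free(arr->data);                /* free(NULL) is a no-op */
    arr->data = NULL;
    arr->len = 0;
}

/* HARDENED handler: every length field is validated against the datagram
 * before any allocation, so no error path exists after malloc() succeeds,
 * and the only release path is array8_free(). Returns 0 and hands the
 * caller ownership of arr->data, or -1 with arr->data == NULL. */
int handle_request(const uint8_t *pkt, size_t pktlen, Array8 *arr) {
    arr->data = NULL;
    arr->len = 0;
    if (pktlen < HDR_LEN + 2) return -1;
    if (rd16(pkt) != XDMCP_VER) return -1;
    size_t body = rd16(pkt + 4);
    if (body != pktlen - HDR_LEN) return -1;              /* header length must match datagram */
    uint16_t alen = rd16(pkt + HDR_LEN);
    if (alen > MAX_ARRAY8 || alen > body - 2) return -1;  /* field must fit the body */
    arr->data = malloc(alen > 0 ? alen : 1);
    if (arr->data == NULL) return -1;
    memcpy(arr->data, pkt + HDR_LEN + 2, alen);
    arr->len = alen;
    return 0;
}

/* Constructed datagrams: version 1, opcode 7, body = length 3 + "abc". */
const uint8_t SAMPLE_REQUEST[]    = {0,1, 0,7, 0,5, 0,3, 'a','b','c'};
/* Same header, but the ARRAY8 length claims 9 bytes while only 3 follow. */
const uint8_t SAMPLE_BAD_LENGTH[] = {0,1, 0,7, 0,5, 0,9, 'a','b','c'};
const size_t SAMPLE_LEN = sizeof SAMPLE_REQUEST;

int main(void) {
    Array8 a;
    int rc = handle_request(SAMPLE_REQUEST, SAMPLE_LEN, &a);
    printf("good datagram: rc=%d len=%u\n", rc, (unsigned)a.len);
    array8_free(&a);
    array8_free(&a);                /* a second release is harmless */
    rc = handle_request(SAMPLE_BAD_LENGTH, SAMPLE_LEN, &a);
    printf("bad length:    rc=%d data=%p\n", rc, (void *)a.data);
    return 0;
}
```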


Affected Systems:

Sun Solaris 7.0, 8.0, 9.0
HP-UX 11.x
IBM AIX 4.3.3, 5.1, 5.2
Common Desktop Environment (CDE) 1.0.1, 1.0.2, 1.1, 1.2, 2.0, 2.1,


For more information see:

CERT Vulnerability Note VU#179804:
http://www.kb.cert.org/vuls/id/179804

BID 9958:
http://www.securityfocus.com/bid/9958
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2004-0368

General Types of Digital Forensics

Network Analysis
  • Communication analysis
  • Log analysis
  • Path tracing
Media Analysis
  • Disk imaging
  • MAC time analysis (Modify, Access, Create)
  • Content analysis
  • Slack space analysis
  • Steganography
Code Analysis
  • Reverse engineering
  • Malicious code review
  • Exploit Review

Green IT and Green Computing Technology

Green IT, also known as Green Computing, is the movement towards a more environmentally friendly and cost-effective use of power and production in technology. The crux of Green IT is to double or triple the bottom line investment costs by converting existing structures and systems to this more conservative mode of operation in green computing. Some common Green computing concepts are Virtualization, Recycling, Telecommuting and Power Management through the use of efficient devices. So help save the environment, save yourself some money and "go green" with green IT computing.

Vista Service Pack 2 in First Quarter 2009


SecurityOrb.com researchers stated in an interview that Microsoft will post a release candidate of Vista SP2 in the first quarter of 2009 and finish the service pack next April.

According to Microsoft, Vista SP2 will include Windows Search 4, Bluetooth 2.1 wireless support, faster resume from sleep when a wireless connection has been broken and support for Blu-ray. Some of those features, including Windows Search and the Bluetooth support, have been available to Vista users for months through individual updates.

The service pack will update both Vista, the client version of Windows, and Windows Server 2008, the company's corresponding server software.

Vista SP2 will require SP1 as a prerequisite, a factor that played to Microsoft's ongoing recommendation that users deploy the first service pack as soon as possible.

Saturday, November 29, 2008

CCNA Security Certification



CCNA Security Certification meets the needs of IT professionals who are responsible for network security. It confirms an individual's skills for job roles such as Network Security Specialists, Security Administrators, and Network Security Support Engineers. This certification validates skills including installation, troubleshooting and monitoring of network devices to maintain integrity, confidentiality and availability of data and devices and develops competency in the technologies that Cisco uses in its security structure.

Students completing the recommended Cisco training will gain an introduction to core security technologies as well as how to develop security policies and mitigate risks. IT organizations that employ CCNA Security-holders will have IT staff that can develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.

Exam Description

The 640-553 IINS Implementing Cisco IOS Network Security exam is associated with the CCNA Security certification. This exam tests a candidate's knowledge of securing Cisco routers and switches and their associated networks. It leads to validated skills for installation, troubleshooting and monitoring of network devices to maintain integrity, confidentiality and availability of data and devices and develops competency in the technologies that Cisco uses in its security infrastructure.

Candidates can prepare for this exam by taking the Implementing Cisco IOS Network Security (IINS) course.

SANS OnDemand training free GIAC Certification attempt

Sign up for SANS OnDemand training before December 8, 2008, and you'll
receive the corresponding GIAC Certification attempt for free (a $499
value)! To register for this offer, go to
http://www.sans.org/info/35724 and use the discount code ODEY_GIAC.

Also for this limited time, receive free GIAC Certification attempts
with any OnDemand Flex Pass! Go to http://www.sans.org/info/35924 for
information on our OnDemand Flex Passes.

Sometimes the realities of limited travel budgets, or the difficulty of
being out of the office or home for a week, make it impossible to attend
a live training event. With SANS OnDemand online training and assessment
program, you have access to SANS' high quality, intensive, immersion
training at your convenience - anytime, anywhere. And according to
student feedback, OnDemand is simply one of the best tools to prepare
for GIAC exams.

"I have several GIAC certs. My highest exam scores are from when I use
OnDemand training." - Brad Fulton, SMS Data Products

Not sure online training is for you? Try any of our OnDemand course
demos at http://www.sans.org/info/35724.

With SANS OnDemand, students receive:
- Up to 4-months access to our 24/7 online training and assessment system
- Full set of course books and hands-on CDs
- Synchronized online courseware and lectures
- Integrated assessment quizzes throughout the course
- Access to OnDemand Virtual Mentors
- Labs & hands-on exercises
- Progress Reports

If you have any questions about SANS OnDemand, write to
ondemand@sans.org or call us at (301)654-7267.

And remember that every SANS OnDemand purchase earns you points towards
future OnDemand training! http://www.sans.org/info/35729

Be sure to tell your friends and colleagues about this great
opportunity!

Kind Regards,

Kimie Cabreira
Director
SANS OnDemand

**************************

SANS is pleased to announce our new Training and Events Calendar - an
easy way to see what opportunities are available to you during the
coming month! The current calendars are now available for download from
http://www.sans.org/info/7926. For another option, consider SANS' seven
ways to Train Without Travel at: http://www.sans.org/info/28689.

SANS' Webcasts are free live Web broadcasts that allow you to hear a
knowledgeable speaker while viewing presentation slides that you
download in advance. To learn more or to subscribe to our Webcast
calendar go to http://www.sans.org/info/13271.

To change your subscription, address, or other information, visit
http://portal.sans.org. If you wish to have your name removed from our
mailing list, visit the site above, click on "update your account" and
check the box "Do not send any e-mail."

*******************************

Friday, November 28, 2008

10 Tips for Cyber Monday Safety

I have written and talked about the security issues associated with Cyber Monday, which will occur on Dec. 1, 2008. Cyber Monday is the name given by online retailers and e-commerce experts to the Monday following the Thanksgiving holiday. With its Black Friday counterpart in actual store-based traffic, analysts have pointed to significant spikes in online shopping on Cyber Monday. Coined in 2005, Cyber Monday was fueled by promotions such as free gifts and free shipping as well as by the faster Internet connections many people had at home.

Here is an interesting article on how to stay safe this upcoming shopping year.

From: http://www.bankinfosecurity.com/

10 Tips for Cyber Monday Safety
November 28, 2008 - Linda McGlasson, Managing Editor


Financial institutions that want to help their customers avoid the season's thieves online will be ready & willing - ready with advice and willing to answer questions.

Here's a list of some of the top advice from computer security vendors and experts for those brave souls that will venture into Cyber Monday shopping expeditions.

1. Know Thy Seller. A good rule of thumb to follow is if the merchant isn't someone you've done business with before, be wary of them. If you got an unsolicited email touting their site, don't click on it or open it. A good way to check up on a merchant is to get information through the Better Business Bureau or through comparison shopping sites such as buysafeshopping.com.

2. Run a Clean Machine. Having the latest updated anti-virus and anti-malware installed on your PC should be a priority. A whopping 20 percent of computers don't run this software or even have a firewall in place. If you need help, ask. It's better to be protected than fearing you'll look like a dummy because you don't know how to update your PC. Good places to get information about security software include the Department of Homeland Security's US-CERT.gov, StaySafeOnline.info or OnGuardOnline.gov. Be sure to buy your software from reputable, well-known AV companies.

3. If In Doubt, Delete! When opening email, be smart. Most people can recognize spam mail or email that doesn't belong in their inbox. When in doubt, delete an email. Spam or unsolicited email can often contain links, which if clicked on, can infect a PC.


4. Look For Security Signs. When on a company's Internet site, check for the following security signals to ensure you're where you're supposed to be. Note if the web address begins with "https" -- this means you're on a secure server using SSL encryption. Also look for a padlock icon at the bottom of the browser page. Click on it and you'll see the site address. The address will match the web site address at the top of the page. If they don't match, get off the site immediately. Using the latest browsers including Microsoft Internet Explorer 7 or Firefox 3 will allow you to see "green" visual cues on websites with extended validation (EV) SSL Certificates.

5. Check Your Credit Report. This isn't just something you should do during the holidays, but year 'round, and at minimum at least once a year with all three of the credit reporting companies, Experian, TransUnion, and Equifax. Regularly monitoring your credit card and institution account transactions online keeps unapproved users from pilfering your money and reduces the chance of you falling victim to identity theft.

6. Password Sharing A BIG No-No. This is one of the biggest problems that security professionals face at corporations, and consumers are just as lax with friends and families sharing passwords. If you do happen to share a password to a website with your family or a friend or two, don't use the same password for your online banking account or other sensitive site.

7. Don't Fall For A Cheap Price. The old adage "There's a sucker born every minute" was said long before the Internet was invented, but criminals are still out there plying their fake designer watches, clothes, electronics and other items to foolish shoppers who think they're getting the real deal at a discount price. If a website is offering an item for an extremely low price, beware. That $20 iPod Nano isn't worth the box it will arrive in. Usually the end result is only the disappointment of getting a shoddy knock-off. But paying with a credit card could also open you up to fraud and other charges on your card you didn't expect, and may also open you to identity theft if you've given out other information.

8. No Address or Phone Means No Deal. If you do find a small merchant that has just the item you're looking for at an unbelievable price, see if they've got an address and phone number. Call and ask for more information or a catalog. Your call goes to voice mail? Watch out; you may have wandered onto a criminal's website. If you do get someone on the phone, ask questions about their privacy policy and refunds or resolution policy. If you don't like what you hear, go somewhere else. Print out and keep receipts of all transactions to back up any return requests.

9. Use Credit, Not Debit. Credit cards are the safest method for online purchases. Experts advise not to use debit cards for online purchases because they pull money directly from your bank account. If something goes wrong, or turns out to be fraudulent, it can take months to get your money back. If you are able to get it back. The Federal Trade Commission says federal law limits liability to $50 in charges if someone uses your credit card fraudulently. You could also use third-party escrow services such as PayPal.

10. Shop At Home. Avoid sharing computers, just like you should avoid sharing passwords. Performing sensitive transactions such as giving out credit card numbers or checking your online bank account should be done at a computer only you use. Logging in and doing these transactions on shared computers at libraries or other places where anyone can use them is dangerous. Hackers can easily install a keylogger onto the computer, and it captures everything that is typed onto the keyboard, including sensitive information like passwords, credit card numbers and bank account numbers.

Wednesday, November 26, 2008

Hakin9 Security Magazine - FREE Download

This is a good magazine; I recommend you download it...


Hakin9 is one of the greatest security magazines. It presents in-depth articles on security testing and general security issues.

As a Thanksgiving gift you can download an issue in PDF format for FREE.

Click here to download your FREE issue

Take advantage of this offer to discover what the magazine is all about.

I am sure you will enjoy it.

Best regards

Clement Dupuis
Maintainer of www.cccure.org
The CCCure Family of Portals

MS08-067 - Worm is Attacking Windows Security Hole

Security researchers at Microsoft Corp. Tuesday warned of a significant climb in exploits of a Windows bug it patched with an emergency fix last month, confirming earlier reports by Symantec Corp.

Microsoft again urged users to apply the MS08-067 patch if they have not already done so.

The new attacks, which Microsoft's Malware Protection Center said began over the weekend but spiked in the past two days, use the same worm Symantec first spotted last Friday.

Dubbed "Conficker.a" by Microsoft and "Downadup" by Symantec, the worm exploits the vulnerability in the Windows Server service, used by all versions of the operating system to connect to file and print servers on a network. Microsoft patched the bug in an out-of-cycle update five weeks ago after it discovered a small number of infected PCs, most of them in Southeast Asia.

Full article at InfoWorld.com

McColo Shutdown Does Not Stop Spammers

In the spirit of entrepreneurship, spammers are finding new ways to send out their junk mail just weeks after the shutdown of a major web-hosting firm took many of them off the map.

According to Message Labs, a division of Symantec, after Web-hosting company McColo Corp. was shut down two weeks ago, spam levels declined by 65 percent. Now new analysis finds spam levels are returning to two-thirds of what they were before the McColo Corp.

Full article at Infoworld.

Federal Tech News... [SecurityOrb.com]

Experts tackle guidance to stop cyber attacks

A group of information security analysts in government and industry plans to publish guidance in six months to identify the most effective protections against the vulnerabilities most often exploited in cyber attacks, according to John Gilligan, president of the Gilligan Group and former chief information officer of the Air Force and Energy Department. He leads the effort.

The ultimate goal of the organization, which has not yet been named, is to get the Office of Management and Budget to revise its security guidance and for agencies to incorporate those guidelines, Gilligan said Nov. 21 at a security conference sponsored by 1105 Government Information Group, which publishes Federal Computer Week.

Source: http://www.fcw.com/online/news/154505-1.html?topic=security


The Trusted Internet Connection

The Trusted Internet Connection initiative (also known as TIC, Office of Management and Budget (OMB) Memorandum M-08-05) is mandated in an OMB Memorandum issued in November of 2007. The memorandum was meant to optimize individual external connections, including internet points of presence currently in use by the Federal government of the United States. It includes a program for improving the federal government’s incident response capability through a centralized gateway monitoring at a select group of TIC Access Providers (TICAP).[1]

The initial goal for total number of federal external connections and internet points of presence was 50.[2]

National Cyber Security Initiative will have a dozen parts

President Bush's largely classified governmentwide cybersecurity initiative will have a dozen components designed to better protect computer networks and systems, and to improve information technology processes and policies, a Homeland Security Department official said on Thursday.

President Bush signed National Security Presidential Directive 54/Homeland Security Presidential Directive 23 — more commonly known as the Comprehensive National Cyber Security Initiative — in January, but few details have been made public. Work already is underway on some of the initiative's 12 components, said Steven Chabinsky, deputy director of the Joint Interagency Cyber Task Force, during a panel discussion at the Symantec Government Symposium.

Felony charges dropped against teacher in porn/spyware case

Interesting article from Elinor Mills at CNET.com about the recent ruling in the case of a teacher accused of child porn. The actual link is here, or you can read it below.

A Connecticut substitute teacher arrested four years ago for allegedly showing students porn on a classroom computer has been cleared of the felony charges--for now--after experts pointed the finger at spyware.

Julie Amero, 41, agreed to plead guilty to a misdemeanor count of disorderly conduct, pay a $100 fine, and surrender her teaching license, according to the Hartford Courant. The ordeal left her hospitalized for stress and heart problems, the report said.

The Superior Court judge in Norwich on Friday tossed out the charges that she had endangered children by intentionally causing "pop-up" pornography to display on her computer and ordered a new trial after computer forensics experts presented evidence about the spyware. Judge Hillary B. Strackbein said the conviction was based on "erroneous" and "false information."

Despite the expert evidence, and the fact that state prosecutors never conducted a forensic examination of the hard drive, New London County State's Attorney Michael Regan said he remained convinced of Amero's guilt and was prepared to take the case to trial again.

The security expert who led a team of forensic volunteers in the case is outraged that officials are dismissing the evidence about the dangers of spyware.

"Regan's pronouncement of his certainty of her guilt speaks to his ignorance and unwillingness to learn the facts of this case, and the facts of what PC viruses can do to a computer and, in some cases, a life," Alex Eckelberry, chief executive of security firm Sunbelt Software, wrote on The Julie Blog, a site spawned by the Amero case and which is focused on seeking fairness in the intersection of law and technology.

"All of our forensic investigators felt it was a complete miscarriage. It was clear she was absolutely innocent," he told the Hartford Courant. "The mistakes and misinformation that occurred in that courtroom were astounding."

Amero suffered because the school system failed to keep the computer updated with software to block the pornography, experts said.

The case serves as an important lesson for everyone--use antivirus, antispyware, and other security software and update it regularly.

Linkedin Groups

Please join me in the LinkedIn groups below. They offer additional information as well as free access to white papers, security presentations and much more...


SecurityOrb Group: http://www.linkedin.com/e/gis/157386

Certified IT Security Practitioners: http://www.linkedin.com/e/gis/1045907

Monday, November 24, 2008

Black Friday and Cyber Monday could bring disasters...

The weekend after Thanksgiving marks the massive start of the holiday shopping season. But it’s also become the time when hackers come out to play, creating mischief and mayhem for unsuspecting computer users.

The term Cyber Monday refers to the Monday immediately following Black Friday, the ceremonial kick-off of the holiday online shopping season in the United States between Thanksgiving Day and Christmas. Whereas Black Friday is associated with traditional brick-and-mortar stores, "Cyber Monday" symbolizes a busy day for online retailers. The premise was that consumers would return to their offices after the Black Friday weekend, making purchases online that they were not able to make in stores. Although that idea has not survived the test of time, Cyber Monday has evolved into a significant marketing event, sponsored by the National Retail Federation's Shop.org division, in which online retailers offer low prices and promotions.

Saturday, November 22, 2008

Myspace and Facebook Privacy

Online social network sites such as MySpace, Facebook and even personal blogs have become part of the interviewing process when companies decide whether to bring someone on board.

It seems that President-elect Obama's administration is following suit.

President-elect Barack Obama's transition team wants to know all about job candidates' lives before giving them a post in his administration, asking for information about spouses' jobs and children's lives. Applicants must include any e-mails that may embarrass the president-elect, any blog posts and even links to Facebook and MySpace pages.

Friday, November 21, 2008

Upcoming Security Conferences for 2009

ShmooCon 2009
Feb 6 - 8, 2009
Wardman Park Marriott, Washington DC, USA
https://www.shmoocon.org/

First Annual BOSS Conference & Sourcefire Users Summit!
February 8-10, 2009
Flamingo Las Vegas!
http://www.bossconference.com/

Black Hat DC Briefings 2009
February 16-19, 2009
Hyatt Regency Crystal City
http://www.blackhat.com/html/bh-dc-09/bh-dc-09-main.html

8th Annual Security Conference
April 15-16, 2009
Las Vegas, NV, USA.
http://www.security-conference.org/

Wednesday, November 19, 2008

Apache HTTP Server mod_rewrite Vulnerability

Description
A vulnerability exists in Apache that may allow for code execution or a denial of service.

Observation
Apache is a popular, open source web server. A vulnerability in its mod_rewrite module may allow remote code execution or a denial of service. The flaw is exploitable when 1) a rewrite rule lets the requester control a portion of the rewritten URL and 2) the rule uses none of the Forbidden, Gone or NoEscape flags. A default Apache installation is not vulnerable because it does not enable this module.

Recommendation
The vendor has made updates available for remediation here: http://httpd.apache.org/
Sun Microsystems has released patches for affected Solaris 8, 9, and 10 systems. Please refer to the vendor's advisories for more information:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102662-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102663-1

CVE
CVE-2006-3747

SANS/FBI top 20
No

IAVA
No
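As an added example (not Apache's code and not part of the advisory), a small Python audit that walks an httpd.conf fragment and reports RewriteRule lines meeting both conditions above: a backreference in the substitution, so part of the rewritten URL comes from the request, and none of the Forbidden, Gone or NoEscape flags. The config fragment is constructed, the check is a heuristic, and the actual fix remains the vendor update.

```python
import re
import shlex

# Flags that satisfy the advisory's second condition, in both the short and
# long spellings mod_rewrite accepts (Forbidden, Gone, NoEscape).
SAFE_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}
# $1..$9 are RewriteRule backreferences, %1..%9 RewriteCond backreferences:
# either one means request-controlled text ends up in the rewritten URL.
BACKREF = re.compile(r"[$%][1-9]")

def parse_rewrite_rule(line):
    """Return (pattern, substitution, flags) for a RewriteRule line, else None."""
    stripped = line.strip()
    if not stripped or stripped.split()[0].lower() != "rewriterule":
        return None
    parts = shlex.split(stripped)            # honours quoted arguments
    if len(parts) < 3:
        return None
    flags = set()
    if len(parts) >= 4:
        for flag in parts[3].strip("[]").split(","):
            flags.add(flag.split("=", 1)[0].strip().lower())   # R=301 -> r
    return parts[1], parts[2], flags

def find_risky_rewrite_rules(conf_text):
    """Return (line_no, line) for rules meeting both advisory conditions:
    request-controlled text in the substitution and no F/G/NE flag."""
    risky = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        parsed = parse_rewrite_rule(line)
        if parsed is None:
            continue
        _pattern, substitution, flags = parsed
        if BACKREF.search(substitution) and not (flags & SAFE_FLAGS):
            risky.append((line_no, line.strip()))
    return risky

# Constructed httpd.conf fragment for the example (not a real site's config).
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^/go/(.*)$ $1 [R,L]
RewriteRule "^/old/(.*)$" "/new/$1" [L]
RewriteRule ^/blocked/(.*)$ - [F]
RewriteRule ^/legacy/(.*)$ /archive/$1 [NE,L]
RewriteRule ^/index$ /home.html [L]
"""
```

Running find_risky_rewrite_rules(SAMPLE_CONF) reports lines 2 and 3 only; the rules carrying F or NE, and the one with no backreference, are left alone.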

Tuesday, November 18, 2008

CNN.com Cross-Site Scripting Vulnerability

I love CNN, so I am not hating on them at all…

Just an FYI - I would probably refrain from browsing CNN for the meantime and definitely don't click on any articles within the My Recently Viewed Pages due to a cross site scripting vulnerability...

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites was roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the end-user who may be subject to unauthorized access, theft of sensitive data, and financial loss. (wikipedia.com)


Version Summary:

A cross-site scripting vulnerability exists on CNN.com that could potentially allow unauthenticated, remote attackers to modify content on the website, which could lead to further attacks.

Description

CNN.com is susceptible to a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary server-side scripting code.

The vulnerability exists due to an input validation error on certain parameters passed to the server. Attackers could inject arbitrary server-side scripting code into these parameters to perform the attack. The flaw specifically exists within the tracking cookie in the js_memberservices.mrv variable, which is set whenever the user clicks on an article within the My Recently Viewed Pages section. The cookie values are stored in a URI-encoded string, which is not properly filtered. The values accept arbitrary HTML, JavaScript, and double quotes, which allows the attacker to inject server-side scripting code.

While there have been no reported attacks, an exploit could potentially allow the attacker to modify content on CNN.com, such as posting false news stories or performing drive-by download attacks. Attackers could leverage this flaw to aid in spamming and phishing type attacks using CNN.com.

Administrators are advised to review the Cisco Applied Mitigation Bulletin: Understanding Cross-Site Scripting (XSS) Threat Vectors.
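As an added example (not CNN's code and not part of the advisory), the pattern described above in Python: a URI-encoded cookie value is decoded and dropped into the page unfiltered, beside a hardened renderer that encodes each value for the context it lands in. The Cookie header and the article titles are constructed; only the cookie name comes from the advisory.

```python
import html
from urllib.parse import quote, unquote

# Constructed Cookie header in the shape the advisory describes: one
# URI-encoded value listing recently viewed article titles, '|'-separated.
# The cookie name is the one the advisory gives; the titles are made up.
COOKIE_HEADER = (
    "js_memberservices.mrv="
    "Election%20results%7C%3Cscript%3Ealert(1)%3C%2Fscript%3E; other=1"
)

def parse_cookie(header):
    """Split a Cookie header into a dict, URI-decoding each value."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = unquote(value)
    return jar

def recent_titles(header):
    """Titles carried by the js_memberservices.mrv cookie, decoded."""
    raw = parse_cookie(header).get("js_memberservices.mrv", "")
    return [t for t in raw.split("|") if t]

def render_recent_vulnerable(titles):
    """The pattern the advisory describes: decoded cookie text goes straight
    into the page, so tags and quotes inside it become live markup."""
    items = "".join(f'<li><a href="/article?title={t}">{t}</a></li>' for t in titles)
    return f"<ul>{items}</ul>"

def render_recent_hardened(titles):
    """Same list, with each untrusted value encoded for its context:
    URL-encoded then HTML-escaped inside the href, HTML-escaped as text."""
    items = "".join(
        f'<li><a href="/article?title={html.escape(quote(t), quote=True)}">'
        f"{html.escape(t, quote=True)}</a></li>"
        for t in titles
    )
    return f"<ul>{items}</ul>"
```

Rendering recent_titles(COOKIE_HEADER) through the first function emits the script tag verbatim; through the second it appears only as escaped text and a percent-encoded query value.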

Monday, November 17, 2008

Spam drop could boost Trojan attacks

Interesting article from Infoworld.com

After rogue ISP McColo was taken offline, global spam was estimated to have dropped by 50 to 80 percent, but spammers are starting to reconstitute botnets elsewhere.

You can find the article here.

Obama BlackBerry Email Security Issue


President-elect Obama may have to give up his BlackBerry when he starts his new job at the White House. The concern is e-mail security. Beyond that, he faces the Presidential Records Act, which puts his correspondence in the official record and ultimately up for public review, and the threat of subpoenas.

A decision has not officially been made on whether he could become the first e-mailing president, but aides said that seemed doubtful.

Friday, November 14, 2008

Security Tech Notes

SecurityOrb.com Security Tech Notes

Certified Information Systems Auditor (CISA) Exam

CISA Exam date is December 13, 2008.

Registration for the 2008 December CISA, CISM and CGEIT exams is now closed. Our next exam offering is 13 June 2009. Registration for the June exam is expected to open in December 2008, please check back then. Thank you for your interest.


Mozilla Updates

Mozilla on Wednesday released Firefox 3.0.4, a security and stability update to its popular open source Web browser.

The update addresses nine Security Advisories, some of which cover multiple vulnerabilities. Four are rated "critical," two are rated "high," two are rated "important," and one is rated "low."
Source: http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=212002397&subSection=OpenSource


Linux
Canonical announced it will port Ubuntu Desktop Linux to the ARMv7 architecture. Targeted at netbooks, the Ubuntu ARM distribution could set the stage for Intel to lose the "software advantage" that has enabled x86 to shrug off attacks from other architectures for the last 30 years.
Source: http://www.desktoplinux.com/news/NS8395222090.html

Google’s Chrome Update
After the recent updates from Firefox and Opera in the form of Firefox 3.1 Beta and Opera 9.6, it's Chrome's turn to go under the knife. Most users might have noticed how Mozilla has concentrated on speed with the latest Firefox update. Opera, on the other hand, now has even more features under its belt, retaining its position as one of the most feature-packed browsers available off the shelf. And yes, support for three Indian languages in Opera has been a welcome addition too.
Source: http://www.techtree.com/India/News/Chrome_Updated_Enhanced_Security_Performance/551-94643-643.html

Mac OS X
The Mac’s virtualization space for supporting Windows keeps progressing. Parallels Desktop Version 4, released on Tuesday, offers better performance, improved battery life, printer sharing and improved file management and access between the Mac and Windows desktops, the company said.
Source: http://blogs.zdnet.com/Apple/?p=2499




Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software

(1) CRITICAL: Microsoft XML Core Services Multiple Vulnerabilities (MS08-069)
(2) CRITICAL: Microsoft SMB Credential Stealing Vulnerability (MS08-068)
(3) CRITICAL: Mozilla Multiple Products Multiple Vulnerabilities
(4) CRITICAL: ClamAV Unicode Processing Buffer Overflow
(5) HIGH: Apple Multiple Products Multiple Image Processing Vulnerabilities
(6) HIGH: SAP GUI ActiveX Control Remote Code Execution Vulnerability

CRITICAL: Mozilla Multiple Products Multiple Vulnerabilities
Affected:
Mozilla Firefox versions 3.x
Mozilla SeaMonkey versions 1.1.x
Mozilla Thunderbird versions 2.x

Description: Mozilla Firefox contains multiple vulnerabilities in its
handling of a variety of inputs. Flaws in the processing of web pages,
script input, URIs, XML documents, JAR files, and other input can lead
to a variety of vulnerabilities including arbitrary code execution with
the privileges of the current user. Due to the shared codebase among the
various Mozilla products, Mozilla SeaMonkey and Mozilla Thunderbird are
also vulnerable to some of these issues. Full technical details for
these vulnerabilities are publicly available via source code analysis.

Status: Vendor confirmed, updates available.

References:
Mozilla Advisories
http://www.mozilla.org/security/announce/2008/mfsa2008-51.html
http://www.mozilla.org/security/announce/2008/mfsa2008-52.html
http://www.mozilla.org/security/announce/2008/mfsa2008-53.html
http://www.mozilla.org/security/announce/2008/mfsa2008-54.html
http://www.mozilla.org/security/announce/2008/mfsa2008-55.html
http://www.mozilla.org/security/announce/2008/mfsa2008-56.html
http://www.mozilla.org/security/announce/2008/mfsa2008-57.html
http://www.mozilla.org/security/announce/2008/mfsa2008-58.html
Mozilla Home Page
http://www.mozilla.org
SecurityFocus BID
http://www.securityfocus.com/bid/32281