
Tuesday, December 30, 2008

Fake Windows Media Player Flaw

Microsoft says a vulnerability disclosed publicly last week in Windows Media Player was no security bug.

Source: DarkReading.com

Microsoft Security Advisory Notification - Dec. 30, 2008

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: December 30, 2008
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (961509)
- Title: Research proves feasibility of collision
attacks against MD5
- http://www.microsoft.com/technet/security/advisory/961509.mspx
- Revision Note: Advisory published

Monday, December 29, 2008

Mac OS Clone Systems Maybe a Reality with Psystar

I have covered Psystar’s attempts to provide customers with a Mac OS system not built by Apple Corp. in the past, in the following posts:

http://kellepcharles.blogspot.com/2008/04/mac-clone-maker-psystar-closes-online.html

http://kellepcharles.blogspot.com/2008/04/defiant-psystar-back-selling-leopard.html

Judging by their storefront page, it seems they may have gotten the situation in hand:
http://store.psystar.com/home/desktops/osx

Psystar Open Computers are capable of running Apple's OS X Leopard. View our computer models capable of running OS X Leopard as their native operating system.

I will be on this story more in 2009…

Sunday, December 28, 2008

Cyber-Security Status by Homeland Security Chief Michael Chertoff

Outgoing Department of Homeland Security Chief Michael Chertoff says the Bush administration's work on cyber-security leaves President-elect Barack Obama well-positioned for progress on securing the nation's IT infrastructure.

Source: eWeek.com

Wednesday, December 24, 2008

CEO of Software Company Sentenced for Hacking Competitor

An interesting story from CSO Online about a software executive hacking his competitor and how he got caught.

Source: http://www.csoonline.com/article/472416/Software_Executive_Sentenced_for_Hacking

Microsoft announces SQL-injection Exploit

On Monday Microsoft warned that a security researcher had published an exploit for an unpatched flaw in its SQL Server database software.

SecurityOrb.com researchers published:

"The information could allow malicious attackers the ability to compromise Web sites that use Microsoft's software to serve up dynamic Web pages. The vulnerability affects older versions of the software, including Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine, Microsoft SQL Server 2000 Desktop Engine and Windows Internal Database, the company said in an advisory."

Thursday, December 18, 2008

85% of All Crimes Leave a Digital Fingerprint

It has been stated that 85% of all crime leaves a digital fingerprint in electronic devices. This may result from an Internet intrusion, identity theft or a traditional crime such as murder. Computer forensics has aided in the investigation of these crimes. Computer forensics is the use of specialized techniques for the recovery, authentication, and analysis of electronic data when a case involves the reconstruction of computer usage, examination of residual data, authentication of data by technical analysis, or explanation of technical features of data and computer usage. It requires specialized expertise that goes beyond the normal data collection and preservation techniques available to end-users or system support personnel.

The challenge facing many computer forensics examiners is the abundance of data that must be analyzed to produce a story or show correlation. Hard disk capacities are enormous and continue to grow, and because disk space is inexpensive, more data accumulates. RAID systems add further challenges for the investigator. A simple case on a 200 GB hard drive can take weeks to review before any real assessment can occur, and in terrorism and murder cases such delays can prove fatal. By including social network analysis (SNA), the time needed to locate correlations will be reduced, allowing the examiner to focus his analysis on the key areas identified by the SNA results.

Microsoft Security Bulletin Minor Revisions

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: December 17, 2008
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS08-072 - Critical
* MS08-069 - Critical

Bulletin Information:
=====================

* MS08-072 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx
- Reason for Revision: V1.1 (December 17, 2008): Changed the
Microsoft Baseline Security Analyzer deployment summary to
"no" for Microsoft Office Word 2000 Service Pack 3 in the
Detection and Deployment Tools and Guidance section. Also,
revised the bulletins replaced by this update for Microsoft
Office Outlook 2007 and Microsoft Office Outlook 2007 Service
Pack 1 in the Affected Software table. There were no changes
to the security update binaries.
- Originally posted: December 9, 2008
- Updated: December 17, 2008
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS08-069 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
- Reason for Revision: V1.2 (December 17, 2008): Added log file
entries in the Security Update Deployment section Reference
table for Microsoft XML Core Services 6.0 when installed on
Windows Server 2003 Service Pack 1, Windows Server 2003
Service Pack 2, Windows Server 2003 x64 Edition, and Windows
Server 2003 x64 Edition Service Pack 2.
- Originally posted: November 11, 2008
- Updated: December 17, 2008
- Bulletin Severity Rating: Critical
- Version: 1.2

Tuesday, December 16, 2008

McColo Fallout Does Not Stop Spam Levels from Decreasing

Numerous reports indicate that email spam volumes are increasing again since McColo, a rogue hosting company, was pulled off the Internet last month. Although there was a major drop in spam, it seems to have been short-lived, as many reports are showing an upswing.

SecurityOrb.com consultants predict that many bot-masters (the individuals who run and maintain networks of malicious bots) will take a more distributed approach in the future to defend against actions such as the McColo ISP disconnection.

Recent Internet Explorer Security Flaw Endangers Your Privacy


A programming bug in Microsoft’s Internet Explorer (IE), the default web browser on Windows-based computers, allows hackers to take control of users’ PCs by tricking them into visiting unsafe websites.

Microsoft admitted that a serious flaw in security has left the majority of the world’s Internet users exposed to attacks from hackers hoping to steal personal data and passwords.

Microsoft estimates two million computers have already been affected and that 1 in 500 Internet users may have been exposed.

Consultants at SecurityOrb.com advise computer users to switch to an alternative Internet browser, such as Firefox or Google Chrome, to avoid the hackers who have so far corrupted an estimated 10,000 websites.

Microsoft said that it is considering the release of an emergency update to correct the flaw.

Mac OS X 10.5.6 Security Update

Apple has released a major set of security patches for its Mac OS X operating system which fixes a number of critical flaws in the software.

The Mac OS X 10.5.6 update includes a critical update for Adobe Systems' Flash Player, fixing bugs that were disclosed last month. It also includes patches for several Mac OS libraries, the operating system kernel, and system utilities such as the BOM (Bill of Materials) archiving software. In total, 21 bugs are patched in the update.

Apple's instructions on how to upgrade Mac OS X to the latest update are at:

http://support.apple.com/kb/HT1338

Monday, December 15, 2008

Window Snyder CSO of Mozilla Resigns


On September 24th, 2008, I profiled Mwende Window Snyder, a.k.a. Window Snyder, of Mozilla in an earlier posting.

Last week I discovered via Twitter (https://twitter.com/kellepc) that she was leaving her position as Mozilla’s Chief Security Officer, with the following post on her blog:


“I will be leaving Mozilla at the end of the year. I am sad to be leaving, but I am excited to go work on something I have always been passionate about. I wish I could tell you about it now, but that will have to wait for a while.

You will still get Mozilla security information here. Johnathan Nightingale, Lucas Adamski, Brandon Sterne and Mike Shaver will all be posting on the Mozilla security blog to keep users informed about security issues and announcements. I leave you in their very capable hands and wish them the best of luck.”

Details of her next job have not been released yet. I will stay on it and report back. My feeling is that she will either be starting her own venture or joining a start-up company. Whatever it is, I wish her the best…

The Koobface Worm

The Koobface worm is spreading through Facebook. Koobface is a worm designed specifically to spread over social-networking sites, and it is sending spam messages to Facebook members. The motive is to enable account hijacking and click fraud.

The messages offer subject lines like "You look so funny on our new video" and offer a link to a video site that pretends to have a movie clip. When the user follows the link, they are redirected to one of many different compromised hosts, according to SecurityOrb.com. Finally, the user is urged to download or open a file named flash_player.exe. That file is a new Koobface variant.

Recommendation: be aware of this lure and run updated anti-virus software.

Sunday, December 14, 2008

IE Browser Security Update

An unpatched vulnerability found in Internet Explorer 7 also affects older versions of the browser as well as the latest beta version.

The IE 7 exploit is spreading at a faster pace now because at least one site hosting the exploit is being injected into other websites via SQL injection.

Friday, December 12, 2008

SANS OnDemand Security Times Newsletter

SECURITY TIMES SPECIAL

As a thank you for receiving our SANS OnDemand Security Times
Newsletter, you may take an additional 5% off our listed current
specials through December 26.

For single courses, see http://www.sans.org/info/35939 for our current
offer. Use discount code "T1_add5" for a total of 30% off any OnDemand
course.

For groups or multiple courses, take an additional 5% off our lowest
listed pricing at http://www.sans.org/info/35944.

Check out our Free OnDemand Demos at http://www.sans.org/info/35949
************************************************************************
WHAT'S UPCOMING?

For courses currently being developed in OnDemand, take advantage of our
30% Development Discount. For a full list of upcoming courses, go to
http://www.sans.org/info/35954
************************************************************************
EARN REWARDS POINTS

Receive one OnDemand Reward Point for every dollar that you spend for
SANS OnDemand training, including the OnDemand Bundle. To begin
receiving reward points, visit http://www.sans.org/info/35959
************************************************************************
SECURITY TIP

Whether you are a small Mom & Pop shop or a multinational corporation,
your employees are almost certainly leveraging sites with user generated
content. User generated content sites (e.g. Myspace, Youtube, Facebook,
Craigslist, Blogger, and Flickr) are routinely in the top 20 most
visited websites.

From a numbers perspective, it goes without saying that your
employees/colleagues/superiors, and likely you, are users of these
popular sites. Although the most obvious risk posed by employee usage
of these sites is productivity loss [1], perhaps the more serious risk
is posed by the break-neck speed with which these sites are allowing
active user generated content and applications to flourish [2][3].
Therein lies part of the appeal, but so too, some of the risks. In order
for these sites to be useful, users configure their browsers to allow
this content to run virtually unfettered. However, the risk posed by
active content isn't the point of this article either [4]...

A somewhat less discussed "feature" of sites containing user generated
content is the significant information disclosure posed by users from
your organization. Imagine, if you will, that you were being targeted
by an attacker. Of course, _you_ aren't being targeted, but just bear
with me... Perhaps you have really done a bang up job hardening your
perimeter, patching systems, etc., such that you feel relatively secure
in your overall security program and architecture. If an attacker could
find a trusted insider that was willing to disclose details regarding
the products, programming languages, patch levels, etc., in use at your
organization, could it subvert some of those feelings of security? In
effect, social networking sites are a veritable treasure trove for
attackers wishing to gain this type of intelligence. What's more,
sometimes they are able to gain this information without engaging in
even the most rudimentary of social engineering attacks. For instance,
users with profiles on LinkedIn frequently list their resume, including
both specialties and employers, for the world to see. This and other
information is like gold to an attacker. This type of information,
coupled with attackers armed with information mining tools like Maltego
(i.e., Rapleaf and Spock transforms) can really lower the bar for a
successful targeted attack [5].

Now that the little thought experiment is over, let's think about the
primary assumption - you are being targeted by an attacker. Some of you
fully accept this as a given, but most of you likely dismiss this
without much thought (we are too small, no one has heard of us, why
would anyone come after us). Well, consider that restaurants in West
Monroe, LA (pop. 12,951)[6] were part of a group of restaurants in
Mississippi and Louisiana targeted by a ring of thieves harvesting
credit card numbers [7]. If something as innocuous as a family owned
diner can be targeted for an attack, then certainly any organization can
become a likely target.

The risks associated with websites, in general, and social networking
sites, in particular, are discussed in several SANS courses available
via OnDemand (AUD507, MGT512, SEC401 and SEC502). The social
engineering and reconnaissance exposure made possible by these sites is
explored in SEC560.

For more info on these courses, visit:
AUD507: Auditing Networks, Perimeters & Systems
(http://www.sans.org/link.php?id=1032&mid=6)
MGT512: SANS Security Leadership Essentials For Managers
(http://www.sans.org/link.php?id=1032&mid=62)
SEC401: SANS Security Essentials
(http://www.sans.org/link.php?id=1032&mid=61)
SEC502: Perimeter Protection In-Depth
(http://www.sans.org/link.php?id=1032&mid=17)
SEC560: Network Penetration Testing and Ethical Hacking
(http://www.sans.org/link.php?id=1032&mid=937)

Seth Misenar
SANS OnDemand Virtual Mentor

1: "Facebook 'costs businesses dear' " -
http://news.bbc.co.uk/2/hi/technology/6989100.stm
2: More than 33,000 Facebook applications -
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/23/BU7C11TAES.DTL
3: More than 400,000 registered Facebook developers -
http://www.facebook.com/press/releases.php?p=48242
4: "Elaborate Facebook Worm Spreading" -
http://www.techcrunch.com/2008/08/07/elaborate--facebook-worm-virus-spreading/
5: "Maltego Part I - Intro and Personal Recon" -
http://www.ethicalhacker.net/content/view/202/24/
6: U.S. Census Bureau, 2007 Population Estimates -
http://factfinder.census.gov
7: "Attacks Continue on Retail Stores, Restaurants" -
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201193

Wednesday, December 10, 2008

The CSIS Commission on Cybersecurity for the 44th Presidency has been Released

The CSIS Commission on Cybersecurity for the 44th Presidency has released its final report, "Securing Cyberspace for the 44th Presidency." The Commission’s three major findings are:
  1. Cybersecurity is now one of the major national security problems facing the United States;
  2. Decisions and actions must respect American values related to privacy and civil liberties; and
  3. Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.
A PDF copy of the report is available from the CSIS website.

Insider Threat Still a Big Issue to Network Security

Internal users continue to be a thorn in the side of system and security administrators. This is the case for several reasons. First, they have knowledge of the network resources. Second, they have credentials to access various systems on the network. Third, most security controls defend against external entities rather than internal users. According to the Computer Security Institute (CSI), approximately 80 percent of network misuse incidents originate from inside the network.

Security administrators should apply the “Defense in Depth” security model when it comes to protecting the network. This means network firewalls, IDS, HIDS, host-based firewalls, patch management, security policies and vulnerability scanning.

Microsoft Security Advisory (960906)

Microsoft Security Advisory (960906)
Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
Published: December 9, 2008
Microsoft is investigating new reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 are not affected as these operating systems do not contain the vulnerable code.
Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. Additionally, as the issue has not been publicly disclosed broadly, we believe the risk at this time to be limited.
We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
Customers who believe that they have been attacked can obtain security support at Get security support and should contact the national law enforcement agency in their country. Customers in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at Internet Crime Complaint Center.
Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.
Mitigating Factors:

This issue does not affect Windows XP Service Pack 3, Windows Vista, and Windows Server 2008.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.

When Microsoft Office Word is installed, Word 97 documents are by default opened using Microsoft Office Word, which is not affected by this vulnerability. However, an attacker could rename a malicious file to have a Windows Write (.wri) extension, which would still invoke WordPad. This file type can be blocked at the Internet perimeter.
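The advisory's last mitigating factor suggests blocking the Windows Write (.wri) file type at the perimeter, since a renamed Word 97 file with that extension still reaches WordPad's converter. The following is an added example, not code from the advisory or from Microsoft, of an attachment screen that applies that rule and goes one step beyond the text by also checking file content: a Word 97 binary document carries the OLE2 compound-document signature whatever its extension. All file names and bytes are constructed sample data.

```python
"""
Attachment screening for the WordPad Word 97 text-converter issue
(Microsoft Security Advisory 960906).

Added example, not Microsoft's code. Two independent signals are used:
  1. extension: .wri is routed to WordPad, so the advisory's mitigation
     is to block it at the perimeter;
  2. content: an OLE2 header marks a Word 97-style binary document, the
     format the vulnerable converter parses. A .wri extension with an
     OLE2 header is the rename trick the advisory describes.
"""
import os
from dataclasses import dataclass

# OLE2 / Compound File Binary signature used by Word 97 (.doc) files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Extensions the advisory says are opened by WordPad even when Office
# Word is installed.
WORDPAD_EXTENSIONS = {".wri"}

# Extensions under which an OLE2 container is expected (legacy Office).
EXPECTED_OLE2_EXTENSIONS = {".doc", ".xls", ".ppt"}


@dataclass
class Verdict:
    filename: str
    blocked: bool
    reason: str


def classify_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict for one attachment (name plus leading bytes)."""
    ext = os.path.splitext(filename)[1].lower()
    is_wordpad_ext = ext in WORDPAD_EXTENSIONS
    is_ole2 = data.startswith(OLE2_MAGIC)

    if is_wordpad_ext and is_ole2:
        # Strongest signal: a Word 97 document disguised as Windows Write.
        return Verdict(filename, True, "Word 97 binary document renamed to .wri")
    if is_wordpad_ext:
        # Advisory mitigation: block the .wri type outright at the perimeter.
        return Verdict(filename, True, ".wri attachments are opened by WordPad")
    if is_ole2 and ext not in EXPECTED_OLE2_EXTENSIONS:
        # OLE2 content under an unrelated extension: hold for review.
        return Verdict(filename, True,
                       f"OLE2 document disguised as {ext or 'no extension'}")
    return Verdict(filename, False, "no WordPad-converter indicator")


def screen_message(attachments):
    """Screen (filename, bytes) pairs and return only the blocked verdicts."""
    verdicts = (classify_attachment(name, data) for name, data in attachments)
    return [v for v in verdicts if v.blocked]


# Constructed sample attachments (not real malware): a text file, a genuine
# .doc, a Word 97 document renamed to .wri, and a .wri with other content.
SAMPLE_ATTACHMENTS = [
    ("notes.txt", b"plain text body\n"),
    ("report.doc", OLE2_MAGIC + b"\x00" * 64),
    ("invoice.wri", OLE2_MAGIC + b"\x00" * 64),
    ("memo.wri", b"constructed non-OLE2 content" + b"\x00" * 64),
]

if __name__ == "__main__":
    for v in screen_message(SAMPLE_ATTACHMENTS):
        print(f"BLOCK {v.filename}: {v.reason}")
```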

Microsoft Security Bulletin Major Revisions

********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: December 9, 2008
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS08-052 - Critical

Bulletin Information:
=====================

* MS08-052 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
- Reason for Revision: V3.0 (December 9, 2008): Added Microsoft Office
Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint
2007 File Formats Service Pack 1, Microsoft Expression Web and Microsoft
Expression Web 2, and Microsoft Office Groove Server 2007 as Affected
Software. Also detailed a detection change for Microsoft SQL Server 2005
Service Pack 2 in the "Why was this bulletin revised on December 9,
2008?" entry in the Frequently Asked Questions (FAQ) Related to this
Security Update section.
- Originally posted: September 9, 2008
- Updated: December 9, 2008
- Bulletin Severity Rating: Critical
- Version: 3.0

Monday, December 8, 2008

Terror Suspects Used 'Wardriving' and Un-Secure Wireless Access Points in India Bombing

Securing wireless LANs has to be a priority to help protect the US national security posture. Insecure wireless networks allow malicious individuals to access a communication medium, conduct illegal activities and remain undetected.

Techniques like wardriving are prime examples of how this can occur. Wardriving is the act of searching for Wi-Fi wireless networks from a moving vehicle, using a portable computer.

Unfortunately, this technique in conjunction with non-secured wireless access points may have aided in the recent terrorist attacks in India.

A recent report stated:

After discovering that a militant group allegedly responsible for a series of bombings there recently may have sent their warning emails of the attacks via unsecured wireless LANs.

The police said the suspects used WiFi scanners to detect open WiFi networks and then remotely sent their email messages from those networks, claiming responsibility in advance of bombings in Delhi and Ahmedabad.

My view on this matter is that better education and monitoring of wireless equipment are needed at the user and ISP level. Vendors should also ship equipment with security enabled by default rather than open. This would make the user think about security as the equipment is being installed and configured.

Vulnerability Report

Vulnerability: ASPPortal
Published: 2008-11-28
Severity: High
Description: SQL injection vulnerability in content/forums/reply.asp in ASPPortal allows remote attackers to execute arbitrary SQL commands via the Topic_Id parameter.
Recommendation: NA

Not Installing MS08-067 Cause for Growing Botnet

As I reported a few weeks back on both my blog and the SecurityOrb.com website, the worm titled WORM_DOWNAD.A continues to cause widespread security issues on the Microsoft platform. It has been estimated that over 500,000 systems running MS Windows have been infected around the world, and the number continues to increase.

It is recommended that system administrators and users install the Microsoft patch MS08-067 update to protect against this worm.

Saturday, December 6, 2008

Mac OS X Boot Commands

I recently had to work on a Mac OS X system that would not boot from the CD-ROM drive, and I was able to work around it. The following commands are helpful for Mac OS X techs, computer forensics examiners and Mac users. Enjoy...

****** Mac OS X Boot Commands *******

Command-S: Boot into single-user mode
Command-V: Boot in "verbose" mode (shows all kernel and startup console messages)
X: Reset startup disk selection and boot into Mac OS X Server
Shift: Boot into "Safe Boot" mode, which runs Disk First Aid. A reboot will be required afterward.
Option: Boot into Open Firmware to select a boot device
Command-Option-Shift-Delete: Bypass the internal hard drive on boot
T: Boot into FireWire target disk mode
C: Boot from the internal optical drive
N: Start from the network (NetBoot)
Command-Option-P-R: Reset Parameter RAM (PRAM) and non-volatile RAM (NVRAM)
Mouse button: Eject (internal) removable media

ALSO: if you use an Open Firmware password, you'll need this:
Startup Manager: accessed by pressing the Option key during startup
Open Firmware prompt: press the Command-Option-O-F key combination during startup to enter commands.

http://docs.info.apple.com/article.html?artnum=106482

How to troubleshoot a computer with Open Firmware Password enabled
If you cannot access the Open Firmware Password application and need to troubleshoot your computer by:

Resetting the PRAM
Starting up in Single-user mode
Starting up in Verbose mode
Starting from CD-ROM

Then follow these steps:

Start up into Open Firmware by pressing and holding the Command-Option-O-F key combination during startup.
At the Open Firmware prompt, type: reset-nvram
Press Return.
When prompted for your password, enter it and press the Return key. It responds OK.
At the Open Firmware prompt, type: reset-all
Press Return.

The computer restarts, and you are now able to reset the PRAM and start up in single-user mode, verbose mode, or from CD-ROM.

Friday, December 5, 2008

Firefox Malware - Trojan.PWS.ChromeInject.A

Firefox users are targeted by a new malware named Trojan.PWS.ChromeInject.A, which collects passwords from banking sites.

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A," sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.

The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.

Firefox has been continually gaining market share against main competitor Internet Explorer since its debut four years ago, which may be one reason why malware authors are looking for new avenues to infect computers, Canja said.

Users could be infected with the Trojan from a drive-by download.

Thursday, December 4, 2008

The Goals of the National Cyber Security Initiative

Even though many of the activities under the Cyber Security Initiative are classified, here are some of the initial goals outlined for the initiative.

The Goals of the National Cyber Security Initiative:

* Reducing and consolidating the thousands of federal network Internet connections under the Trusted Internet Connections initiative. Reducing the number of connections to fewer than 100 could enable better control and monitoring of activities.

* Using the certification and accreditation authority of the Office of Management and Budget under the Federal Information Security Management Act to ensure that agencies establish watch-and-warning capabilities on their networks on a 24/7 basis, to improve cyber incident detection and response capabilities.

* Developing a faster process for detecting and responding to anomalous behavior on global networks, so that attacks can be spotted in a matter of minutes, not hours.

* Fully developing the potential of Einstein, the system used by US-CERT to spot problems on global networks.

Wednesday, December 3, 2008

Paraben's Device Seizure Field Kit

Paraben is pleased to announce the release of the Device Seizure Field Kit. Rugged, portable, and expandable, this comprehensive handheld forensic field kit allows you to take your lab out into the field to perform complete forensic exams of cell phones, PDAs, GPS devices, and related media (SIM cards, Micro SD Cards, Flash Drives, etc.).

The Device Seizure Field Kit Includes:

* One license of Device Seizure to acquire, analyze, and report on over 1,900 different devices
* All the components of the Device Seizure Toolbox including data cables, power management, a SIM card reader, and more
* A 1.6 GHz Laptop with 1 MB RAM and a 120 GB hard drive used to perform acquisitions and analysis
* One CSI Stick for even more convenient field acquisitions
* One license of Forensic Replicator to acquire data from different media you may encounter in the field
* One license of Case Agent Companion for quick analysis of non-device related data acquired in the field
* One license of P2 eXplorer to mount images as a virtual drive
* Various media card readers
* Rugged carrying case
* One year software and new cable subscriptions

This field kit is expandable, allowing you to add your other forensic tools for any type of digital examination anywhere, anytime. You can learn more about the Device Seizure Field Kit at http://www.paraben-forensics.com/catalog/product_info.php?products_id=501.

Do you already have Device Seizure and Toolbox? You can buy a conversion kit to upgrade your products to a Device Seizure Field Kit at http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=500.

Thank you,
Paraben Corporation

Apple quietly recommends using anti-virus software

Apple quietly recommends using anti-virus software: as the Mac platform gains market share, hackers could increasingly look to exploit it, particularly if it is perceived as an easier target.

Full story at infoworld.com

Tuesday, December 2, 2008

US Department of Defense's decision to ban the use of USB drives and other removable data storage devices

Classified US Systems Breached: Attacks on US War Zone Computers Prompts Security Crackdown

The Los Angeles Times is reporting that the US Department of Defense's decision to ban the use of USB drives and other removable data storage devices was prompted by a significant attack on combat zone computers and the US Central Command that oversees Iraq and Afghanistan. The attack is believed to have originated in Russia. While no specific details about the attack were provided, it is known that at least one highly protected classified network was affected.

http://www.latimes.com/news/nationworld/nation/la-na-cyberattack28-2008nov28,0,6441140.story

Removable media causes security concerns

The proliferation of portable media devices is increasing companies' security risks exponentially. In fact, endpoint security for laptops, PDAs and removable media is one of the most critical security issues facing companies today. USB drives, in particular, hold a tremendous amount of private corporate content. To deal with the growing problems, CIOs must set up strict policies for how data on removable media is handled, and where the devices can and cannot be taken. Employees should also be monitored to some extent, ensuring that they use removable media only for company-sponsored endeavors. It's also critical to make sure that the USB drives used by your company have appropriate encryption, which is not standard on all USB drives. The same diligence should be applied to other mobile devices such as laptops.

Source: http://www.fiercecio.com/story/removable-media-causes-security-concerns/2007-03-19


Some interesting information pertaining to the security issues with removable drives:

The rise of the mobile data market has been rapid, lucrative and dangerous. Long gone are the days when you needed identical tape drives and software on both computers. The traditional floppy disk market and local tape markets were superseded by the super-floppy and zip drive. Now even they are disappearing as the mobile data storage market evolves.

Thanks to their large capacities, portability, and simplicity, removable media have become one of the most popular types of storage devices around today. You've only to go down to one of the big computer shows to be offered a free memory stick as a stand give-away. If you take part in an IT training course, you might be given one with all your course notes stored on it. They are so cheap that they are the obvious way to store information: business proposals, accounts, clients' details, marketing plans, etc.

The arrival of the MP3 music player has had a significant impact on the market. While Apple sees music as the only reason for owning an iPod, its competitors have simply created large USB stores with some built-in music software. An increasing number of people now view the MP3 player as both a data and an entertainment tool. The danger here is that as an entertainment device it falls below the radar, and with storage capacities set to exceed 80GB by the end of 2005, it is a serious threat to data protection.




http://www.gcn.com/online/vol1_no1/47646-1.html/?s=dailyNL


Pentagon spokesman Brian Whitman confirmed that the Defense Department is battling an ongoing malware attack within DOD's networks. "We are aware of a global virus for which there are some public alerts, and we've seen some of these on our networks, and we are taking steps to identify and mitigate the virus," Whitman said in an official statement Nov. 21.

Last week, Strategic Command mandated that users of the Global Information Grid not use removable media, to prevent further spreading of a virus. Wired Magazine's Danger Room blog reported that an Army e-mail alert had been sent out relaying the instructions from STRATCOM, banning the use of removable media -- thumb drives, external disks, CDs and DVDs -- effective immediately. The e-mail indicated that a worm called Agent.btz was the cause of the move by STRATCOM and Joint Task Force-Global Network Operations.


http://www.gcn.com/online/vol1_no1/47657-1.html/?s=dailyNL


NASA chief information officer Jonathan Pettus clarified the agency’s policy curbing the use of removable media in the wake of recent security concerns. The policy appeared in an internal memo.

New details about security concerns at NASA, independent of the memo, emerged in a report by BusinessWeek published last weekend. It details a series of significant and costly cyberattacks on NASA systems in the past decade.

The memo from Pettus instructs employees not to use personal USB drives or other removable media on government computer systems. It also directs employees not to use government-owned removable devices on personal machines or machines that do not belong to the agency, department or organization. And it warns employees not to put unknown devices into any systems and to ensure that systems are fully patched and have up-to-date antivirus software.

Pettus also said he is in the process of updating security policies and is “working with center CIOs on additional measures recommended by [the U.S. Computer Emergency Readiness Team] to mitigate removable media risks, including implementation of Federal Desktop Core Configuration settings.”

The directive is not as sweeping as one issued by the Defense Department, which temporarily forbids the use of USB drives and other removable media devices of all types as a step toward mitigating the spread of detected malware.

Monday, December 1, 2008

Three Reasons for Security Issues

Technology Weaknesses
Each network & computing technology has inherent security problems.

Configuration Weaknesses
Even the most secure technology can be misconfigured exposing security problems.

Policy Weaknesses
A poorly defined, implemented or managed security policy can make the best security infrastructure open for abuse.

Defining Threat, Vulnerability and Attack

Threats - A threat is any potential danger to information or systems

Vulnerabilities - A vulnerability is a software, hardware or procedural weakness that may provide an attacker a way to access information or systems.

Attacks - An attack is a technique used to exploit a vulnerability.

Security Definitions - Risk Assessment

Risk Assessment - a qualitative or quantitative review of the likelihood of a threat agent taking advantage of a vulnerability. Some security-related examples of such vulnerabilities are:

  • Open ports on a firewall
  • Not upgrading to new OS version
  • Not applying a software patch
Basic Security Steps of Risk Assessments:
  1. Identify and prioritize assets
  2. Identify vulnerabilities
  3. Identify threats and the probability of each occurring
  4. Identify countermeasures
  5. Develop a cost benefit analysis
  6. Develop security policies and procedures
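The six steps above carried through on a small quantitative register, as an added example that is not part of the post. It uses the annualized loss expectancy (ALE) model, which the post does not name, and every figure, asset and countermeasure below is constructed for illustration; the three vulnerabilities are the post's own examples.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str                 # step 1: the asset ...
    asset_value: float         # ... and what it is worth (constructed figures)
    vulnerability: str         # step 2
    threat: str                # step 3: who/what exploits it ...
    exposure: float            # fraction of asset value lost per incident (0..1)
    annual_rate: float         # ... and how often per year it is expected
    countermeasure: str        # step 4
    cm_cost: float             # yearly cost of the countermeasure
    cm_rate_reduction: float   # fraction of incidents the countermeasure prevents

    def ale(self, with_countermeasure=False):
        """Annualized loss expectancy = single loss expectancy * annual rate."""
        sle = self.asset_value * self.exposure
        aro = self.annual_rate * ((1 - self.cm_rate_reduction) if with_countermeasure else 1)
        return sle * aro

    def net_benefit(self):
        """Step 5: yearly loss avoided minus what the control costs."""
        return self.ale() - self.ale(with_countermeasure=True) - self.cm_cost

# Constructed register built from the post's three example vulnerabilities.
REGISTER = [
    Risk("Internet-facing server", 200_000, "Open ports on a firewall",
         "remote exploit of an exposed service", 0.5, 0.4, "close unused ports", 2_000, 0.9),
    Risk("Workstations", 50_000, "Not upgrading to new OS version",
         "malware on an unsupported OS", 0.3, 1.0, "upgrade OS", 20_000, 0.7),
    Risk("Database server", 500_000, "Not applying a software patch",
         "exploit of a known vulnerability", 0.6, 0.5, "apply vendor patch", 1_000, 0.95),
]

def prioritize(register):
    """Rank by current ALE, highest first; step 6 writes policy from this order."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)

def worthwhile(register):
    """Countermeasures whose yearly benefit exceeds their cost (step 5)."""
    return [r.countermeasure for r in register if r.net_benefit() > 0]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.vulnerability:32s} ALE={r.ale():>9,.0f} net benefit={r.net_benefit():>9,.0f}")
    print("worth funding:", worthwhile(REGISTER))
```

A countermeasure with a negative net benefit (here, the OS upgrade) is not necessarily wrong, but the register shows it should be justified on grounds other than this year's loss figures.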

CDE DTLogin X-Windows XDMCP Double Free

CDE DTLogin X-Windows XDMCP Double Free
Affected Systems (System / Operating System):
Solaris 8 **
Description:
A double free vulnerability exists in the X Windows Desktop Manager Control Protocol (XDMCP) service bundled with most X Windows implementations.
Recommendation:
For systems that do not require the X Windows system, dtlogin may be disabled. To disable dtlogin perform the following actions:

1. stop dtlogin with the following command "/etc/init.d/dtlogin stop"
2. move the file "dtlogin" out of the "/etc/init.d" directory


To disable handling of XDMCP requests sent from remote hosts perform the following actions:

1. stop dtlogin with the following command "/etc/init.d/dtlogin stop"
2. edit the file "/etc/dt/config/Xconfig" and uncomment the line reading "Dtlogin.requestPort:0"
3. restart dtlogin with the following command "/etc/init.d/dtlogin start"
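An added example, not from the advisory or from Foundstone, that applies and verifies the second mitigation above on a copy of Xconfig: it makes the `Dtlogin.requestPort: 0` setting active whether the shipped line is commented out, set to another port, or absent. The sample file text and the function names are constructed for the example.

```python
import re

# Active (uncommented) requestPort line. Solaris ships the line commented out
# with a tab before the value, so whitespace around the value is tolerated.
ACTIVE = re.compile(r"^\s*Dtlogin\.requestPort:\s*(\d+)\s*$")
COMMENTED = re.compile(r"^\s*#+\s*(Dtlogin\.requestPort:\s*)(\d+)\s*$")

def remote_xdmcp_disabled(xconfig_text):
    """True only if at least one active requestPort line exists and every
    active one sets the port to 0, i.e. remote XDMCP handling is off."""
    ports = [int(m.group(1)) for m in map(ACTIVE.match, xconfig_text.splitlines()) if m]
    return bool(ports) and all(p == 0 for p in ports)

def disable_remote_xdmcp(xconfig_text):
    """Return the config text with remote XDMCP disabled (idempotent): rewrite any
    active non-zero value, else uncomment the shipped default, else append it."""
    lines = xconfig_text.splitlines()
    found_active = False
    for i, line in enumerate(lines):
        m = ACTIVE.match(line)
        if m:
            found_active = True
            if m.group(1) != "0":
                lines[i] = "Dtlogin.requestPort: 0"
    if not found_active:
        for i, line in enumerate(lines):
            m = COMMENTED.match(line)
            if m and m.group(2) == "0":
                lines[i] = m.group(1) + "0"   # drop the leading '#'
                found_active = True
                break
    if not found_active:
        lines.append("Dtlogin.requestPort: 0")
    return "\n".join(lines) + "\n"

def harden_xconfig(path):
    """Rewrite the file at `path` in place; report whether it is now hardened."""
    with open(path) as f:
        hardened = disable_remote_xdmcp(f.read())
    with open(path, "w") as f:
        f.write(hardened)
    return remote_xdmcp_disabled(hardened)

# Constructed sample in the shape of the shipped Xconfig (not a real system file).
SAMPLE_XCONFIG = (
    "# Constructed sample resembling /etc/dt/config/Xconfig\n"
    "Dtlogin.errorLogFile:\t/var/dt/Xerrors\n"
    "# Dtlogin.requestPort:\t0\n"
)
```

Run `harden_xconfig("/etc/dt/config/Xconfig")` as root between the dtlogin stop and start in the steps above; the check function alone is enough for an audit script.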


Patches for this vulnerability may be obtained from the following locations:

IBM AIX 4.3.3, IBM APAR IY55362
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

IBM AIX 5.1, IBM APAR IY55361
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

IBM AIX 5.2, IBM APAR IY55360
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

Sun Solaris 8.0 x86, Patch 108920-21
http://sunsolve.sun.com/search/document.do?assetkey=1-21-108919-21-1

Sun Solaris 8.0, Patch 108919-21
http://sunsolve.sun.com/search/document.do?assetkey=1-21-108919-20-1

Sun Solaris 9.0 x86, Patch 114210-08
http://sunsolve.sun.com/search/document.do?assetkey=1-21-114210-08

Sun Solaris 9.0, Patch 112807-09
http://sunsolve.sun.com/search/document.do?assetkey=1-21-112807-10-1
Observation:
The X Windows Desktop Manager Control Protocol (XDMCP) is used to manage X Windows sessions on remote computers.

A double free vulnerability exists in the dtlogin daemon responsible for handling XDMCP requests. By sending a maliciously crafted request to UDP port 177 of an affected system it is possible to cause the target to free a chunk of dynamically allocated memory more than once. Freeing of memory more than once results in corruption of heap memory and may allow for remote code execution.

Foundstone detected this vulnerability by sending a maliciously crafted request to the XDMCP service on UDP port 177 and then probing to see if the service continued to service requests.


Affected Systems:

Sun Solaris 7.0, 8.0, 9.0
HP-UX 11.x
IBM AIX 4.3.3, 5.1, 5.2
Common Desktop Environment (CDE) 1.0.1, 1.0.2, 1.1, 1.2, 2.0, 2.1,


For more information see:

CERT Vulnerability Note VU#179804:
http://www.kb.cert.org/vuls/id/179804

BID 9958:
http://www.securityfocus.com/bid/9958
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2004-0368

General Types of Digital Forensics

Network Analysis
  • Communication analysis
  • Log analysis
  • Path tracing
Media Analysis
  • Disk imaging
  • MAC time analysis (Modify, Access, Create)
  • Content analysis
  • Slack space analysis
  • Steganography
Code Analysis
  • Reverse engineering
  • Malicious code review
  • Exploit Review

Green IT and Green Computing Technology

Green IT, also known as Green Computing, is the movement towards a more environmentally friendly and cost-effective use of power and production in technology. The crux of Green IT is to double or triple the bottom line investment costs by converting existing structures and systems to this more conservative mode of operation in green computing. Some common Green computing concepts are Virtualization, Recycling, Telecommuting and Power Management through the use of efficient devices. So help save the environment, save yourself some money and "go green" with green IT computing.

Vista Service Pack 2 in First Quarter 2009


SecurityOrb.com researchers stated in an interview that Microsoft will post a release candidate of Vista SP2 in the first quarter of 2009 and finish the service pack next April.

According to Microsoft, Vista SP2 will include Windows Search 4, Bluetooth 2.1 wireless support, faster resume from sleep when a wireless connection has been broken and support for Blu-ray. Some of those features, including Windows Search and the Bluetooth support, have been available to Vista users for months through individual updates.

The service pack will update both Vista, the client version of Windows, and Windows Server 2008, the company's corresponding server software.

Vista SP2 will require SP1 as a prerequisite, a factor that played to Microsoft's ongoing recommendation that users deploy the first service pack as soon as possible.