Critical security hole in Windows XP / Server 2003
[Jul. 6th, 2009|06:00 pm]
Microsoft announced today a nasty security vulnerability, discovered but not yet patched, that lets a malicious website take remote control of your machine. It is being actively exploited around the Internet.
From http://www.msnbc.msn.com/id/31766751:
Microsoft Corp. has taken the rare step of warning about a serious computer security vulnerability it hasn't fixed yet.
The vulnerability disclosed Monday affects Internet Explorer users whose computers run the Windows XP or Windows Server 2003 operating software.
It can allow hackers to remotely take control of victims' machines. The victims don't need to do anything to get infected except visit a Web site that's been hacked.
Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability. People are drawn to these sites by clicking a link in spam e-mail.
I easily found a few of these sites by analyzing several spam emails containing links to rogue domains announcing things like eCards, or purporting to have news about recent events (M Jackson or Obama, for example).
If you still use Windows XP or Server 2003 with Internet Explorer (any version), then you are vulnerable . . . Vista, Server 2008 and Windows 7 Beta/RC users are not affected. Oddly enough, users of the venerable Windows 2000 with SP4 are also not affected.
There is a workaround for this issue, although using it will disable certain types of motion video in the browser. For end-user-friendly workaround instructions (as well as a method to remove the workaround -- which you WILL want to do once this is patched), go to Microsoft's page on the topic at:
http://support.microsoft.com/kb/972890
Once you get to that page, use the Enable Workaround (*Fix it*) button in the middle of the page and follow the prompts. After you have successfully enabled the workaround, make sure to close and re-open IE -- or reboot -- before you continue surfing the web . . .
For advanced users / IT admins, you can find out more about this issue at:
http://www.microsoft.com/technet/security/advisory/972890.mspx

April 1st may be a nasty day if your system harbors hidden malware
[Mar. 13th, 2009|05:45 pm]
. . . of course, this has been true for the last few years. April 1 seems to be a favorite date for malware criminals.
This year it's "Conficker," aka "Downadup." Since my last post about this rapidly spreading piece of nastiness, the virus has seen (at least) two updates from its authors. The most recent edition is more aggressive about spreading itself and more resilient against detection and cleanup than any virus I've personally seen in years.
It installs at least two rootkit variants and uses known Windows exploits to spread on local networks -- bypassing any user interaction (such as surfing a compromised website or opening infected email) altogether. It's still using USB devices to spread through AutoRun -- which makes me wonder why Microsoft hasn't offered to disable that for everyone through Automatic Updates.
Its short-term purpose in life -- so far -- seems to be getting as many machines infected as possible. Long-term it's a botnet awaiting commands from its criminal owners. Those commands could be anything from an update to currently infected machines to make them harder to detect and clean, to a DoS attack on the Internet infrastructure or specific targets, to sending spam from millions of infected workstations, to activating/installing key-loggers to steal your identity and bank accounts.
I'm betting on a combination of the above -- with the twist that the whole botnet will be up for hire and thus will change its mission frequently and randomly as underworld buyers subscribe to services.
I am very much concerned that after April 1st we will all know a lot more than we wanted to about Conficker.
So what can you do about this?
a) Don't rely on Windows Automatic Updates (it's been known to get into a stuck state on certain machines). Visit Microsoft's Update site and verify that you are completely caught up on all critical updates. If you see any available critical fixes, install them, reboot, and check again. (Some updates stack on older updates and won't appear until you catch up a bit.) Repeat the check, install the next layer, and repeat until the list shows zero critical hotfixes. Get to the manual update check from IE's Tools menu by selecting Windows Update. Or you can take a huge risk and click this link while using Internet Explorer (and hope that this blog post can be trusted): http://windowsupdate.microsoft.com/
b) Make sure you're running a current anti-virus/spyware product, and that your subscription is active. I'm not trying to play favorites, but you get what you pay for in most cases. Free AV products have not generally been as effective as pay-for versions (even within the same company/product group where a free version is offered -- no names here).
c) Lock down your wireless network with WPA2 if you use one at work or home -- someone who's infected could wardrive your LAN and infect your machines if you leave your wireless open to the world. (Not to mention all the other crap they can do to you if you leave your network unsecured.)
d) Change your firewall's password from the factory default. (See your owner's manual . . . )
e) Turn off AutoPlay (yes, I know, I rag on this a lot -- Microsoft should pay attention already).
f) Use IE in High Security Mode and, if you have IE 8, enable Protected Mode (Vista IE 7 users get this by default) -- or better yet, use Firefox 3.x in combination with NoScript.
g) If you can't do the above . . . then on March 31 turn your computer off, go outside, and enjoy some sunshine. Go find some nightlife too -- away from your computer. You can come back on April 2nd. Maybe. Seriously, folks -- these things spread so easily because we get lax about our personal safety online.
Would you drive at very high speed on the interstate highway system on sagging bald tires, with the engine light showing low oil and no seat belt?
Wait . . . don't answer that.

Paul Harvey
[Feb. 28th, 2009|09:47 pm]
Paul Harvey died today, less than a year after his wife passed away.
http://www.msnbc.msn.com/id/29447376/
He was 90 years old.
I used to listen to him faithfully every day when I still listened to radio.
What a voice. What a life. And now he's off to discover the rest of the story . . .

Clyde Tombaugh's 16 inch telescope pictures at Pluto Park, NM
[Feb. 7th, 2009|02:18 pm]
Clyde Tombaugh's 16 inch telescope (Tombaugh discovered the planet Pluto) has been restored and installed at Rancho Hidalgo, aka "Pluto Park," near Animas, New Mexico. The opening ceremony occurred Wednesday afternoon, January 28, 2009.
Approximately 50 people attended the ceremony. Some of the key attendees included Jack and Alice Newton; Walter Haas; David Levy; Michael Bakich; several members of the New Mexico State University physics and astronomy faculties; various amateur astronomers from Tucson, Las Cruces and surrounds; and Patsy Tombaugh, Clyde Tombaugh's wife.
For more pictures by other attendees and an excellent write-up on the event, see the blog entry on Astronomy.com by Michael Bakich: On the road: Party in Pluto Park.
Clyde Tombaugh's 16 inch telescope.

Educational
[Feb. 6th, 2009|01:22 pm]
"I think TV is very educational,
every time someone turns on a TV
I go in the other room and read."
- Julius Henry "Groucho" Marx

Mashup of this week's ponderings
[Jan. 24th, 2009|08:07 pm]
Circuit City is going bankrupt -- and both they and the media still don't get the reason why. Too many articles blame super-competitive behavior from Best Buy. That's not the reason. In fact, BB should be watching closely, because they are next to go under if they don't upgrade their act. Part of the problem is the economy, but CC's problems started well before we got into the current mess.
I believe that BB needs to start competing with online sales for computer and AV equipment, software etc. Look to Amazon, NewEgg, TigerDirect, CDW, and many other online retailers that are underselling BB. If BB fails to take online sales competition seriously - and by that I mean price matching and quality assurances - then BB will be out of business in a few years or less.
Windows 7 Beta -- it looks like Vista, but feels and works MUCH better. I am a bit peeved about this. I think W7 should be the next service pack for those who purchased Vista. Don't take me for an MS hater -- I'm not. Vista SP1 has its strengths, but it still feels unfinished and clunky. I personally think there should be some consideration from MS for Vista adopters when W7 is released -- and I don't mean their standard "Upgrade" discounted editions that won't let you do a clean install onto a system.
Windows 7 may entice most XP users to upgrade - assuming the economy rebounds in time. Vista users will want to upgrade so they can save what's left of their hair. Windows 7 combined with Windows Server 2008 is a powerful partnership for the enterprise.
Virus / worm / potential botnet attack -- still in progress. Downadup, Conficker, call it what you will -- it is still spreading rampantly. Trouble is, it doesn't seem to be doing anything. This has AV researchers worried, as it's entirely likely that all 12 million plus infected computers may in fact be waiting for a specific date or deadline to activate and wreak havoc on the Internet. I am personally going out on a limb here, but it's almost beginning to look like a well-funded terrorist attack in progress/preparation. This virus is sophisticated, but it's doing nothing ... yet! If whoever owns the botnet decides to use it as a Denial of Service attack machine, and assuming infections continue to increase at current rates, the infrastructure could be in trouble. See my previous post about this topic at http://netdef.livejournal.com/55150.html
I miss my kitty . . . been almost 18 months. Might be time to go find a new kitten.

I told you so! Conficker worm spreading ~10 million computers in a week.
[Jan. 16th, 2009|05:13 pm]
I always wanted a post title like that . . .
The Conficker worm is making its rounds and may very well become the most aggressive and fastest-spreading malware in history with a truly nasty payload. I'm not going to count the Melissa virus or the "I Love You" virus of a few years ago, because as rampant as they were, their payloads were relatively benign.
This new worm uses a multi-pronged attack to infect new victims. Its first intent is to create a new botnet and "zombify" your computer. Its other mission is to steal passwords, personal info and account information in an attempt at mass identity theft.
It uses a vulnerability in Windows that Microsoft patched last month as the primary vector, then attempts to use AutoRun on USB drives as well as brute-forcing the Administrator account password once it gets inside a local area network.
So if you haven't yet, get patched completely to the most up-to-date versions you can, turn off AutoRun on your clients and servers, and make sure all accounts on your systems that have Admin rights also have strong passwords. Even if you are using a home computer behind a firewall, make sure your account has a password.
More info here: http://www.pcworld.com/article/157876/protecting_against_the_rampant_conficker_worm.html

Get your out-of-cycle critical IE patch now
[Dec. 17th, 2008|11:02 am]
The patch just went live on Windows Update. If you run Windows or Microsoft Updates manually via the browser or the Vista Update program, look for references to any one of the following (depending on your OS):
MS08-078, KB961051, KB960714
"Security Update for Internet Explorer 7" (or 8, 6, etc.)
If you need to download and install the update manually (or have a lot of machines to update, or have older versions of IE), try this search query on Microsoft's site for MS08-078:
http://search.microsoft.com/Results.aspx?mkt=en-US&q=ms08-078
If you are otherwise current on updates and use Auto-Updates, you will get this patch sometime during the next few days. Personally, I would do a forced check to be sure.

Get traditional -- send paper cards via snail mail for the holidays
[Dec. 7th, 2008|12:37 pm]
. . . Or call your family/friends/loved ones. Better yet send them a nice gift.
Whatever you do -- forget about eCards. I personally think eCards are tacky anyway, but the real problem is that too many email virus spammers use fake eCards during the holidays to propagate their infections. Lately it's become darn near impossible to tell the fakes from the "legit" eCards.
We see this every holiday season, so here's your paranoid reminder for 2008:
http://blogs.technet.com/mmpc/archive/2008/12/02/merry-malware.aspx
Every year the ne’er-do-wells trundle out the same set of tricks to distribute their malware and take advantage of people’s better nature, and the additional opportunities for sensitive data theft as shoppers flock to the Internet to purchase gifts and other festive treats. Regardless of the simplicity of this basest style of social engineering attack, it must be successful or I guess we wouldn’t see so much of it every year.
The basic holiday-themed attack has varied little, if at all, through the years and across various holidays. Generally, the attacker sends a malicious e-mail that appears to notify the target that they have received an e-card that says “Happy ”. The e-mail also contains a link that the target can use in order to ‘see’ their card. Clicking on the link downloads a malicious executable that compromises the user’s machine, often opening a backdoor that places the machine under the attacker’s control. Colourful animations and music tend to feature in these lures (and who doesn’t like dancing snowmen/candycanes/santas/Christmas trees/champagne bottles, etc?) Of course, Christmas isn’t the only popular theme for bait, the New Year also finds its share of fans in the malware distributing underground.
So, while musing about the delights of the coming festive season, spare a thought for your safety online, and don't be fooled by the dancing Santas.

Home firewalls and routers vulnerable to hacking . . . still
[Dec. 4th, 2008|03:04 pm]
Old bug, old news, and apparently STILL not being corrected by the Internet Service Providers that distribute these things to their customers. Unknown at this time is whether some of the combo cable-modem and fiber routers have the same issue. (My bet is -- yes!)
The short story: the default login to most firewall/routers' browser-based configuration panels from the LAN side is unsecured -- we're talking a known admin user and either no password or a widely known factory default. The customer almost never logs in to change or set a new password, and the service tech that installs the router doesn't either.
This issue has also been around for a loooong time with retail Wi-Fi or wired firewall/routers: the admin passwords for all brands and models are well known (and it's a very short list), and if the customer never changes them, the devices are vulnerable to this hack.
See http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212201777 for the full article. Excerpts below:
~~~ snip ~~~
A deadly attack typically associated with Websites can also be used on LAN/WAN devices, such as DSL routers, according to a researcher who this week demonstrated cross-site request forgery (CSRF) vulnerabilities in devices used for AT&T's DSL service.
The vulnerability isn't isolated to Motorola/Netopia DSL modems. It affects most DSL modems because they don't require authentication to access their configuration menu, he says. "I can take over Motorola/Netopia DSL modems with one request, and I can do it from MySpace and other social networks," Hamiel says. The attack uses HTTP POST and GET commands on the modems, he says.
CSRF vulnerabilities are nothing new; they are pervasive on many Websites and in many devices. "CSRF, in general, is a very old issue," says Hamiel, who blogged about the hack this week. "Most of the vulns found today are old. That's the point: Nobody seems to learn lessons anymore."
A CSRF attack on a DSL router could be launched from a social networking site, Hamiel says, using an image tag on a MySpace page, for example. "Everyone who viewed my MySpace page with AT&T DSL and the Motorola/Netopia DSL modem would be owned," he says.
~~~ snip ~~~
What can a hacker do to you once they have access to your router's configuration page?
1) They can create false DNS entries that will point you to their site instead of -- say -- your bank's.
2) They can log in to your home or small-business network and snoop on your shared files.
3) If your computer has no password, or an easy password, they may log directly in to your computer behind your firewall, install backdoor Trojans, and use your broadband to send out more viruses, spam and malware to others.
4) They can use your system as a proxy while they go do really bad things on the Internet. Later you get served papers (or the officers kick down your door at midnight) for crimes you did not know were being committed over your connection.
Etc. Etc. Etc . . .
Lesson for the day (and most of my direct readers already do this, so pass the word to your family, friends and neighbors):
When you buy or take delivery of a DSL, cable or auxiliary Wi-Fi or wired router, log onto it at least once and change the Administrator password.

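As an added example (not from the Dark Reading article or any router vendor's firmware), here is the kind of check a router's LAN-side admin page could apply before acting on a configuration change, so that the image-tag request described above is refused rather than obeyed. The host names, session object and request dictionaries are constructed stand-ins for a real router's request handling.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hostnames/addresses the admin UI is served on (constructed for this example).
ROUTER_HOSTS = {"192.168.1.1", "router.local"}


class AdminSession:
    """An authenticated admin session carrying its own secret CSRF token."""

    def __init__(self, password_ok):
        self.authenticated = password_ok
        # Random per-session token; a page on another site cannot read it,
        # so it cannot include it in a request it forges through the browser.
        self.csrf_token = secrets.token_hex(16)


def allow_config_change(session, request):
    """Decide whether a configuration-changing request may be acted on.

    `request` is a constructed stand-in for the router's parsed HTTP request:
    {"method": ..., "headers": {...}, "form": {...}}.  Returns (allowed, reason).
    """
    # 1. The article's core complaint: the config menu answers without any login.
    if session is None or not session.authenticated:
        return False, "not authenticated"
    # 2. Only POST may change state; an <img src=...> on a MySpace page can only send GET.
    if request["method"] != "POST":
        return False, "state change requires POST"
    # 3. Refuse requests that a page on another site made the browser send.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is None or urlsplit(source).hostname not in ROUTER_HOSTS:
        return False, "cross-site request"
    # 4. Even a same-origin POST must echo the session's secret token
    #    (constant-time comparison so the token cannot be guessed by timing).
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Run the scenarios discussed in the post and return each verdict."""
    session = AdminSession(password_ok=True)
    # Constructed requests; 203.0.113.5 is a documentation address standing in for a rogue DNS server.
    via_img_tag = {"method": "GET",
                   "headers": {"Referer": "http://www.myspace.com/somebody"},
                   "form": {"dns1": "203.0.113.5"}}
    forged_post = {"method": "POST",
                   "headers": {"Origin": "http://www.myspace.com"},
                   "form": {"dns1": "203.0.113.5"}}
    legit = {"method": "POST",
             "headers": {"Origin": "http://192.168.1.1"},
             "form": {"dns1": "192.168.1.1", "csrf_token": session.csrf_token}}
    return {
        "img_tag": allow_config_change(session, via_img_tag),
        "forged_post": allow_config_change(session, forged_post),
        "no_login": allow_config_change(None, legit),
        "legit": allow_config_change(session, legit),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```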
List of reputable Anti-Malware/Virus suites that have free editions or fully functional trials
[Dec. 3rd, 2008|01:15 am]
My top list of reputable Anti-Malware/Virus suites for Windows that have free editions or fully functional trials.
They're in no particular order of effectiveness at the time of this writing . . . these are all genuine and are usually listed within the top 10 AV products as tested by VB100. I am posting this as a reference because there are way too many pop-up ads for so-called free scanners that are actually Trojans in and of themselves.
Remember that you should only run ONE real-time protection product at a time on your system. Don't install two or more and expect your computer to be stable.
Links provided in clear text so you can examine them for funny business.
SunBelt Software: Vipre - 15 day free trial. (Fully functional, Virus, Rootkit, Malware/Spyware protection and cleanup. Very useful for emergency cleanups.) http://www.sunbeltsoftware.com/Home-Home-Office/VIPRE/
ESET NOD32 AV - 30 day free trial. (Mostly fully functional, Virus, Malware/Spyware protection and cleanup.) http://www.eset.com/download/free_trial_download.php
Kaspersky Anti-Virus 2009 - 30 day free trial. (Mostly fully functional, Virus, Malware/Spyware protection and cleanup.) http://www.kaspersky.com/trials
Sophos AntiVirus - 30 day free trial. (Fully functional, Virus, Malware/Spyware protection and cleanup. Free Rootkit analyzer also available, see below.) http://www.sophos.com/products/small-business/eval.html
Sophos Anti-Rootkit - Free version. (Fully functional within the scope of the intended use, that is to find and delete rootkits - but it's not going to go after other malware or viruses on your system.) http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Avira: AntiVir - Free version. (Good protection and system scans, but pops up nag screens from time to time asking you to upgrade to the pro version.) http://www.free-av.com/
Avast!: Home Antivirus - Free version. (Good protection etc, free virus definitions seem to be about 4 days behind -- but I cannot prove that.) http://www.avast.com/eng/avast_4_home.html
Grisoft: AVG - Free version. (Good protection etc, as with Avast the free virus definitions seem to be about a week behind -- but I cannot prove that.) http://free.avg.com/
Since someone may ask -- I personally use the first on the list. It provides excellent scan and cleanup features, including a special safe-mode scanner and a boot-time rootkit scanner. Its real-time monitor has very low impact on system performance, and the program has a very clean -- even simplistic -- UI.

New proof-of-concept script attack in all browsers bypasses AV detection
[Nov. 22nd, 2008|01:19 pm]
From http://www.eweek.com/c/a/Security/Script-Fragmentation-Attack-Could-Allow-Hackers-to-Dodge-AntiVirus-Detection/:
Stephan Chenette of Websense describes a new Internet attack vector that could allow hackers to bypass anti-virus protection at both the gateway and the desktop. The technique, called script fragmentation, involves breaking down malware into smaller pieces in order to beat malware analysis engines.
The attack works like this: Malware authors write benign client code and embed it in a Web page. The only content contained on the initial page will be a small JavaScript routine utilizing XHR or XDR. This code contains no actual malicious content, and the same type of code is found on all of the major legitimate Web 2.0 sites.
When a user visits the Web page, the JavaScript and the XDR or XHR will slowly request more code from other Web servers a few bytes at a time, thereby only allowing a user's gateway anti-virus engine to analyze a few seemingly innocuous bytes as it tries to determine whether or not the Web site is malicious.
Once received by the client, the bytes are stored in an internal JavaScript variable. The client will request more and more information until all the information has been transferred. Once it has been transferred JavaScript will be used to create a Script element within the DOM (Document Object Model) of the browser and add the information as text to the node. This in turn will cause a change to the DOM and execute the code in the script element.
According to Chenette, the entire process—from data being transferred over the network to triggering JavaScript within the DOM—can slip under the radar because no malicious content touches the file system. It's done completely in memory, and any content that is transferred over the network is done in such tiny fragments that anti-virus engines parsing the information don't have enough context or information to match any signatures.
The attack, which has not been seen in the wild by Websense, works on all the major browsers. Technically, however, it is not a browser vulnerability—it merely takes advantage of the way browsers work.
My initial thoughts: if this gets out into the wild, the only protection is to either turn off scripting entirely in Internet Explorer (which will cripple most legitimate websites) or use the excellent NoScript plugin for Firefox (and use it correctly).

Rootkits, Trojans -- they may 'own' your USB thumbdrive
[Nov. 20th, 2008|10:45 am]
A topic that I might have brought up before (too lazy to go find it), and which really hit home this last weekend: USB portable storage devices and current malware are a match made in virus heaven.
A friend of mine called me in a panic -- his main computer had slowed down, so he thought he might clean it up a bit. He made a full backup of his photos and documents to a portable USB drive, started the cleanup, saw some odd behavior, downloaded an alternate virus scanner trial, found nasty, nasty stuff that he could not clean up, rebuilt the OS after formatting the drive -- and started to restore his files from that backup.
Remember that backup? The one he took from what was likely an already infected system? The second he inserted that drive into a USB port - wham! Infected again. That's when he finally called me . . .
Much like the virus infections that spread via 5.25 and 3.5 inch diskettes in days of yore, a new generation of backdoor Trojans, rootkits, keyloggers, botnet/zombie infections and other malware uses USB drives as an infection vector.
This is exceptionally nasty for consultants that use USB drives as their portable toolkit. They stick their drive into an infected computer, which infects their portable drive, which in turn infects the very next computer into which they insert said drive if Autoplay is turned on . . .
Solutions do exist though. My personal solution - which I use in my business - is to use USB thumb drives with a Write Protection Switch (a physical slider switch on the side of the drive that sets the drive to read-only mode and cannot be bypassed by software) while in the field. I also keep a full redundant backup of my software toolkit in safe storage. (Not to mention I scan my thumb drives after every client visit.)
So you set the drive to read/write when copying data to it from a safe computer, and switch it to read-only while using it in other computers.
The only trouble is that if you need to write or save a file to the drive while visiting another computer, you had better make darn sure that a) that other computer is running a current and trustworthy anti-malware suite, b) your own computer at home or the office has Autoplay turned off, and c) afterwards you think very hard before using that drive in any other computer until it has been scanned from a safe location.
The other problem is that finding a USB drive with a physical "Write Protection Switch" is fairly difficult. I've got two different brands in my toolkit now. It took some serious google-fu to locate them and even more effort to find a vendor that sold the models. (Iomega and Kanguru, for those curious -- the Kanguru is fast and secure, but much more pricey.)
I've said it before, here it is again (and updated for Vista users):
Turn off Autoplay!

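As an added example serving both item e) of the Conficker post above and this post's "Turn off Autoplay!" advice (it is not the blog's own script), this Python snippet decodes the NoDriveTypeAutoRun policy value that Windows consults to suppress AutoRun per drive type and, when run on Windows, applies the 0xFF "all drive types" setting. The registry path and bit meanings are Microsoft's; the sample value 0x91 is a constructed input.

```python
"""Decode and apply the Windows NoDriveTypeAutoRun policy (REG_DWORD).

Each set bit disables AutoRun/AutoPlay for one drive type; 0xFF disables it
for every drive type.  Policy location (HKLM applies to all users, HKCU to
the current user): Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
"""
import sys

POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"
DISABLE_ALL = 0xFF

# Bit -> drive type it disables.  Bits follow GetDriveType's DRIVE_* numbering
# (1 << type); 0x80 covers drive types Windows cannot classify.
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable (USB thumb drives, floppies)",
    0x08: "fixed (internal hard drives)",
    0x10: "network drives",
    0x20: "CD/DVD-ROM",
    0x40: "RAM disk",
    0x80: "unclassified",
}


def autorun_still_enabled(mask):
    """Drive types on which AutoRun still fires under the given policy value."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]


def is_fully_disabled(mask):
    """True only when every drive-type bit is set (0xFF or a superset)."""
    return mask & DISABLE_ALL == DISABLE_ALL


def describe(mask):
    """Human-readable verdict for a policy value (None = value not set)."""
    if mask is None:
        return "NoDriveTypeAutoRun not set: Windows falls back to its built-in default"
    if is_fully_disabled(mask):
        return f"0x{mask:02X}: AutoRun disabled for all drive types"
    return f"0x{mask:02X}: AutoRun still enabled for " + ", ".join(autorun_still_enabled(mask))


def _hive(name):
    import winreg  # Windows-only module; imported lazily so the decoder runs anywhere
    return winreg, (winreg.HKEY_LOCAL_MACHINE if name == "HKLM" else winreg.HKEY_CURRENT_USER)


def read_policy(hive_name="HKLM"):
    """Current policy value from the registry, or None if the key/value is absent."""
    winreg, hive = _hive(hive_name)
    try:
        with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except FileNotFoundError:
        return None


def apply_policy(hive_name="HKLM"):
    """Set NoDriveTypeAutoRun to 0xFF (HKLM needs an elevated prompt).

    Explorer picks the new value up after you log off and back on (or reboot).
    """
    winreg, hive = _hive(hive_name)
    with winreg.CreateKey(hive, POLICY_SUBKEY) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, DISABLE_ALL)
    return read_policy(hive_name)


if __name__ == "__main__":
    if sys.platform != "win32":
        # Off Windows, just show what a partial value (constructed: 0x91) leaves enabled.
        print(describe(0x91))
    else:
        for hive in ("HKLM", "HKCU"):
            print(hive, describe(read_policy(hive)))
        if "--apply" in sys.argv:
            print("HKLM now:", describe(apply_policy("HKLM")))
```

Run it without arguments to audit both hives; pass --apply from an elevated prompt to set the machine-wide policy.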
Long term data storage
[Nov. 13th, 2008|03:58 pm]
I've been subscribing for several years to the theory that the best way to safely store data for the long term was to use redundant hard drive spindles and keep up with maintenance. That used to be valid, because no optical storage medium had been invented that was rated for any kind of decent long-term retention. (10 years max used to be the rule of thumb -- with no assurances whatsoever.)
Sometime in the last few years optical technology greatly improved the longevity of certain media types. I missed that . . .
So the question I started researching today was "how do I store all my family digital photos safely?"
So far it looks like (Edit: hypothetical -- they don't appear to exist yet on the market) Gold Media DVD+R is the way to go. Proper storage in a cool, dry, dark place in acid-free liners also seems to be critical.
One of the preferred SATA burners on the market for good quality burns: Samsung SH-S223F
Found several good articles on the topic, but wondering if anyone here has direct experience with this problem. If you have some tips, please post them below!
Links of worth so far:
http://adterrasperaspera.com/blog/2006/10/30/how-to-choose-cddvd-archival-media
http://www.infinite0.com/archives/99
http://www.clir.org/pubs/reports/pub121/contents.html

November 2008 Patch Tuesday
[Nov. 11th, 2008|03:22 pm]
If you're not set to use automatic updates on Windows (XP and Vista), be sure to fully catch up your patching today.
There was a super-critical out-of-cycle patch released 2 weeks ago, plus several critical patches released today.
You really want these security fixes . . . two of these vulnerabilities are being actively exploited right now.