Tuesday, August 22, 2006

Cool toy . . . NASA's World Wind

Not really security related but . . . for those into world wandering from the comfort of your office chair:

If you are a fan of Google Earth, then you may be interested in checking out NASA's World Wind open source project.

If you like what you see, and it works on your system (results vary) then definitely grab the Cache Pack and plug-ins available from the community World Wind Wiki site.

World Wind allows any user to zoom from outer space into any place on Earth. World Wind leverages satellite imagery and elevation data to allow users to experience Earth terrain in visually rich 3D, just as if they were really there. Virtually visit anyplace in the world. Look across the Andes, into the Grand Canyon, over the Alps or along the African Sahara.

Which sounds exactly like Google Earth . . . but then these details emerge:

Blue Marble - World Wind has a full copy of the Blue Marble, a spectacular true-color image of the entire Earth. Put together from data of a variety of satellites such as Terra and Aqua, the Blue Marble can be seen in all its glory at 1 km per pixel resolution. Blue Marble Next Generation is streamed from the NASA servers at 0.5 km per pixel and in 12 versions, one for each month of year.

Landsat - LandSat 7 is a collection of images from 1999-2003 at an impressive 15 m per pixel resolution. LandSat 7's resolution makes it possible to see your own city, neighborhood, or landmarks in your vicinity. Seeing the whole globe like this puts the world in context with scientifically accurate data. You can view LandSat imagery in visible colors or in False Color bands.

Highly recommended!

Edit: Ooooh, and it includes the Moon and Mars in the full install package. :grin:

Saturday, August 19, 2006

New IRS scams on the horizon

Since 2004 the IRS and Senate have been pushing new laws for approval that would allow them to outsource unpaid tax bills to private (non-government) collection agencies. In spite of resistance to the plan by the House of Representatives, it appears that the rules have been quietly approved by the Bush administration. (registration required on that last link)

In two weeks, the IRS will turn over some 12,000 names to the first three collection agencies with whom they have contracted. Approximately ten agencies in total are expected to be IRS approved by the beginning of 2008 - and they will be given at least 350,000 names.

Why is this a security related article? Because you know that the scammers and phishers will start coming out of the foul cesspools of the dark side of the Internet to try and spoof people into thinking they owe the IRS money. Of course they will make it look attractive to the victim by saying that they can reduce the tax bill if said victim agrees to send a check or credit card payment "right now" to the con artist. Meanwhile, if the victim does owe back taxes to the IRS, they will still be liable to the IRS and authorized collection agencies. Being conned does not lessen one's legal obligation to pay the correct authority.

You should know the following facts to protect yourself from scammers while staying on the legal side of the real collection agencies:

1) The approved agencies are NOT allowed to communicate with you via the Internet. No email in other words. This means that ALL emails that purport to be IRS collection attempts are automatically phishing spam and should be summarily ignored and deleted.

2) The collection agencies may not ask you to send payment directly to them. Payments to satisfy in part or whole any back taxes owed will ALWAYS be sent directly to the United States Treasury. The authorized collection agencies are not allowed to collect funds directly; they can only pester the heck out of you until you pay.

3) The list of authorized collection agencies in 2006 (for now, will expand in 2007~08):

- Linebarger Goggan Blair & Sampson of Austin, Texas

- Pioneer Credit Recovery of Arcade, New York (a division of the SLM Corporation)

- CBE Group of Waterloo in Iowa

Hope this helps someone . . .

Weekend rambling thoughts

They who dream by day
are cognizant of many things
which escape those who dream
only by night.
In their gray visions
they obtain glimpses of eternity.

- Edgar Allan Poe

Friday, August 18, 2006

Microsoft patches patch - patchy schedule announced

Apparently a flaw in the much-publicized MS06-040 Server component patch released this August is preventing some users from receiving more than 1 GB of data. It's impacting certain commercial software, like Microsoft Navision and Dynamics business applications.

This does NOT apply to 32-bit versions of Windows XP. Users of Windows Server 2003 x32, and XP x64 that deal in large file transfers or data requests might need it. Microsoft is recommending that you wait for the official release in September unless you are experiencing the problem.

If you are among the unlucky ones, get the MS06-040 "beta-quality patched patch" here - and good luck. (Windows Passport or Live login may be required.)

Additionally, there is a flaw impacting users of Windows 2000 SP-4 and Windows XP SP-1 that updated with the August MS06-042 patch which causes Internet Explorer to crash when visiting some sites using HTTP 1.1. Windows XP SP-2 and Server 2003 do not have the problem.

Microsoft plans to release the fixed version of this bug out of cycle on August 22nd.

Thursday, August 17, 2006

The worms crawl in, they don't crawl out

Please pass the message on to your friends to patch their Windows 2000, XP and Server 2003 machines. (Have I harped on this enough yet?)

You should also make sure your anti-virus solution is up-to-date and that your subscription to it is in good standing. As of this writing, only about one-third of all AV vendors have updated signatures to catch this particular Trojan. Expect the rest to be up to date within the week.

A Trojan is spreading around the internet this week that exploits unpatched machines, specifically MS06-040, the server component vulnerability. Called W32.Wargbot, IRC-Mocbot!MS06-040, W32/Cuebot-L, Backdoor.Win32.IRCBot.st or WORM_IRCBOT.JL by various AV vendors, on infection it immediately calls out over the Internet via IRC and receives instructions to download a spam bot or Trojan called Win32.Ranky.fv. Victims' machines then become mass email spam servers for a large botnet. The victim's machine also continues to check the IRC command center for additional instructions, which means that the criminal that created this mess could download almost anything, at any time, to your machine.

Silently and without your permission.

Statistics (pulled out of my rear end just now) indicate that typically only 35% of all home or small office Windows users are on Automatic Updates. The rest either update manually - but not always timely, or have never updated at all. This does not include corporate domains, where updates are generally controlled via WSUS or SMS or the like, and are tested then rolled out to end-users on their own schedule.

The potential for damage is great. See my previous posts for links to more information on how to get yourself immunized against the attack.

Tuesday, August 15, 2006

PowerPoint flaw allows remote code execution

Another reason to patch up, but if you use the default settings for Windows Automatic Updates, you may not have this fix installed yet.

This is a serious flaw in Microsoft's PowerPoint, with several Trojans exploiting it already in the wild. One of the more "interesting" flavors is Win32/Fantador.E!Backdoor [Trojan], which drops an LSP into the victim's Winsock TCP stack and allows complete remote administrative access to the system.

All versions of PowerPoint are vulnerable until patched, although Microsoft claims that the free PowerPoint 2003 Viewer does not have the flaw. So if you receive an unexpected PPT file it may be safer to open it in the viewer rather than PowerPoint.

The recommended methods to get this patch are:

Visit the Office Update site and install all available updates. You may have to go through the update process several times if you are behind on your Microsoft Office service packs. Repeat until you see that there are no remaining available updates. You may need your original office installation disks handy to successfully complete this process.

If you wish you may upgrade 'Windows Update' to the free 'Microsoft Update Service,' which turns on extended updates on the regular Windows Update site. That will allow you to install updates for Office in addition to the Windows patches from one place. Additionally - by turning on this feature - and if you use Automatic Updates, then Microsoft Office will be included in your automatic update schedule and silent downloads into the future. (Note that if you have already turned on this feature, you will only see the normal Update site when you click the link above.)

Monday, August 14, 2006

Windows flaw already under attack

"The bot, and a second variant detected Sunday, appear to use the Windows Server service flaw (MS06-040) to spread to computers that have not yet been patched for the issue. Microsoft fixed the flaw last week."

Again to all: if you have not yet verified that your Windows system is fully patched as of last week Tuesday - including the ultra-critical MS06-040 security fix - stop what you are doing and get it done now. If your automatic updates are working, then you should be okay.

The good news (so far) is that the attacks seem to be very limited in scope - not like the widespread worms that exploited past flaws.

Thursday, August 10, 2006

Homeland Security says patch your Windows (or else??)

The Department of Homeland Security released a special press release stating that everyone should apply the Microsoft MS06-040 security patch: Vulnerability in Server Service Could Allow Remote Code Execution (921883) released last Tuesday. You can also obtain that patch by ensuring you are updated via Microsoft's Express Update service.

"The Department of Homeland Security (DHS) is recommending that Windows Operating Systems users apply Microsoft security patch MS06-040 as quickly as possible. This security patch is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights.

Windows Operating Systems users are encouraged to avoid delay in applying this security patch. Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch. This vulnerability could impact government systems, private industry and critical infrastructure, as well as individual and home users."

Update 1

CNet reports: "Microsoft has seen a "very limited attack" that already used the newly disclosed flaw, the software maker said Tuesday.

Overnight, some hacker toolkits were updated with code that allows researchers to check for the flaw and exploit it, said Neel Mehta, a security expert at Internet Security Systems in Atlanta.

"This is a very serious vulnerability," Mehta said. "At the moment, this exploit is being used in targeted attacks to compromise specific systems. However, there is nothing about the nature of the vulnerability that prevents it from being used in a much more widespread fashion as part of a worm."

Update 2

It appears that Microsoft may be convinced that the next Really Big Worm - coming soon to a computer near you - will exploit this problem.

It's a good thing that many people now have firewalls that by default block ports 139 and 445. That will help reduce the propagation of any worm looking for this exploitable hole. We shall see . . .

Why commercial reviews of AV products are misleading

Windows Secrets just posted a rant about certain big-name commercial review sites and their lack of testing methodology when ranking Anti-Virus and Counter-Spyware products and suites.

One has to wonder just how objective these places are -- when they are taking huge advertising dollars from the software companies that produce the products they are reviewing?

But the real point revealed by the article is that signature based protection applications are no longer effective for zero-day attacks. And this last year, it seems that every day has been a zero day . . .

The latest greatest feature to mitigate this problem is so-called "behavioral protection." Certain AV products are adding real time analysis of suspicious actions to catch unknown viruses and malware, even before the signature is updated. Combined with signatures, this method should improve your chances of resisting attacks and new infections.

Only two products have this feature, more will have it in 2007. Those two are:

- Zone Labs OSFirewall

- Panda TruPrevent

Of note is that Zone Labs OSFirewall licenses CA's eTrust Anti-Virus as their virus component in the suite. Yet eTrust was not reviewed at all by these commercial sites. It also happens to be my personal favorite AV protection application based on real-world results for myself, my clients and my last big employer - who started using it on their entire corporate network right after they got "Blasterized" several years ago.

Wednesday, August 9, 2006

Humor: New Microsoft Bug Prevention and Correction Program (WSYP)

A little offbeat geek humor for your viewing pleasure.

Revenge of the end user?

More on the Blackberry handheld exploit


The malware researcher who announced that Blackberry handhelds could be used to gain access to corporate networks that support services for the device plans to release the exploit code to the public.

"Public" in this case means that script kiddies and online organized crime rings will most certainly pick up the code and begin to use it for their own gain. Hopefully Research in Motion will provide patches to their server products to mitigate the risk.

What should end-users do?

End users need to be very cautious about opening unexpected attachments in email received on their Blackberries - even if those attachments come from known contacts. They should also be sure that their device does not fall into someone else's hands - even for a short time, as the exploit can easily be installed with physical access to the handheld.

On the IT Admin side of the equation:

"By administering the various security tools available in its systems, IT administrators can greatly reduce the potential for any attack by banning or limiting the privileges of various types of applications, company officials said.

"I wouldn't characterize this as a flaw, but the ability to run a program on the network," said Scott Totzke, director of RIM's Global Security Group, in Waterloo, Ontario. "We have tools [that can be used] to manage and control third-party applications, and administrators can close the door to third-party applications completely, or use a whitelist approach that can allow them to be very granular in what they might allow."

So the question to all you IT folks: have you implemented strong security policies on your Blackberry servers?

Tuesday, August 8, 2006

It's that time . . .

My professional network security and computer consulting resource website is over two years old; it's stale and looks outdated. It's also not very well optimized for search engine placement. (Old theories tried and forgotten.)

I really like the look and feel of slick graphical buttons that change state when you mouse_over and on_click them. It's cool. But it's not good for my search sites, and I am losing out on traffic because I use them. Trouble is, I can't find a decent looking template for text links to pages within; they all turn out cluttered and confusing to the end-user.

One of the "modern" challenges SEO experts face is that internal site links really need to be in text for most search engines to crawl your site properly. If you use buttons, they generally (not always) skip those links. Worse, search engines give preferential treatment to longer descriptive text links like the first link above. They also seem to give higher scores for bold and heading formatted text. These tricks work great for links within the content, but not for site navigation. JavaScript and ActiveX are also out, for similar reasons. Somewhere between is a balance.

How have you solved this issue, assuming any of you have succeeded at reaching a clean looking, easily managed, slick text only navigation system that does not use graphical buttons, Java or ActiveX?

Sunday, August 6, 2006

Got Blackberry? Your network may be 0wn3d

Wired reports that Blackberry handhelds can be used as a backdoor to allow an intruder complete access to any network which "trusts" that Blackberry device.

Users of Blackberry devices should be careful about what attachments they open in their email . . .

Friday, August 4, 2006

The car of my dreams!

Oh. My. Gawd.

I am in serious lust with a cage. (Those that know me may remember that I have never lusted after anything with more than 2 wheels prior to today.)

"The Tesla Roadster has a range of 250 miles, says the company.

The Tesla's lithium-ion batteries can be raised from the dead to a full charge in 3 ½ hours. . . . Tesla will have its own portable charging pack so it won't be range-tethered to its home charging station.

Perhaps most important . . . the Tesla offers fun, in large, hair-raising voltages. The company claims 0 to 60 mph acceleration in 4 seconds and a top speed of 130 mph."

I want one!

Engineers have known for a long time now that electric motors are capable of much higher levels of torque and power than any reciprocating engine ever invented. The problem is not the motors, it's the batteries. If we ever develop a portable electrical source for vehicles, our world will change drastically.

Imagine a car with a high-power motor on each wheel. Heck, the wheel itself would be the rotor for the motor, the inside would be the stator. Done right, you would not need pressure brakes . . . it could all be done electronically, which means better braking and no worn out pads - ever again. It would be the ultimate power horse and all wheel drive.

Blog RSS feeds pose risk to subscribers

And yes! You guessed it, even more cheerful news springing forth from this week's Black Hat Conference in Las Vegas.

Turns out that several software applications that collate the popular RSS and Atom formats can pass malicious JavaScript, in some cases bypassing the local system's security settings. This allows the script to run with unfettered access to your machine. Attackers can even inject their attack code into the comments of trusted blogs!

"Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said."

( . . . snip . . . )

"A large percentage of the readers I tested had some kind of an issue," he said. In his presentation, Auger listed Bloglines, RSS Reader, RSS Owl, Feed Demon, and Sharp Reader as vulnerable. As protection, people could switch to a nonvulnerable reader. Also, feed publishers could ensure that their feeds don't include malicious JavaScript or any script at all, Auger said. Some services, however, rely on JavaScript to deliver ads in feeds, he noted. "

Do you have my stapler?

Some nights you just wander aimlessly until you find strangeness to soothe the tattered sleepless soul.

I don't know why those stupid links are so damn amusing. Are they really that funny, or am I just in "one of those funky states?"

But then . . . just as one gives up hope for one's sanity, one finds this gem on the same site.

(Warning, possible long load times for the above links.)

Thursday, August 3, 2006

It's not just Wi-Fi drivers being newly exploited . . .

Apparently hackers are going after other system drivers - although the Wi-Fi hack is still one of the more frightening applications.

Your sound, video, and network card drivers are among the next big targets. Not only that, other software agents that are frequently ignored, often unused, but generally running on a default system installation have become the focus of malware developers for the next generation of spyware, rootkits and viruses.

This is why I so often tell people to turn off unused services. Black Viper's site (mirror - his main site appears to be down) has excellent coverage of that topic.

RFID, US Passports and more paranoia

Even more Black Hat Conference goodness for you today.

Wired reports that RFID embedded passports can be cloned, compromised, snooped . . . and worst of all, used as triggers for roadside bombs intended for US passport carrying citizens.

It's enough to make me believe in tin foil hats -- for my passport!

Critical Wi-Fi driver flaws expose laptops to infection

You arrive at your favorite coffee shop, turn on your laptop and order your coffee.  You have not yet connected to the public Wi-Fi hotspot sponsored by the shop.

Suddenly the performance on your laptop drops inexplicably. When you initialize the connection to the Internet, aggressive popups begin appearing almost immediately. Or unnoticed by you, your files are being uploaded somewhere . . . and your keystrokes are being logged as you access your bank statement - even though you use a secure SSL or VPN connection over Wi-Fi.

You've just been infected by a rootkit with a nasty trojan virus piggybacked onto the payload.  And it happened right after you powered up but before you connected to the Internet.  How is this possible?

This scenario is about to come true.

A pair of hackers at the Black Hat conference in Las Vegas demonstrated just such an attack this week, highlighting newly discovered exploits in the drivers for popular Wi-Fi adapters. While their demo was conducted on a Mac Powerbook, they say that any PC with vulnerable Wi-Fi drivers is exposed to this risk. As of this writing, no fixes have been released by any of the major Wi-Fi device companies. The exploit is not yet in the wild - but it's a matter of time. Now that the possibility of this attack is known, we are sure to see it in real life very, very soon.

More information at Security IT Hub.

I will be watching this closely.

Wednesday, August 2, 2006

"The Cassini spacecraft orbiting Saturn and headed for a series of close encounters with Titan, the planet's largest moon, also appears aimed for an extended stay at the ringed planet, the mission's chief says. "

When I was a kid, I really wanted to be an astronaut.  No, really.

On my 18th birthday, I applied to the Air Force with dreams of becoming a crack pilot, which at that time was the best way to get into the space program as a flying crash-test-dummy.  Imagine my disappointment when I was informed that a) I was too tall and b) color-blind people need not apply.  Would I like a nice position in the USAF as ground crew for runway maintenance?

So I turned to computers.  Was one of the first kids in my town to have unfettered access to PDP-11 workstations at the local university.  I wrote programs that used composition rules to churn out really sick sounding computer generated music.  Vector analysis algorithms to solve stress versus force problems for my physics class.  You get the idea.  Never did get around to obtaining a CS degree (which hurt me later in corporate life).  But experience does count, and while turning a great hobby in computers into a full time career in computer security ruined a good hobby, it's been a rewarding career. 

More later . . .

The "Nigerian"-style scam letter is reborn?

Disgusting. See for yourself. :(

Beware the 'soldier' offering you riches (Seattle PI)

There appear to be no limits in the depths to which online crooks will stoop.

Social networking sites have (gasp!) open XSS vulnerabilities

Researchers at a well known anti-malware company checked out a few popular social networking sites to see how vulnerable they were. In 30 minutes they discovered more than half a dozen server side "worm-able" Cross Site Scripting (XSS) vulnerabilities.

What can end users do?

1) Patch your operating systems! Windows users should be aware that Microsoft generally releases critical updates every second Tuesday of the month. Setting your automatic updates to check once per week (the longest period you can select in the UI) is a great idea. I recommend selecting Wednesday early in the morning - before your work day starts. Leave your machine on Tuesday night . . .

2) Subscribe to good anti-virus protection

3) Subscribe to Malware/Spyware/Adware protection

AntiVirus products that tested well in recent reviews:

- eTrust 8.1 Corporate (Not the home or personal version.)

- Kaspersky

- NOD32

- F-Secure

Some not so good choices:

Symantec AV (over 30% tested infection rate with current signatures)

McAfee AV (over 33% infection rates, plus exploitable holes in their update service.)

While the two above hold the largest market share, they offer abysmal protection. They are also system resource pigs. I tell friends that ask me which engine to choose that these two products will turn a perfectly good Pentium IV machine into a PII . . .

Malware Real Time Protection - Best products in order of effectiveness

- Sunbelt Software's CounterSpy (cousin of Windows AntiSpyware Beta 1 and distant relative of Microsoft Defender Beta - but much better!)

- Spysweeper

Malware scanners

Spybot Search & Destroy

Adaware Personal

(Links from this article will open a new browser window.)