Blog Moving

This blog can be found in updated form at www.cepheus.us

Internet Security Bad Day

The Internet Storm Center went to level yellow today based on a number of fairly serious exploits, vulnerabilities, and worms roaming around the internet. This includes:

• Internet Explorer exploit on the loose (what's new?) that allows for arbitrary code execution (not good). Microsoft's original response was to disable active scripting and only surf to safe sites (to their defense, they have put out an advisory), which is not the easiest advice.
• Sendmail has put out a patch and is strongly urging users to patch their mail systems.
• Mambo/Joomla software has a worm out created to take advantages in the 1.0.7 version (the 1.0.8 patch resolves this and has been out for 3 weeks).

Windows users - keep a real eye on this. Today's proof of concept is fairly benign, but can be morphed to a more vicious exploit.

Citibank uncovers debit card fraud

Chicago Tribune | Citibank uncovers debit card fraud

Looks like Citibank has had many fraudulent losses due to lax security at some PIN based retailer or processing company. The fraudulent debit cards are being used in U.K., Canada, and Russia.

This really is not an unusual location for the transactions to occur. There is a great deal of fraud, stolen credit cards, and debit cards where either the cards get located in Eastern Europe or Central Asia.

Botnet Operator "Interview"

Invasion of the Computer Snatchers

Brian Krebs from the Washington Post has posted a great interview with a hacker that operates a botnet and takes a look at the darker sides of the internet.

Steal data, get prison time

Data thief gets eight years

The price for stealing personal data from the Axciom Corp - 8 yrs.

The scary part of the article is that this may not have been the first time it has happened to Axciom.

419 scammers caught

12 Nigerians arrested in Holland for Internet scam

Finally, 12 Nigerian 419 scammers have been arrested in Amsterdam. Supposedly, they have scammed people for over $2.4 million dollars.

What should be done with those dregs of society?

What is the liability of Financial institutions

Strict liability for data breaches?

How much protection must be taken to protect personal data by different types of financial institutions? This is an article about unencrypted data on a stolen laptop from a student loan firm.

Postage Is Due for Companies Sending E-Mail - New York Times

Postage Is Due for Companies Sending E-Mail

AOL and Yahoo apparently are looking to send out their "heavys". These two companies are proposing to have a preferred message system where the sender spends .25 to 1 cent per message to bypass the spam filters of their users. Between this and phone companies like AT&T (formerly SBC) and BellSouth which are looking for multitiered bandwidth solutions both from the end users, but also from the web providers.

All of these models go against the initial concept of the internet and the freedom of information. The internet was created to share information between universities, government entities, and other individuals. Let's hope that people react and let these providers know that this tiering and preferential treatment for those that will pay the "protection" system that this will not be acceptable on the Internet.

Illusions of Security

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

In the January 18th diary entry, Swa Frantzen gives a great diatribe about the illusion (or disillusions) that some people in the industry have about security on the Internet.

You never can be 100% assured of security. The best you can do is layer your security posture so that if one level is breached, you have several layers of protection to protect your personal data.

WMF "flaw" intentional?

Security Now! Transcript of Episode #22

Steve Gibson, in his Security Now podcast with Leo Laporte, is explaining the WMF flaw and the possibility that this was an intentional backdoor put into the system.


Update (1/20/2006) - In his episode 23, Steve Gibson backs off some of the backdoor talk and further expands on the issues (or lack thereof) in the Windows 9X line of OS.

Is WMF Vulnerabilities dead yet?

Microsoft Windows Graphics Rendering Engine Multiple Memory Corruption Vulnerabilities

Announced over Bugtraq this weekend (published today), two more functions may be vulnerable to Metafile issues.

Internet Free Speech at Risk

Create an e-annoyance, go to jail | Perspectives | CNET News.com

Could your first amendment rights be at risk on the internet? See this article about changes in federal law about "annoying" someone on the internet, you cannot do so anonymously.

I wonder if what might be the first test case and the legality could be.

Microsoft Out of Cycle Patch

Microsoft Security Bulletin Advance Notification

Microsoft is releasing (GASP Out of Cycle) MS06-001, it's fix for the WMF file issues announced last week. It is supposed to be available after 5pm ET.

DOWNLOAD IT ASAP, even if you load Ilfak's patch.

Thank you Microsoft for releasing it when testing was done, not in the regular cycle.

MetaFile Problems Continue..

The SANS Institute's Internet Storm Center (ISC) has raised the infocon level back to yellow, based on the metafile issues that were announced December 28. F-Secure has announced the discovery of using .jpeg attachments in email to propogate this virus/vulnerability and the irresponsible disclosure by FRIST.

There is a temporary patch that is being recommended by the ISC written by Ilfak Guilfanov that will mitigate the problem. The patch can be downloaded at http://handlers.sans.org/tliston/wmffix_hexblog14.exe.

You are still HIGHLY recommended to unregister the dll I listed on December 28th in addition to this patch.

SECURE YOUR COMPUTER. I will be testing it at home and will let post if there are any problems noticed.

Update - 1/3/06 - I have had no issue with the patch so far. Microsoft is scheduled to release their patch on 1/10/06, depending on the results of their testing. The patch put out by Ilfak can be easily uninstalled and should be when Microsoft releases their patch.

WMF File Exploits

The WMF file exploits are in the wild. For those who don't know what they are, a metafile is a collection of structures that store a picture in a device-independent format (according to Microsoft). Security professionals have been hearing rumors of the vulnerabilities in these metafile for probably the next month, but now the vulnerability is in the wild.

What can it do to your computer? See this link to open a Windows Movie about what happens to your computer. From what I understand, the only real way to irradicate this intrusion is to rebuild your machine.

The SANS Institute has moved their infocon level to yellow, indicating an increased vulnerability level on the internet. See the daily diary for more information.

One workaround being passed around the internet is as follows:
---
According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32

/u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
---

There still may be metafiles not associated with this dll, so YMMV.

Update - 2200 ET - Microsoft has confirmed much of this information with the following advisory: http://www.microsoft.com/technet/security/advisory/912840.mspx

RED HERRING | The Business of Technology

RED HERRING | The Business of Technology

Red Herring Magazine has their top security trends for 2006. Highlights include phishing at lower levels, worms targeting businesses, and wireless security focus.

MSNBC - Let's see some ID, please

MSNBC - Let's see some ID, please

This is an article about the possible release to consumer PC that is called the Trusted Platform Module (that will be integrated with the chipset). I have mixed feelings about this, as does the article.

However, security expert Bruce Schneier has much concern in a recent blog entry.

Tips for helping remove and or prevent spyware.

READ & RUN ME FIRST Before Asking for Support - MajorGeeks Support Forums

spyaxe removal

SpyAxe is a real pain when it comes to possible spyware/scumware. Here are some sites that might help remove this PITA.

Spyaxe removal - Tech Support Guy

Geeks to Go SpyAxe Removal

CastleCops Spyaxe Removal

Pay up or lose out

Pay up or lose out

Consumers are now beginning to be willing to pay extra for more security on important web sites, like home banking.

Microsoft Patch Cycle

Time to remember to patch your Windows PC's. Microsoft released its "Black Tuesday" Advisory for October, with 9 patches (8 for a client PC). Don't forget to patch your machines.

National Cyber Security Awareness Month.

October is National Cyber Security Awarness month. In this digital age, it is great to have as much information to keep you safe. Check out the following site for more information on a joint site with a non-profit site and DHS (or at least the cyberwing).

Stay Safe Online. National Cyber Security Alliance

California phish fighting

California Enacts Nation’s First Anti-Phishing Law

California Governor, Arnold Schwarzenegger signed a bill last week making Internet phishing identity theft scams punishable by law.

The bill is the first of its kind in the United States and makes phishing a civil offense.

Phishing is the practice of getting people to divulge personal information via email by representing oneself as a business without the approval or authority of the business. Phishing usually involves the use of legitimate banks, retailers, and financial institutions to convince recipients of bogus emails to respond.

Under the new law, victims may seek to recover actual damages or $500,000 for each violation, depending upon which is greater

Consumers Insist Financial Institutions Remain Vigilant In Protecting Their Privacy | eds.com

Consumers Insist Financial Institutions Remain Vigilant In Protecting Their Privacy | eds.com

A recent study put out by EDS shows likely implications if financial institutions are cavalier with their security and safety of private information.

GonzoBanker - Article

GonzoBanker - Article

From the Cornerstone Advisor, how one bank was able to fight and bring down a phishing site within 1 day.

PhishFighting.com - Fight back and take down the Phishers.

PhishFighting.com - Fight back and take down the Phishers.

This is an interesting site that is trying to feed as much false information to phishers. I'm going to give it a try for the next phishing email I get.

CastleCops - New Research Reveals Men More Likely to Fall Prey to Online Scams

Are men smarter online than women? A recent study says no, even though men were more aware of the issues.

TIME.com Print Page: TIME Magazine -- The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)

The Chinese are coming!!! Time had a very interesting article about an investigation about the defense of some governement research facility.

CNN.com - Worm strikes down Windows 2000 systems - Aug 16, 2005

CNN.com - Worm strikes down Windows 2000 systems - Aug 16, 2005

The sad part about this is that the patch to help prevent this had been out a week. And a simple router change would prevent much of the traffic.

One minor part - SANS is not based in Jacksonville, FL, just Johannes. It would be nice to get most of the information right, but this is CNN.

User Education Sites

You have heard all your life that education is important, and that is especially true online. You can learn about how to better protect yourself by learning what the proverbial bad guys are trying to do to get your information. There are several good sites out there that try to educate the normal user on what threats to your information exist and how you can protect yourself. These newsletters attempt to take possibly technical information and make it readable to the normal internet user. Such sites (and their associated newsletters) are as follows:

US-CERT - The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. This partnership has allowed a furthering of computer security both within the federal government and with home users as they publish threats, best practices, and other education materials. Two pages within the site have great links for educating yourself about the internet in general and the threats that have materialized. These sites are http://www.us-cert.gov/cas/tips/index.html and http://www.us-cert.gov/nav/nt01/.

SANS Institute - This computer security think tank has a philosophy of educating both the technical and non-technical with securing the internet. The Ouch! newsletter is a security awareness document that shows you how to avoid phishing, viruses, and other malware (bad programs).

Knowledge is power. The more you educate yourself online, the better (and safer) your internet experience will be.

Security still underfunded

Security still underfunded

Why is computer security still a challenge in the world. One of the leading reasons still happens to be user education (which is always a driving factor). In addition, it is still a struggle for IT departments to convince the CXO's of companies of the real ROI of computer security.

Antispyware firm warns of massive ID theft ring - Computerworld

Antispyware firm warns of massive ID theft ring - Computerworld

Sunbelt software happens to stumble on a site that had accounts for at least 50 financial institutions. Spyware had been installed on various PC's around the world and reported back to this web site.

Worm hole found in Windows 2000 | CNET News.com

Worm hole found in Windows 2000 | CNET News.com

Eeye has announced a second Microsoft Vulnerability this week (not much information), this one being "wormable" and at the core of the TCP/IP implementation (from what I understand).

Worth keeping an eye on it.

Cisco Silencing former ISS employee about possible problems with internet routers

At the Black Hat 2005 conference, former ISS employee Michael Lynn was to discuss the possible exploits of Cisco routers. The presentation was pulled by the Black Hat Organizers (particularly Jeff Moss) under threat of lawsuit by Cisco and ISS. Furthermore, they are in the process of silencing all those that might have had a mirror of the presentation (see the following infowarrior site), which basically they threatened the site operator to pull the information or face a suit himself. As the Internet Storm Center so elequently put it -

Lynn's Cat is Out of The Bag

While Black Hat may have torn out paper pages, the PDF of Michael Lynn's presentation, "The Holy Grail: Cisco IOS Shellcode and Exploitation Techniques," lives on. Given the amount of attention this thing has gotten, mirrors and links to it are now all over the place.


Shame on Cisco and ISS for their conduct to a security researcher that was discussing a possible issue that he had discovered in working for ISS that can affect much of the core of the internet. There was to be nothing in there to tell the black hats that might be attending the conference before DEFCON 2005 how to exploit it (basically, they would have to do the same research that Lynn did). Many top proponents of full disclosure (like Bruce Schneier) have railed on these companies for the way they handled the situation.

What is Cisco trying to hide...

What may happen if you don't keep up your server patches

This site has about a 10 minute "demo" on how someone may take control of your server (in this case IIS) and gain control to your internal network if you fail to keep up on your vulnerability management.

Scary Stuff.

A Chronology of Data Breaches Since the ChoicePoint Incident

A Chronology of Data Breaches Since the ChoicePoint Incident

This is a very interesting list of all the reported security breaches since the announcement of Choice Point's problems this Feburary.

Security headache for CVS customers?

Security headache for CVS customers?

According to this blog, CVS is currently pulling access to their customer loyalty card (ExtraCare) via the internet because of a security hole. CVS has 50 million of these cards out all over.

Not anything like credit cards, but still an issue none the less.

Lost Credit Data Improperly Kept, Company Admits - New York Times

Lost Credit Data Improperly Kept, Company Admits - New York Times

Apparently, there is more information about the CardSystems had not followed Visa and MasterCard Regulation in storing the data that was exposed. This included names, account numbers, expiration dates, and security codes. It also appears that a trojan program entered CardSystem's network.

MasterCard: 68,000 Customers at High Risk - Yahoo! News

MasterCard: 68,000 Customers at High Risk - Yahoo! News

An update to the story...of the 40 million cards exposed by CardSystems Solutions, about 13.9 million accounts were MasterCard. The rest are Visa, Discover, and Amex (even though Amex says this is to a lesser extent). MasterCard says that of these 13.9 cards, about 68,000 are a higher risk. A quick calculation (assuming the rate of the 1st third of the cards) yields about 200k cards being higher risk. I wonder what they consider a higher level of risk.

The card compromise affects both credit and debit cards, so I can forsee a great problem with people's checking accounts.

From what I also understand, the compromise occured when a trojan was installed on the internal network. For sensitive data, one would think they would be more diligent in preventing this situation from occurring.

MasterCard Cites Security Breach

MasterCard Cites Security Breach

Apparently, one of MasterCard's processors had a security breach, exposing 40 million credit and debit cards. Many financial institutions will have a lot of effort replacing these cards. The need for data security is quite evident these days as various companys are playing a very bad game of can you top this.

Another write up can be found at SecurityFocus.com

Threatchaos.com Gartner presentation

Richard Stiennon had a very interesting presenation at the Gartner conference this week. He is the VP of Threat Research at Webroot Software. The presentation is in the blog of his below. It basically looks at what he sees as the potential spyware threat for the coming year.

Threatchaos.com: "Latest ThreatChaos Presentation

Data at Bank of America, Wachovia, others compromised - May. 23, 2005

Data at Bank of America, Wachovia, others compromised - May. 23, 2005

Apparently, 4 Banks sold information to a collection fraudster and at least 670,000 customer infomation was stolen. Not good for the banks.

NewsFactor Network - Internet Life - Web Survey Examines 'Pharming' Trend

NewsFactor Network - Internet Life - Web Survey Examines 'Pharming' Trend

NewsFactor Network - Tech Trends - Blogs: The Next Hot CRM Strategy

NewsFactor Network - Tech Trends - Blogs: The Next Hot CRM Strategy

This article discusses how people might be using blogs to help maintain better customer service. Not necessarily a security issue, but an interesting trend.

NewsFactor Network - Enterprise Security - Phishers Using New Methods To Steal User Information

NewsFactor Network - Enterprise Security - Phishers Using New Methods To Steal User Information

TSA

Two articles below on how the TSA will begin to have airlines transmit information from confirmed passengers to check against terrorist lists, etc. The second article mentions that the TSA would also be obtaining credit card information. With the woeful history of some departments and internet security, one might wonder if that is such a great idea. And...why would the government need my credit card number????? Inquiring minds would like to know.


USATODAY.com - U.S. asks for more data on travelers

AP Report on TSA Request

InfoWorld: Holy Father on rootkit writing for fun, profit: March 16, 2005: By : APPLICATION_DEVELOPMENT : NETWORKING : SECURITY

Why do hackers do what they do? See the following article from InfoWorld with an interview with the Hacker Defender Rootkit.

InfoWorld: Holy Father on rootkit writing for fun, profit: March 16, 2005: By : APPLICATION_DEVELOPMENT : NETWORKING : SECURITY

Interesting Security Issues to watch

Two interesting stories dealing with companies and consumers reached the surface this week. The first has to deal with Choicepoint PRG, which is a company that is generally used by companies to do background checks on prospective employees among other features. Apparently, they opened business accounts to members of the criminal element, which allowed them to access a ton of information about people. Choicepoint has notified by letter 35,000 customers in California (as required by California Statue) about the possible compromise of their data. Some estimates say that as many as 110,000 people might be affected nationwide. There has been over 700 cases of identity theft because of this data compromise. The Reuters article can be found here.

The other article comes from the "You have to be kidding me file." A man in South Florida is suing Bank of America for the $90,000 in losses he incurred because of a trojan program on his computer. The trojan had a keystroke component, which allowed the program creator to gain passwords and to wire monies to Latvia. The core of the case is that B of A did not inform customers about the possibilities that this trojan may affect them. At what point is a company doing business with you responsible for disclosing the possibility that a security threat (worm, virus, or trojan) can put your data at risk, especially if the threat lives on your computer. Businesses have plenty of threats to combat without making sure that you are running anti-spyware, anti-virus, and a firewall on your personal computer. A loss by B of A in this matter might limit businesses interest in using the internet as a mode of commerce, as no one will want to accept the risk of some moron who can't keep malware off of his computer suing them for not telling him/her he should be running personal computer security software.

Gates talking about the Security Future at RSA Conference

Bill Gates said some interesting things at his keynote address at this years RSA conference.

Some of the interesting notes:

• Microsoft will keep the personal edition of its Microsoft Antispyware free.
• Internet Explorer 7 will be in beta later this summer and will be available for XP SP2 and Longhorn (when it comes out) users with a valid Microsoft License.
• Windows Update will become much more (Microsoft Update), which will incorporate a wider group of Microsoft products
• More training programs.

We'll see how this helps internet security. The first and the third initiatives will be the more important when they come out.

Symantec joins Microsoft in Patching

Symantec announces a critical flaw in its security products that can lead to compromise. The announcement is here. Make sure you are patching this as you take care of your Microsoft products.

Busy Microsoft Patching Month

Microsoft is releasing 13 patches on Tuesday. Make sure your automated updates are working. You will also likely have to visit Microsoft Office's site as well for a patch.

A reason to be aggressive against computer security threats

The Internet culture may be beginning to change. There is a story in the LA Times where some people are starting to "unplug" from the Internet because of spam, spyware, and virus concerns. It is imperative that we continue to fight and win against malicious code in order to continue to grow the usefulness of this incredible medium.

Microsoft Announces Beta for Anti-Spyware program

Microsoft is announcing their beta program for the "new" AntiSpyware program....which they obtained from buying Giant Software. I have set it up on my home PC and it seems to be pretty good so far. Quite customizable, and even found possible spyware that Spybot S&D has not found over the years I have used it. I know that Microsoft is planning to offer a subscription service with it, but between the 2 programs mentioned, it might be a pretty good combo. We'll have to see how the beta goes. Download at:
Microsoft Windows AntiSpyware (Beta) Home

Auditor Toolkit

I am testing a version of Linux that is called the Auditor Toolkit. There is an article on Security Focus that refers to it dealing with WEP insecurities. I am intrigued by this and will let you know what I think about the product.