On the Horizon

Microsoft Patch Release for February

2006-02-16T14:43:30Z

Its the second Tuesday of the month (past) and Microsoft has released more security patches. These patches target Microsoft Internet Explorer and Windows Media Player. You can read up on them here.

The patches will be released through the campus Software Update Services (SUS) in about a week, pending some testing. Once approved through SUS, campus users who have their system configured to receive them (standard thru UWin systems) should get them at around 12:00pm. Please note that you may be asked to reboot your system.

For those of you running Windows at home, it is highly recommended that you apply these patches as well. You can do this by launching Internet Explorer and selecting the Windows Update option from the Tools menu.

U.S. Justice Dept Takes Aim at Search Engines

2006-02-01T20:19:56Z

A vast majority of us use the powerful search capabilities of Google these days. But regardless of which on-line search engine you may use - Google, MSN, Yahoo, whatever - records of those searches are stored on your local system and theirs. Currently, privacy advocates in the United States are up in arms because the U.S. Justice Department is seeking access to search logs from these companies in hopes that such information may aid in investigations.

While this may or may not affect us directly, an interesting article published by InformationWeek outlines how you can protect your privacy by ensuring any web browser logging facilities on your personal computer system remain clean. In short, the article states you should:

* Remove your browser history
* Delete your web cache
* Delete your browser cookies
* Watch where you surf
* Make sure your system is clean of any SpyWare

The article explains how to do these things and even provides a link to a Microsoft utility that will do most of this for you in one swipe (for Windows XP users).

Blackworm / Blueworm Warning

2006-01-27T14:55:23Z

There are many variations of this identified virus, but what is most definate is the fact that it is dangerous. If the Blueworm sucessfully penetrates your system, it will sit dormant until February 3, when it will begin overwriting files at random.

It is propogated via E-Mail as an attachment and carries one of the following extensions: pif, scr, mim,uue, hqx, bhx, b64, and uu.

TSC takes every precaution to ensure mail entering campus systems is as clean as we can make it. What you can do to help us though is to use judgement when receiving attachments via E-Mail. Make sure the mail you open is from a known and trusted source, and even then, question that. For your system at home:

- Make sure your Anti virus software is updated
- Watch those attachments coming in - seriously question those attachments with the above listed extensions
- Delete E-Mail that you question

More information about the Blackworm / Blueworm virus is available at the following links:

http://www.lurhq.com/blackworm.html

http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=blackworm&alt=blackworm&Sect=SA

Windows .WMF Vulnerability - Updated

2006-01-03T21:07:04Z

Update - Jan 6

Microsoft has released the .WMF patch early. For those of you running Windows 2000 or greater at home, you can manually download and install the patch from the following url (you will have to reboot your system):
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

Reports are that the patch is also available through Windows Update as well. Campus systems will be receiving the patch through the automated Software Update Services (SUS).

For those of you using laptops and plan to take your systems off campus are urged to run WIndows Update to ensure you get all updated patches prior to leaving the campus. A copy of the patch is also available through the MyUWinnipeg Portal under Faculty Staff Pages > Trend Anti Virus Software

*******************

On December 28, Microsoft released an advisory outlining a previously unreported vulnerability in the way Windows deals with image files. Malicious code to exploit this vulnerability has already been released and is appearing on a variety of web sites. Trojans are also being distributed via E-Mail as attachments.

More information on this '0-day exploit' can be found on Microsoft's web site here. There is currently no patch available for this vulnerability, although one is expected to be released on January 10.

Microsoft has been working with Anti virus companies to minimize the impact to Windows users. As such, several varients of Trojans that exploit this flaw have been identified and cataloged. At a bare minimum, it is recommended that all users ensure their systems have updated Anti virus pattern files. For Trend Micro OfficeScan users:

- Alternate mouse-click on the Trend Micro OfficeScan Taskbar icon (the blue circle) and select 'Update Now!
- Select 'Update Now' in the Settings box
- Be patient as OfficeScan verifies the pattern file versions

For other Anti virus software, follow the manufacturers recommendations for downloading and installing pattern file updates.

VirusTotal Online Service

2005-12-21T15:41:01Z

Keeping the topic on viruses and malware, an Internet service known as VirusTotal allows you to upload files you think may be suspicious and the service will scan them using a variety of different anti virus engines and report on the results.

There are currently over 20 engines from the major anti virus companies used by this free service, so you will get very good coverage. Other forms of malware like Spyware would also be covered since many of them are supporting that in their mainstream products. So, if one engine doesn't know about the suspicious file, the others just might.

Common Malware Enumeration

2005-12-16T15:02:27Z

Supporters of the popular Common Vulnerabilities and Exposures database (CVE) have expanded to include organizing the many different faces of viruses and malware. In conjunction with US-CERT, Mitre has formed the Common Malware Enumeration Initiative (CME), who will organize the indentifiations each anti-virus manufacturer places on viruses and malware. CME will designate a number to each piece of identified malware and cross-reference it between those anti-virus companies who participate in the initiative.

This will be an excellent reference point for consumers and professionals alike who need to cross-reference virus names between anti-virus vendors. For example, one of the many varients of the Zotob worm that takes advantage of a Microsoft Windows Plug and Play vulnerability is listed as "WORM_ZOTOB.F" by Trend Micro. Yet, McAfee lists the same varient as "W32/Bozori.worm.b"; Symantec as "W32.Zotob.F", and Computer Associates as "Win32/Zotob.F!Wor".

CME will lump all these disparate names together and provide a cataloged number, like CME-15.

So, you can see the advantages of doing such a thing. I tip my hat to Mitre for making this happen!

Things that have no relevance to work whatsoever

2005-12-14T21:20:35Z

Thought I would take advantage of this service to post some non work related stuff on the off-chance it might be of interest to someone. Posts in this area will appear during breaks through the working day.

Monthly Microsoft Patch Release

2005-12-14T17:27:15Z

Microsoft has released its monthly patches yesterday. They include a cumulative update for Internet Explorer and one pertaining to the operating system kernel. You can go to the TSC IT Security web site to view more information.

Here on campus, Microsoft patches are released through the local Software Update Services (SUS). Those with UWin Project systems that have been deployed by TSC should already be configured to receive them. To get more information on how SUS works follow this link. Please note that we wait at least one week before deploying patches through SUS - sometimes longer.

For those running Windows at home, it is strongly recommended that you update your systems. Here is a link that will tell you how.

DRM, Sony, and You - Part 1.2

2005-12-09T19:33:48Z

Back in November, I posted to the local noticeboards a short article regarding Sony, Digital Rights Management (DRM) and stealth-like software the company decided to incorporate into some of their CD products. It seemed to spark the interest of many, and a few even responded to me off-line (thanks for reading by the way).

Much has happened since my initial post that I thought would be of interest to you. But first, a quick rundown:

Stealth-like software otherwise known as a 'rootkit' was identified by a security expert when he decided to play a Sony/BMG labeled CD on his computer. This rootkit installed itself on his system once he acknowledged a 2000+ word End User License Agreement (EULA). On discovering the rootkit, he found it was nearly impossible to remove without breaking portions of the operating system.

He reported it in his blog, and it literally exploded from there. Sony faced pressure from a very wide audience on different fronts including class-action lawsuits being filed in California and Texas. On top of this, virus writers took advantage of the rootkit's stealth-like ability and created malware to circumvent Anti Virus software products.

Since then, Sony has done some major back-peddling, including stopping the shipment of rootkit-embedded CD's, pull existing product off shelves, and even release a patch to fix systems already infected with the rootkit. Unfortunately for most, this patch was found to introduce more vulnerabilities than it tries to close. Had Sony responded to this issue when they were initally told by security company F-Secure, all this may have been avoided.

The good news (if there actually is good news in this mess) is that Intel is working on technology that would identify hostile code such as rootkits trying to install themselves and report it to the user. It's possible that said technology could be incorporated at the hardware level, bypassing the software layer entirely. Certainly sounds Interesting, but does this open up a new can of worms for the average computer user?

Tips for Safe On-Line Shopping

2005-12-05T22:57:06Z

It's the beginning of the Christmas shopping season, and many of you may be considering doing some of your shopping on-line. While this in itself is nothing out of the ordinary, we must take extra precautions with regards to who it is we are dealing with and how we deal with them. Bankrate has an article outlining tips on how you can ensure your on-line purchases are the 'right' ones. In short:

* Deal with sites you know
* Confirm on-line companies are legitimate by calling them
* Ensure your web transactions are using secure communications - ones that you can verify
* Perform on-line transactions using systems you know and trust to be clean of viruses and malware
* Use a credit card or an escrow service when doing on-line transactions
* Trust nothing you hear and only half of what you see!

Phishing Gets Trickier

2005-12-05T22:39:07Z

In the past, I have posted information relating to a social engineering tactic called 'Phishing'. Many of us have seen examples of Phishing attempts through our E-Mail system. I posted an example of one such E-Mail here.

Security experts are now beginning to lean on a less known but more effective attack vector loosely referred to as 'Spear Phishing'. Spear Phishing takes the standard mass-mailing, mass-user capturing of normal Phishing techniques and makes it "personalized". This means that E-Mail coming into your mailbox or through a messenger service could be customized with logos you recognize and calling you by your formal name.

The New York TImes has a very interesting article describing Spear Phishing and tells the tale of a person in Israel who fell victim to a very elaborate scam.

SANS Top 20 Vulnerabilities

2005-12-01T21:33:30Z

The mother of all security resources, the SANS Institute, has released the latest top 20 vulnerabilities for 2005. In a bit of a twist, they expanded things to include major applications like browsers and Anti virus programs, rather than focusing just at the operating system level.

The web page provides references to the Common Vulnerabilities and Exposures (CVE) database with recommendations on how to close these vulnerabilties. An excellent reference for all system and network administrators to view.

Mac OS X Multiple Vulnerabilities

2005-11-30T15:32:26Z

Apple has released patches that target a variety of known vulnerabilities for the OS X operating system. In short order they target vulnerabilities in:

* Apache2
* Apache mod_ssl
* CoreFoundation
* NT LAN Manager authentication
* ODBC Administrator utility
* OpenSSL
* Passwordserver
* PCRE
* Safari
* JavaScript via Safari
* WebKit
* sudo
* syslog

As you can see, there's a lot there. Apple has posted the advisory here with patches available to all iterations of OS X.

Your Cellphone Records are Available to Anyone

2005-11-28T15:47:04Z

I was simply floored when a co-worker sent me a link to a MacLeans web article explaining how they were able to acquire the cellphone listings of the Canadian Federal Privacy Commissioner. It appears that for a few bucks, you can get the phone listings for just about anyone who uses a cellphone - no matter what company they subscribe to.

Many may not think this is too horrible a thing. After all, who would really care what pizza place I ordered from or what tow truck company I had to get when my car broke down? But if I worked as an executive at a private firm who was working on say, an acquisition, this information could prove very valuable to my competitors.

This strikes right at the heart of the confidentiality issue. If I use a cellphone to make confidential calls, I cannot assume that my phone records will remain private.

PHP Security Reference Material

2005-11-25T20:52:48Z

A fellow security representative at another university posted valuable reference information relating to PHP security. People coding PHP and Administrators who incorporate PHP into web services will find the following links handy and very informative:

PHP Net - Main Guide
http://www.php.net/sites.php

PHP Advisory
http://www.phpadvisory.com/

Hardened PHP Project
http://www.hardened-php.net/

PHP Security Resources
http://www.phpwact.org/security/web_application_security

Secure Programming in PHP
http://www.zend.com/zend/art/art-oertli.php

Recommended Book - Pro PHP Security
Chris Snyder, Michael Southwell
Apress, Paperback, Published August 2005, 528 pages, ISBN 1590595084
http://www.bookpool.com/sm/1590595084

Acutenix Trial Vulnerability Scanner
http://www.acunetix.com/vulnerability%2Dscanner/

I used the Acutenix web scanner before and found it to be an 'ok' product.