My Security Blog

Must Have Security Solutions (for free)

2008-02-27T18:51:00.004+05:30

I get this question a lot! preety much all the time! "I have a New PC What should do to keep it Secure" or "What should I do to keep my PC Secure" So Here are a some must have security solutions that don't have any performance drag and memory use even when all of them are running at the same time oh and did i mention they are all free. Remember Security for PC is to give you good computing experience, being paranoid and installing many security solutions just causes system drag doesn't help!

Avira Antivir
Top Rated AntiVirus, over 30 million users, Free for Personal Use.
http://www.free-av.com/

Threat Fire
Fills in the gap where conventional AntiVirus fails! Ideal protection against 0-day attacks
http://www.threatfire.com/

Windows Defender
Kool Antispyware from Microsoft Free (Preinstalled in Vista)
http://www.microsoft.com/athome/security/spyware/software/default.mspx

SpyBot S&D Resident or WinPatrol (AntiSpyware)
Both do little or more the same thing has good features a must have!
http://www.safer-networking.org/en/index.html
http://www.winpatrol.com/

Sunbelt Personal Firewall (Previously known as Kerio Personal Firewall)
Just like Windows Firewall this too doesn't slow your connection or speed but gives more features and options.
http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/

Comodo Memory Firewall
Buffer Overflow Protection for all the programs running on your Memory.
http://www.memoryfirewall.comodo.com/

Sandboxie (Run in a Sandbox) or BufferZone Free Protection (Run in a Virtualized Environment)
Run Isolated to System, Restrict Access to System Processes and Environment or Run in a virtual Environment good where Sandboxing fails if the application requires System Services or if you think the sandbox is slowing the operations.
http://www.sandboxie.com/
http://www.trustware.com/virtualization/free.html

Happy & Safe Computing..

Goolag Scanner Released!

2008-02-21T17:13:00.000+05:30

Is this Good or Bad ??? much to debate and surprise, think this would be a good thing. Yep! good thing for everyone who own's a website that's pretty much everyone i know, lol.. "how can this be a good thing ?" use this tool to audit your websites and fix stuff before that information is used to bring the site down.

Released by CULT OF THE DEAD COW (cDc), one of the world's largest hacker group, Goolag Scanner is a web auditing tool. Goolag Scanner enables everyone to audit his or her own website via Google. The scanner technology is based on "Google hacking," a form of vulnerability research developed by Johnny I Hack Stuff. You will be surprised what all could be found about a website via google.

Google Hacking Database [ http://johnny.ihackstuff.com/ghdb.php ]

Goolag Scanner [ http://www.goolag.org/download.html ]

This database has long helped Admin's to better secure their websites. similar books from publishers resulted in best sellers, hoping this scanner would run on similar tracks helping even the end user with little knowledge to better manage their websites.

Review: First off an interesting installation voice supported, I scanned a few of my Websites and found no problems, Yappy!! (All those installations and customizations and tweaks did help lol..) The scanner scans for over a 1400 issues including starting from vulnerabilities, installations to error message listings, be warned if you select to run all the tests at once the extensive use of google can result google detecting your activity as that of a bot, not much of a problem you just need to prove Google that you are not a bot enter a few letters from a pic to unblock and continue but at the end of all this you rest assured that your website is safe from almost 1400+ hacks methods and vulnerabilities. or you know what to fix atleast. funny i expected this tool to have an update feature still in beta may be in future versions.

Change DNS ? for a Safer, Faster Online Experience

2008-02-20T20:51:00.001+05:30

OpenDNS is the world's largest, Free DNS service provider. Millions use it to handle their DNS and Web-content filtering needs. And how Complex is this ? its dead easy! just change your DNS and you are done. Yes its that easy. Configure it to your PC, Router or use it with your existing DNS Servers. It also keeps you safe from all those Phishing Sites too.. Using Phishtank (www.phishtank.com), a free online community where one can submit, verify, track and share phishing data, Want more, you can also filter out adult sites and proxies among more than 40 categories, and provide the precision to block individual domains (content filtering), And its faster than your ISP's DNS servers too.. Great for Schools, Organizations, etc., or for Personal use.. Check out there HUGE list of Subscribers and testimonials..

Faster! Safer! What are you waiting for ? (https://www.opendns.com/start)

208.67.222.222
208.67.220.220

New Theme (*Garland)

2008-02-12T07:02:00.001+05:30

Love this new theme took me a lot of time to fix it, My New Theme Rocks!!!

Iconix eMail ID!

2006-07-30T22:41:00.000+05:30

just came across this software found it to be interesting, wud put out my review soon until then chk it out its free no harm done in being more secure! sadly only supports IE & FF hoping Opera support soon.

ICONIX: Tired of trying to figure out which email messages might be phishing or fraudulent spam? Iconix eMail ID lets you see what's real before you even open the message. Iconix eMail ID works with your email program and double checks the source of a message to make sure it's not a spoof. It then uses a simple visual indicator in your inbox - a gold lock with a checkmark to show that a message is real. E-mail from over 300 major senders is currently identified--companies such as eBay, PayPal, Citibank, Amazon.com, Expedia, MySpace, and the New York Times represent the top online sites for retail, travel, auctions, banking, e-cards, news/entertainment, and dating. Version 3.15.16 added support for Mozilla Firefox and Internet Explorer 7.0 beta 2.

http://www.download.com/Iconix-eMail-ID/3000-2382_4-10554745.html

"Computers are incredibly fast, accurate and stupid; humans are incredibly slow, inaccurate and brilliant; together they are powerful beyond imagination." -- Albert Einstein

SQL Injection Scanner

2006-06-10T10:34:00.000+05:30

Finally found a sql injection scanner that would help u secure ur sql better by listing out its vulnerabilities. you can download a free trail or request a free security audit. the service scans for SQL Injections, Cross Site Scripting and other Web Vulnerabilities [ SQL Injection is a hacking technique which modifies SQL commands in order to gain access to data in the database. Cross site scripting attacks allow a hacker to execute a malicious script on your visitor´s browser.] other vulnerabilities it scans for:

CRLF injection attacks
Code execution attacks
Directory traversal attacks
File inclusion attacks
Authentication attacks
& More…

Resources:

Read whitepapers & articles about Web application security

SQL injection : SQL injection is a hacking technique which attempts to pass SQL commands through a web application for execution by a backend database.
Cross site scripting : Cross Site Scripting (also known as XSS or CSS) generally occurs when a dynamic web page gathers malicious data from a user and displays the input on the page without it being properly validated.
CRLF Injection : A CRLF Injection occurs when a hacker manages to inject CRLF Commands into the system.
Directory traversal : Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
Authentication hacking : Authentication hacking is a term used when the attacker breaks into the system by proving to the application that he is a known and valid user, the attacker gains access to whatever privileges the administrator assigned that user.
Google hacking : Google hacking is the term used when a hacker tries to find exploitable targets and sensitive data by using search engines.

A Must Audit for all Web Apps!
www.acunetix.com/sql-injection/

Symantec confirms vulnerability in antivirus software

2006-05-27T16:05:00.000+05:30

Symantec confirmed Friday afternoon a vulnerability in its Antivirus Corporate Edition software that had been discovered by security firm eEye. According to the company, a successful exploit of the flaw could "potentially cause a system crash, or allow a remote or local attacker to execute arbitrary code with System level rights on the affected system."

At this time, Symantec has only issued IDS signatures that will be able to detect attempts to exploit the vulnerability. Network Security Appliance 7100 signatures (SU 46), Gateway Security 3.0 signatures (SU 19) and Client Security 2.0 and 3.0 signatures (SU 22) have been made available via the software's live update feature.

The company recommends that customers adjust their software policies as long as the flaw is exposed to a potential exploit. Specifically, the firm said that companies should restrict access to administration or management systems to privileged users only, keep all operating systems and applications updated with the latest vendor patches and "run both firewall and antivirus applications, at a minimum to provide multiple points of detection and protection to both inbound and outbound threats."

Symantec also said that users should "be cautious visiting unknown or untrusted websites or following unknown URL links" and should not "open attachments or executables from unknown sources."

Symantec Anti Virus Software Flawed !!!

2006-05-27T04:33:00.000+05:30

A flaw has been detected in Symantec's leading anti-virus software AGAIN!, by researchers from eEye Digital Security.

The anti-virus software, Symantec 10.x, which protects some of the world's largest corporations and US government agencies, suffers from a flaw that lets hackers seize control of computers to steal sensitive data, delete files, or implant malicious programs.

Symantec is investigating the issue, but could not immediately confirm the vulnerability. However, if confirmed, the threat to computer users would be severe because the security software is widely used, and because no action is required on the part of victims to bring on the attack.

Symantec says it has these anti-virus products installed on more than 200 million computers. Meanwhile, a spokesman for the company said that it is examining the reported flaw, but described the flaw as so new that the company does not have any details on the same.

Researchers at eEye Digital Security have said that the vulnerability is capable of being exploited by remote hackers to take complete control of the target machine, "without any user action". eEye Digital has published a note about the discovery on its Web site, but has pledged not to reveal details until after Symantec repairs the flaw, as this would help hackers attack Internet users. eEye Digital has posted a brief advisory to raise alarm about the bug, which can allow execution of malicious code with system-level access. The flaw carries a "high risk" rating because of its potential for serious damage.

Meanwhile, the flaw happens to come at a very awkward time for Symantec. John Thompson, chief executive, Symantec just recently campaigned to convince consumers to trust Symantec and not Microsoft for protecting their personal information, he he he lol…

Security in the CLR World Inside SQL Server

2006-05-26T07:25:00.000+05:30

Is running ।NET Framework code within SQL Server 2005 exciting or a threat? Which is it? This article explores the security issues of SQLCLR code so that both developers and DBAs can make informed decisions about its use.

One of the major benefits of writing .NET code to run in the Common Language Runtime (CLR) hosted in any environment is code access security (CAS).

CAS provides a code-based rather than user-based authorization scheme to prevent various kinds of luring and other code attacks. But how does that security scheme coexist with SQL Server 2005's own, newly enhanced security features? By default your .NET code is reasonably secure, but it's all too easy for the two security schemes to butt heads and cause you grief. In this article I'll look briefly at the concept behind CAS and a few new security features in SQL Server 2005, then explore how to make the two systems work for you instead of against you as you take advantage of these advanced programming features in SQL Server.

The good news is that Microsoft did a great job bringing together the security systems of SQL Server and the Common Language Runtime, with tools to control code. But there are some interesting features—both to watch for and to take advantage of!

Don Kiely gives a complete detail about and how to secure ur SQL Server, chk it out।

Page 1: Introduction
Page 2: Securely Hosting SQLCLR Code

Page 3: SQL Server-Level Security
Page 4: SQLCLR Permission Set Levels
Page 5: Accessing External Resources
Page 6: It's Secure Enough

New Yahoo IM Worm Poses as 'Safety' Browser

2006-05-23T09:30:00.000+05:30

Security researchers have identified a new worm spreading across Yahoo's instant messaging network that has been cloaked under the guise of a "safety" browser in an attempt to dupe users.
The worm (named yhoo32.explr) installs a piece of software called 'Safety Browser' and then hijacks the Internet Explorer homepage, leading users to a site that puts spyware on their PCs.

Because Safety Browser uses the IE icon to identify itself, users can easily mistake it for the legitimate Internet Explorer. This is the first recorded incidence of malware installing its own web browser on a PC without the user's permission, according to security firm FaceTime.

The self-propagating worm spreads the infection to all contacts in Yahoo! Messenger by sending a website link that loads a command file onto the user's PC and installs Safety Browser.

"This is one of oddest and more insidious pieces of malware we have encountered in years," said Tyler Wells, senior director of research at FaceTime Security Labs.

"This is the first instance of a complete web browser hijack without the user's awareness. Similar 'rogue' browsers, such as 'Yapbrowser,' have demonstrated the potential for serious damage by directing end-users to potentially illegal or illicit material. 'Rogue' browsers seem to be the hot new thing among hackers."

Iskorpitx Strikes Again

2006-05-19T06:43:00.000+05:30

Type the word "Iskorpitx" into Google, and see what you get. Exactly the same word spit back at you, except from any number of different sites. That's because Iskorpitx is the handle of a hacker who recently committed the biggest hacking incident in web-hosting history. Those search results are the graffiti he left.

Thought to be a 45-year-old Turkish man, Iskorpitx successfully hacked at least 21,549 sites at once (a tally is still being made-expect the final count to be much higher), defacing pages on all of them. His signature included a Turkish flag, his handle and country of origin, and several repetitions of the "f***" next to the names of France, Greece, and Armanian [sic].

As one might imagine, this has upset quite a few people. A brief glance at the list of sites Iskorpitx affected shows the domains .org, .net, and .com, indicating a probable lack of aim or distinction on his part.

Iskorpitx has quite a reputation for this sort of thing. Since 2003, he's hacked an estimated 117,000 websites, not even including this latest round, and some of those were the sites of his own country's government.

The Turkish hacker seems to have ignited some sort of passion for the activity in his country. In recent months, more than 50 percent of notified defacements appear to have originated from Turkey. Brazil was formerly the most prominent home of these sorts of hackers.

It remains unknown whether the most recent attacks where made at the root or webserver level. Iskorpitx executes his hacks by creating subpages, regardless of what authorization level he achieves on the servers.

Iskorpitx's motivations are unclear. Although many of the Turkish hackers have religious agendas, he does not seem to share them. Whatever his reasons or inspiration, Iskorpitx is acting as a massive nuisance throughout the Web.

Via Doug Caverly.

Alert! Spoofed Symantec Email Disables Anti-virus Updates

2006-04-20T20:33:00.000+05:30

Symantec has been spoofed in the form of a high risk malicious email which looks like a Symantec Virus advisory, but actually disables anti-virus updates.

The email contained a "From" address that said it was from Symantec's Norton Anti-Virus division. The message said that the user's computer was infected with a virus called w32.aplore@mm. The user was then directed to a link that was supposed to dispose of the infection, but instead downloaded an executable file that disabled updates.

The malicious file was located on a free hosting service but the Web site mirrored a Symantec update site. The spoof was discovered by security company SurfControl.

Demand For Secure Web Environments For Kids Rises !!!

2006-04-18T11:30:00.000+05:30

With all of the recent MySpace controversy about children using it and attracting predators and whatnot, there is a growing demand from parents to have a more secure web environment for their kids.

Another driving factor for the demand is the fact that kids can write things that they may regret years later when their words are still on the web.

At least 2 companies have recognized this demand and are working to fill it. One is called Industrious Kid, and will be a "self-contained" site for kids to interact with each other. To sign up, parents will have to use their credit cards even to access free areas of the site.

The second company is called netTrekker, and it aims to protect kids from inappropriate content when searching online. Its search engine has been around since 1999 and has been primarily used in schools as its results have been approved by a large group of educatrors. Now it is available for home use as well.

With both netTrekker and Industrious Kid, it is up to the parents to sign up for the services. Provided that they work as they're supposed to, some concerns may be alleviated.

via Chris.

IE Cumulative Security Update Issued !

2006-04-12T13:09:00.000+05:30

Microsoft issued a cumulative security update for Internet Explorer, replacing several earlier security updates. Rated: Critical

The update replaces a February 28th cumulative update affecting Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition family, and Windows Server 2003 with Service Pack 1 for Itanium-based Systems.

Along with the update, Microsoft released a compatibility patch for Enterprise users who require more time to prepare for the Active X update. The compatibility patch will function until a subsequent Internet Explorer update is available in June. The changes made to Internet Explorer in relation to Active X will become permanent after the June update. A complete list of affected software and software components are available at the Microsoft bulletin page. Updates can be downloaded there as well.

Go directly to download page…

IE Address Bar Spoof Discovered!

2006-04-11T23:10:00.000+05:30

An address bar spoof can be conducted by a malicious phisher taking advantage of a race condition in Internet Explorer.

The Secunia security advisory website advised IE users of a moderately critical vulnerability in the browser. Secunia created a test that can show if the user's browser is vulnerable.

IE 6 on fully patched Windows XP SP1/SP2 machines, and the IE 7 Beta 2 preview (March edition) demonstrate this vulnerability. In my testing, the vulnerability was present on IE 6, but not in Firefox 1.5 or Opera 9 TP2.

Like a previously reported critical issue about IE, Secunia noted that users can disable Active Scripting in the browser until Microsoft releases a patch. Secunia provided more details and a link to the test demonstrating the vulnerability:

The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.

- Display of a spoof vulnerable IE -

- Display of a spoof proof IE -

This is how your browser should look like! Check your browser!

Secunia has constructed a test, which can be used to check if your browser is affected by this issue: Click Here to Test your Browser!

Verify:

If u have doubts on a certain page u are browsing thru and wish to verify if its legitimate or not here’s somethin u can do ! just copy the code below and place it on the address bar u are viewing the page of doubt hit enter that will display the original page location!

<copy>
javascript:alert("The Real URL address: " + location.protocol + "//" + location.hostname + "/");
</copy>

Fix / Solution :

if u want a tool that can alert you wen there is a spoof like this then use the following toolbars they come in different flavors for different browsers :)

http://toolbar.netcraft.com/
http://toolbar.trustwatch.com/
http://www.corestreet.com/spoofstick/index.html
http://pages.ebay.com/toolbar/accountguard_1.html
http://addins.msn.com/addins_category_toolbar.aspx

Microsoft Says Recovery from Malware Becoming Impossible !

2006-04-05T02:28:00.000+05:30

In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference. Offensive rootkits, which are used hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast," Danseglio added.

Danseglio, who delivered two separate presentations at the conference—one on threats and countermeasures to defend against malware infestations in Windows, and the other on the frightening world on Windows rootkits—said anti-virus software is getting better at detecting and removing the latest threats, but for some sophisticated forms of malware, he conceded that the cleanup process is "just way too hard."

Microsoft says stealth rootkits are bombarding Windows XP SP2 machines. Click here to read more.

"We've seen the self-healing malware that actually detects that you're trying to get rid of it. You remove it, and the next time you look in that directory, it's sitting there. It can simply reinstall itself," he said.

"Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background."

He recommended using PepiMK Software's SpyBot Search & Destroy, Mark Russinovich's RootkitRevealer and Microsoft's own Windows Defender, all free utilities that help with malware detection and cleanup, and urged CIOs to take a defense-in-depth approach to preventing infestations.

Are virtual machine rootkits the next big threat? Click here to read more.

Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that the for-profit motive is much more serious than even the destructive network worms of the past. "In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money.

"At Microsoft, we are fielding 2,000 attacks per hour. We are a constant target, and you have to assume your Internet-facing service is also a big target," Danseglio said.

Trojan Holds Data for Ransom

2006-03-23T05:47:00.000+05:30

If you're the unlucky victim of a new Trojan making the rounds, it'll cost you $300 to get your data back from the Trojan's author.

As of press time the Trojan did not yet have a common CME identifier. It is currently known as cryzip by LURHQ, Symantec, McAfee and Trend Micro. Kaspersky calls it Zippo and Panda Labs calls it ZippoCryptor.

Once infected, the Trojan encrypts a user's data in a password-protected zip file. In addition to the inaccessible files, the victim is left with a ransom note in a file titled "AUTO_ZIP_REPORT.txt."

The file starts with the words, "INSTRUCTIONS HOW TO GET YUOR FILES BACK READ CAREFULLY." According to LURHQ, the typo-rife ransom note continues: "Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enough password."

The note warns users not to attempt to crack the password on the compressed zip files. The only way to get the data back, it says, is by sending the "ransom" to an E-Gold account, apparently operated by the Trojan's author.

According to security firm LURHQ, a random E-Gold account number is automatically inserted at the top of the ransom note from an embedded list.

"By operating many accounts simultaneously, the Trojan author is betting that even if E-Gold shuts down some of the accounts, he/she will still receive payment on some of the others," LURHQ's advisory states.

So far, the Trojan does not appear to be widespread. McAfee, Panda Labs and Symantec have given it a low-risk assessment and all have issued updates to its malware definition files to identify the Trojan.

It could always be worse.

Though the cryzip Trojan may make a victim cry, at least it doesn't berate victims like last year's Cisum.A virus did.

Microsoft Application Threat Modeling!

2006-03-13T14:20:00.000+05:30

Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

- Data access control matrix
- Component access control matrix
- Subject-object matrix
- Data Flow
- Call Flow
- Trust Flow
- Attack Surface
- Focused reports

Download Microsoft Threat Analysis & Modeling v2.0 BETA2

Download A video introducing the Microsoft Application Threat Modeling process and The Microsoft Threat Analysis & Modeling v2 tool.

10 Immutable Laws of Security

2006-02-23T19:37:00.000+05:30

If an attacker can persuade you to run his program on your computer, it is not your computer anymore
If an attacker can alter the operating system on your computer, it is not your computer anymore
If an attacker has unrestricted physical access to your computer, it is not your computer anymore
If you allow an attacker to upload programs to your Web site, it is not your Web site any more
Weak passwords prevail over strong security
A computer is only as secure as the administrator is trustworthy
Encrypted data is only as secure as the decryption key
Out-of-date antivirus software is only marginally better than no antivirus software at all
Absolute anonymity is not practical in real life nor on the Web
Technology is not a panacea

Source : Clinic 2801 // microsoftelearning.com

Attack code out for latest Microsoft flaw

2006-02-17T05:43:00.000+05:30

Actually the heading should be Attack code out late for Microsoft flaw Why ? microsoft patched that flaw 2 days earlier cheers!

Two examples of computer code that exploit a flaw in Windows Media Player have become available only days after Microsoft released a patch to fix the bug.

The "proof-of-concept" exploits that take advantage of a flaw in the media player were posted on the Web over the past couple of days. The flaw, rated "critical" by Microsoft, could enable an attacker to seize control of a vulnerable computer system. The appearance of proof-of concept code is usually a sign that actual attacks are not far off. Microsoft, when it released its patch Tuesday, urged users to upgrade their systems as soon as possible.

Microsoft recently issued patch MS06-005 as part of its monthly security update. The vulnerability in Windows Media Player can compromise a system through malicious images embedded in the player.Versions of Windows Media Player affected by the bug include 7.1 through 10. The vulnerability was also tagged as "critical" by the French Security Incident Response Team, or FrSIRT, a research outfit that published one of the two exploits.

Microsoft announced the release of seven fixes on Tuesday, including a "critical" patch for a Windows Meta File vulnerability in Internet Explorer. It exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in the security advisory.

Windows Defender Out!

2006-02-14T16:16:00.000+05:30

wondering what is it ??? Its the transformation of microsoft antispyware (GAINT) to Beta2! so what are u waiting for ? install now! [25 million subscribers!] Microsoft will continue beta1 support till june’06

Here is a comparision chart of windows defender to other microsoft security software.

The New Face of Phishing !!!

2006-02-14T05:23:00.000+05:30

Phishing is a difficult enough form of fraud to avoid for most computer users, but when some of the biggest names in the financial industry fail to do their part to detect and eliminate these online scams, consumers often are placed in an untenable situation.

Case in point: A source recently forwarded a link to one of the "best" phishing attacks I've ever seen. This one -- targeting the tiny Mountain America credit union in Salt Lake City, Utah -- arrives in an HTML-based e-mail telling recipients that their Mountain America credit union card was automatically enrolled in the Verified by Visa program, a legitimate security program offered by Visa that is supposed to provide "reassurance that only you can use your Visa card online."

The fake MountainAmerica.net Web site

The e-mail includes the first five digits of the "enrolled card," but those five digits are found on all Mountain America bank cards, so that portion of the scam is likely to be highly convincing for some recipients. The message directs readers to click on a link and activate their new Verified by Visa membership.

Now here's where it gets really interesting. The phishing site, which is still up at the time of this writing, is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust. SSL is a technology designed to ensure that sensitive information transmitted online cannot be read by a third-party who may have access to the data stream while it is being transmitted. All legitimate banking sites use them, but it's pretty rare to see them on fraudulent sites.

The SSL Certificate issued to Mountain-America.net

Geotrust and other SSL issuers are supposed to do some basic due diligence to ensure that the entity requesting an SSL certificate is indeed authorized to request it on the company's behalf. In this case, however, it looks like that process fundamentally broke down. Once a user is on the site, he can view more information about the site's security and authenticity by clicking on the padlock located in the browser's address field. Doing so, I was able to see that the certificate was issued by Equifax Secure Global eBusiness CA-1.

The certificate also contains a link to a page displaying a "ChoicePoint Unique Identifier" for more information on the issuee, which confirms that this certificate was issued to a company called Mountain America that is based in Salt Lake City (where the real Mountain America credit union is based.)

Choicepoint is a data aggregator that bills itself as "the nation's leading provider of identification and credential verification services." When Geotrust issues a certificate, Choicepoint provides a unique identifier -- an alphanumeric identifier that is supposed to be linked to a "corporate profile" that people can use to learn more about the recipient of that certificate. However, the profile page on this particular phishing site didn't have any more information than was already included in the rest of the certificate, including the company's name, city and state of incorporation, and the company's Web site (in this case, the profile refers to the phishing site's address.) It's unclear to me how the unique identifier adds anything that is of use to the person trying to verify the legitimacy of a Web site.

ChoicePoint's "Unique Global Business Record" for Mountain-America.net

I put a call in to the Geotrust folks. Ironically, a customer service representative said most of the company's managers are presently attending a security conference in Northern California put on by RSA Security, the company that pretty much wrote the book on SSL security and whose encryption algorithms power the whole process. When I hear back from Geotrust, I'll update this post.

The error page generated by Visa.com

Back to the Verified by Visa program. Users who get the phishing e-mail described above -- or any genuine communications prompting them to visit the Visa site -- might think they're being sent to another fraudulent Web site. First off, the Visa site asks users to enter their credit card number. Then there's the fact that when I clicked on any of the links on the Verified by Visa site, I received "Page not found" errors.

The site has finally been shutdown!, thanks to the hard work of the folks at the SANS Internet Storm Center, who first spotted this scam.

Also, I heard back from Geotrust. Joan Lockhart, the company's vice president of marketing, said the site was registered on Sunday and the cert was issued early this morning. Lockhart said Geotrust has a rigorous process in place to check for phishy certificate requests that relies on algorithms which check cert requests for certain words, misspellings or phrases that may indicate a phisher is involved. In this case, she said, the technology did not flag the request because there was nothing in the Internet address to indicate the site was at all related to a financial institution.

Geotrust's cert verification process is largely automated: when someone requests a cert for a particular site, the company sends an e-mail to the address included in the Web site's registrar records, along with a special code that the recipient needs to phone in to complete the process.

Lockhart said she doubted that inserting a human into that process would have flagged the account as suspicious.

"I would argue that probably anyone who is processing mountain-america.net would not have raised flags," she said.

Source: Brain Krebs

NEWS: Critical Bugs Sting Lotus Notes

2006-02-12T03:29:00.000+05:30

Some of the six holes can allow attackers to hijack corporate systems even if users only view incoming e-mail.

Six critical vulnerabilities have been found in IBM's Lotus Notes, Big Blue and security firms announced Friday, including some that could allow attackers to hijack corporate systems if users simply viewed incoming e-mail.

Danish vulnerability tracker Secunia, which discovered the half-dozen bugs, tagged them as "Highly critical," its second-from-the-top alert rating, and said that some of the flaws would create buffer overflows, normally the only entry hackers need to start dropping their own code onto a compromised computer.

Some of the vulnerabilities, said Secunia, can be exploited if users only view malicious e-mails, while others require users to open attachments or extract files from a zipped file attached to a message. Several versions of Notes are at risk, including 7.0 and 6.5.4. Upgrading Notes to 6.5.5 or 7.0.1 solves the problem, said IBM.

"In general, users are strongly urged to use caution when opening or viewing unsolicited file attachments," IBM also recommended in its advisory. IBM offered up work-arounds for customers unable to patch immediately, but they required users or administrators to disable a number of DLLs.

The last bugs to hit Notes were a handful in early January, when IBM itself acknowledged that the e-mail system and its client were open to denial-of-service (DoS) attacks.

Security In Visual Studio

2006-02-10T15:03:00.000+05:30

Security considerations should be included in all aspects of your application development, from design to deployment.

To help you effectively develop secure applications, you should have a fundamental understanding of security concepts and the security features of the platforms for which you develop. You should also have an understanding of secure coding techniques.

Understanding Security

Security in the .NET Framework: Describes .NET Framework code access security, role-based security, security policy, and security tools.

Defend Your Code with Top Ten Security Tips Every Developer Must Know (Click here): Describes the really important issues you should watch out for so that you don't compromise your data or your system.

Coding for Security

Most coding errors that result in security vulnerabilities occur because developers make invalid assumptions when working with user input or because they do not fully understand the platform for which they are developing.

Security Policy Best Practices: Describes the .NET Framework security system recommended best practices you may need to consider in your code.

Secure Coding Guidelines: Provides guidelines for classifying your components to address security issues.

Security Best Practices for C++: Discusses buffer overruns and the complete picture of the Microsoft Visual C++ security checks feature provided by the /GS compile-time flag.

Windows OneCare Pricing...

2006-02-08T03:02:00.000+05:30

Prices are out for windows one care and the offers are kooler than expected. Microsoft Windows OneCare Live will be available in June from retailers and via the Web for an annual subscription of $49.95 for up to three personal computers. To thank its valuable beta customers (like me ;) ) and offer an easy transition to the paid service, Microsoft also announced a promotional deal offering the first year of Windows OneCare Live service for $19.95 to beta customers who become subscribers between April 1 and April 30, 2006.

OneCare is now available free to all new beta testers, at http://ideas.live.com, its a must try!!! once you have OneCare on ur system u wont need anything else, thats for sure ! trust me.