My Security Blog

iPhoned..

2010-04-17T11:52:00.000+05:30

A simple javascript to point the blog to its feed when opened via iPhone and rest is taken care by apple. (reader.mac.com). check out the source for the code.

Anyone noticing a conundrum in this post.. lol.

thats why.. lol…

2010-04-16T11:45:00.001+05:30

Panda Cloud Antivirus !!!

2010-04-09T13:10:00.004+05:30

Interesting! Confusing! and Free!
thinking.. Jedi vs Seth ~ Cloud vs BotNET, lol…

Panda Could Antivirus, an interesting, a bit confusing free antivirus solution, Would have been nice if i dint have to UNINSTALL EXISTING ANTIVIRUS TO INSTALL PANDA CLOUD!!! I hate it when AV’s do that!!! so try only if you have time and patience to… Uninstall – Reboot – Install – Possibly a reboot - Reinstall - Definitely a reboot – Done… or are you ? Any major OS updates resets the AV into reinstalling it, this may drive you crazy or you may just wanna try it on a VPC would be great if your VPC is slow. I would consider this an experimental build or a beta at best! and hence wouldn’t want this alone on my pc. but true to its word it does have a very low memory footprint 2MB!!! wow!!! and panda is a good AV, but Cloud obviously needs to be connected to work better and this is bad!!! Remember worms do block websites so that they cannot be cleaned!!! Not too bad it only asked to be connected sometimes in random, Panda: “aah... well i dont let you get infected in the first place and if u do i have a command line scanner too but no no other antivirus allowed !!!“ bad panda! lol…

First Impressions: the look is pretty dumb there is nothing, absolutely nothing to configure! You wouldn’t even know if it can scan archives, it doesn’t; if its workin and it does work!! Other than assuming the user to be dumb, well what else to assume with a dumb looking UI, no documentation to make sense how it works rather than what it is! Searching forums help here! Think its an ok solution but a lot of scope for improvement and a has a great potential to be, Need to Evolve More lol.. May be this is how we can get rid of all the junk (bots, worms, trojans, viruses; well they are toxic waste of the cyberspace). Think of the collective finds!!! Well atleast panda’s gonna have a huge collection of sure shot signatures as a rain/result from this cloud! Anyways Avira’s back (installed it after installation of panda lol…) and both are running pretty good, not much load at all! Avira and Panda keeping watch together, Panda holding an Umbrella lol…

Well a Cloud Antivirus is probably good for systems on enterprise networks (always on, always connected and clean network) And for PC ? may be..

I do like the panda icon on my taskbar ;)

Thought: Was it a Cloud or a botNET that SKYNET spreads into… let me know when t1000 arrives!!!

BEST BROWSER (*FIREFOX) ADDONS!!!

2010-04-05T01:10:00.001+05:30

If you don’t already have these two set them up at once!

NoScript: The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser.

https://addons.mozilla.org/en-US/firefox/addon/722

AdBlockPlus: Annoyed by adverts? Troubled by tracking? Bothered by banners? Install Adblock Plus now to regain control of the internet and change the way that you view the web. You can also choose from over forty filter subscriptions to automatically configure the add-on for purposes ranging from removing online advertising to blocking all known malware domains.

https://addons.mozilla.org/en-US/firefox/addon/1865

WOT (Web of Trust): Would you like to know which websites you can trust? The WOT add-on is a safe surfing tool for your browser. Traffic-light rating symbols show which websites you can trust when you search, shop and surf on the Web. Protect yourself from online scams, sites with adult content, spam and other Internet threats.

https://addons.mozilla.org/en-US/firefox/addon/3456

BORG!!! BOT!!! FIGHT!!!

2010-04-04T22:44:00.003+05:30

We are the Borg! You will be Assimilated! Resistance is futile!
Is your PC ~~BORG~~ BOT ? Just the Same!!! Just the Evil!!!

I dint quite came around talking about Bots before so here it is: In one of my boredom experiments i tested a new install (vista, not a test install but that’s another story, lots of others too soon..) just to see how just how long it takes to get a pc botted and surprisingly it went well i dint disable the inherent security features the OS comes with (Defender, UserAccessControl, Firewall) nor added any additional security features. It was not untill i disabled the UserAccessControl (Don’t do that! if u hate UAC nag screens like i do install security solutions and use limited account / UAC was disabled because i was impatient and i intended on getting the system infected faster not because it was 100% foolproof although an admirable feature security features should not be a nag) nyways it dint take long to get infected, Infection started from a legit file sharing site hosting a infected javascript file! ~ErrorBadMemoryRecallFailure~ another reason i should be blogging more! Viruses, Worms (check previous posts for them) and even Bots were ON within a few minutes of dumb surfing…

Btw, OpenDNS lets you know if you are botted:

BotNET’s are growing more and more they are considered a more lucrative business in underground communities, not that difficult to imagine why? There’s no direct link between the worm bot and the creator nor it would directly be causing menace no fear of a bounty on their heads no easy way to trace b’caz they are not profited directly, (not sure but i don’t think the bot will be silent if you are typing a 15,16 digit code (your cc number)) you are sold as a hive (millions of infected pc ~ a borg collective?) to do their bidding for just a few thousand dollars! implies each bot pc (well its no more your pc) is cheaper than a penny check out how spam works when Click Online acquires a botNET:

They even have a user interface to be controlled from (complete control over your the hive ~borg queen~) Spam, Keylog (send whatever you type), Bring down a website (DDOS) Attacks (thousands of bots hit a website making it inaccessible to anybody real), other yuck, yuck, etc…

Now if the question is what the Antivirus companies are doing well they are at work a few of the BEST can detect bots using heuristic methods but mostly antivirus depends on signatures of the viruses the way they detect them in simple terms antivirus (wbc) need signatures (antibodies) to kill them, cant get simpler than that lol.. now its practically impossible for the antivirus companies to recognise all the virus in the world especially when these bots can not only AutoUpdate bypass firewall and fool your antivirus but also use you (your pc) as a medium to spread more to your network your mailing list and so on!!! sounds scary isn’t it it is and the worst is most of them reside at ignorant Institutions and Organizations which should be the most secure! Follow these Guidelines for a safer computing!!!

PS: A Pulse Modulating Phazer kills the Borg!

GUIDELINES FOR SAFE COMPUTING:

2010-04-04T22:44:00.001+05:30

Welcome to Defense against the Dark Arts.. lol!

Use a LIMITED Account Always!
If this might be of any incentive its actually faster than an Admin Account.
Keep your OS and your Security Solutions Updated!
Do i need to say more bugs get pached so that you (your pc) are not venerable.
Don't Use illegal Software or cracks and warez! (trojan’s beware!)
Studies show that’s how many get infected in the first place and pass on!
Keep two Antivirus Solutions at hand (One Active Other on Schedule Scan preferably weekly)
Both being Active can result system slowdown! heatup! reduces your hard-disk lifespan! (as both the antivirus solutions will be fighting to scan everything parallel to what you are accessing. Nevertheless if you want them both ON use ones that are thou powerful but put on less load (like Avira) and keep a look out for two antivirus fighting between themself to kill a virus lol..
PS: DONT FORGET TO DISABLE ARCHIVE SCANING IN ATLEAST ONE OF THEM!!!
Use a Sandbox Software for testing new software's and solutions!
Two Advantages: One, keeps u safe from unwanted modifications to your system at worst an embedded virus probably not intentional by the developer but infected intentionally / unintentionally through the chain of hands it came to you (have a option of downloading than using an old copy on disk download u get newer version and less possibility of infection. Two, keeps your registry clean = faster PC.
Use Community Supported Antispyware Solutions!
Tells you if the file you are downloading is a safe one or not!
Enable DEP (Data Execution Prevention) and Use a Memory Firewall
Check my Previous posts on how to, only Free Memory Firewall Available is Comodo.
Firewall : Windows Firewall is …
Gud it blocks all inbound connections except ones u allow its better if you are on a limited account so no program tries to bypass it if all the applications on your system are clean if you are not already infected if… (Argh! to many if’s) Don’t use a firewall unless it can block and filter most of the incoming and outgoing junk itself without your interference meaning Windows Firewall is good, i love it for its simplicity but we need better! or stay in a clean network. Windows Firewall at best is a good filter put a firewall that’s a kick ass!!! if you don’t want to change use threatfire it will act like an addon increasing your security.
Additional Security and Added Solutions are useful!
Sensitive data on your PC is better stored encrypted, Lock the Folders from prying eyes and programs, Denied Access or change, this can be achieved by variety of applications available free to simple settings of NTFS Access Control Lists. (Note: NFTS Encryption can be cracked)
Don’t over do it!
Too many tools to manage ? Then use professional solutions like Avira Premium even Norton 360 will do (ya, ya, i know lol.., Symantec has improved its not a drag as much and i like its firewall) manage most of these from one console free alternatives are just as strong just as good but don't over do it remember security is essential but only to give u a pleasant experience not to give a stuck and drag experience.

Most of the security essentials are enabled by default in your operating system to prevent infections just download the rest or update/upgrade them to better..

Bottom line! (quite literally lol..)
Follow these to prevent infections i dont want any executables downloaded into my temp folder and run no matter who what, how they browse! do you ???

K9 Web Protection - Free Internet Filtering and Parental Controls Software

2010-04-04T11:23:00.002+05:30

I came across K9 Web Protection from Blue Coat Systems in one of my researches and was very impressed by its simplicity, its has a strong online community that not only reports hacks and methods that bypass the filter but also helps update its filters and categories. you can easily configure to block the selected categories or simply monitor the system. I love the feature where you can set the search engines to result safe searches only!

Its Clean has a neat administration interface via browser (http://127.0.0.1:2372) and easy to configure filters, Best of its Free has both Windows and Mac versions !!!

I tested the system and its simplicity gave it away lol.., it not that difficult to bypass if you understand how it works ;) To be fair its wasn’t a flaw in the software that let me do this but the operating systems transparency. Anyways set it up with a limited account and should work great!

Great software for parents to keep their children safe!

Must Have Security Solutions (for free)

2008-02-27T18:51:00.004+05:30

The Question ! New PC How to Secure ? Here’s the Answer some must have security solutions that don't have any performance drag and memory use even when all of them are running at the same time oh and did i mention they are all free. Remember Security for PC is to give you good computing experience, being paranoid and installing many security solutions just causes system drag doesn't help!

Avira Antivir
Top Rated AntiVirus, over 30 million users, Free for Personal Use.
http://www.free-av.com/

Threat Fire
Fills in the gap where conventional AntiVirus fails! Ideal protection against 0-day attacks
http://www.threatfire.com/

Windows Defender
Kool Antispyware from Microsoft Free (Preinstalled in Vista)
http://www.microsoft.com/athome/security/spyware/software/default.mspx

SpyBot S&D Resident or WinPatrol (AntiSpyware)
Both do little or more the same thing has good features a must have!
http://www.safer-networking.org/en/index.html
http://www.winpatrol.com/

Sunbelt Personal Firewall (Previously known as Kerio Personal Firewall)
Just like Windows Firewall this too doesn't slow your connection or speed but gives more features and options.
http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/

Comodo Memory Firewall
Buffer Overflow Protection for all the programs running on your Memory.
http://www.memoryfirewall.comodo.com/

Sandboxie (Run in a Sandbox) or BufferZone Free Protection (Run in a Virtualized Environment)
Run Isolated to System, Restrict Access to System Processes and Environment or Run in a virtual Environment good where Sandboxing fails if the application requires System Services or if you think the sandbox is slowing the operations.
http://www.sandboxie.com/
http://www.trustware.com/virtualization/free.html

Happy & Safe Computing..

Goolag Scanner Released!

2008-02-21T17:13:00.000+05:30

Is this Good or Bad ??? much to debate and surprise, think this would be a good thing. Yep! good thing for everyone who own's a website that's pretty much everyone i know, lol.. "how can this be a good thing ?" use this tool to audit your websites and fix stuff before that information is used to bring the site down.

Released by CULT OF THE DEAD COW (cDc), one of the world's largest hacker group, Goolag Scanner is a web auditing tool. Goolag Scanner enables everyone to audit his or her own website via Google. The scanner technology is based on "Google hacking," a form of vulnerability research developed by Johnny I Hack Stuff. You will be surprised what all could be found about a website via google.

Google Hacking Database [ http://johnny.ihackstuff.com/ghdb.php ]

Goolag Scanner [ http://www.goolag.org/download.html ]

This database has long helped Admin's to better secure their websites. similar books from publishers resulted in best sellers, hoping this scanner would run on similar tracks helping even the end user with little knowledge to better manage their websites.

Review: First off an interesting installation voice supported, I scanned a few of my Websites and found no problems, Yappy!! (All those installations and customizations and tweaks did help lol..) The scanner scans for over a 1400 issues including starting from vulnerabilities, installations to error message listings, be warned if you select to run all the tests at once the extensive use of google can result google detecting your activity as that of a bot, not much of a problem you just need to prove Google that you are not a bot enter a few letters from a pic to unblock and continue but at the end of all this you rest assured that your website is safe from almost 1400+ hacks methods and vulnerabilities. or you know what to fix atleast. funny i expected this tool to have an update feature still in beta may be in future versions.

Change DNS ? for a Safer, Faster Online Experience

2008-02-20T20:51:00.001+05:30

OpenDNS is the world's largest, Free DNS service provider. Millions use it to handle their DNS and Web-content filtering needs. And how Complex is this ? its dead easy! just change your DNS and you are done. Yes its that easy. Configure it to your PC, Router or use it with your existing DNS Servers. It also keeps you safe from all those Phishing Sites too.. Using Phishtank (www.phishtank.com), a free online community where one can submit, verify, track and share phishing data, Want more, you can also filter out adult sites and proxies among more than 40 categories, and provide the precision to block individual domains (content filtering), And its faster than your ISP's DNS servers too.. Great for Schools, Organizations, etc., or for Personal use.. Check out there HUGE list of Subscribers and testimonials..

Faster! Safer! What are you waiting for ? (https://www.opendns.com/start)

208.67.222.222
208.67.220.220

Iconix eMail ID!

2006-07-30T22:41:00.004+05:30

Just came across quite a useful tool...

ICONIX: Tired of trying to figure out which email messages might be phishing or fraudulent spam? Iconix eMail ID lets you see what's real before you even open the message. Iconix eMail ID works with your email program and double checks the source of a message to make sure it's not a spoof. It then uses a simple visual indicator in your inbox - a gold lock with a checkmark to show that a message is real. E-mail from over 300 major senders is currently identified--companies such as eBay, PayPal, Citibank, Amazon.com, Expedia, MySpace, and the New York Times represent the top online sites for retail, travel, auctions, banking, e-cards, news/entertainment, and dating. Version 3.15.16 added support for Mozilla Firefox and Internet Explorer 7.0 beta 2.

http://www.download.com/Iconix-eMail-ID/3000-2382_4-10554745.html

"Computers are incredibly fast, accurate and stupid; humans are incredibly slow, inaccurate and brilliant; together they are powerful beyond imagination." -- Albert Einstein

SQL Injection Scanner

2006-06-10T10:34:00.000+05:30

Finally found a sql injection scanner that would help u secure ur sql better by listing out its vulnerabilities. you can download a free trail or request a free security audit. the service scans for SQL Injections, Cross Site Scripting and other Web Vulnerabilities [ SQL Injection is a hacking technique which modifies SQL commands in order to gain access to data in the database. Cross site scripting attacks allow a hacker to execute a malicious script on your visitor´s browser.] other vulnerabilities it scans for:

CRLF injection attacks
Code execution attacks
Directory traversal attacks
File inclusion attacks
Authentication attacks
& More…

Resources:

Read whitepapers & articles about Web application security

SQL injection : SQL injection is a hacking technique which attempts to pass SQL commands through a web application for execution by a backend database.
Cross site scripting : Cross Site Scripting (also known as XSS or CSS) generally occurs when a dynamic web page gathers malicious data from a user and displays the input on the page without it being properly validated.
CRLF Injection : A CRLF Injection occurs when a hacker manages to inject CRLF Commands into the system.
Directory traversal : Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
Authentication hacking : Authentication hacking is a term used when the attacker breaks into the system by proving to the application that he is a known and valid user, the attacker gains access to whatever privileges the administrator assigned that user.
Google hacking : Google hacking is the term used when a hacker tries to find exploitable targets and sensitive data by using search engines.

A Must Audit for all Web Apps!
www.acunetix.com/sql-injection/

Symantec confirms vulnerability in antivirus software

2006-05-27T16:05:00.000+05:30

Symantec confirmed Friday afternoon a vulnerability in its Antivirus Corporate Edition software that had been discovered by security firm eEye. According to the company, a successful exploit of the flaw could "potentially cause a system crash, or allow a remote or local attacker to execute arbitrary code with System level rights on the affected system."

At this time, Symantec has only issued IDS signatures that will be able to detect attempts to exploit the vulnerability. Network Security Appliance 7100 signatures (SU 46), Gateway Security 3.0 signatures (SU 19) and Client Security 2.0 and 3.0 signatures (SU 22) have been made available via the software's live update feature.

The company recommends that customers adjust their software policies as long as the flaw is exposed to a potential exploit. Specifically, the firm said that companies should restrict access to administration or management systems to privileged users only, keep all operating systems and applications updated with the latest vendor patches and "run both firewall and antivirus applications, at a minimum to provide multiple points of detection and protection to both inbound and outbound threats."

Symantec also said that users should "be cautious visiting unknown or untrusted websites or following unknown URL links" and should not "open attachments or executables from unknown sources."

Symantec Anti Virus Software Flawed !!!

2006-05-27T04:33:00.000+05:30

A flaw has been detected in Symantec's leading anti-virus software AGAIN!, by researchers from eEye Digital Security.

The anti-virus software, Symantec 10.x, which protects some of the world's largest corporations and US government agencies, suffers from a flaw that lets hackers seize control of computers to steal sensitive data, delete files, or implant malicious programs.

Symantec is investigating the issue, but could not immediately confirm the vulnerability. However, if confirmed, the threat to computer users would be severe because the security software is widely used, and because no action is required on the part of victims to bring on the attack.

Symantec says it has these anti-virus products installed on more than 200 million computers. Meanwhile, a spokesman for the company said that it is examining the reported flaw, but described the flaw as so new that the company does not have any details on the same.

Researchers at eEye Digital Security have said that the vulnerability is capable of being exploited by remote hackers to take complete control of the target machine, "without any user action". eEye Digital has published a note about the discovery on its Web site, but has pledged not to reveal details until after Symantec repairs the flaw, as this would help hackers attack Internet users. eEye Digital has posted a brief advisory to raise alarm about the bug, which can allow execution of malicious code with system-level access. The flaw carries a "high risk" rating because of its potential for serious damage.

Meanwhile, the flaw happens to come at a very awkward time for Symantec. John Thompson, chief executive, Symantec just recently campaigned to convince consumers to trust Symantec and not Microsoft for protecting their personal information, he he he lol…

Security in the CLR World Inside SQL Server

2006-05-26T07:25:00.000+05:30

Is running ।NET Framework code within SQL Server 2005 exciting or a threat? Which is it? This article explores the security issues of SQLCLR code so that both developers and DBAs can make informed decisions about its use.

One of the major benefits of writing .NET code to run in the Common Language Runtime (CLR) hosted in any environment is code access security (CAS).

CAS provides a code-based rather than user-based authorization scheme to prevent various kinds of luring and other code attacks. But how does that security scheme coexist with SQL Server 2005's own, newly enhanced security features? By default your .NET code is reasonably secure, but it's all too easy for the two security schemes to butt heads and cause you grief. In this article I'll look briefly at the concept behind CAS and a few new security features in SQL Server 2005, then explore how to make the two systems work for you instead of against you as you take advantage of these advanced programming features in SQL Server.

The good news is that Microsoft did a great job bringing together the security systems of SQL Server and the Common Language Runtime, with tools to control code. But there are some interesting features—both to watch for and to take advantage of!

Don Kiely gives a complete detail about and how to secure ur SQL Server, chk it out।

Page 1: Introduction
Page 2: Securely Hosting SQLCLR Code

Page 3: SQL Server-Level Security
Page 4: SQLCLR Permission Set Levels
Page 5: Accessing External Resources
Page 6: It's Secure Enough

New Yahoo IM Worm Poses as 'Safety' Browser

2006-05-23T09:30:00.000+05:30

Security researchers have identified a new worm spreading across Yahoo's instant messaging network that has been cloaked under the guise of a "safety" browser in an attempt to dupe users.
The worm (named yhoo32.explr) installs a piece of software called 'Safety Browser' and then hijacks the Internet Explorer homepage, leading users to a site that puts spyware on their PCs.

Because Safety Browser uses the IE icon to identify itself, users can easily mistake it for the legitimate Internet Explorer. This is the first recorded incidence of malware installing its own web browser on a PC without the user's permission, according to security firm FaceTime.

The self-propagating worm spreads the infection to all contacts in Yahoo! Messenger by sending a website link that loads a command file onto the user's PC and installs Safety Browser.

"This is one of oddest and more insidious pieces of malware we have encountered in years," said Tyler Wells, senior director of research at FaceTime Security Labs.

"This is the first instance of a complete web browser hijack without the user's awareness. Similar 'rogue' browsers, such as 'Yapbrowser,' have demonstrated the potential for serious damage by directing end-users to potentially illegal or illicit material. 'Rogue' browsers seem to be the hot new thing among hackers."

Iskorpitx Strikes Again

2006-05-19T06:43:00.000+05:30

Type the word "Iskorpitx" into Google, and see what you get. Exactly the same word spit back at you, except from any number of different sites. That's because Iskorpitx is the handle of a hacker who recently committed the biggest hacking incident in web-hosting history. Those search results are the graffiti he left.

Thought to be a 45-year-old Turkish man, Iskorpitx successfully hacked at least 21,549 sites at once (a tally is still being made-expect the final count to be much higher), defacing pages on all of them. His signature included a Turkish flag, his handle and country of origin, and several repetitions of the "f***" next to the names of France, Greece, and Armanian [sic].

As one might imagine, this has upset quite a few people. A brief glance at the list of sites Iskorpitx affected shows the domains .org, .net, and .com, indicating a probable lack of aim or distinction on his part.

Iskorpitx has quite a reputation for this sort of thing. Since 2003, he's hacked an estimated 117,000 websites, not even including this latest round, and some of those were the sites of his own country's government.

The Turkish hacker seems to have ignited some sort of passion for the activity in his country. In recent months, more than 50 percent of notified defacements appear to have originated from Turkey. Brazil was formerly the most prominent home of these sorts of hackers.

It remains unknown whether the most recent attacks where made at the root or webserver level. Iskorpitx executes his hacks by creating subpages, regardless of what authorization level he achieves on the servers.

Iskorpitx's motivations are unclear. Although many of the Turkish hackers have religious agendas, he does not seem to share them. Whatever his reasons or inspiration, Iskorpitx is acting as a massive nuisance throughout the Web.

Via Doug Caverly.

Alert! Spoofed Symantec Email Disables Anti-virus Updates

2006-04-20T20:33:00.000+05:30

Symantec has been spoofed in the form of a high risk malicious email which looks like a Symantec Virus advisory, but actually disables anti-virus updates.

The email contained a "From" address that said it was from Symantec's Norton Anti-Virus division. The message said that the user's computer was infected with a virus called w32.aplore@mm. The user was then directed to a link that was supposed to dispose of the infection, but instead downloaded an executable file that disabled updates.

The malicious file was located on a free hosting service but the Web site mirrored a Symantec update site. The spoof was discovered by security company SurfControl.

Demand For Secure Web Environments For Kids Rises !!!

2006-04-18T11:30:00.000+05:30

With all of the recent MySpace controversy about children using it and attracting predators and whatnot, there is a growing demand from parents to have a more secure web environment for their kids.

Another driving factor for the demand is the fact that kids can write things that they may regret years later when their words are still on the web.

At least 2 companies have recognized this demand and are working to fill it. One is called Industrious Kid, and will be a "self-contained" site for kids to interact with each other. To sign up, parents will have to use their credit cards even to access free areas of the site.

The second company is called netTrekker, and it aims to protect kids from inappropriate content when searching online. Its search engine has been around since 1999 and has been primarily used in schools as its results have been approved by a large group of educatrors. Now it is available for home use as well.

With both netTrekker and Industrious Kid, it is up to the parents to sign up for the services. Provided that they work as they're supposed to, some concerns may be alleviated.

via Chris.

IE Cumulative Security Update Issued !

2006-04-12T13:09:00.000+05:30

Microsoft issued a cumulative security update for Internet Explorer, replacing several earlier security updates. Rated: Critical

The update replaces a February 28th cumulative update affecting Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition family, and Windows Server 2003 with Service Pack 1 for Itanium-based Systems.

Along with the update, Microsoft released a compatibility patch for Enterprise users who require more time to prepare for the Active X update. The compatibility patch will function until a subsequent Internet Explorer update is available in June. The changes made to Internet Explorer in relation to Active X will become permanent after the June update. A complete list of affected software and software components are available at the Microsoft bulletin page. Updates can be downloaded there as well.

Go directly to download page…

IE Address Bar Spoof Discovered!

2006-04-11T23:10:00.000+05:30

An address bar spoof can be conducted by a malicious phisher taking advantage of a race condition in Internet Explorer.

The Secunia security advisory website advised IE users of a moderately critical vulnerability in the browser. Secunia created a test that can show if the user's browser is vulnerable.

IE 6 on fully patched Windows XP SP1/SP2 machines, and the IE 7 Beta 2 preview (March edition) demonstrate this vulnerability. In my testing, the vulnerability was present on IE 6, but not in Firefox 1.5 or Opera 9 TP2.

Like a previously reported critical issue about IE, Secunia noted that users can disable Active Scripting in the browser until Microsoft releases a patch. Secunia provided more details and a link to the test demonstrating the vulnerability:

The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.

- Display of a spoof vulnerable IE -

- Display of a spoof proof IE -

This is how your browser should look like! Check your browser!

Secunia has constructed a test, which can be used to check if your browser is affected by this issue: Click Here to Test your Browser!

Verify:

If u have doubts on a certain page u are browsing thru and wish to verify if its legitimate or not here’s somethin u can do ! just copy the code below and place it on the address bar u are viewing the page of doubt hit enter that will display the original page location!

<copy>
javascript:alert("The Real URL address: " + location.protocol + "//" + location.hostname + "/");
</copy>

Fix / Solution :

if u want a tool that can alert you wen there is a spoof like this then use the following toolbars they come in different flavors for different browsers :)

http://toolbar.netcraft.com/
http://toolbar.trustwatch.com/
http://www.corestreet.com/spoofstick/index.html
http://pages.ebay.com/toolbar/accountguard_1.html
http://addins.msn.com/addins_category_toolbar.aspx

Microsoft Says Recovery from Malware Becoming Impossible !

2006-04-05T02:28:00.000+05:30

In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference. Offensive rootkits, which are used hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast," Danseglio added.

Danseglio, who delivered two separate presentations at the conference—one on threats and countermeasures to defend against malware infestations in Windows, and the other on the frightening world on Windows rootkits—said anti-virus software is getting better at detecting and removing the latest threats, but for some sophisticated forms of malware, he conceded that the cleanup process is "just way too hard."

Microsoft says stealth rootkits are bombarding Windows XP SP2 machines. Click here to read more.

"We've seen the self-healing malware that actually detects that you're trying to get rid of it. You remove it, and the next time you look in that directory, it's sitting there. It can simply reinstall itself," he said.

"Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background."

He recommended using PepiMK Software's SpyBot Search & Destroy, Mark Russinovich's RootkitRevealer and Microsoft's own Windows Defender, all free utilities that help with malware detection and cleanup, and urged CIOs to take a defense-in-depth approach to preventing infestations.

Are virtual machine rootkits the next big threat? Click here to read more.

Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that the for-profit motive is much more serious than even the destructive network worms of the past. "In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money.

"At Microsoft, we are fielding 2,000 attacks per hour. We are a constant target, and you have to assume your Internet-facing service is also a big target," Danseglio said.

Trojan Holds Data for Ransom

2006-03-23T05:47:00.000+05:30

If you're the unlucky victim of a new Trojan making the rounds, it'll cost you $300 to get your data back from the Trojan's author.

As of press time the Trojan did not yet have a common CME identifier. It is currently known as cryzip by LURHQ, Symantec, McAfee and Trend Micro. Kaspersky calls it Zippo and Panda Labs calls it ZippoCryptor.

Once infected, the Trojan encrypts a user's data in a password-protected zip file. In addition to the inaccessible files, the victim is left with a ransom note in a file titled "AUTO_ZIP_REPORT.txt."

The file starts with the words, "INSTRUCTIONS HOW TO GET YUOR FILES BACK READ CAREFULLY." According to LURHQ, the typo-rife ransom note continues: "Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enough password."

The note warns users not to attempt to crack the password on the compressed zip files. The only way to get the data back, it says, is by sending the "ransom" to an E-Gold account, apparently operated by the Trojan's author.

According to security firm LURHQ, a random E-Gold account number is automatically inserted at the top of the ransom note from an embedded list.

"By operating many accounts simultaneously, the Trojan author is betting that even if E-Gold shuts down some of the accounts, he/she will still receive payment on some of the others," LURHQ's advisory states.

So far, the Trojan does not appear to be widespread. McAfee, Panda Labs and Symantec have given it a low-risk assessment and all have issued updates to its malware definition files to identify the Trojan.

It could always be worse.

Though the cryzip Trojan may make a victim cry, at least it doesn't berate victims like last year's Cisum.A virus did.

Microsoft Application Threat Modeling!

2006-03-13T14:20:00.000+05:30

Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

- Data access control matrix
- Component access control matrix
- Subject-object matrix
- Data Flow
- Call Flow
- Trust Flow
- Attack Surface
- Focused reports

Download Microsoft Threat Analysis & Modeling v2.0 BETA2

Download A video introducing the Microsoft Application Threat Modeling process and The Microsoft Threat Analysis & Modeling v2 tool.

10 Immutable Laws of Security

2006-02-23T19:37:00.000+05:30

If an attacker can persuade you to run his program on your computer, it is not your computer anymore
If an attacker can alter the operating system on your computer, it is not your computer anymore
If an attacker has unrestricted physical access to your computer, it is not your computer anymore
If you allow an attacker to upload programs to your Web site, it is not your Web site any more
Weak passwords prevail over strong security
A computer is only as secure as the administrator is trustworthy
Encrypted data is only as secure as the decryption key
Out-of-date antivirus software is only marginally better than no antivirus software at all
Absolute anonymity is not practical in real life nor on the Web
Technology is not a panacea

Source : Clinic 2801 // microsoftelearning.com