<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Arizona IT Management &#187; threats</title>
	<atom:link href="http://www.azitmgmt.com/tag/threats/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.azitmgmt.com</link>
	<description>Delivering Affordable Professional Solutions</description>
	<lastBuildDate>Sun, 15 Aug 2010 19:53:54 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Phishing and Wardriving</title>
		<link>http://www.azitmgmt.com/2010/05/phishing-and-wardriving/</link>
		<comments>http://www.azitmgmt.com/2010/05/phishing-and-wardriving/#comments</comments>
		<pubDate>Thu, 27 May 2010 15:49:11 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[Wardriving]]></category>

		<guid isPermaLink="false">http://www.azitmgmt.com/?p=358</guid>
		<description><![CDATA[Phishing and Wardriving are coming back around. Please read this article and familiarize yourselves. http://www.informationarmor.com/2010/05/27/the-internet/]]></description>
			<content:encoded><![CDATA[<p>Phishing and Wardriving are coming back around. Please read this article and familiarize yourselves.</p>
<p><a href="http://www.informationarmor.com/2010/05/27/the-internet/">http://www.informationarmor.com/2010/05/27/the-internet/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.azitmgmt.com/2010/05/phishing-and-wardriving/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Attacks, Exploits and Patches</title>
		<link>http://www.azitmgmt.com/2010/05/attacks-exploits-and-patches/</link>
		<comments>http://www.azitmgmt.com/2010/05/attacks-exploits-and-patches/#comments</comments>
		<pubDate>Wed, 12 May 2010 15:47:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.azitmgmt.com/?p=351</guid>
		<description><![CDATA[Widespread Web Site Attacks Reported Following the reports of high-profile web sites like syfy.com and php-nuke.org being compromised, another widespread attack on web servers has been reported. The attacks compromise sites running WordPress and other popular blog software. The attack mechanism is not yet known, but clients should ensure that the latest WordPress version [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Widespread Web Site Attacks Reported</strong><br />
Following the reports of high-profile web sites like syfy.com and php-nuke.org being compromised, another widespread attack on web servers has been reported. The attacks compromise sites running WordPress and other popular blog software. The attack mechanism is not yet known, but clients should ensure that the latest WordPress version is installed. Sites using shared hosting are especially susceptible, as compromise of a neighboring site often spreads to the remaining virtual hosts. We also encourage clients to review their sites for signs of infection and take appropriate remediation steps. In particular, clients should look for modifications made to HTML source pages as well as database table changes.<br />
<a href="http://www.h-online.com/security/news/item/Large-scale-attack-on-WordPress-996628.html" target="_blank"> http://www.h-online.com/security/news/item/Large-scale-attack-on-WordPress-996628.html</a><br />
<a href="http://www.psychcomp.com/syfycom-hosts-malware/" target="_blank"> http://www.psychcomp.com/syfycom-hosts-malware/</a><br />
<a href="http://twitter.com/lordparody/status/13600067003" target="_blank"> http://twitter.com/lordparody/status/13600067003</a><br />
<a href="http://www.sophos.com/blogs/sophoslabs/?p=9585" target="_blank"> http://www.sophos.com/blogs/sophoslabs/?p=9585</a></p>
<p><strong>Microsoft Outlook Express Exploit</strong><br />
Exploit code has been made publicly available that triggers a vulnerability in Microsoft Outlook Express and Windows Mail. The integer overflow vulnerability could allow a remote attacker to execute arbitrary code, although the attacker would need to control the mail server being used by the victim. At this time, there is no known vendor patch available.<br />
<a href="http://www.exploit-db.com/exploits/12564" target="_blank"> http://www.exploit-db.com/exploits/12564</a><br />
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0816" target="_blank"> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0816</a></p>
<p><strong>Microsoft&#8217;s May Security Patches</strong><br />
As a reminder, Microsoft will be issuing their May security release later today. The two scheduled bulletins will address remote code execution vulnerabilities in Windows and Office. We will update the assessment when more details are available.<br />
<a href="http://www.microsoft.com/technet/security/Bulletin/MS10-may.mspx" target="_blank"> http://www.microsoft.com/technet/security/Bulletin/MS10-may.mspx</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.azitmgmt.com/2010/05/attacks-exploits-and-patches/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>April Patches and Updates</title>
		<link>http://www.azitmgmt.com/2010/04/april-patches-and-updates/</link>
		<comments>http://www.azitmgmt.com/2010/04/april-patches-and-updates/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 16:09:17 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.azitmgmt.com/?p=337</guid>
		<description><![CDATA[1. Denial of Service Conditions in Microsoft Exchange and Microsoft SMTP Service (MS10-024 CVE-2010-0024) Microsoft Windows SMTP Service and Microsoft Exchange are vulnerable to a denial of service, caused by the improper handling of DNS Mail Exchanger (MX) resource records by the Simple Mail Transfer Protocol component. As SMTP services are often exposed to the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>1. Denial of Service Conditions in Microsoft Exchange and Microsoft SMTP  Service (MS10-024 CVE-2010-0024)</strong><br />
Microsoft Windows SMTP Service and Microsoft Exchange are vulnerable to a denial of service, caused by the improper handling of DNS Mail Exchanger (MX) resource records by the Simple Mail Transfer Protocol component. As SMTP services are often exposed to the Internet and email is usually considered a business-critical function, the business impact of this vulnerability is more significant than for typical denial of service issues.</p>
<p><a title="http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx" href="http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx">http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx</a></p>
<p><strong>2. Microsoft DirectShow Remote Code Execution (MS10-026  CVE-2010-0480)</strong><br />
Microsoft Windows is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the MPEG Layer-3 audio codecs when handling malicious files. The vulnerable component is the MPEG Layer-3 Audio Codec for Microsoft DirectShow. Successful exploitation of this issue would provide an attacker with complete control over the endpoint target. The use of malicious media files like images and movies has been prevalent in recent years.</p>
<p><a title="http://www.microsoft.com/technet/security/bulletin/MS10-026.mspx" href="http://www.microsoft.com/technet/security/bulletin/MS10-026.mspx">http://www.microsoft.com/technet/security/bulletin/MS10-026.mspx</a></p>
<p><strong>Adobe Reader and Acrobat Security Update</strong><br />
Adobe has  addressed multiple critical vulnerabilities affecting Adobe Reader 9.3.1 (and  earlier versions) for Windows, Macintosh, and UNIX, Adobe Acrobat 9.3.1 (and  earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.1 (and earlier  versions) and Adobe Acrobat 8.2.1 (and earlier versions) for Windows and  Macintosh. The most severe of these issues could allow a remote attacker to  execute arbitrary code on a vulnerable system. Refer to the &#8220;Solution&#8221; section  of the Adobe Security Bulletin for information on remediating these issues.<br />
<a title="http://www.adobe.com/support/security/bulletins/apsb10-09.html" href="http://www.adobe.com/support/security/bulletins/apsb10-09.html">http://www.adobe.com/support/security/bulletins/apsb10-09.html</a></p>
<p><strong>Microsoft April 2010 Security Release</strong><br />
Microsoft released eleven security bulletins today. There are five rated Critical, five rated Important and one rated Moderate. We encourage our customers to apply the patches and IBM product coverage where applicable. Please review the breakdown below.<br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-apr.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-apr.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-apr.mspx</a></p>
<p><strong>Microsoft Maximum Severity Rating: Critical</strong><br />
<strong>Microsoft Security Bulletin MS10-019: Vulnerabilities in Windows  Could Allow Remote Code Execution (981210)</strong><br />
Vulnerabilities in Windows Authenticode Verification could allow a remote attacker to execute arbitrary code on a vulnerable system.<br />
CVE-2010-0486<br />
CVE-2010-0487<br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-019.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-019.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-019.mspx</a></p>
<p><strong>Microsoft Security Bulletin MS10-020: Vulnerabilities in SMB Client  Could Allow Remote Code Execution (980232)</strong><br />
Multiple vulnerabilities  affecting Microsoft Windows could allow remote code execution. Successful  exploitation can occur if an attacker can convince a user to initiate an SMB  connection to a specially crafted SMB server.<br />
CVE-2009-3676<br />
CVE-2010-0269<br />
CVE-2010-0270<br />
CVE-2010-0476<br />
CVE-2010-0477<br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx</a></p>
<p><strong>Microsoft Security Bulletin MS10-025: Vulnerability in Microsoft  Windows Media Services Could Allow Remote Code Execution (980858)</strong><br />
A  remote code execution vulnerability affects Windows Media Services running on  Microsoft Windows 2000 Server. The Windows Media Unicast Service fails to  properly handle specially crafted transport information packets. On Microsoft  Windows 2000 Server Service Pack 4, Windows Media Services is an optional  component and is not installed by default.<br />
CVE-2010-0478<br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx</a></p>
<p><strong>Microsoft Security Bulletin MS10-026: Vulnerability in Microsoft MPEG  Layer-3 Codecs Could Allow Remote Code Execution (977816)</strong><br />
See item 2 above: <strong>Microsoft DirectShow Remote Code Execution (MS10-026 CVE-2010-0480)</strong><br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-026.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-026.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-026.mspx</a></p>
<p><strong>Microsoft Security Bulletin MS10-027: Vulnerability in Windows Media  Player Could Allow Remote Code Execution (979402)</strong><br />
The Windows Media  Player ActiveX control is affected by a remote code execution vulnerability.<br />
CVE-2010-0268<br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-027.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-027.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-027.mspx</a></p>
<p><strong>Microsoft Maximum Severity Rating: Important</strong><br />
<strong>Microsoft Security Bulletin MS10-021: Vulnerabilities in Windows  Kernel Could Allow Elevation of Privilege (979683)</strong><br />
This bulletin  addresses two vulnerabilities in Microsoft Windows, the most severe of which  could allow elevation of privilege. In order to exploit these vulnerabilities,  an attacker must have valid logon credentials and be able to log on locally.<br />
CVE-2010-0236<br />
CVE-2010-0237<br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-021.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-021.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-021.mspx</a></p>
<p><strong>Microsoft Security Bulletin MS10-022: Vulnerability in VBScript  Scripting Engine Could Allow Remote Code Execution (981169)</strong><br />
A  vulnerability affecting VBScript on Microsoft Windows could allow remote code  execution. This vulnerability requires user interaction and cannot be exploited  on Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.<br />
CVE-2010-0483<br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-022.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-022.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-022.mspx</a></p>
<p><strong>Microsoft Security Bulletin MS10-023: Vulnerability in Microsoft  Office Publisher Could Allow Remote Code Execution (981160)</strong><br />
Microsoft Office Publisher is vulnerable to a remote code execution issue.  An attacker could exploit this issue by creating a specially crafted Publisher  file and sending it in an email or hosting it on a Web site.<br />
CVE-2010-0479;  IBM Product Coverage: CompoundFile_Shellcode_Detected<br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-023.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-023.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-023.mspx</a></p>
<p><strong>Microsoft Security Bulletin MS10-024: Vulnerabilities in Microsoft  Exchange and Windows SMTP Service Could Allow Denial of Service  (981832)</strong><br />
See item 1 above: <strong>Denial of Service Conditions in Microsoft Exchange and Microsoft SMTP Service</strong><br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx</a></p>
<p><strong>Microsoft Security Bulletin MS10-028: Vulnerabilities in Microsoft  Visio Could Allow Remote Code Execution (980094)</strong><br />
Vulnerabilities in  Microsoft Office Visio could allow remote code execution if a user opens a  specially crafted Visio file.<br />
CVE-2010-0254; IBM Product Coverage:  CompoundFile_Shellcode_Detected<br />
CVE-2010-0256; IBM Product Coverage:  CompoundFile_Shellcode_Detected<br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx</a></p>
<p><strong>Microsoft Maximum Severity Rating: Moderate</strong><br />
<strong>Microsoft Security Bulletin MS10-029: Vulnerability in Windows  ISATAP Component Could Allow Spoofing (978338) </strong><br />
A spoofing vulnerability exists in the Microsoft Windows IPv6 stack which could allow an attacker to impersonate an address to bypass edge or host firewalls.<br />
CVE-2010-0812<br />
<a title="http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx" href="http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx"> http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.azitmgmt.com/2010/04/april-patches-and-updates/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Top Tips for Twenty Ten</title>
		<link>http://www.azitmgmt.com/2010/02/top-tips-for-twenty-ten/</link>
		<comments>http://www.azitmgmt.com/2010/02/top-tips-for-twenty-ten/#comments</comments>
		<pubDate>Wed, 17 Feb 2010 17:07:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Management]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[essentials]]></category>
		<category><![CDATA[location awareness]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[social networks]]></category>
		<category><![CDATA[Solutions]]></category>
		<category><![CDATA[stay safe online]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.azitmgmt.com/?p=260</guid>
		<description><![CDATA[Rules of Social Networking Pay attention to what you post and upload. Social networking is public. Consider images, videos, and information you publish You shouldn’t publish your address, date of birth, etc. Use a nick-name that only your friends know. Choose your friends with care. Do not accept friend requests from people you do not [...]]]></description>
			<content:encoded><![CDATA[<h3>Rules of Social Networking</h3>
<p><strong>Pay attention to what you post and upload. Social networking is public.</strong></p>
<ul>
<li>Consider      images, videos, and information you publish</li>
<li>You      shouldn’t publish your address, date of birth, etc.</li>
<li>Use a nickname that only your friends know.</li>
</ul>
<p><strong>Choose your friends with care. </strong></p>
<ul>
<li>Do not      accept friend requests from people you do not know</li>
<li>Verify      all your contacts</li>
</ul>
<p><strong>Protect your work and environment and avoid reputation risk</strong></p>
<ul>
<li>When      joining a social networking site use your personal e-mail address</li>
<li>Be      careful how you portray your company online</li>
<li>Do not      mix your business contacts with your friend contacts</li>
</ul>
<p><strong>Protect your mobile phone and the information saved on it from any physical intrusion</strong></p>
<ul>
<li>Do not      let anyone see your profile or personal information without consent</li>
<li>Do not      leave your phone unattended</li>
<li>Do not      save your passwords on your mobile phone</li>
<li>Use      the security features available on your mobile phone</li>
</ul>
<p><strong>Turn off Location Aware Services</strong></p>
<ul>
<li>Twitter, Google Buzz, Foursquare and new smartphones will publish your location when you post an announcement, letting the entire world know you aren’t home. See the website <a href="http://pleaserobme.com/">http://pleaserobme.com/</a></li>
<li>Instead      of using a GPS to mark your home location, have your GPS set home to a      familiar landmark near your home, such as a corner store. If a thief      breaks into your car, not only do they know you aren’t home, but they      will have access to your garage door opener and turn by turn directions to      your front door.</li>
</ul>
<p><strong>When Planning Vacation</strong></p>
<ul>
<li>Do not post the dates and times you will be away; instead, write posts as a journal of events that have already happened, so that it’s a surprise that you were gone for a period of time.</li>
</ul>
<p><span style="font-size: small;"><br />
</span><strong>Anti-Phishing Flow Chart<img src="http://www.azitmgmt.com/wp-content/uploads/2010/02/antiphishing.png" alt="" width="600" /></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.azitmgmt.com/2010/02/top-tips-for-twenty-ten/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are you sure you&#8217;re safe?</title>
		<link>http://www.azitmgmt.com/2010/01/are-you-sure-youre-safe/</link>
		<comments>http://www.azitmgmt.com/2010/01/are-you-sure-youre-safe/#comments</comments>
		<pubDate>Mon, 04 Jan 2010 19:42:29 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Management]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.azitmgmt.com/?p=63</guid>
		<description><![CDATA[Holidays are the times when spammers and other anarchist types send malware-related emails to everybody. Just because the holidays are now officially over doesn&#8217;t mean your organization is safe. Many employees take vacation, and the danger still exists in their mailboxes, waiting for them to open it. Email administrators may see an increase in infections [...]]]></description>
			<content:encoded><![CDATA[<p>Holidays are the times when spammers and other anarchist types send malware-related emails to everybody. Just because the holidays are now officially over doesn&#8217;t mean your organization is safe. Many employees take vacation, and the danger still exists in their mailboxes, waiting for them to open it. Email administrators may see an increase in infections the week after a long holiday. Apply the best security practices and keep software updates and patches, as well as anti-virus signatures, up to date. User education is also key in mitigating this threat.</p>
<p>With the new year&#8230; new decade upon us, let&#8217;s work together to accomplish something. Something awesome. Something amazing. Something that will make your customers go WOW! Something that will make your staff more productive, regardless of where they are. Let&#8217;s enable and empower them to be able to securely work on anything, from anywhere.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.azitmgmt.com/2010/01/are-you-sure-youre-safe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft IIS and Symantec Alert Management System</title>
		<link>http://www.azitmgmt.com/2009/12/microsoft-iis-and-symantec-alert-management-system/</link>
		<comments>http://www.azitmgmt.com/2009/12/microsoft-iis-and-symantec-alert-management-system/#comments</comments>
		<pubDate>Wed, 30 Dec 2009 17:20:51 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Management]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[iis]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.azitmgmt.com/?p=61</guid>
		<description><![CDATA[A vulnerability was recently reported in Microsoft IIS. Microsoft has since completed its investigation and &#8220;found that there is no vulnerability in IIS.&#8221; However, &#8220;there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass [...]]]></description>
			<content:encoded><![CDATA[<p>A vulnerability was recently reported in Microsoft IIS. Microsoft has since completed its investigation and &#8220;found that there is no vulnerability in IIS.&#8221; However, &#8220;there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.&#8221; The issue only impacts IIS servers that are set up to allow both &#8220;write&#8221; and &#8220;execute&#8221; privileges on the same directory, which is not the default configuration for IIS. This issue can be mitigated through proper Web server configuration and Web application development best practices, including proper validation of user submitted file names, and by configuring Web server software so that it will not execute scripts or applications in directories where user uploaded files are stored. We would also like to note that an exploit targeting Microsoft IIS has been made publicly available. We encourage our customers to refer to the Microsoft Security Response Center (MSRC) blog post for additional information.<br />
<a href="http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx" target="_blank">http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx</a><br />
<a href="http://www.exploit-db.com/" target="_blank">http://www.exploit-db.com/</a></p>
<p>We would also like to inform our customers that a report has surfaced indicating there has been &#8220;an increase in probes to port 12174.&#8221; Our analysts have also observed an increase in activity on this port. Reportedly, these probes are targeting a vulnerability in the Intel LANDesk Common Base Agent (CBA), which is used by the Symantec Alert Management System. An attacker could exploit this issue by sending a specially crafted packet to TCP port 12174 and execute arbitrary code on the vulnerable system. The Alert Management System 2 (AMS2) is a component of the Symantec System Center console, Symantec AntiVirus Server, and of the Symantec AntiVirus Central Quarantine Server. To mitigate this threat, ensure the Symantec Alert Management Systems running in your environment are up to date.<br />
<a href="http://isc.sans.org/diary.html?storyid=7834" target="_blank">http://isc.sans.org/diary.html?storyid=7834</a><br />
<a href="http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&amp;pvid=security_advisory&amp;year=2009&amp;suid=20090428_02" target="_blank">http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&amp;pvid=security_advisory&amp;year=2009&amp;suid=20090428_02</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.azitmgmt.com/2009/12/microsoft-iis-and-symantec-alert-management-system/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Adobe Threats</title>
		<link>http://www.azitmgmt.com/2009/12/adobe-threats/</link>
		<comments>http://www.azitmgmt.com/2009/12/adobe-threats/#comments</comments>
		<pubDate>Wed, 16 Dec 2009 15:31:50 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.azitmgmt.com/?p=39</guid>
		<description><![CDATA[Adobe is indicating they have received reports of active exploitation of a 0day vulnerability affecting Adobe Reader and Acrobat 9.2 and earlier versions (CVE-2009-4324). We encourage our clients to use caution when opening PDF files. Links to malicious documents can easily be sent through spam or through links on seemingly non-malicious Web sites. We also [...]]]></description>
			<content:encoded><![CDATA[<p>Adobe is indicating they have received reports of active exploitation of a 0day vulnerability affecting Adobe Reader and Acrobat 9.2 and earlier versions (CVE-2009-4324). <strong>We encourage our clients to use caution when opening PDF files</strong>. Links to malicious documents can easily be sent through spam or through links on seemingly non-malicious Web sites. We also recommend referring to the Adobe PSIRT blog for the latest information on this threat.<br />
<span title="http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html"><a href="http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html" target="_blank">http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html</a></span><br />
<a href="http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214" target="_blank">http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214</a></p>
<p>Some of the common predictions are: increased attacks targeting <strong>Microsoft 7 platforms and smartphones</strong>, more tailored and targeted attacks and continued targeting of <strong>social networking sites to distribute malware and obtain information</strong>. We have seen attackers become increasingly sophisticated over the years and their attacks harder to detect. And if you&#8217;re not technically savvy? Script kiddies have professionally produced products readily available to them on the Internet. In other words, be prepared for another cyber-threat-filled environment in 2010.<br />
<a href="http://www.f-secure.com/weblog/archives/00001835.html" target="_blank">http://www.f-secure.com/weblog/archives/00001835.html</a><br />
<a href="http://securitylabs.websense.com/content/Blogs/3509.aspx" target="_blank">http://securitylabs.websense.com/content/Blogs/3509.aspx</a><br />
<a href="http://blog.trendmicro.com/trend-micro-2010-future-threat-report/" target="_blank">http://blog.trendmicro.com/trend-micro-2010-future-threat-report/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.azitmgmt.com/2009/12/adobe-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
