Microsoft Patch Tuesday May 2010 Pre-Release, (Sat, May 8th)

Microsoft announced that they will be releasing a total of two bulletins, both rated Critical, that could allow remote code execution. The vulnerabilities affect Windows 2000, XP and Vista, as well as Windows Server 2003, 2008 and 2008 R2. Other affected applications are Office XP, 2003 and 2007, and Microsoft Visual Basic. More details are available here [1].
The recent SharePoint Security diary posted on ISC will not be addressed in the May bulletins.
[1] Microsoft Security Response Center Blog
-----------
Guy Bruneau, IPSS Inc., gbruneau at isc dot sans dot org
Interested in taking SANS SEC503 in French? Register at http://www.sans.org/nice-2010/ for Community SANS Nice, France, June 21 to 26, 2010.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Security Awareness – Many Audiences, Many Messages (Part 2), (Fri, May 7th)

Last month, I posted a diary titled The Many Paths to Security Awareness, which discussed various job positions, what motivates people in those jobs, and what messages you might use to take advantage of those motivators. The end goal is that, when faced with a security-related decision, you see a move in the positive direction. As a security professional, you want people in your organization or your customers' organizations to make the right choice when they're put on the spot.



First of all, I'd like to thank everyone very much for participating in the survey that was part of the original story. I used the survey results, along with interviews and my own experience, to write a paper on this topic (one of my last requirements for my sans.edu master's degree!). You can find the paper here: http://www.sans.edu/resources/student_projects/ , along with a presentation that summarizes the information. The presentation got posted as a PDF, so the nifty PowerPoint animations don't work, but the message is all there.



There were lots of things in the results that you'd expect. For instance, CEOs are motivated by regulatory compliance, avoiding lawsuits and shareholder value. But some of the results were a bit of a surprise:
When I started this, I had thought that protection of Intellectual Property (IP) would be of primary concern to engineers and others who actually create said IP. However, what I found was that, more and more, the value of IP is being given a real dollar value, and any compromise of IP is being worked into corporate risk assessments. So protection of IP is now on the radar of lots of CEOs, and protection of IP can be used to influence security decisions at that level.
Folks in a helpdesk role are motivated by uptime of corporate systems, compliance with corporate policies and personal financial incentives, but more overtime does NOT count as a financial incentive! Also, personal workstation downtime almost didn't register as a motivator (this one kind of surprised me).
Something that we all live with is that IT groups are still taking the lead in developing, monitoring and enforcing security policies. However, what is FINALLY happening is that HR is now starting to take the lead in some of this. In many organizations, things like reports from the content filter that monitors and enforces web usage policies are now the responsibility of HR, with IT there to provide the service and act as an expert consultant. This is a good thing to see, because HR is actually placed to do real enforcement of policies like AUPs (Acceptable Use Policies) and web surfing policies, where in many companies IT could only watch and shake their heads.
What didn't work across the board was any security task that people couldn't immediately see value in on their own (without a lesson from security school). So, for instance, if you want to implement password complexity where it hasn't existed before, it's probably worth a bit of an awareness message ahead of time, or no one is going to be buying into it.
Again, the full results are in the paper, the power point covers the high points.
Anything you'd like to add to the list is welcome, by all means use the comment form to add to this story !
=============== Rob VandenBrink, Metafore ===============

non-latin TLD to be issued, (Thu, May 6th)

Top-level domains are taking a new turn today with ICANN announcing the first TLDs using non-Latin characters, for example Egypt's new Arabic-script ccTLD. It will be interesting to see how this will be used. I wouldn't know where to begin typing on my keyboard, so I would have to rely on links to get me to some sites. As we know, clicking links blindly on the internet is always a great idea, especially in emails. :-) (http://www.icann.org/en/announcements/announcement-05may10-en.htm)
Cheers
Mark
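Since a non-Latin domain still travels through DNS as an ASCII "xn--" (punycode) label, the only way to know where such a link leads is to decode it before clicking. The following Python is an added example of mine, not part of the diary: it decodes the host of a URL back to Unicode and flags labels that mix scripts, the classic lookalike trick. The sample hosts are my own: xn--wgbh1c is the punycode form of Egypt's Arabic ccTLD, and the "paypal" spelled with a Cyrillic a is a constructed lookalike, not an observed attack.

```python
"""Decode IDN (xn--) hosts and flag mixed-script lookalike labels.

Added example; not code from the ISC diary. Sample hosts are constructed.
"""
import unicodedata
from urllib.parse import urlsplit


def _script(ch):
    """Crude script classification: first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"   # digits, '-' etc. are script-neutral
    return unicodedata.name(ch, "UNKNOWN").split()[0]  # e.g. 'ARABIC', 'CYRILLIC'


def decode_label(label):
    """Turn a punycode label back into Unicode; plain ASCII labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def to_ascii(host):
    """The form a browser actually sends to DNS for a Unicode host name."""
    return host.encode("idna").decode("ascii")


def inspect_host(url):
    """Report the Unicode host behind a URL and whether any label mixes scripts."""
    host = urlsplit(url).hostname or ""
    labels = [decode_label(part) for part in host.split(".")]
    report = []
    for label in labels:
        scripts = {s for s in (_script(c) for c in label) if s != "COMMON"}
        report.append({"label": label, "scripts": sorted(scripts), "mixed": len(scripts) > 1})
    return {
        "ascii_host": host,
        "unicode_host": ".".join(labels),
        "labels": report,
        "suspicious": any(r["mixed"] for r in report),
    }


if __name__ == "__main__":
    # Egypt's Arabic ccTLD in its punycode form (assumed sample link).
    print(inspect_host("http://xn--wgbh1c/"))
    # Constructed lookalike: Latin 'paypal' with a Cyrillic 'a' (U+0430).
    print(inspect_host("http://" + to_ascii("p\u0430ypal.com") + "/"))
```

The script classification is deliberately coarse (it keys off the Unicode name), which is enough to catch a Latin label with one Cyrillic letter smuggled in; a production check would use the Unicode Script property and the registry's own IDN tables.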

Microsoft Security Bulletin Advance Notification for May 2010

Revision Note: Advance Notification published. Summary: This advance notification lists security bulletins to be released for May 2010.

DNSSEC...not a bang but a whimper?, (Tue, May 4th)

Tonight is the night that DNSSEC is enabled between the DNS root servers. I am not going to go into detail, since the good people at the other ISC (Internet Systems Consortium) have already done a wonderful job of that in their posting.
Lots of the usual hype in the usual places, including The Register, Slashdot, etc. The fact is that this really only affects the way your ISP's resolvers talk DNS to the root servers. I suspect most users are using their ISP's DNS servers, which will continue to talk to their customers the old way. It may cause problems for some users who are hosting their own DNS servers behind antiquated firewalls (signed responses from the root are larger than the 512-byte UDP answers that older firewalls assume, and some of them drop EDNS0 or fragmented replies), but for the most part this will be a non-event.



What I find interesting is that, using the resolver test at RIPE, my OpenDNS-provided resolvers fail. Hopefully that will be fixed before the big event.

Update: OpenDNSresponded to my query with a pointer to a forum article. It seems they are just fine.

-- Rick Wanner - rwanner at isc dot sans dot org

MS10-022 - Important: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169) - Version:1.1

Severity Rating: Important - Revision Note: V1.1 (May 5, 2010): Corrected the registry key verification for VBScript 5.6 on Windows XP Service Pack 2. Summary: This security update resolves a publicly disclosed vulnerability in VBScript on Microsoft Windows that could allow remote code execution. This security update is rated Important for Microsoft Windows 2000, Windows XP, and Windows Server 2003. On Windows Server 2008, Windows Vista, Windows 7, and Windows Server 2008 R2, the vulnerable code is not exploitable; however, as the code is present, this update is provided as a defense-in-depth measure and has no severity rating. For more information, see the subsection Affected and Non-Affected Software in this section.

Malicious iFrame on US Treasury and other sites?, (Tue, May 4th)

We have received a number of emails from readers pointing us to news articles indicating that the US Treasury is in the process of cleaning up malicious iframes that have infected a number of their sites. We have also received one report that this particular iframe redirect has been found at other sites, and that perhaps this may be another registrar-related compromise.
If anyone has any further information on whether or not this is bigger than just the US Treasury, we would love to hear it.
As usual you can send us feedback through the comments to this diary, or via our contact page.

-- Rick Wanner - rwanner at isc dot sans dot org

SIFT review in the ISSA Toolsmith, (Tue, May 4th)

Russ McRee over at holisticinfosec.org has once again written an excellent ISSA Toolsmith article. This article is a review/tutorial of SIFT, the SANS Investigative Forensic Toolkit. SIFT is Rob Lee's open source forensic toolkit used for SANS SEC508. Daniel Wesemann announced the availability of SIFT in a previous diary.
As usual, Russ provides good insight into the high points of SIFT, including how to install and configure it. He then walks you through some of the features of SIFT by performing a basic investigation of a memory image.
While the article only scratches the surface, it is definitely worth the read if you are interested in forensics using open source tools.

-- Rick Wanner - rwanner at isc dot sans dot org

Social engineering via paper mail, (Mon, May 3rd)



Following up on yesterday's social engineering post: the banking scammers don't just rely on Zbot. The good old paper-based advance fee or fake letter approaches still work, too.
ISC reader David, for example, got a FedEx envelope with an unexpected check for $2,850, with him as recipient. Diligent security specialist that he is, he called the issuing bank and found out that the account against which the check was drawn had zero funds. The way this works is that the bad guys follow up the first letter with a second, in which they apologize for the mistake and ask the victim to wire back $2,500 and keep the $350 for his trouble. If you go ahead with this, by the time the check bounces you have wired the money, and wired money is gone, or at least very, very hard to get back. Given that the crooks incur quite some expense and risk in this scenario (FedEx isn't cheap and is often traceable back to the source), they must still be making a killing out of this scam.
The second scheme is phishing via old-fashioned paper mail. You get a letter stating that, for security reasons, calling the bank now requires a PIN code, included below. There follows a PIN code of a length and complexity that makes it unlikely anyone would want to remember it, and two lines down, the helpful comment that the PIN code can be changed by calling 1-800-whatever. You do so, and here's what happens next:
Voice: Please enter your account number, followed by the pound key. [you type]
Voice: Please enter your current telephone access code. [you type in the access code from the letter]
Voice: This access code is incorrect. Please try again. [you type it again, correctly]
Voice: This access code is incorrect. Please hold for an operator. [you hold]
Operator: XYZ Bank, my name is QRS, how may I help you? [you explain]
Operator: To identify you, we have to ask a couple of security questions. What are the last four digits of your social security number?
Yep. You get the drift. After this exchange, they have everything they need.
Lesson learned: Do not ever call your bank on a telephone number included in a letter, email or left on your voice mail. Get to know some employees at the bank branch you do business with, and call them with any questions you might have. Recognizing someone's voice beats a security pin code any day.

Update: Apparently, a bank in the US is currently sending out letters about phone PIN codes that look a lot like the fraudulent fakes described above, including both an unsolicited new PIN code and an 800 number to call to change it. If you received one of these letters, call your bank branch (as mentioned above), or check that the telephone number on the letter matches the 800 number the bank lists under Contact on their (real) web page. "Trust, but verify" was yesteryear. Nowadays, the rule in banking matters has changed to "Don't trust, always verify."

Microsoft Security Bulletin Summary for March 2010

Revision Note: V3.0 (May 3, 2010): Announced availability of Microsoft Producer download associated with MS10-016. Summary: This bulletin summary lists security bulletins released for March 2010.

MS10-016 - Important: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561) - Version:2.0

Severity Rating: Important - Revision Note: V2.0 (May 3, 2010): Corrected installation switches for Movie Maker 2.6 on Windows Vista and Windows 7. Also announced availability of Microsoft Producer. Microsoft recommends that users of Microsoft Producer 2003 upgrade to the new version, Microsoft Producer. Summary: This security update addresses a privately reported vulnerability in Windows Movie Maker and Microsoft Producer 2003. Windows Live Movie Maker, which is available for Windows Vista and Windows 7, is not affected by this vulnerability. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker or Microsoft Producer project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Zbot Social Engineering, (Sun, May 2nd)

Have you updated your awareness program lately? A sample of the new email used to social engineer victims into running the latest Zbot variant crossed my desk recently, and prompted me to wonder whether our security awareness programs have been updated to include this type of attack. Do your users know that no legitimate sender will put a password in a clear-text email? Do your users know the difference between plain text and encrypted text?



The tactic being used is skillful and easy to fall prey to. Are your users aware of this method? The message runs, in essence:

Dear Prey,
Your account has been deactivated for whatever reason and requires you to download and execute the following file. The password for the file is 12345.
Thank you for your prompt attention to this Zbot social engineering email!
Reputable Company

Mari Nichols
Handler on Duty

Happy May Day, (Sat, May 1st)

The past 24 hours have been somewhat uneventful. Perhaps it's because today is May Day, a traditional holiday in many countries. Perhaps it's because the Kentucky Derby was today. Who knows. Regardless, we are happy to report that we've only noted one item worth mentioning, and that's a lapse in the Snort digital certificate. Two readers let us know that it had expired on April 30th. It looks like the issue has been resolved: the current certificate is good until June of next year.
Marcus H. Sachs

Director, SANS Internet Storm Center

Information mostly from: http://isc.sans.org
