Tag Archive for 2010

Mobile Botnet

Two researchers from TippingPoint’s Digital Vaccine Group duped thousands of smartphone users into joining a mobile botnet by spreading a seemingly innocuous weather application. Kelly Jackson Higgins at DarkReading writes that Derek Brown and Daniel Tijerina created a smartphone application called WeatherFist. Over 8,000 users downloaded WeatherFist, which harvested users’ PII, including GPS coordinates and telephone numbers, before displaying the local weather.

The researchers did not distribute their application via the official iPhone and Android application stores. Rather, they distributed WeatherFist via third-party app markets like Cydia, SlideME, and Modmyi. The app could only be installed on jailbroken iPhones or on Android devices where the user had specifically allowed non-approved applications to run. “We wanted people to feel comfortable using the application and putting it on their phone so we would have permission to do a lot of things like pass GPS coordinates, write to the file system, and surf,” Brown told DarkReading.

Mobile Botnet

At the 2010 RSA Security Conference the researchers said they had also written a malicious version of their mobile botnet, which they dubbed WeatherFistBadMonkey. According to DarkReading, the malicious app behaves more like traditional botnet code: it steals information and is capable of distributing spam. “We could enable or disable system services [with a malicious app],” Brown says. The TippingPoint researchers told DarkReading they wanted to prove that an app could behave like much of the traditional Windows malware that steals information and lets attackers gain remote control of hijacked devices.

rb-

Smartphones are part of today’s network, and Brown and Tijerina argue that this research exposes a security hole in corporate networks. Some of the ways to plug these new holes are to:

  1. Update policies for the proper use of smartphones
  2. Prohibit unsafe modifications of smartphones (jailbreaking, sideloading)
  3. Allow apps only from reputable app stores
  4. Provide training on smartphone application usage
  5. Lock down the Wi-Fi network settings to keep smartphones from ‘phoning home’ any information that shouldn’t leave the firm.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

How To Choose An eCycler

The U.S. Environmental Protection Agency (EPA) recently held a webinar on how to avoid the pitfalls of e-waste recycling. The online meeting, hosted by Chris Newman from EPA Region 5, laid out best practices for choosing an eCycler to recycle eWaste (eCycling). The reason for eCycling is simple: to protect your data, and your customers’ data, electronics should be disposed of in a traceable and secure way. According to the EPA, eCycling doesn’t necessarily mean shredding machines that are no longer in use; responsible recyclers can wipe computers clean and reuse some parts.

According to the EPA, the key to finding the best eWaste recycler for the firm and the environment is to “Trust, but verify.” The responsible firm should verify the claims its eCyclers make. The EPA reports that some unscrupulous eCyclers will present an “EPA ID #” as proof of certification when it is actually just an accounting identifier. Mr. Newman says that the EPA doesn’t certify recyclers, but there are several groups that do certify recyclers’ practices.

Choose an eCycler

The Responsible Recycling Coalition (R2) is one of two certifications in the U.S. The EPA started R2 in 2008 with industry partners and the initial support of environmental groups. In July 2009, the ANSI-ASQ National Accreditation Board (ANAB) announced that it would start accrediting companies to certify recyclers of electronic equipment under the R2 practices. R2 focuses on reducing the human and environmental impacts of recycling electronics. Waste Management recently became the first company to formally adopt these practices.

The other certifying body is the E-Stewards Initiative, formed in 2008 by environmental groups that abandoned the R2 partnership when the R2 principals refused to rule out exporting e-waste, incinerating waste electronics, and using prison labor to recycle electronics. In July 2009, ANAB also announced that it would start accrediting companies to certify recyclers of electronic equipment under the E-Stewards Initiative.

rb-

When we talk to clients about their technology life-cycle projects, their disposal processes are, most of the time, very weak. Owners need to understand the risks they are incurring by tossing equipment in the dumpster or stockpiling it in a closet: an un-wiped drive leaves the building with whatever data was on it.


A New Problem Caused by IE

The Microsoft Security Response Center (MSRC) Engineering team is reporting a vulnerability involving VBScript and Windows Help files. In Microsoft Security Advisory 981169, the MSRC says that pressing the F1 Help key can trigger a vulnerability in VBScript that enables remote code execution. The threat involves any version of Internet Explorer (IE) on Windows 2000 and Windows XP.

The US-CERT Vulnerability Note VU#612021 says that any file displayed by the Internet Explorer (IE) rendering engine can trigger the attack. IE’s engine is often used to render HTML for other applications, even when the usual IE program window is not visible.

Trigger the execution of arbitrary code

This issue makes it possible for a malicious web page, an HTML e-mail or e-mail attachment, or any other file rendered by the IE engine to display a dialog box that triggers the execution of arbitrary code when the user presses the F1 key. The prompt can reappear when dismissed, nagging the user to press F1. Microsoft calls Windows Help (.hlp) files an “inherently unsafe” file format: such files can run arbitrary code, so the browser must prevent remote Windows Help files from being invoked automatically.

Microsoft suggests that, as an interim workaround, users avoid pressing F1 on dialogs presented from web pages or other Internet content. If a dialog box repeatedly appears trying to convince the user to press F1, users should log off the system or use Task Manager to kill the Internet Explorer process.

It is also possible to mitigate the threat from an administrator command prompt by locking down the legacy Windows Help viewer (winhlp32.exe) so that no user can launch it. Type:
cacls "%windir%\winhlp32.exe" /E /P everyone:N
Note that while this deny entry is in place, no legacy .hlp file will open for any user on the machine, including administrators. To undo the change, type:
cacls "%windir%\winhlp32.exe" /E /R everyone

Windows Server 2003 is affected as well, but the default IE configuration mitigates the threat. Windows Vista, Server 2008, and Windows 7 are not affected.


The MSRC post also describes how to set IE’s Internet and Local intranet security zones to “High” so that IE prompts before running ActiveX controls and Active Scripting in those zones, a move that also helps protect against other script-based attacks.


Republican Blocks Unemployment Benefits

Jim Bunning, a Republican from Kentucky, is single-handedly blocking Senate action needed to prevent an estimated 1.2 million American workers from prematurely losing their unemployment benefits next month. As Democratic senators asked again and again for unanimous consent for a vote on a 30-day extension Thursday night, Bunning refused to go along.

According to the Huffington Post, when Sen. Jeff Merkley (D-OR) begged him to drop his objection, Bunning replied (as Politico reports): “Tough shit.” And at one point during the debate, which dragged on till nearly midnight, Bunning complained of missing a basketball game.

“I have missed the Kentucky-South Carolina game that started at 9:00,” he said, “and it’s the only redeeming chance we had to beat South Carolina since they’re the only team that has beaten Kentucky this year.” Daily Kos produced a video of Bunning’s obstruction.

The Huffington Post says the stakes are enormous: provisions of last year’s stimulus bill that allow extra weeks of unemployment benefits and COBRA health coverage are set to expire on Feb. 28. State workforce agencies have already sent out letters informing recipients that they’ll be ineligible for extra “tiers” of benefits starting next month. The National Employment Law Project estimates that 1.2 million people will prematurely lose benefits in March.

Judy Conti, a lobbyist for the NELP, said that even when Bunning is eventually thwarted and the extension is passed, state governments will still have to deal with the extra administrative costs of shutting down and restarting the extended benefits programs.

Ms. Conti said, “Once the program is retroactively reauthorized, the federal government is going to send the same amount of money, but his own state government is going to have to spend even more money.” She continued, “What happened last night was an absolute disgrace. There is a time and a place a purpose for debate on deficit reduction, but you don’t make your stand on the back of the unemployed. It is ill-informed, counterproductive, and just cruel.”

Sen. John Cornyn (R-TX) took the floor to stick up for Bunning and stated, “I admire the courage of the junior senator from Kentucky.” And with that, the Senate adjourned for the weekend.


IPv6 Malware

In a December 2009 report, The Future of Threats and Threat Technologies: How the Landscape Is Changing, anti-malware vendor Trend Micro predicts that the IPv6 changes to the Internet infrastructure will widen the playing field for cyber-criminals.

One of the changes Trend Micro predicts is an IPv6 malware experimentation stage. The anti-virus firm points out that many weaknesses were discovered in IPv4 during the mid-to-late 1990s as the Internet came into its own, and it expects IPv6 to follow a similar pattern.

As the IPv6 user base expands, weaknesses will be discovered in the IPv6 protocol and its implementations. Trend Micro believes that the current low IPv6 adoption rate and the increased awareness of IPv4 exhaustion will delay any wide-scale IPv6 malware beyond 2010. However, as users start to explore IPv6, so will the cyber-criminals, and the vendor expects to see proof-of-concept IPv6 abuse during 2010. Possible abuse includes new covert channels or command-and-control (C&C) for botnets, which is plausible precisely because so little IPv6 traffic is inspected today.

IPv6 tunneling protocols pose threats

One attack vector that will open up as users start experimenting with IPv6 is tunneling protocols, according to Ben April, an Advanced Threat Researcher at Trend Micro. Mr. April points out on the Trend Micro Malware Blog that the 6to4 (RFC 3056) and Teredo (RFC 4380) tunneling protocols pose threats to networks as they transition to IPv6.

Trend’s April says that neither protocol claims to offer any significant security protection. According to the blog, 6to4 tunneling requires the endpoint to sit in publicly routable IPv4 space and be directly reachable by any 6to4 relay; for full functionality it must therefore accept encapsulated traffic from any IPv4 address that claims to speak the protocol, with no way to authenticate the sender. 6to4 can also advertise routes to networks behind the endpoint. Each endpoint’s IPv6 address (2002::/16) embeds the endpoint’s own IPv4 address in hex, so the IPv4 address is visible to anyone who sees the IPv6 address. According to April, a server on the IPv6 Internet must also be fortified against both IPv4 and IPv6 threats. 6to4 has an entire RFC (RFC 3964) devoted to its security considerations.

The Teredo RFC goes so far as to call itself the IPv6 provider of last resort. The blog says this label comes primarily from the contortions required to successfully traverse multiple NAT gateways. Unlike 6to4, only one host can exist behind a Teredo endpoint. April points out the risk Teredo creates by tunneling from the public Internet straight to a host inside a NATed environment: a machine that was never reachable from outside suddenly is, so the host itself must be well protected. The protocol also leaks endpoint addressing that would aid an attacker. A Teredo address encodes the IPv4 address of the Teredo server, the IPv4 exit address of the NAT gateway, and the UDP port used by the external NAT session, in a well-known and only slightly obfuscated way (the port and address are XORed with all-ones bits).
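To make the address-leakage point concrete, here is an added example (not code from the original post or from Trend Micro) that decodes the IPv4 information carried in 6to4 and Teredo addresses exactly as the two RFCs lay it out, and classifies a list of source addresses so a log reviewer can see how much “IPv6” traffic is really tunneled IPv4. The sample addresses are constructed for illustration: a 6to4 router at 192.0.2.4 and a Teredo client behind a cone NAT at 192.0.2.45:40000 using server 65.54.227.120.

```python
"""Decode the IPv4 information that 6to4 and Teredo addresses carry.

Added example: not code from the original post or from Trend Micro.
The sample addresses below are constructed for illustration.
"""
import ipaddress
import struct
from collections import Counter

SIXTOFOUR_PREFIX = ipaddress.ip_network("2002::/16")   # RFC 3056
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")      # RFC 4380


def decode_6to4(addr):
    """Return the IPv4 endpoint embedded in a 6to4 address, or None.

    6to4 addresses are 2002:WWXX:YYZZ::/48 where WW.XX.YY.ZZ is the public
    IPv4 address of the 6to4 router, i.e. bytes 2..5 of the packed address.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTOFOUR_PREFIX:
        return None
    return str(ipaddress.IPv4Address(a.packed[2:6]))


def decode_teredo(addr):
    """Return the fields a Teredo address leaks, or None if not Teredo.

    Layout (RFC 4380 section 4): 32-bit prefix 2001:0000, 32-bit Teredo
    server IPv4, 16-bit flags (0x8000 = cone NAT), 16-bit external UDP
    port XORed with 0xFFFF, 32-bit external NAT IPv4 XORed with 0xFFFFFFFF.
    The XOR is the "slight obfuscation": it exists only so that a NAT does
    not rewrite its own address when it sees it inside the payload.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    p = a.packed
    server = ipaddress.IPv4Address(p[4:8])
    flags, obf_port, obf_client = struct.unpack("!HHI", p[8:16])
    return {
        "server": str(server),
        "cone_nat": bool(flags & 0x8000),
        "nat_port": obf_port ^ 0xFFFF,
        "nat_ipv4": str(ipaddress.IPv4Address(obf_client ^ 0xFFFFFFFF)),
    }


def tunnel_kind(addr):
    """Classify an IPv6 address as '6to4', 'teredo' or 'native'."""
    a = ipaddress.IPv6Address(addr)
    if a in SIXTOFOUR_PREFIX:
        return "6to4"
    if a in TEREDO_PREFIX:
        return "teredo"
    return "native"


def summarize(addresses):
    """Count tunnel kinds over a list of source addresses (for example,
    pulled from a firewall or web-server log) to see how much IPv6 traffic
    arrives through tunnels that an IPv4-only ruleset never inspected."""
    return Counter(tunnel_kind(a) for a in addresses)


# Constructed sample: a 6to4 router at 192.0.2.4, a Teredo client behind a
# cone NAT at 192.0.2.45:40000 using server 65.54.227.120, and one native
# address from the documentation prefix.
SAMPLE = [
    "2002:c000:0204::1",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
    "2001:db8::10",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, tunnel_kind(a), decode_6to4(a) or decode_teredo(a) or "")
    print(summarize(SAMPLE))
```

The decoding is deliberately done by hand so the bit layout is visible; Python’s ipaddress module also exposes the same information through the IPv6Address.sixtofour and IPv6Address.teredo properties, which make a handy cross-check. Feeding real log data through summarize() is a quick way to test the closing claim of this post, that IPv4 firewall rules see none of this traffic: every address it labels 6to4 or teredo reached you as IPv4 protocol 41 or UDP 3544 encapsulation, not as a native IPv6 flow.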

One answer to the IPv6 inspection problem could come from network security and unified threat management (UTM) provider Fortinet. In December 2009, the vendor announced that it had achieved 56 Gbps of IPv6 throughput on its FortiGate-5140 multi-threat chassis-based system. The IPv6 throughput figure is based on its proprietary FortiASIC technology, which accelerates security processing on the FortiGate-5000 Series blades and modules. The FortiASIC processors accelerate the processing of network traffic with a focus on security enforcement, including firewall policies and other content inspection requirements.

The IPv6 performance of the equipment was benchmarked and validated with a BreakingPoint Elite resiliency testing chassis with multiple 10 GbE interfaces. Fortinet’s FortiOS firmware has also fulfilled all requirements for IPv6 Ready Logo Phase-2 Core Support as a router product, a certification awarded by the IPv6 Ready Logo Program.

As Trend Micro’s April puts it, “IPv4 firewall rules don’t do anything to IPv6 traffic.” Hardware that can inspect IPv6 at line rate only helps if IPv6 policy is actually written for it.
