Tag Archive for Security

Java Help

-Updated 11-12-13- JavaRa 2.3 is now available to remove Java. The new version fixed several bugs and further improved localizations.

-Updated 08-28-10- Earlier this month Lunarsoft, the publishers of JavaRa, released version 1.16beta of JavaRa. According to the FAQs, some of the added features include:

  • A new system of reading registry keys into the program,
  • A new system of reading languages,
  • x64 support, and
  • Bug fixes.

More info and download here. The beta tag should not scare you off: according to the FAQs, the program itself is no longer in beta because it is quite stable. The beta label remains only because some fixes and the x64 support haven’t been tested extensively yet.

A recently unearthed feature that has been built into Java since Java 6 Update 10 allows developers to easily distribute their applications to end users. Sun introduced a feature called Java Web Start designed to let developers install software and execute a program from a website. KrebsOnSecurity reports the feature allows criminals to remotely execute malicious code on the user’s computer.

AVG discovered an in-the-wild attack that takes advantage of this feature to redirect unsuspecting web users to a Russian website that serves a crimeware kit, which bombards visiting browsers with exploits. After a delay, Sun issued a patch. According to ZDNet, Sun does not mention the disclosure or the attacks in the release notes accompanying the patch, but ZDNet was able to confirm that it does cover the flaw in question. Even after applying the update, users may still be vulnerable: when the Java Runtime Environment (JRE) updates, it installs a whole new version of itself without removing the old installations.

Lifehacker points out JavaRa, a utility that removes old and obsolete versions of the JRE while leaving the files that are necessary for the current version to run. The utility also removes other bloat and registry entries to ensure that Java still works on your computer without all the extra files cluttering up your hard drive. JavaRa is free but does require administrative rights to run because it makes changes to the registry. JavaRa works on just about every version of MSFT’s Windows. Once you have downloaded the app, just run it and tell it to remove old versions of the Java Runtime Environment. The app will spin for a while and then let you know the old versions are gone. The app will also:

  • Remove the startup entry that makes Java run when Windows starts,
  • Remove the Sun Download Manager, and
  • Check to see if there are updates available for the installed version of Java.

rb-

So far JavaRa is a free, simple, portable download for Windows that just works and will make a great addition to your flash drive toolkit.
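As an added illustration of the leftover-JRE problem that JavaRa cleans up (this is example code, not JavaRa’s own), the following PowerShell script inventories the Java Runtime Environment entries in the Windows uninstall registry keys and flags every version except the newest as stale. It assumes the Sun/Oracle installers register a DisplayName beginning with "Java" and, for MSI-based installs, a product-code key name that msiexec accepts.

```powershell
# Added example, not JavaRa's code: inventory installed Java Runtime Environments
# and flag every version except the newest as stale, which is what accumulates
# when a JRE update installs itself alongside the old one.
# Assumption: Sun/Oracle JRE installers register a DisplayName starting with "Java".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit JREs on x64
)

$jres = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName -like 'Java*' -and ($_.DisplayVersion -as [version]) } |
        Select-Object DisplayName, DisplayVersion, UninstallString, PSChildName
}

if (-not $jres) {
    Write-Host 'No Java Runtime Environment entries found in the uninstall registry.'
    return
}

# Newest first; the [version] cast makes "6.0.200" (Update 20) sort above "6.0.30" (Update 3).
$sorted  = @($jres | Sort-Object { $_.DisplayVersion -as [version] } -Descending)
$current = $sorted[0]
$stale   = $sorted | Select-Object -Skip 1

Write-Host ("Current JRE : {0} ({1})" -f $current.DisplayName, $current.DisplayVersion)
foreach ($old in $stale) {
    Write-Host ("Stale JRE   : {0} ({1})" -f $old.DisplayName, $old.DisplayVersion)
    Write-Host ("  Uninstall : {0}" -f $old.UninstallString)   # reported, not executed
}

# To remove the stale entries from an elevated prompt (like JavaRa, this needs admin rights):
#   $stale | ForEach-Object { Start-Process msiexec -ArgumentList "/x $($_.PSChildName) /qn" -Wait }
# Assumption: for MSI-based JREs, PSChildName is the {GUID} product code that msiexec accepts.
```

The script only reports by default; the commented-out line at the end is the removal step, kept separate so the inventory can be reviewed first.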


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Microsoft Security Report

Microsoft (NASDAQ MSFT) released the latest Microsoft Security Intelligence Report (SIRv8) on April 26, 2010. Data for SIRv8 came from 500 million PCs across the globe between July and December 2009 and, for the first time, separates enterprise user and consumer user malware trend data. The data included in the 250-page report says that enterprises and consumers each suffer from different types of malware threats.

Microsoft security good news

The good Microsoft security news from the SIR 8 report is that newer operating systems and up-to-date applications are the most secure. Windows 7 and Vista Service Pack 2 had the lowest infection rates per 1,000 executions of the Microsoft Malicious Software Removal Tool (MSRT) in the second half of last year (pg. 85). Microsoft runs the Malicious Software Removal Tool before installing Windows updates.

Windows OS           PCs cleaned per 1,000 MSRT executions
XP SP1               21.7
XP SP2               14.5
Win 7 32-bit          2.8
Vista SP2 32-bit      2.2
Vista SP2 64-bit      1.4
Win 7 64-bit          1.4

The report shows that the more recent versions of Microsoft Windows are less vulnerable to attack. Cliff Evans, Microsoft UK’s head of security and privacy, says only about 5% of the vulnerabilities are in Microsoft software. This has led to a shift in emphasis to targeting third-party programs and utilities. In XP, around 45% of attacks exploited third-party (i.e. non-Microsoft) code; with Vista and Windows 7 it’s around 75%, according to an article in the Guardian.

Application attacks continue to increase. Running updated software decreases the attack surface and increases Microsoft security robustness. The report shows that attackers target Internet Explorer 6 (IE 6) up to four times more often than the newer version IE 7 (pg.33). Matt Thomlinson, general manager of product security in Microsoft’s Trustworthy Computing group told DarkReading, “With Internet Explorer, IE 6 is four times more targeted in drive-by attacks.” Thomlinson says SIR 8 provides the first real results to illustrate this.

Browser attacks

The Microsoft security report says that nearly 75% of the browser-based exploits encountered in 2H09 targeted third-party applications, including Adobe Reader, RealPlayer, Apple QuickTime, and AOL software (pg. 26). This means Windows Update is not enough to protect users, who must also install updates from Adobe, Apple, and other software suppliers.

Attacks against Microsoft Office make use of older vulnerabilities that have mostly been fixed and can easily be avoided by keeping the software suite up to date. The majority of Office file format attacks can be avoided by applying service packs (pg. 43). For example, 75.8% of the attacks on Microsoft Office files exploited a single vulnerability (CVE-2006-2492, the Malformed Object Pointer Vulnerability in Microsoft Office Word), which was found in 2006.

The report found that enterprise users contract more worms: “In the enterprise, worms are more of a problem, which is not a surprise in that you have networks with trusted file shares and USB devices, and they are more susceptible to those transmission mechanisms,” Thomlinson told DarkReading. “This is the first time we’ve had data allowing us to separate [enterprise and consumer machines] and show differences [in malware prevalence.]” Worms were found on 32 percent of enterprise PCs.

Threat                                   Present (%)
Worms                                    32
Miscellaneous Trojans                    18
Unwanted software                        16
Trojan downloaders and droppers          13
Password stealers and monitoring tools    7
Backdoor programs                         5
Viruses                                   4
Exploits                                  3
Adware                                    3
Spyware                                   1

Rogue anti-virus attacks

Windows users in both the enterprise and the consumer markets were hit hard by rogue anti-virus attacks last year. Rogue security software was found on 7.8 million computers in the second half of last year, up 46% from 5.3 million. The most detected rogue security software family, Win32/FakeXPA, was also the third-most prevalent overall threat detected by Microsoft worldwide in 2H09. Three other rogue software families were also widely detected:

  • Win32/Yektel,
  • Win32/FakeSpypro, and
  • Win32/Winwebsec.

MSFT claims that attacks are now motivated by financial gain, with a “black economy” of malware authors, botnet herders, and other criminals working together to exploit vulnerabilities in Windows PCs. “We’re seeing that the criminals are more professional and organized,” Thomlinson says. “This is really about criminals in shirts and ties, not with tattoos.” Criminals are becoming more specialized in different aspects of cybercrime and are then coordinating with criminals with other specialties, he says. “Threats are being packaged together and sold as commodities and kits,” he says. “It struck us as we looked at botnets that this is an early version of cloud computing: There is computing available for whatever use they have in mind, and they are taking advantage of many machines to do that. This is the ‘black cloud’ of computing.”

rb-

The next report will be interesting as attackers focus their attention on Win7 as it becomes more widely deployed. The takeaways from the report are:

  • Keep your installed software patched to current levels.
  • Running old versions of operating systems, browsers, and application software exposes companies to additional unnecessary risks (Ask Google).
  • Invest in initiatives that get systems upgraded to the newest technology available.


9 Year Old Hacks School System

ComputerWorld reports that officials at Fairfax County Public Schools thought they had a hacker on their hands. It was reported that someone was changing teacher passwords on the Falls Church, Virginia, school district’s Blackboard system. Blackboard (BBBB) gives teachers, students, and parents a way to communicate and stay on top of homework assignments and class announcements over the Web. Blackboard’s website says more than 5,000 K-12 and higher-education institutions nationwide use its software.

The District contacted local authorities when teachers and staff members reported that their passwords had been changed, preventing access to their accounts, according to ComputerWorld. Changes to content and enrollment information for some courses were also discovered. The local police investigated and pulled a search warrant for Cox Communications, the Washington Post reports. They traced the IP address which accessed the Blackboard system to the McLean, Virginia, physical address of the home of a 9-year-old student in Fairfax County Public Schools. The police initially suspected the student’s mother, but after interrogating both of them it became clear that the child was to blame.

Turns out that the Blackboard system was not hacked. The student had simply taken a teacher’s password from a desk and used it to change enrollment lists and other teachers’ passwords. “This was a case where an individual … got hold of a teacher’s password, and the passwords had administrative rights,” said Paul Regnier, a school board representative. “It was actually not a hack, unless you consider the 9-year-old took the teacher’s username and password from the desk a hack,” said Michael Stanton, Blackboard’s senior vice president of corporate affairs. No criminal charges will be filed against the perpetrator, and, citing school policy, Regnier wouldn’t confirm that it is a student, but the Fairfax school board is taking the incident seriously, Regnier said. “Nothing bad happened this time, but we have to make sure that … it doesn’t happen again,” he said.

rb-

This event correlates with the recent (04/14/2010) Tufin Technologies survey results on the hacking habits of 1,000 New York City teenagers. The survey found that 39% of the teens surveyed think hacking is “cool” and 16%, or roughly one in six, admitted to trying their hand at it. Only 15% of the entire sample has either been caught or knows someone who has – particularly disturbing considering 7% of young hackers reported they did so for money and 6% view it as a viable career path.

The big lesson here is, of course, SECURE YOUR PASSWORDS.


Update Email Policy

A court case coming out of New Jersey could impact most firms’ privacy and security practices, according to an article on DarkReading. The New Jersey Supreme Court recently ruled in Stengart v. Loving Care Agency, Inc., 408 N.J.Super. 54, 973 A.2d 390 (Superior Ct., A.D. 2009) that an employer cannot read email messages sent via a third-party email service provider, even if the emails are accessed during work hours from a company PC.

The court found the company’s policy on email use to be vague, noting it allows “occasional personal use.” “The policy does not address personal accounts at all,” the decision said. “The policy does not warn employees that the contents of such emails are stored on a hard drive and can be forensically retrieved.”

The ruling, written by Chief Justice Stuart Rabner, states in part that the employee could “reasonably expect that emails she exchanged with her attorney on her personal, password-protected, web-based email account, accessed on a company laptop, would remain private.” Rabner continues that the employee “plainly took steps to protect the privacy of those emails and shield them from her employer. She used a personal, password protected email account instead of her company email address and did not save the account’s password on her computer.”

The law firm of Jackson Lewis provides a legal overview of the case on its blog, The Workplace Privacy, Data Management and Security Report, and recommends that employers consider modifying their existing electronic communication policies to include:

  • Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
  • Definitions of the specific technologies and devices to which the policies apply;
  • Warnings that web-based, personal e-mail can be stored on the hard drive of a computer and forensically accessed;
  • No ambiguities about personal use.

Rb-

I am no lawyer, so be sure to consult your attorney about this and all legal issues. In my opinion, this ruling is new law-making. The new law is applicable only in New Jersey for now. However, unless the U.S. Supreme Court overturns this new law, it will be the starting point for all other litigation. Firms should begin reviewing and updating their technology policies to protect themselves from this new law.

An interpretation of the ruling suggests that employees have to be specifically warned that it is possible to forensically retrieve data from the firm’s computers. In this ruling, the Court found, “the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read.”

Sounds like another shot in the arm for the content filtering firms.


NICs Latest Threat to PCs

The latest malware attack vector is the network interface card (NIC). According to a post at Gizmo’s Freeware, two separate presentations at the CanSecWest international security conference demonstrated exploits utilizing network cards. The article reports that both exploits focused on Broadcom (AVGO) NICs.

The post reports that in at least one of the demos the researcher used the Broadcom remote factory diagnostic mechanism to install custom firmware on the network card. The researcher used the compromised firmware to create a tunnel into the PC in such a way that packets sent via the tunnel were not visible to the system firewall. Using the network card’s access to memory, the attacker could then run whatever code he wanted.

HP uses the vulnerable NICs in PCs

HP (HPQ) uses the vulnerable Broadcom NICs in many PCs. In response, the HP Software Security Response Team has released a Security Bulletin (Document ID: c02048471) “HP Small Form Factor or Microtower PC with Broadcom Integrated NIC Firmware, Remote Execution of Arbitrary Code.” In the bulletin, HP says this information should be acted upon as soon as possible.

HP has made softpaq SP47557 available to resolve the vulnerability. In the bulletin, HP says the following models contain the Broadcom Integrated NIC firmware:

  • HP Compaq 6005
  • HP Compaq dc5700
  • HP Compaq dc5750
  • HP Compaq dc5850
  • HP Compaq dc7600
  • HP Compaq dx7200
  • HP rp3000 Point of Sale System
  • HP rp5700 Desktop PC
  • HP rp5700 Point of Sale System

Rb-

This is a new hole, not a new attack. The premise appears to be poor design. Why would a manufacturer leave “the remote factory diagnostic mechanism enabled”? The article goes on to say that, “by default, the remote factory diagnostic mechanism (ASF, or Alert Standard Format 2.0) is normally turned off.” That’s a good thing, unless it isn’t, and then you’ve got troubles.

This technique would allow a very low-level attack that is not visible to traditional desktop security software. Network security devices would have to pick up the threat, not desktop security software. This also proves the case for good asset management: I can think of one client who has 80+ of the HP 5700s distributed across 80+ sites without a management tool such as Intel’s vPro to push these low-level updates to PCs. There is no telling if these PCs will ever get patched unless Microsoft adds the update to Windows Update.
