Archive for November 2005

Computer Security Day – Nov 30

Computer Security Day was started in 1988 to help raise awareness of computer related security issues. Our goal is to remind people to protect their computers and information. This annual event is held around the world on November 30th although some organizations choose to have functions on the next business day if it falls on a weekend.
We had an event today, I think it came out fine. Posters in the elevator lobby. Security Awareness newsletter in everyone’s mailbox. And post-it notes with a security related theme.

Symantec Export Controls on LC5

The Register wrote yesterday that Symantec is not selling LC5 outside the U.S. Actually, they are doing better than me; I couldn’t even get Symantec to talk to me about LC5 and I’m in the U.S. SAMInside is better and cheaper anyway.

AIM Bots

On November 16, AOL added an “AIM Bots” group to AIM users’ buddy lists. This group contained the buddies Moviephone and ShoppingBuddy. A popup indicated that the bots had been added, but it was not clear who really added the new buddies or why. Apparently AIM was seeking to promote knowledge about the bots, which are a way to query movie times and shopping info via IM.
This intrusion is much worse than when AIM first started adding ads to the AIM client. The protests against this action were even mentioned on Drudge. I don’t use third-party IM clients like Trillian or software to remove the ads from AIM. I wonder if they are free from this annoyance.
While we are able to delete the bot buddy group manually, you may want to let AOL know what you think by sending a message to megabotfeedback@aol.com. I’d use a disposable email account for that email.

Like Clockwork

I wonder if I could have bet on this in Vegas? What’s this, the third or fourth time in 6 months that Trend has published write-ups on a virus saying it exploits a recently patched Windows vulnerability, only to later retract it?

http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4781
Trend Micro has retracted last week’s claim to have discovered a Trojan that could exploit vulnerabilities in the Windows graphics engine.

This is an old one,

This is an old one, and a good candidate for a snopes debunking. Who knows, it’s probably photoshopped, but it’s still good for an illustration. Security just can’t be an afterthought in anything that you design or implement. This news station didn’t have good access control on who could update the school closing crawl.

Bots may get cloak of encryption…huh?

A News.com article reports that bots will include encryption to hide their presence.

In the near future, bots will include encryption to hide their presence from security and network sniffing tools often used to detect their presence, said Adam Meyers, an information assurance engineer at SRA International speaking at the Computer Security Institute conference here.

I’m not a bot expert, but I thought this was already common practice, controlling bots over encrypted IRC channels.

The bot writers have a choice of a variety of encryption technologies, according to Meyers. They could use SSH, SSL (Secure Sockets Layer), ROT-13 or a proprietary method, Meyers said. Such a bot would be harder to craft than today’s bots, but worthwhile, he said.

ROT13? That’ll slow down the cryptanalysis…not. But perhaps enough to fool the IDS.

Hacking Copiers article from CSOOnline

CSOOnline blogs about an Office Document Solutions conference in Boston, reporting that office copiers could be the most insecure thing on your network. Of course, anyone with an ounce of security knowledge and access to a networked copier already knows that. I blogged about my own copiers here and here.
“Network-connected output devices are becoming an absolute primary target of people, foreign and domestic, who are penetrating networks,” according to Jim Joyce, senior vice president for office services at Xerox Global Services. It’s an interesting premise. They could be considered a primary target, because someone might want to hack the copier and then send a copy of everything copied or printed on the copier to an email address outside the company. On the other hand, it’s a good secondary target because the large hard drives and insecure operating system lend themselves to attacking other systems.
I’ve written in the past that the latest copiers I have from Canon seem to be much better than earlier models from both Canon and Toshiba in terms of security. Since then, they have added a scanning workstation which is an unsecured Windows XP client. :( . I wish they had just given us the software to install ourselves instead of bringing a computer that they won’t support if we secure it.

How many versions of SUN JRE are you running?

How many versions of the SUN JAVA Runtime Environment are you running? A couple of MVPs over at broadbandreports asked this question after they noticed users with older versions of SUN JAVA getting infected.
It’s not exactly a new problem with SUN JAVA. You run the update, you think you’re protected, but what you don’t realize is that you are merely adding the new version to your system. The older vulnerable version is still there and can still be requested specifically by a malicious website. Can you imagine if Microsoft patches ran that way? Not only that, many applications that use SUN JAVA are programmed to work with a specific version only. So I’m forced to use a vulnerable version of JAVA in order to administer a product like the Cisco VMS server. (Cisco has finally provided an upgrade, but they still don’t support the current release.)
For the record, I’ve got the following versions on my computer.
1.5.0_01
1.5.0_02
1.5.0_04
1.3.1_03
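An added example (not from the original post) that audits the side-by-side install behaviour described above: it parses Sun’s 1.x.y_NN version strings, models an update as an addition rather than a replacement, and reports which installed builds are still older than the first fixed build of their line. The four installed versions are the ones listed above; the FIXED_IN mapping is an assumed policy for illustration, not a real advisory.

```python
import re
from typing import Dict, List, Tuple

# Sun JRE versions use the "1.x.y_NN" form seen on the page, e.g. "1.5.0_04".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

# Constructed sample: the four versions listed in the post, as one audited machine.
INSTALLED = ["1.5.0_01", "1.5.0_02", "1.5.0_04", "1.3.1_03"]
# Assumed policy, not a real advisory mapping: earliest acceptable build per 1.x line.
# A line with no entry (here 1.3) is treated as unsupported and therefore flagged.
FIXED_IN = {"1.5": "1.5.0_04"}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn "1.5.0_04" into (1, 5, 0, 4) so versions compare numerically.
    Plain string comparison would rank "1.5.0_9" above "1.5.0_10"; tuples do not."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version string: {text!r}")
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def apply_update(installed: List[str], new_version: str) -> List[str]:
    """Model the behaviour the post describes: the update is installed alongside
    the existing builds; nothing older is removed."""
    if new_version in installed:
        return list(installed)
    return installed + [new_version]


def vulnerable_versions(installed: List[str], fixed_in: Dict[str, str]) -> List[str]:
    """Return every installed version older than the first fixed build of its
    own 1.x line, or belonging to a line that has no fixed build at all."""
    flagged = []
    for version in installed:
        parsed = parse_version(version)
        family = f"{parsed[0]}.{parsed[1]}"
        fix = fixed_in.get(family)
        if fix is None or parsed < parse_version(fix):
            flagged.append(version)
    return flagged


if __name__ == "__main__":
    # Installing 1.5.0_05 leaves the older builds in place, and they stay flagged.
    after_update = apply_update(INSTALLED, "1.5.0_05")
    print("installed after update:", after_update)
    print("still exploitable:", vulnerable_versions(after_update, FIXED_IN))
```
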

Rainbow Tables

I’m downloading rainbow tables to go along with my password cracking software. I ended up getting almost every user account just using alphanumeric tables. I want to go for the whole shebang, so I’m downloading rainbow tables with alphanumeric and special characters and spaces. I just noticed I’ll be over quota. Hope I don’t get a nasty email from Cox. Well, at least I found one thing that can be legally downloaded via BitTorrent.

Bloodhound.Exploit.52

Some people are reporting false positives in Bloodhound.Exploit.52. This is Symantec’s heuristic detection for the Flash vulnerability. Over at the ISC, one person has said this has only been an issue for them with people running Flash 7.0.19. If you haven’t upgraded, this is probably the version you are running.
At least one person reporting the problem is using rapid-release versions of the virus definitions, 11/10 rev 39 and 11/22 with an unknown revision number. So this means that if they’ve submitted the suspect files to Symantec, this false positive could get fixed before the virus defs are widely deployed.