Thomas C Green has an article in The Register on Steve Gibson’s WMF conspiracy theory. I love it.
Archive for January 2006
New Virus? Nyxem.e
Just saw a virus detected as nyxem.e in the inbound email. I believe nyxem is another name for the mywife family of viruses. Looks like this is a new variant.
http://www.f-secure.com/v-descs/nyxem_e.shtml posted today
Tracking Malware
I’m currently looking for forensics research paper topics. In reviewing current research topics in forensics I read one paper I thought was worth sharing here.
http://www.ucl.ac.uk/cert/win_intrusion.pdf
Checking Microsoft Windows Systems for Signs of Compromise by Baker, Green, Meyer, and Cochrane.
The goals of the paper are to document the actions to be taken when dealing with a compromised Microsoft system. Additionally, the paper tries to explain how best to investigate the system and find the points of entry and compromise.
Ten Places NOT to Hide Your Password
Auditors and attackers look for passwords in common hiding places. If you must write down your password, keep it in a safe place, just as you would cash. Do not write the full password. Use a code or a memory jogger. Here is a list of places where auditors have found passwords! (You should not put your passwords in any of these locations):
1. On a note inside a book’s pages
2. On the ceiling
3. On a sticky note on the underside of a shelf or drawer
4. On a note thrown into the trash without shredding
5. On a note in the drawer under the pencil tray
6. On a note behind the lamp
7. On a note under the keyboard
8. On a sticky note on the monitor
9. Behind the calendar
10. In plain sight mixed into other writing on a chalk or dry erase board
If you must write your passwords down, store them securely, either physically locked up or protected by a password or biometric.
WMF Exploits, on a webserver near you
One of the things I neglected to mention in the previous post is that, by exploiting these sites, WMF exploits are served up by sites you may trust and go to every day. They may be your friend’s site, or the site of a small business.
Getting infected via a WMF exploit isn’t a matter of visiting hacker or porn sites; it’s something that can happen very easily if you haven’t patched.
More Hijinks at PowWeb
Looks like someone practiced some root fu over the weekend at powweb. First I got a comment from someone finding this blog via Google. He/she discovered a tgp.la link in their website hosted at powweb. I assumed that was just an old infection from when that happened last April. At that time, some server exploit added an iframe for that domain into many users’ websites. POWWeb chose not to clean their users’ websites of the iframe link to tgp.la, much less notify the users of the problem. Although several of us had worked to knock tgp.la offline last April, it was always possible for the bad guys to re-register that domain and get back in business. Sadly tgp.la is alive again, causing some websites on powweb webservers to inadvertently serve up viruses.
Some would like to claim that the individual users sites were all hacked (certainly the more likely option). We looked into that last April and there was no commonly vulnerable system. Some people had only static HTML with strong ftp passwords. This was clearly a server level hack.
But this wasn’t the only problem at powweb this weekend. The default 404 page was apparently hijacked on cluster 2, meaning all websites housed on this cluster would serve a virus if a file was not found on their site. The discussion thread for this is here, assuming it has not been deleted.
To avoid 404 page hijackings, I encourage everyone hosted on an Apache server to implement their own 404 redirect so they are not reliant on their web-host. Instructions for doing this are provided by extras here.
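Both problems above, an iframe injected into hosted sites and a hijacked shared 404 page, can be caught by the same check: fetch your own pages (including a path that should not exist, so you see the host’s 404 response) and look for iframes, scripts or objects loading from a host you do not recognize. The script below is an added example, not code from the blog or from PowWeb; it works on already-fetched HTML bodies, and the sample responses and the `bad.example` host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that pull in remote content, and the attribute carrying the target.
WATCHED = {"iframe": "src", "script": "src", "object": "data", "embed": "src"}


class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs for every remote-capable tag in the page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = WATCHED.get(tag)          # HTMLParser lowercases tag names
        if wanted is None:
            return
        for name, value in attrs:          # attribute names are lowercased too
            if name == wanted and value:
                self.refs.append((tag, value.strip()))


def find_foreign_embeds(html, allowed_hosts):
    """Return [(tag, url, host)] for embeds loading from a host outside
    allowed_hosts. Relative URLs (no host) are the site's own and are skipped;
    protocol-relative '//host/x' URLs still resolve to a host and are checked."""
    collector = _RefCollector()
    collector.feed(html)
    allowed = [h.lower() for h in allowed_hosts]
    findings = []
    for tag, url in collector.refs:
        host = urlparse(url).hostname
        if host is None:
            continue
        host = host.lower()
        if not any(host == a or host.endswith("." + a) for a in allowed):
            findings.append((tag, url, host))
    return findings


def audit_pages(pages, allowed_hosts):
    """pages maps a request path to the HTML body returned for it. Include a
    path that should not exist so the host's 404 page gets audited as well."""
    return {path: f for path, body in pages.items()
            if (f := find_foreign_embeds(body, allowed_hosts))}


# Constructed sample responses (not captured from any real host).
CLEAN_PAGE = ('<html><body><h1>Shop</h1><script src="/js/menu.js"></script>'
              '<script src="//static.example.com/a.js"></script></body></html>')
INJECTED_404 = ('<html><body><p>Not Found</p>'
                '<IFRAME SRC="http://bad.example/x.php" width=0 height=0></IFRAME>'
                '</body></html>')
SAMPLE_SITE = {"/": CLEAN_PAGE, "/no-such-page-zz": INJECTED_404}

if __name__ == "__main__":
    for path, hits in audit_pages(SAMPLE_SITE, ["example.com"]).items():
        for tag, url, host in hits:
            print(f"{path}: <{tag}> loads {url} from unexpected host {host}")
```

Run it against your own site on a schedule and diff the output; a new host showing up in a page you did not change is the signal the PowWeb users were missing.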
Really, powweb is a great webhost. Things like this are going to happen in a shared environment. A lot of places wouldn’t have the forums to find out what is going on.
Good luck, and safe computing.
Indentured Servant
Did I mention that my company updated their education assistance policy? After 5 years of allowing people to leave freely the second their company-paid-for degree was obtained, after I’ve been taking classes for two years, now in the final year of my degree they have changed the program so that if I leave within one year of them giving me money for a class, they will demand reimbursement.
Now most people think two things about this. The first is that I’m trying to shock by using the phrase indentured servant. I think they have confused the phrase ‘indentured servant’ with ‘wage slave.’ I’m not making a comparison to slavery. That would be incredibly insensitive. No I am using the phrase indentured servant correctly. Websters defines an indentured servant as a person who is bonded or contracted to work for another for a specified time, in exchange for learning a trade. This is exactly the contract I have been forced to accept. I would like to not accept the company money, but I know the odds are I’ll stay where I am forever anyway so I might as well take the money.
The second reaction people have is that the company is just in requiring people to stick around for a year after accepting money for school. I think that these people are not looking at it from my point of view. To frame the argument in a way they can understand, I ask: what if the company’s matching funds for your retirement fund only fully vested after you stayed for an additional year after each deposit? Many companies have a vesting period. Perhaps we should have that also, so we the employees don’t skip out the door after taking the retirement money.
The bottom line for me is that I have increased my worth to the company through self-study, obtaining certifications and working on this degree. Under corporate policy it’s not possible for them to increase my pay at the same rate at which I have increased my value. So now, in the moment where I have the upper hand, the velvet handcuffs that were the company benefits have become steel.
This is why I have a countdown to my Freedom day on the front page of this blog.
The I.T. Tech News Cycle
I wrote in November 2004 about how news is reported in I.T. We just saw another example of it.
Back in November 2005, Eugene Kaspersky blogged about the problems in current antivirus products as they compete against criminals motivated by the dollar. Now the more traditional print media, in SC Magazine, has finally caught up with the story. This story was then repeated in Donna’s Security Flash (generally a good blog, but in this case repeating a two-month-old story). I thought it was kind of funny to see this story coming around again. But hey, as NBC says, if you haven’t seen it, it’s new to you.
Wireless Training
I’m going to be receiving some training in Cisco wireless hardware this week. Hopefully it will be somewhat worthwhile. I signed up for it last fall, but it looks like now we’d be going with Cisco’s more recent wireless products. If nothing else it’s a good way to get out of the office for 4 days.
Actually, from the budget talk I’ve heard lately the wireless funds are already gone.