Archive for October 2007

Adobe PDF Attacks

Symantec’s blog entry about the Adobe PDF exploits reported that the attacks were targeted attacks on a handful of specific organizations. Their writeup on trojan.pidief.a still has a low threat assessment:

Wild Level: Low
Number of Infections: 0 – 49
Number of Sites: 0 – 2
Geographical Distribution: Low

It looks to me like these malicious PDFs are being spammed more widely right now. We’ve received files detected as exploit-pdf.shell.
Subject line / file name:
Personal Credit Points / report.pdf
Personal Financial Statement / report.pdf
Statement of retained earnings / dept.2007.10.26.3689762.pdf

Jeff Jonas

I was over at the Federal Information Assurance Conference yesterday and today. Today Jeff Jonas from IBM was one of the speakers. That was rather cool, because I had just read an article in the Washington Post about his work.
Basically, he analyzes separate data sets for commonalities. Casinos, for example, might have employee databases and they also have databases of people who have signed up for their players card. Rather than the left hand not knowing what the right hand is doing, he looks for commonality so you can find out that the guy who is winning big has the same home address as the dealer. Queries become data: if I ask about John Brown today and there is no data, but tomorrow John Brown checks into the hotel, it will tell me about him. Or perhaps someone in another department is interested in John Brown and I don’t know about it. The logic will put the two of us together.
Jeff’s blog is http://jeffjonas.typepad.com/
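The two ideas in that talk, cross-source commonality and standing queries that match records arriving later, in a small working index. This is an added example written for this post, not code from Jeff Jonas or IBM; the sources, names and addresses are constructed, and the address normalisation is deliberately crude.

```python
import re
from collections import defaultdict


def normalize_name(name):
    """Lower-case, strip punctuation, squeeze whitespace: 'JOHN  BROWN' -> 'john brown'."""
    return " ".join(re.sub(r"[^\w\s]", " ", name.lower()).split())


def normalize_address(addr):
    """Crude canonicalisation so 'Main Street, Apartment 4' and 'main st., apt 4' collide.
    A real system would use a postal-address normaliser; this is enough for the demo."""
    a = re.sub(r"[^\w\s]", " ", addr.lower())
    a = re.sub(r"\b(street|str)\b", "st", a)
    a = re.sub(r"\bavenue\b", "ave", a)
    a = re.sub(r"\bapartment\b", "apt", a)
    return " ".join(a.split())


class ResolutionIndex:
    """Records from any number of sources, plus standing queries that are matched
    against records arriving after the question was asked ("queries become data")."""

    def __init__(self):
        self.by_address = defaultdict(list)   # canonical address -> records
        self.by_name = defaultdict(list)      # canonical name -> records
        self.watches = defaultdict(list)      # canonical name -> requesters who asked
        self.alerts = []                      # everything a human should look at

    def add(self, source, record):
        rec = dict(record, source=source)
        name = normalize_name(rec["name"])
        addr = normalize_address(rec["address"])
        # Commonality across data sets: same home address, different source.
        for other in self.by_address[addr]:
            if other["source"] != source:
                self.alerts.append(("shared_address", source, rec["name"],
                                    other["source"], other["name"]))
        self.by_address[addr].append(rec)
        self.by_name[name].append(rec)
        # A question asked earlier fires when matching data finally shows up.
        for requester in self.watches[name]:
            self.alerts.append(("watch_hit", requester, rec["name"], source))
        return rec

    def ask(self, requester, name):
        """Answer with what is known now, remember the question, and connect the
        requester with anyone else who has asked about the same person."""
        key = normalize_name(name)
        hits = list(self.by_name[key])
        others = [r for r in self.watches[key] if r != requester]
        for other in others:
            self.alerts.append(("shared_interest", requester, other, name))
        if requester not in self.watches[key]:
            self.watches[key].append(requester)
        return hits, others


def run_demo():
    """Constructed scenario mirroring the talk; returns (alerts, hits, others)."""
    idx = ResolutionIndex()
    idx.add("employees", {"name": "Carl Dealer", "address": "12 Main Street, Apartment 4"})
    # Surveillance asks about John Brown before any record exists: no hits yet.
    idx.ask("surveillance", "John Brown")
    # A players-club sign-up shares the dealer's home address.
    idx.add("players_club", {"name": "Big Winner", "address": "12 main st., apt 4"})
    # John Brown checks into the hotel the next day: the standing query fires.
    idx.add("hotel", {"name": "john brown", "address": "1 Casino Blvd"})
    # Another department asks about him and is linked to surveillance's interest.
    hits, others = idx.ask("fraud_desk", "JOHN  BROWN")
    return idx.alerts, hits, others
```

Running `run_demo()` yields three alerts in order: the shared address between the employee and the players-club member, the watch hit for surveillance when the hotel record arrives, and the shared interest linking the fraud desk to surveillance.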

Adobe Reader/Acrobat Update Available for 8.1

First seen at the ISC: Adobe has released updates for Acrobat and Reader 8.1 and strongly urges applying them.
Updates for 7.0.9 were not released. Surprisingly, Adobe says they will be releasing them later. I had expected the next Adobe security bulletin to be a wedge to force users to upgrade.

Real Fix Available

If you didn’t see it, yesterday AVERT reported that a fix is available for the Real Player zero day.

Fakechecks.org

Tonight, I saw a public service announcement educating viewers about online scams. The U.S. Postal Inspection Service has put up a site, fakechecks.org. They have fraud tests, videos and prevention advice.
I thought this was a really cool site. It’s pretty easy to make fun of the rubes that are losing this money this way. Be a better person than that and educate them so they aren’t taken advantage of by online con men.

Real Player zero day

I wrote yesterday about a zero day possibly targeting NASA. This morning Symantec posted news of a Real Player exploit on the loose.
“The issue affects an ActiveX object in the RealPlayer component ierpplug.dll.” While there is no patch available, you can set ActiveX kill bits. (Google for how to do that.) I am deploying that in my enterprise now.
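What setting a kill bit actually means, as an added example that is not part of the original post: Internet Explorer refuses to instantiate a control whose CLSID has the 0x400 bit set in the “Compatibility Flags” value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The code below builds a .reg file for a list of CLSIDs and parses a registry export back to see which controls are already killed. The CLSIDs in it are placeholders; the post does not give the CLSID of the ierpplug.dll control, so take that from the vendor or Symantec advisory before using this.

```python
import re

# Registry location IE consults before creating an ActiveX control.
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # Compatibility Flags bit: "never instantiate this control"

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

# Constructed registry export (what `reg export` of COMPAT_KEY looks like); placeholder CLSIDs.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00000000
"""


def kill_bit_set(flags):
    """True if the Compatibility Flags value has the kill bit, whatever else is set."""
    return bool(flags & KILL_BIT)


def killbit_reg(clsids):
    """Return the text of a .reg file that sets the kill bit for each CLSID.
    Raises ValueError on anything that is not a braced GUID, so a typo cannot
    silently create a harmless key for a control that is not the target."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = clsid.strip().upper()
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        lines.append(f"[{COMPAT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)  # .reg files are CRLF


def killed_clsids(reg_text):
    """Parse an exported .reg and return the CLSIDs whose kill bit is set."""
    killed = set()
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.*)\]$", line)
        if key:
            path = key.group(1)
            current = None
            if path.lower().startswith(COMPAT_KEY.lower() + "\\"):
                current = path.rsplit("\\", 1)[1].upper()
            continue
        val = re.match(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})$', line)
        if val and current and kill_bit_set(int(val.group(1), 16)):
            killed.add(current)
    return killed
```

Apply the generated file with `reg import`, or push the same value through Group Policy; a `reg export` of that key (saved as UTF-16, so open it with that encoding) fed to `killed_clsids` is a quick way to verify a fleet. On 64-bit Windows the 32-bit IE reads the Wow6432Node copy of the key, so set both.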

Air Force “cyber sidearms”

Looks like I missed a bit of fun news last week. The Air Force announced that it will be providing “Cyber Sidearms” to its servicemen to help them better respond to cyber attacks. Yet again our men in uniform are underequipped for the battle. Where are the “cyber bunker busters”, the “cyber personnel armor”, and the “cyber up-armored Humvee”?
But don’t worry, the men in uniform will be hitting the range to ensure their proficiency with this new cyber weapon.

Lt General Robert Elder said service leaders will stage fake threats to practice using the cyber sidearm. Service members will receive points when they use the tool appropriately and lose points when they fail to act on a simulated threat, he said during a panel discussion in Washington last week sponsored by the Air Force Association.

Use of a real sidearm has the effect of putting the enemy down. (And brings you before a review board.)
Use of a cyber sidearm does… well, according to the article it doesn’t do much. They haven’t even decided what it will do. At best it sounds like the equivalent of pulling a fire alarm or calling 911. It doesn’t stop an attack in progress. Maybe instead of cyber sidearm they should have called this cyber 911. Oh wait, Richard Clarke is already using that name.

NASA Bans IE?

I heard that NASA is telling employees and contractors not to use IE due to malware affecting Internet Explorer and Real Player.

“Affected Platforms: Any MS Windows system running with Real Player installed and Platforms Internet Explorer used as the routine web browser. At this time it is believed all variations of Internet Explorer and Real Player may be affected.”
They say “The malware appears to be spreading through a large variety of common and highly-respected Internet sites, however it does not appear these sites are themselves infected. The affected sites are serving solely as a mechanism to attract potential victims.”

I haven’t heard anything about attacks through RealPlayer and IE, much less through common sites that have been exploited. It sounds related to this advisory from Microsoft, but that was IE7 on XP only. There are some RealPlayer issues over at Secunia, but those would affect RealPlayer only; the problem wouldn’t be browser-specific, and a patch is available.
Interesting to see how this develops. If there is a targeted attack against NASA as this would seem to indicate, we’ll hear about it eventually.
update – I have seen an updated email alert from them saying if you need to use IE, you should remove Real.

Backscatter

One of our users is a victim of backscatter and has been reporting it to the abuse mailbox at work.
Backscatter is the unsolicited mail that occurs when a spammer sends out email as you and poorly configured mail servers return all manner of notices to you. It’s funny to watch the Barracuda spam firewall spamming the employee with the message Undeliverable: **Message you sent blocked by our bulk email filter** and an RFC rejection. Along with that are the usual ‘out of office’ replies and non-delivery reports.
I figured there really isn’t much we can do. I decided that maybe it’s time to adjust the SPF record and change it from a ~all to a -all setting. Surprise, surprise, I found that there was not an SPF record for the domain in question. I’m not sure if I dropped the ball on that or if our external DNS provider did something crazy again. At any rate, that is getting fixed, but given how few people use the SPF record, I don’t think it will be a lot of help.
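Why ~all versus -all matters for backscatter, as an added example that is not from the original post: a receiver that checks SPF can only refuse the forged message during the SMTP session, and so generate no bounce at all, when the record returns a hard fail. The evaluator below implements just the lookup-free parts of SPF (ip4/ip6 and all) over a constructed record for an assumed domain; mechanisms that need DNS (a, mx, include, ptr, exists) are reported as temperror rather than resolved.

```python
import ipaddress

# Constructed records for an assumed domain; not a real published record.
RECORD_SOFTFAIL = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 ~all"
RECORD_HARDFAIL = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate an SPF TXT record against the connecting IP.

    Implements ip4:/ip6: and all, which need no DNS and are enough to show the
    ~all/-all distinction.  Returns one of: none, pass, fail, softfail, neutral,
    temperror (a mechanism that would need a lookup), permerror (malformed).
    """
    if record is None:
        return "none"                       # nothing published for the domain
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            continue                        # modifiers (redirect=, exp=) are ignored here
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]    # catch-all: this is where ~ vs - decides
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "temperror"                  # a, mx, include, ptr, exists: need DNS
    return "neutral"                        # no mechanism matched and no 'all'


def smtp_action(spf_result):
    """What a receiver can safely do while the sending server is still connected.
    Only a hard fail lets it refuse the message in-session, so no bounce is ever
    created.  Anything else is accept-then-decide, and a later rejection or
    filter notice goes back to the forged sender: that is the backscatter."""
    return "reject" if spf_result == "fail" else "accept"
```

With the ~all record a spammer's host gets softfail and the message is accepted and then bounced or filtered back to the forged address; with -all the same host gets fail and a checking receiver can reject it at the door. This only helps against receivers that evaluate SPF, which is the post's point about how few people use it.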

Article: Infosec on the Cheap

Adam Hils spoke about IT Security on a budget at the Gartner Symposium IT Expo. His comments are summarized by Larry Dignan at zdnet.
http://blogs.zdnet.com/BTL/?p=6605