General: September 2004 Archives
There is a writeup in today's ISC diary about a botnet found on a corporation's network across 40 sites. I highly recommend reading it.
The question is, how do you avoid it? The company in question failed to follow good practices by not noticing when their antivirus failed to update. It also sounds like they relied on their computers going to Symantec's LiveUpdate server rather than using an internal system or using VDTM. That sounds like another mistake.
What else can you do? Monitor for P2P installation (banning it should already be company policy). Prevent users from being admin? That just doesn't fly. Limit outbound traffic at the firewall to specifically allowed ports? Great idea, already done it. I suppose an internal IDS/IPS, as well as segmenting internal networks so not everyone can talk to everyone, would help also. Patching should also help. The article doesn't state how GaoBot spread within the network. It's either not patching or improperly secured file shares (i.e. wide open or weak passwords).
When half the company subverts firewall security by going home with a laptop and hooking it up to an untrusted network, you never know what surprises you are going to find when they bring the computer back in.
There are now exploits out there that will exploit the JPEG vulnerability to open a remote command prompt or create a local administrator account. While I don't see how this could turn into a worm like Sasser or Blaster, it could easily be used to spread spyware and to build a bot network. It's like MyDoom: it could leave a port open that is later harvested by another worm.
It's a good time to be running a firewall and to be careful about what links are followed. Head over to Windows Update, and then Office Update. After that, run the GDI Scan Tool available over at SANS.
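The GDI+ JPEG bug behind these exploits is triggered by a marker segment whose 16-bit length field is smaller than the 2 bytes the field itself occupies, something no compliant encoder ever emits. The following scanner, an added example that is not from the original post or from SANS, walks a file's marker segments and flags that malformation so a mail gateway or file share sweep can quarantine such images before a user opens them; the sample byte strings are constructed, not real images.

```python
"""Flag JPEG files containing a marker segment whose length field is < 2,
the malformed-length condition behind the 2004 GDI+ JPEG parsing bug."""
import struct

# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI
STANDALONE_MARKERS = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def find_short_segments(data: bytes) -> list:
    """Return (offset, marker, length) for each segment whose length is < 2.
    The length counts the two bytes of the field itself, so a value of 0 or 1
    is never legitimate and makes a naive 'length - 2' go negative."""
    bad = []
    if data[:2] != b"\xff\xd8":        # must begin with SOI
        return bad
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:          # lost marker sync; stop scanning
            break
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte before a marker; skip it
            pos += 1
            continue
        if marker in STANDALONE_MARKERS:
            pos += 2
            if marker == 0xD9:         # EOI: end of image
                break
            continue
        if pos + 4 > len(data):        # truncated length field
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            bad.append((pos, marker, length))
            break                      # cannot advance reliably past it
        if marker == 0xDA:             # SOS: entropy-coded data follows
            break
        pos += 2 + length
    return bad


def is_suspicious(data: bytes) -> bool:
    return bool(find_short_segments(data))


# Constructed samples (not real files): a well-formed COM segment carrying
# "abc" (length 5 = 2 + 3), and one whose length field claims only 1 byte.
GOOD = b"\xff\xd8" + b"\xff\xfe\x00\x05abc" + b"\xff\xd9"
BAD = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"abc" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, find_short_segments(blob))
```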
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57221-1&searchclause=57221
http://www.f-secure.com/v-descs/binny_a.shtml
A vulnerability in the Sun Java Virtual Machine allows the installation of malicious code (viruses and spyware). This affects all browsers using the Sun JVM, not just IE.
Solution: Upgrade the Sun Java Virtual Machine to 1.41_04 or later (current version is 1.41_07).
Saw this in the SC Information Security Newswire:
Organisations that do not include security as a criterion when building or buying software will see system downtime caused by security vulnerabilities treble from 5 per cent to 15 per cent of downtime in 2008, industry experts have warned.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=7fc97c73-b0a7-41df-8eab-e354169b6084&newsType=Latest%20News