General: October 2007 Archives

Symantec's blog entry about the Adobe PDF exploits reported that the attacks were targeted attacks on a handful of specific organizations. Their writeup on Trojan.Pidief.A still has a low threat assessment:

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low

It looks to me like these malicious PDFs are being spammed more widely right now. We've received files detected as exploit-pdf.shell.

Subject line / file name
Personal Credit Points / report.pdf
Personal Financial Statement / report.pdf
Statement of retained earnings / dept.2007.10.26.3689762.pdf

I was over at the Federal Information Assurance Conference yesterday and today. Today Jeff Jonas from IBM was one of the speakers. That was rather cool, because I had just read an article in the Washington Post about his work.

Basically, he analyzes separate data sets for commonalities. Casinos, for example, might have employee databases, and they also have databases of people who have signed up for their player's card. Rather than the left hand not knowing what the right hand is doing, he looks for commonality, so you can find out that the guy who is winning big has the same home address as the dealer. Queries become data: if I ask about John Brown today and there is no data, but tomorrow John Brown checks into the hotel, it will tell me about him. Or perhaps someone in another department is interested in John Brown and I don't know about it. The logic will put the two of us together.

Jeff's blog is http://jeffjonas.typepad.com/

First seen at the ISC: Adobe has released updates for Acrobat and Reader 8.1. They strongly urge the application of these updates.

Updates for 7.0.9 were not released. Surprisingly, Adobe says they will be releasing them later. I had expected the next Adobe security bulletin to be a wedge to force users to upgrade.

If you didn't see it, yesterday AVERT reported that a fix is available for the RealPlayer zero-day.


Tonight, I saw a public service announcement educating viewers about online scams. The U.S. Postal Inspection Service has put up a site, fakechecks.org. They have fraud tests, videos and prevention advice.

I thought this was a really cool site. It's pretty easy to make fun of the rubes that are losing their money this way. Be a better person than that and educate them so they aren't taken advantage of by online con men.

I heard that NASA is telling employees and contractors not to use IE due to malware affecting Internet Explorer and RealPlayer.

"Affected Platforms: Any MS Windows system running with Real Player installed and Platforms Internet Explorer used as the routine web browser. At this time it is believed all variations of Internet Explorer and Real Player may be affected."

They say "The malware appears to be spreading through a large variety of common and highly-respected Internet sites, however it does not appear these sites are themselves infected. The affected sites are serving solely as a mechanism to attract potential victims."

I haven't heard anything about attacks through RealPlayer and IE, much less through common sites that have been exploited. It sounds related to this advisory from Microsoft, but that was IE7 on XP only. There are some RealPlayer issues over at Secunia, but those would affect RealPlayer only; the problem wouldn't be browser-specific, and a patch is available.

Interesting to see how this develops. If there is a targeted attack against NASA as this would seem to indicate, we'll hear about it eventually.

Update: I have seen an updated email alert from them saying that if you need to use IE, you should remove RealPlayer.

The Symantec Security Response weblog has a good entry today on DNS security. It's worth reading. The problem I see is that it's short on solutions. Sure, it's a nice observation that SSL will warn you, but what else can you do?

I appreciate that they didn't go with the "use OpenDNS" kneejerk response that I see a lot. Depending on your ISP, the OpenDNS servers may be more secure. But if you're a large company, you want your ISP to be certified and accredited. That may be easier to force your ISP to obtain (you're paying them a lot of money, after all). As the article states, the DNS response is still vulnerable to spoofing.

There were a couple of points not covered by the article.
1. What if you get infected and the infection changes your DNS server settings? Will you catch that?
2. DNSSEC, if it were ever implemented, would provide some protection. I would have been interested in the author's take on that.
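One way to catch point 1 is to compare the resolvers a host is actually configured with against the ranges you approve. The following is an added example, not code from the original post or from Symantec: it parses resolv.conf-style text (on Windows the same check would take the resolver list from the adapter configuration instead) and reports any resolver outside the approved networks. The approved ranges and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed allowlist: replace with your own or your ISP's resolver ranges.
APPROVED_RESOLVER_NETS = [
    ipaddress.ip_network("10.1.0.0/24"),
    ipaddress.ip_network("10.2.0.0/24"),
]

# Constructed sample: the second nameserver lies outside the approved ranges,
# as it might after malware rewrote the host's DNS settings.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
search example.invalid
nameserver 10.1.0.53
nameserver 192.0.2.53
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text):
    """Return the resolver addresses named in resolv.conf-style text, in order."""
    return NAMESERVER_RE.findall(resolv_conf_text)


def unexpected_resolvers(resolvers, approved_nets=APPROVED_RESOLVER_NETS):
    """Return the resolvers that fall outside every approved network.

    Values that do not parse as IP addresses are reported as well, since a
    tampered configuration is exactly the case where garbage may appear.
    """
    flagged = []
    for resolver in resolvers:
        try:
            addr = ipaddress.ip_address(resolver)
        except ValueError:
            flagged.append(resolver)
            continue
        if not any(addr in net for net in approved_nets):
            flagged.append(resolver)
    return flagged


def check_resolv_conf(resolv_conf_text, approved_nets=APPROVED_RESOLVER_NETS):
    """Convenience wrapper: parse the text, then flag unapproved resolvers."""
    return unexpected_resolvers(parse_resolvers(resolv_conf_text), approved_nets)


if __name__ == "__main__":
    for bad in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print("unapproved DNS resolver configured:", bad)
```

Run it from a scheduled job or your management agent and alert on a non-empty result; an empty list means every configured resolver is inside an approved range.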

This is interesting, McAfee has purchased Safeboot for $350 million.

Safeboot seems to be the name I hear most when talking to people at other companies about what FDE products they use. I wonder if ePO will be extended to manage this software in the next few years. That would be pretty cool. I found Safeboot to be rather buggy in my eval. But it seems similar problems occur in any FDE product.

That McAfee would make this purchase shows that they think this will continue to be a big market. One wonders what other companies may be on the market.

Russell Shaw, blogging on the front page of ZDNet, finds it hard to believe that someone who hasn't been on the Internet can be on a jury that finds someone guilty of illegally using Kazaa to share copyright-protected material.

I don't know if Russell is starting with the default assumption that all music should be free. It certainly seems as if the anti-RIAA forces believe that at their heart. I do kind of wonder if he extends that thinking to other crimes. Should I not be allowed to be on a jury that convicts a thief unless I've stolen myself? I guess I just don't feel that thieving is all that different in cyberspace. Good for them for not falling for the specious argument that "it wasn't me, it was my insecure wireless, therefore I am blameless."

I also think it's kind of funny that Russell thinks funeral directors are supposed to be compassionate and therefore should give light penalties during the sentencing phase of a trial.

Blue Coat announced today that its Dynamic Real-Time Rating (DRTR) will now categorize phishing sites on the fly, in addition to pornography and gambling sites. DRTR is used to categorize previously uncategorized sites.

Sun has an update available for the Java Runtime Environment versions 1.3.1, 1.4.2, 5.0 and 6.0. When I looked at the fix list for 6, I really couldn't tell whether this update was necessary from a security perspective or not. After reviewing an article at Techworld, I've decided I need to get this on the update schedule.

[quote]
Although Sun does not assign threat scores or label its advisories with terms such as "critical" or "low," Danish bug tracking vendor Secunia collectively tagged the five advisories and their 11 patches as "highly critical," its second-highest ranking.
[/quote]

Saw this on the McAfee blog.

Apple released a QuickTime update tonight, bringing us to 7.2.0.245.

The patch is issued to resolve "a command injection issue exists in QuickTime's handling of URLs in the qtnext field in QTL files."

It would have been nice if they'd updated the file version of quicktimeplayer.exe or updated the version information in Add/Remove Programs. Now I have to either talk the SMS guys into adding QuickTime.qts to the software inventory or just go ahead and run this patch one time on anything that has QuickTime 7.2.

I saw a post today on the Security Basics mailing list asking "Why isn't full disk encryption from manufacturers a slam dunk?"

I think the answer is that it is still rather new. Because it's new, some people are waiting to see if it's defeated by attackers. Others made recent investments in software FDE. Dell just made the Seagate drive available in the Latitude line at the end of July. Give it some time. I expect within three years hardware FDE will be the norm.

I received a Dell Latitude 830 with a Seagate Momentus 5400.2 FDE drive on Tuesday. I need to remove the software encryption the help desk loaded on there, but I should have some comments later this week.