Posts tagged ‘Blackberry’
F-Secure: postcard.exe spam run
F-Secure blogged this morning about a large-scale spam run underway, sending messages with the attachment postcard.exe and the subject “Happy New Year!”
I saw that at my site last night. Actually, I probably wouldn’t even have noticed all those detections, but I re-enabled the filters on my Blackberry so it doesn’t get filled up with all the phishing detection notifications.
SANS Session 1.5 Encryption Tools
These are my notes from the vendor panel at the SANS Secure Storage and Encryption Summit.
Guardian Edge
If we haven’t had enough statements of the problem, I like the way they put it.
Data is disappearing out of the organization and you don’t know it.
81 percent of companies report the loss of one or more laptops containing sensitive data in the past 12 months. Would we even know what was on the laptop?
53% believe that their companies would be unable to determine what sensitive or confidential info resided on a USB memory stick if it were lost.
PGP
- The PGP piece on the Blackberry is there by default; you just need to license it. It will actually connect to your PGP Universal server. That sounds kind of neat.
Seagate
Seagate admits that it’s a hard drive solution only. You need to do something else for your thumb drive, email, etc.
FIPS 140 in progress for the Seagate (I assume that is FIPS 140-2; I don’t think they do 140-1 anymore).
They also have the DoD evaluating the secure wipe: Seagate just removes the encryption key.
The PGP guy made an analogy to when 3-D graphics cards came out. Something about it not putting software rendering out of business; they work together.
Q – Why would we need this (any of the vendors) when BitLocker comes out?
A – better management tools
- mature product
- OS support: BitLocker is obviously Vista only, and reportedly only the more expensive versions of Vista.
- No requirement for TPM. BitLocker is better with TPM.
Can’t stop for a minute
I glanced at my Blackberry during dinner and saw a whole mess of virus alerts such as the following:
The message sender was alerts@CNN.com
The message originating IP was 81.168.6.17
The message recipients were user@$mydomain.com
The message was titled Osama Found Hanged
The message date was Thu, 15 Jun 2006 22:02:54 -0700
The message identifier was (empty)
The virus or unauthorised code identified in the email is:
/var/qmail/queue/split/0/attach/3384881_4X_AZ-D_PA2__Photo=20and=20Article.exe
Found the W32/Sdbot.worm.gen.as virus !!!
In case it’s not clear, that is the admin notification when someone sends a virus. Looks like another run of viruses being spammed. How many times have they tried the Osama bin Virus since 2001?
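The notification above is easy to parse, and a batch of them is where a spam run (like the postcard.exe run at the top of this page) shows up: the same subject and detection name arriving from many different originating IPs within minutes, as opposed to one infected host sending everything. The following is an added example written for this page, not the author’s gateway code or any vendor’s tool. It assumes the one-sentence-per-field layout shown in the notification above; the function names parse_alert and summarize are mine, and the sample alerts are constructed with RFC 5737 documentation addresses and made-up detection names rather than captured messages.

```python
import quopri
import re
from collections import defaultdict

# Each field of the gateway notification is a sentence of the form
# "The message <field> was/were <value>"; the detection follows on its own lines.
FIELD_RE = re.compile(
    r"^The message (sender|originating IP|recipients|identifier|date) (?:was|were) (.*)$",
    re.M,
)
TITLE_RE = re.compile(r"^The message was titled (.*)$", re.M)
ATTACH_RE = re.compile(r"identified in the email is:\s+(\S+)")
FOUND_RE = re.compile(r"^Found the (\S+) virus", re.M)


def parse_alert(text):
    """Turn one notification into a dict; fields the gateway omitted become ''."""
    fields = {k.lower().replace(" ", "_"): v.strip() for k, v in FIELD_RE.findall(text)}
    for key in ("sender", "originating_ip", "recipients", "identifier", "date"):
        fields.setdefault(key, "")
    if fields["identifier"] == "(empty)":  # the gateway's spelling of "no Message-ID"
        fields["identifier"] = ""
    m = TITLE_RE.search(text)
    fields["title"] = m.group(1).strip() if m else ""
    m = ATTACH_RE.search(text)
    basename = m.group(1).rsplit("/", 1)[-1] if m else ""
    # The queued attachment name keeps its quoted-printable encoding ("=20" is a space).
    fields["attachment"] = quopri.decodestring(basename.encode()).decode("latin-1")
    m = FOUND_RE.search(text)
    fields["detection"] = m.group(1) if m else ""
    return fields


def summarize(alert_texts, min_count=2):
    """Group alerts by (subject, detection). A group at or above min_count that
    comes from several source IPs looks like a spam run, not one sick machine."""
    groups = defaultdict(list)
    for alert in map(parse_alert, alert_texts):
        groups[(alert["title"], alert["detection"])].append(alert)
    runs = []
    for (title, detection), items in groups.items():
        if len(items) < min_count:
            continue
        runs.append({
            "title": title,
            "detection": detection,
            "count": len(items),
            "source_ips": sorted({a["originating_ip"] for a in items}),
            "attachments": sorted({a["attachment"] for a in items}),
        })
    runs.sort(key=lambda r: r["count"], reverse=True)
    return runs


def make_alert(sender, ip, title, path, detection, date="Thu, 15 Jun 2006 22:02:54 -0700"):
    """Build a constructed notification in the gateway's layout (test data, not a real message)."""
    return (
        f"The message sender was {sender}\n"
        f"The message originating IP was {ip}\n"
        "The message recipients were user@example.com\n"
        f"The message was titled {title}\n"
        f"The message date was {date}\n"
        "The message identifier was (empty)\n"
        "The virus or unauthorised code identified in the email is:\n"
        f"{path}\n"
        f"Found the {detection} virus !!!\n"
    )


# Constructed sample batch: two runs plus one stray detection.
SAMPLE_ALERTS = [
    make_alert("alerts@cnn.example", "192.0.2.10", "Osama Found Hanged",
               "/var/qmail/queue/split/0/attach/1_Photo=20and=20Article.exe", "W32/Sdbot.worm.gen.as"),
    make_alert("a@example.net", "192.0.2.11", "Happy New Year!",
               "/var/qmail/queue/split/1/attach/2_postcard.exe", "Sample.Postcard.Worm"),
    make_alert("b@example.org", "198.51.100.5", "Happy New Year!",
               "/var/qmail/queue/split/1/attach/3_postcard.exe", "Sample.Postcard.Worm"),
    make_alert("alerts@cnn.example", "203.0.113.7", "Osama Found Hanged",
               "/var/qmail/queue/split/2/attach/4_Photo=20and=20Article.exe", "W32/Sdbot.worm.gen.as"),
    make_alert("c@example.com", "203.0.113.9", "Happy New Year!",
               "/var/qmail/queue/split/3/attach/5_postcard.exe", "Sample.Postcard.Worm"),
    make_alert("d@example.com", "198.51.100.8", "Re: peeper cre",
               "/var/qmail/queue/split/4/attach/6_image.png", "Sample.PNG.Generic"),
]

if __name__ == "__main__":
    for run in summarize(SAMPLE_ALERTS):
        print(f'{run["count"]:3d}  {run["title"]!r:26} {run["detection"]:24} '
              f'from {len(run["source_ips"])} IPs, attachments {run["attachments"]}')
```

Feeding the real notification folder through summarize with a time window added is enough to turn a once-per-minute flood into one line per campaign, which is what you actually want on a phone screen.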
I guess it seemed like a good idea at the time (ActiveSync rant)
So I’ve got my shiny new Treo 700w. It doesn’t come with a holster like my Blackberry. But hey, it’s Windows Mobile 5; it’s supposed to be better. It doesn’t come with a cradle. But hey, it’s Windows Mobile 5; it’s supposed to be better.
Next, let’s sync it up to the computer. Oh wait, some numbnuts thought it would be a good idea to use TCP/IP over the USB connection for the syncing. That means I have to whitelist 3 programs and 6 ports in order for this to work. Not only that, but I can’t just whitelist them in the intranet mode of my personal firewall program. The mobile phone is self-assigning an IP address in the 169.254.x.x autoconfiguration range. This causes my personal firewall to drop into internet mode.
What does this mean? In order to sync I need to poke holes in my personal firewall allowing access to ActiveSync, a program which in prior versions has had denial-of-service vulnerabilities as well as information-disclosure vulnerabilities. I am really not pleased about this. Not one bit.
Well, that’s it for today. I’ll go whitelist
Some odd PNG emails
I tried to post this at dinner, but my Blackberry doesn’t do JavaScript. Just remembered to post this now.
All day, spam directed to my company with the subject “Re: peeper cre” has had a file detected as Possible Malware PNG/Generic. I have no way of knowing if this is related to the WMF exploits or not.
Windows Mobile 5 part 2
Back in November, I wrote about the Microsoft PR push for Windows Mobile 5 as a Blackberry killer. It’s been something we’ve been looking at more with the RIM/NTP judgment hanging over everyone’s head. I’ve learned a couple of interesting things since then.
Jason Langridge (MSDN)
1. Direct push is really HTTP GET heartbeats.
2. Requires opening 80 or 443 on the firewall. Microsoft feels that most companies will be fine with this because they already got insecure for RPC over HTTPS.
“By eliminating the NOC, isn’t this solution less secure? This is among my favorite questions, and it’s usually followed up with some hand-waving about the connection to the enterprise “somehow” getting “hijacked.” The answer is, it is exactly as secure as the last online purchase you made with your credit card, exactly as secure as the last time you checked your email with OWA, and exactly as secure as the last time you used Outlook with RPC-over-HTTP. That is, we use SSL (which itself negotiates over-the-wire encryption using RC4 or 3DES) to communicate between the device and the server. I suppose that you could run this with SSL disabled, but you also risk a concussion if you run top-speed into a brick wall. Just a little fyi.”
First – bad analogy with making a credit card purchase online. If someone plays man in the middle and gets my credit card information, I’m not liable for fraudulent charges. Is Microsoft indemnifying me against hackers who get in through this new entrance into our network?
Second – Exactly as secure as OWA. External access to OWA is protected by SecurID login on the ISA 2000 server. This solution doesn’t offer that protection. Requiring SecurID would ruin the ability to have an appearance of push email.
Third – As secure as RPC over HTTPS. Sadly that is true. We have not been able to use RPC over HTTPS because Microsoft has not provided support for SecurID authentication.
The question I would have is can the clients (phones) be given client certificates so that the SSL authentication is mutual?
Sometimes you have to open ports into the company to enable business functionality. Email and VPN are the primary examples. Each new entrance to the enterprise makes the network more difficult to defend. Given the difficulty in getting ISA in place, I don’t see this happening particularly. Competing solutions may cost more, but they don’t require us to open ports into our enterprise.
On the rumored death of blackberry
The Microsoft hype machine was in full force with the release of Exchange 2003 Service Pack 2. They would have you believe that, along with Windows Mobile, it is the death knell for Blackberry. Microsoft was pushing it hard, and you could see the MVPs repeating the charge faithfully. When I was out at Microsoft in Herndon, VA they were pushing this, so I asked them how they would architect a solution which required push technology yet the clients must use SecurID for any inbound-initiated connection. They couldn’t do it. I had to figure out on my own that I needed a Good Technologies server to make this work. Replacing the Blackberry server with a Good server is hardly a huge benefit of Exch2k3sp2.
The thing is, the Blackberry fanatics (and I’m still one) don’t even know they are already dead. Company after company is moving to Windows Media phones or the Treo. Some want more features than Blackberry can provide. Other companies just don’t want to be caught with their pants down if Blackberry has an adverse court ruling. This lawsuit uncertainty is having a chilling effect on Blackberry’s market share, and it could not come at a worse time.
The Blackberry head says that they already have alternate technology in place if they lose this patent lawsuit. Is he merely trying to keep the stock from tanking, or do they have solid plans in place to prevent the Blackberry network from going dark? Will people who have been enamored with Blackberry choose to leave after they’ve been prompted by these events to examine the Good Technology solution?
And that’s why I need to deploy SAV 10
As I was leaving work today, I glanced down at the Blackberry and saw pages and pages of virus alerts. In Outlook that is filtered to another folder so I don’t see it. The virus alerts were coming once per minute from a file in the user’s Temporary Internet Files.
After going to dinner, I came back and found that the file being detected was a running process. Since SAV versions earlier than 10 can’t end the process, it just kept detecting it and being unable to do anything. I used pskill to take out the process and then used SAV to delete the file.
Interestingly enough, this user is not a local administrator. However, she also was not added to the correct security group for our “managed user” group policy to apply, so she was able to get this auto-running under her HKEY_USERS\…\Windows\CurrentVersion\Run registry key.
The file was BubbleShotter15[1].com and it was detected as Backdoor.Sdbot. The only other thing on the system that was suspicious was Plaxo. I hate that program.
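The telling details in this incident are all in the Run value itself: a per-user (not machine) autostart, pointing into the Temporary Internet Files cache, at a file with the IE-cache “[1]” naming and a .com extension. Those are things a script can check for without an AV signature. Below is an added example written for this page, not the author’s procedure or Symantec’s tooling. It assumes the standard per-user Run key path under HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run; the heuristics, the function names (executable_of, assess_entry, suspicious_run_entries, enumerate_run_keys) and the sample entries are constructed, and only the BubbleShotter15[1].com filename comes from the post. On Windows it reads the loaded user hives; elsewhere it runs against the constructed sample so the logic can be exercised.

```python
import ntpath
import re
import sys

# Directories a legitimate Run entry should not launch from: the IE cache and
# per-user temp folders are where drive-by and e-mail droppers land.
UNTRUSTED_DIRS = ("temporary internet files", "\\temp\\", "\\local settings\\temp")
# IE stores cached downloads as name[1].ext; a Run entry launching such a file
# means something was executed straight from the browser cache.
CACHE_NAME_RE = re.compile(r"\[\d+\]\.[a-z0-9]+$", re.I)
RISKY_EXT = {".com", ".scr", ".pif", ".bat", ".vbs"}
KNOWN_EXT = RISKY_EXT | {".exe", ".cmd", ".dll"}
RUN_SUBKEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"


def executable_of(command):
    """Program path from a Run value: a "quoted path" may carry args after it;
    an unquoted path with spaces is resolved at the first prefix ending in a
    known executable extension (the way CreateProcess disambiguates it)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if ntpath.splitext(candidate)[1].lower() in KNOWN_EXT:
            return candidate
    return parts[0] if parts else ""


def assess_entry(name, command):
    """Reasons the entry looks like user-hive persistence; [] if none apply."""
    low = executable_of(command).lower()
    ext = ntpath.splitext(low)[1]
    reasons = []
    if any(d in low for d in UNTRUSTED_DIRS):
        reasons.append("runs from cache/temp directory")
    if CACHE_NAME_RE.search(ntpath.basename(low)):
        reasons.append("IE cache-style filename")
    if ext in RISKY_EXT:
        reasons.append(f"uncommon autostart extension {ext}")
    return reasons


def suspicious_run_entries(entries):
    """Filter (name, command) pairs down to those with at least one reason."""
    flagged = []
    for name, command in entries:
        reasons = assess_entry(name, command)
        if reasons:
            flagged.append((name, command, reasons))
    return flagged


def enumerate_run_keys():
    """On Windows, read every loaded user hive's Run key; returns [] elsewhere."""
    if not sys.platform.startswith("win"):
        return []
    import winreg
    found, i = [], 0
    while True:
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        except OSError:
            break  # no more loaded hives
        i += 1
        try:
            key = winreg.OpenKey(winreg.HKEY_USERS, sid + RUN_SUBKEY)
        except OSError:
            continue  # e.g. the *_Classes hives have no Run key
        with key:
            j = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, j)
                except OSError:
                    break
                j += 1
                found.append((f"{sid}\\{name}", str(value)))
    return found


# Constructed sample entries (not from a real machine); only the
# BubbleShotter15[1].com filename is taken from the incident described above.
SAMPLE_ENTRIES = [
    ("BubbleShotter", r'"C:\Documents and Settings\jdoe\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\BubbleShotter15[1].com"'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Sync", r'"C:\Program Files\Vendor Tool\sync.exe" /autostart'),
    ("update", r"C:\Documents and Settings\jdoe\Local Settings\Temp\svc.scr /s"),
]

if __name__ == "__main__":
    live = enumerate_run_keys()
    for name, command, reasons in suspicious_run_entries(live or SAMPLE_ENTRIES):
        print(f"{name}: {command}\n    {'; '.join(reasons)}")
```

Run it under an account that can read other users’ loaded hives (or per user at logon) and the output is a short list worth a look, which is cheaper than waiting for the once-a-minute alert stream to tell you a signature matched something SAV could not kill.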