Posts tagged ‘Brian Krebs’

Comcast to warn of infected machines

This week numerous sources reported on news that Comcast will deliver pop-ups to alert customers with infected machines.
I agree with Phil Lin, marketing director at network security firm FireEye Inc., as quoted in the linked AP story above: if this catches on we'll soon see it used in social engineering attacks.
According to Brian Krebs in his Washington Post blog Security Fix, the alert is a

“so-called “service notice,” a semi-transparent banner that overlays a portion of whatever page is being displayed in the customer’s Web browser. Customers can then either move or close the alert, or click “Go to Anti-Virus Center,” for recommended next-steps, which may include downloading and running the McAfee anti-virus tools the company offers for free, or purchasing a cleanup package and allowing a Comcast technician to attempt to remotely diagnose and fix the problem.”

I’d love to see an escalation so that ignored notices eventually put you in a walled garden until remediation occurs.
There is debate in the industry about the responsibility of the ISP. Techies want a pipe. They don't use the ISP's email server, web hosting, or news server. They don't want blocked ports or managed traffic. There is another side that demands a clean pipe. I've seen this more in the business area, where a business ISP partners with a Security as a Service vendor to clean up or monitor the Internet traffic. John Pescatore takes this position in his post, saying that warning about a problem isn't as good as preventing the problem from reaching the user in the first place.
I think it's good to see an ISP want to be a good citizen. ISPs want to be more than just dumb pipes. Trying to clean up the neighborhood is a good start. This is a logical next step from blocking ports such as outbound SMTP other than through the ISP's mail server.

CheckFree Attack

Brian Krebs reports on an attack on CheckFree in today's Security Fix blog.
It looks like someone used phishing to get credentials for their Network Solutions account. Brian says "This may seem like a logical stretch, and perhaps it is." I don't know about that. If they just phished the email address in the whois record they would probably get the right person.
Once they had the login credentials it was a quick update to change the authoritative DNS servers and redirect users to a malicious server.
Avivah Litan, a fraud analyst with Gartner, seems to think that other (unnamed) security mechanisms should be in place besides a username and password: "If all that's protecting a bank's Web site is a user name and password, that's kind of like having a massive vulnerability in the core of the Internet."
I'm not sure the solution is some call-back mechanism where NetSol verifies the change request. Why is a user name and password supposed to be good enough to protect my stuff but not theirs?
I noticed that as of this morning CheckFree.com now shows clientUpdateProhibited in the whois record. I don't know enough about that to know if it's a solution. The RFC says it means "ignore all updates except to turn off clientUpdateProhibited". That doesn't sound like much defense.
While it is a reactive defense, it doesn’t cost much to monitor your domains so you are alerted about DNS errors and changes.
Also if Network Solutions had emailed a change alert to the address of record this could have been caught earlier as well.
To me the bottom line is personnel need to be trained not to fall for phishing attacks.
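As an added example (not part of the original post), here is the kind of domain monitoring mentioned above in Python: it parses a whois record for the registrar status codes and name servers, then alerts when the delegation drifts from a baseline or an expected lock is missing. The whois text, the domain, its name servers and the baseline are all constructed for illustration.

```python
import re

# Constructed sample whois output for illustration, not a real record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
Updated Date: 2008-12-03
"""

# Assumed baseline for our own domain: the name servers we delegate to and
# the registrar status codes we expect to stay set.
BASELINE = {
    "nameservers": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "statuses": {"clientTransferProhibited", "clientUpdateProhibited",
                 "clientDeleteProhibited"},
}

def parse_whois(text):
    """Collect 'Domain Status:' and 'Name Server:' values from key: value whois text."""
    statuses, servers = set(), set()
    for line in text.splitlines():
        m = re.match(r"\s*(Domain Status|Name Server)\s*:\s*(\S+)", line, re.I)
        if not m:
            continue
        if m.group(1).lower() == "domain status":
            statuses.add(m.group(2))                    # EPP status codes are case-sensitive
        else:
            servers.add(m.group(2).lower().rstrip("."))  # hostnames are not
    return {"statuses": statuses, "nameservers": servers}

def check_domain(text, baseline):
    """Return alert strings; an empty list means the record matches the baseline."""
    cur = parse_whois(text)
    alerts = []
    for ns in sorted(cur["nameservers"] - baseline["nameservers"]):
        alerts.append(f"unexpected name server: {ns}")    # delegation was changed
    for ns in sorted(baseline["nameservers"] - cur["nameservers"]):
        alerts.append(f"missing name server: {ns}")
    for status in sorted(baseline["statuses"] - cur["statuses"]):
        alerts.append(f"registrar lock not set: {status}")
    return alerts

if __name__ == "__main__":
    for alert in check_domain(SAMPLE_WHOIS, BASELINE):
        print("ALERT:", alert)
```

Run it from cron against the output of your whois client and page on any non-empty result.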

Adobe Reader Exploit Drops Trojan.Zonebac

As I was driving into work this morning, my BlackBerry was flooded with Trojan.Zonebac alerts. When I got into work, I could see that a single computer at one of our sites was getting this detection on pretty much every major EXE. When I read the technical writeup of Trojan.Zonebac at Symantec, I found out why. Zonebac searches for files referenced in the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For all the files found referenced in the registry subkey values, the Trojan creates a copy of the referenced file in a folder named “bak” at the same path as the original file. Then the Trojan will replace the original file with a copy of itself.
Now that is a mess. Normally, I see it as a fun challenge to clean machines, but in this case with so many EXEs suspect, and with the computer being remote, it seemed to be a better bet to wipe the system.
This evening the SANS Handler Diary had an entry revealing that the Adobe Reader/Professional vulnerability is currently being exploited and Zonebac is being dropped. That explains what happened.
It looks like I may have to move up my implementation of Adobe Reader 8.2.1.
Brian Krebs’ writeup on this reports that according to iDefense this was spreading through banner ads. http://blog.washingtonpost.com/securityfix/2008/02/hackers_exploiting_adobe_reade.html
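An added triage check for the behaviour described above, written here in Python and not taken from the post or from Symantec: it pulls the program path out of each Run-key value, looks for a copy of the same name in a sibling bak folder, and reports the pairs whose contents differ. The registry reader only works on Windows; demo() builds a constructed sample in a temporary directory so the logic can be exercised anywhere.

```python
import hashlib
import os
import tempfile

def executable_from_run_value(command):
    """Program path from a Run value such as '"C:\\Program Files\\a.exe" /s'
    or 'C:\\a\\a.exe -x'; an unquoted path containing spaces is cut at the space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_bak_swaps(run_values):
    """Flag Run-key targets that have a bak\\<same name> sibling with different
    content, the footprint the Symantec writeup describes. Identical copies pass."""
    findings = []
    for name, command in run_values:
        exe = executable_from_run_value(command)
        if not exe or not os.path.isfile(exe):
            continue
        bak = os.path.join(os.path.dirname(exe), "bak", os.path.basename(exe))
        if os.path.isfile(bak) and _sha256(exe) != _sha256(bak):
            findings.append((name, exe, bak))
    return findings

def read_run_values():
    """Windows only: enumerate the HKCU and HKLM Run keys named in the writeup."""
    import winreg
    out = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                out.append((name, str(data)))
    return out

def demo():
    """Constructed sample: one untouched program, one swapped with its original in bak\\."""
    app = os.path.join(tempfile.mkdtemp(), "app")
    os.makedirs(os.path.join(app, "bak"))
    clean, swapped = os.path.join(app, "clean.exe"), os.path.join(app, "swapped.exe")
    for path, body in ((clean, b"MZ clean program"), (swapped, b"MZ trojan body"),
                       (os.path.join(app, "bak", "swapped.exe"), b"MZ original program")):
        with open(path, "wb") as f:
            f.write(body)
    return find_bak_swaps([("Clean", f'"{clean}" /q'), ("Swapped", f'"{swapped}" /q')])
```

On a suspect Windows host, call find_bak_swaps(read_run_values()); any hit names a Run target that no longer matches the copy Zonebac set aside.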

JAVA 1.6 Update 4

SANS blogged about the latest Java 1.6 Update 4 release back on January 12th. Brian Krebs today wrote a piece in his Washington Post blog Security Fix.
I admit it. I have no idea whether or not this update is critical. SANS seemed to say 'you might want to do this soon.' Brian said 'it contains some security fixes. You should update.' I'm looking around to see how Sun categorizes this fix. Microsoft would be letting me know if it's critical or important, whether exploits are available and how an attack might occur. Cisco would use the CVSS standard, which is pretty cool. Even after reviewing Sun's release notes I don't have a clue.
I kind of want to say no news is good news. We need to keep the enterprise-wide reboots caused by software updates to a minimum. I just hope I don't open my RSS reader one day and read about an exploit in the wild that would have been patched if I had deployed this. I'll keep this one on the back burner and deploy it if Adobe, Flash and QuickTime slow their vulnerability circus for a while.

Got Windows 2000 and want to run Quicktime? tough luck

Through reading comments over at Brian Krebs' Security Fix, I found out that QuickTime 7.2 is not supported on Windows 2000. Just to verify that for myself, I tried installing it on Windows 2000 and found that only XP and Vista are supported.
Windows 2000 is slowly riding into the sunset; however, Microsoft still supplies security patches for the OS. I'm not sure what extra cost Apple would incur by allowing the software on Windows 2000. At this point, I think I have no other choice but to uninstall QuickTime from the remaining Windows 2000 computers.

Browning Notice

I received an email today about a settlement notice regarding a class action lawsuit over some credit monitoring. I read the email over, googled the web page given, and checked out Snopes, but didn't find anything. Next I opened my RSS reader and found that Brian Krebs has an excellent writeup. His summary: it's very suspicious-looking, but it's actually a legitimate settlement notice.

Spam Automation Tools

Brian Krebs links to the XRumer auto-submitter in an entry in the Washington Post Security Fix. It's interesting to see the software that is out there for pumping spam into on-line bulletin boards.
XRumer uses search engines to gather target forums, then automates the registration and posting of the spam. They brag in the feature list that they can get around CAPTCHAs and email verification. There is a long video demonstrating its use.

A whole new kind of bluejack

Johnny Cache has uncovered flaws in Bluetooth implementations from Toshiba. Brian Krebs reports in his Security Fix blog.
Apparently it's a Toshiba Bluetooth driver that is also used by Dell.
In a refreshing change from how Apple responded to their wireless driver vulnerability,

A Dell spokesperson said SecureWorks shared an exploit with the company that worked against any of nine different Dell Latitude laptops, and that the company’s engineers were able to reproduce the reported problems in-house. Dell said it has shipped updates to fix the problem on Latitude Models D820, D620, D420, and D520. Other Latitude models also are vulnerable, including the D810, D610, D410, D510 and X1 versions, but the company doesn’t expect to ship updates for those models until Nov. 4.

I keep my Bluetooth disabled, but I'll be checking the Toshiba site soon to see if my M400 is vulnerable.

Microsoft Antispyware false positive pooches SAV

Looks like I should blog this since Chris Mosby is linking over here (thanks for the linkage, Chris). I posted about it on the myitforum.com antivirus discussion list rather than posting here so I could see what others were seeing.
A blog entry by tech reporter Brian Krebs notes that Microsoft Antispyware (MSAS) is (or has) tagged Symantec Antivirus as a keystroke logger. If you then follow the MSAS removal prompt, you'll remove enough of your SAV client that it won't work anymore.
The source of these reports is the Microsoft Antispyware newsgroups; I haven't seen anything on the Symantec or Microsoft website on this. Apparently the problem was with the 2/10 definitions. Newer definitions are available.
One interesting thing from the comments in the MS newsgroup: they have had problems in the beta with deploying Microsoft Antispyware updates. Caching servers are really causing a problem.
If this has happened to you, your best bet is probably an uninstall/reinstall. I don't know if restoring from Quarantine will work in this case. Time to go check on the status of systems in my enterprise to see if any have had this problem.
[UPDATE]:
Techworld reports that this affects pretty much all SCS and SAV Corporate Edition installs. That makes sense since it is detecting something in the LANDesk registry key that SAV stores all its stuff in.