<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: excel]]></title>
    <link>http://securityratty.com/tag/excel</link>
    <description></description>
    <pubDate>Tue, 20 May 2008 08:50:08 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[On Idiots and Logs]]></title>
      <link>http://securityratty.com/article/6490a97e465cf9d880fa1849d0525c8e</link>
      <guid>http://securityratty.com/article/6490a97e465cf9d880fa1849d0525c8e</guid>
      <description><![CDATA[How on Earth can someone even utter the phrases "scalable log management" and "Microsoft Access for data storage" in one sentence? OMG, OMG, OMG

MS Access, for God's sake! I wonder if they tried...]]></description>
      <content:encoded><![CDATA[How on Earth can someone even utter the phrases "<span style="font-weight: bold;">scalable log management</span>" and "<span style="font-weight: bold;">Microsoft <span style="font-style: italic;">Access </span>for data storage</span>" in one sentence? OMG, OMG, OMG...<br /><br />MS Access, for God's sake! I wonder if they tried storing logs in Excel spreadsheets?<br /><br />Yeeeeesh.<div class="blogger-post-footer">About me: http://www.chuvakin.org</div>]]></content:encoded>
      <pubDate>Fri, 15 Aug 2008 07:51:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/microsoft access">microsoft access</category>
      <category domain="http://securityratty.com/tag/omg">omg</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <category domain="http://securityratty.com/tag/scalable log management">scalable log management</category>
      <category domain="http://securityratty.com/tag/logs">logs</category>
      <category domain="http://securityratty.com/tag/data storage">data storage</category>
      <category domain="http://securityratty.com/tag/excel spreadsheets">excel spreadsheets</category>
      <category domain="http://securityratty.com/tag/yeeeeesh">yeeeeesh</category>
      <category domain="http://securityratty.com/tag/phrases">phrases</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/365910571/on-idiots-and-logs.html">On Idiots and Logs</source>
    </item>
    <item>
      <title><![CDATA[Microsofts Patch Fix Critical Vulnerabilities In IE And Office]]></title>
      <link>http://securityratty.com/article/83530b8c3cc5bababe63cdb90ab7881a</link>
      <guid>http://securityratty.com/article/83530b8c3cc5bababe63cdb90ab7881a</guid>
      <description><![CDATA[Microsoft has released six critical patches and five patches described as important, addressing a total of 26 vulnerabilities. All six critical updates address code injection risks involving Access,...]]></description>
      <content:encoded><![CDATA[Microsoft has released six critical patches and five patches described as important, addressing a total of 26 vulnerabilities. All six critical updates address code injection risks involving Access, Excel, Microsoft Office and Internet Explorer.
Full bulletin can be found here. Here’s the brief summary of critical flaws:
CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2257, CVE-2008-2259 and CVE-2008-2258: These patches fix [...]]]></content:encoded>
      <pubDate>Wed, 13 Aug 2008 08:26:27 +0000</pubDate>
      <category domain="http://securityratty.com/tag/critical">critical</category>
      <category domain="http://securityratty.com/tag/critical patches">critical patches</category>
      <category domain="http://securityratty.com/tag/patches">patches</category>
      <category domain="http://securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://securityratty.com/tag/patches fix">patches fix</category>
      <category domain="http://securityratty.com/tag/critical flaws">critical flaws</category>
      <category domain="http://securityratty.com/tag/microsoft office">microsoft office</category>
      <category domain="http://securityratty.com/tag/internet explorer">internet explorer</category>
      <category domain="http://securityratty.com/tag/vulnerabilities">vulnerabilities</category>
      <source url="http://cyberinsecure.com/microsofts-patch-fix-critical-vulnerabilities-in-ie-and-office/">Microsofts Patch Fix Critical Vulnerabilities In IE And Office</source>
    </item>
    <item>
      <title><![CDATA[Patch Tuesday? Aw jeez!]]></title>
      <link>http://securityratty.com/article/df0606458c7029fd2520302ee43099b3</link>
      <guid>http://securityratty.com/article/df0606458c7029fd2520302ee43099b3</guid>
      <description><![CDATA[This is gonna be a biggie people. Good luck to us all


clipped from www.internetnews.com

Patch Tuesday Targets Mammoth Set of Flaws


The six critical security flaws relate to Remote Code Execution...]]></description>
      <content:encoded><![CDATA[<div > This is gonna be a biggie people.<br/>Good luck to us all. </div>
<table cellpadding="0" cellspacing="0" width="100%" style="margin: 12px 0px; font-family: arial; color: #333333; background: #ffffff; border: solid 4px #e5e5e5; width: 100%; clear: left;">
<tr>
<td valign="top">
<table cellpadding="0" cellspacing="0" width="100%" class="CM_CTB_Content_Wrap" style="margin: 0px; padding: 0px;background-color: #ffffff;">
<tr>
<td valign="top">
<table cellpadding="0" cellspacing="0" width="100%" style="border-bottom: solid 1px #dcdcdc; white-space: nowrap; margin-bottom: 8px; background-color: #eeeeee ;background-image: url(http://clipmarks.com/images/source-bg.gif); background-repeat: repeat-x; height: 24px; line-height: 24px; vertical-align: middle; padding-bottom: 4px; color: #666666; font-size: 10px;">
<tr>
<td valign="top"><a href="http://clipmarks.com/clipmark/D5F7239D-A64F-4E48-8BB3-B173B743903A/" title="go to this clipmark"><img src="http://content.clipmarks.com/blog_icon/ee23fe0f-71fa-4504-bb9c-6470bd02df89/D5F7239D-A64F-4E48-8BB3-B173B743903A/" alt="" width="19" height="19" border="0" style="vertical-align: middle; margin: 0px 4px; display: inline; border: none; float:none;" /></a>clipped from <a title="http://www.internetnews.com/security/article.php/3764856/Patch+Tuesday+Targets+Mammoth+Set+of+Flaws.htm" href="http://www.internetnews.com/security/article.php/3764856/Patch+Tuesday+Targets+Mammoth+Set+of+Flaws.htm" style="font-size: 11px;">www.internetnews.com</a></td>
</tr>
</table>
<table cellpadding="0" cellspacing="0" width="100%" style="text-align: left; padding: 0px 8px; margin: 4px 0px 8px 0px; background: transparent; border: none;">
<tr>
<td valign="top"><!-- CLIPPED FROM: http://www.internetnews.com/security/article.php/3764856/Patch+Tuesday+Targets+Mammoth+Set+of+Flaws.htm --><DIV>Patch Tuesday Targets &#8216;Mammoth&#8217; Set of Flaws</DIV></td>
</tr>
</table>
<div style="height: 2px; font-size: 2px; background: #dcdcdc; border-bottom: solid 1px #f5f5f5; margin: 2px 4px;"></div>
<table cellpadding="0" cellspacing="0" width="100%" style="text-align: left; padding: 0px 8px; margin: 4px 0px 8px 0px; background: transparent; border: none;">
<tr>
<td valign="top"><!-- CLIPPED FROM: http://www.internetnews.com/security/article.php/3764856/Patch+Tuesday+Targets+Mammoth+Set+of+Flaws.htm --><P>The six critical security flaws relate to Remote Code Execution vulnerabilities in Microsoft Windows, Internet Explorer, Media Access Player, Access, Excel, PowerPoint and Microsoft Office. All versions of Windows, from Windows 2000 to Vista, and Windows Server 2003 and 2008, are impacted. Microsoft today also released an updated version of the Microsoft Windows Malicious Software Removal Tool.<br />
</P></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
]]></content:encoded>
      <pubDate>Tue, 12 Aug 2008 20:50:56 +0000</pubDate>
      <category domain="http://securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://securityratty.com/tag/microsoft windows">microsoft windows</category>
      <category domain="http://securityratty.com/tag/windows">windows</category>
      <category domain="http://securityratty.com/tag/critical security flaws">critical security flaws</category>
      <category domain="http://securityratty.com/tag/windows server">windows server</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <category domain="http://securityratty.com/tag/flaws">flaws</category>
      <category domain="http://securityratty.com/tag/media access player">media access player</category>
      <category domain="http://securityratty.com/tag/microsoft office">microsoft office</category>
      <source url="http://spywarebiz.com/spywarebizblog/?p=553">Patch Tuesday? Aw jeez!</source>
    </item>
    <item>
      <title><![CDATA[Malware and Office Documents Joining Forces]]></title>
      <link>http://securityratty.com/article/dee3d028ca8134c75e2aec7f397d1493</link>
      <guid>http://securityratty.com/article/dee3d028ca8134c75e2aec7f397d1493</guid>
      <description><![CDATA[Common office files as documents, presentations, spreadsheets and PDF files, are the most widely abused ones in targeted attacks, which when backed up with enough personal information and take into...]]></description>
      <content:encoded><![CDATA[<a href="http://bp1.blogger.com/_wICHhTiQmrA/SHtuv_mJSwI/AAAAAAAAB6M/X83g6Zkr9hg/s1600-h/screen1.jpg" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp1.blogger.com/_wICHhTiQmrA/SHtuv_mJSwI/AAAAAAAAB6M/b0YAu_NWEQk/s200-R/screen1.jpg" style="border: 0pt none ;" /></a>Common office files such as documents, presentations, spreadsheets and PDF files are the most widely abused ones in targeted attacks, which, when backed up with enough personal information and when they take into consideration the timing of the attack, with the social engineering campaign based either on a current/upcoming event or on an event anticipated due to information gathered through open source intelligence, often make it through common signature-based scanning solutions.<br />
<br />
Although relatively easy to obtain, point'n'click <a href="http://www.f-secure.com/weblog/archives/00001450.html">DIY tools for backdooring common office files</a> are available for script kiddies to take advantage of, some <a href="http://ddanchev.blogspot.com/2007/10/dynamics-of-malware-industry.html">naturally remain proprietary tools</a>, making them harder to analyze unless a copy is obtained. Like this one, which generates office documents and spreadsheets, "undetected" by signature-based scanning, that would drop the actual malware on the PC.<br />
<br />
Automatic translation of its description and core features :<br />
<br />
<i>"The program represents a generator OfficeJoiner macros in the language Visual Basic for Application (VBA), for introduction in the document Microsoft Office Word / Microsoft Office Excel executable file (win32 exe), followed by fully automatic recovery and launch, without any&nbsp; additional action by the user. The only requirement that formed in such a way xls / doc files is to support&nbsp; VBA macros on the computer end-user formed file and permission to launch macros.</i><br />
<br />
<i>The program uses NOT a vulnerability (exploit) or macro-virus tools for the introduction, extraction or running embedded files. This means that it has generated macros compatible with ALL versions of Microsoft Office products starting with Microsoft Office 97 package, with any established "patches" and the service pack. Macros generated by this program not detected antivirus, for the simple reason that they are not viruses or macro viruses. The program uses only "established" means products built into Microsoft Excel VBA language to achieve their goals.</i><br />
<br />
<i>- Fully automatic generation of macro for the introduction of documents word / excel any given exe-file with his persistence in the body and subsequent documents automatic recovery and launch, when opening a document word / excel.&nbsp;</i><br />
<br />
<i>- Generated macros are compatible with all versions of ms word / excel since version 97,&nbsp; employments and regardless of the presence / absence of any patches / servicepacs.&nbsp;</i><br />
<br />
<i>- Generated macros are not macro-viruses, exploits do not use and do not contain any malicious code, so do not be detected by any antivirus tools as viruses.&nbsp;</i><br />
<br />
<i>- Conversion body ex-file macro happening in such a way that while in doc / xls file it not detected any antivirus, and can be freely sent by mail safely passed all checks, even if in itself contains viral code defined antivirus. <br />
&nbsp;</i><br />
<i>- Sgenerirovanny and attached to the body of the document macro can be protected with a password or signed certificate, using funds established Microsoft Office, which does not affect him productivity or efficiency (macro, in any case remain fully workable).&nbsp;</i><br />
<br />
<i>- Box macro can be made both in the new document, and in any document containing data and-or other macros. Generated program code is fully compatible with any other embedded in the document macros or entering data, and will not interfere with their work, as well as maintain its efficiency.</i><br />
<br />
<div dir="ltr" id="result_box"><i>- Added auto-finding ways to extract exe-file; <br />
&nbsp;</i></div>
<div dir="ltr" id="result_box"><i>- Added possibility of a macro arbitrary text in the body of the instrument; <br />
&nbsp;</i></div>
<div dir="ltr" id="result_box"><i>- Optimized algorithm macro-generation code; <br />
</i></div>
<div dir="ltr" id="result_box"><a href="http://bp1.blogger.com/_wICHhTiQmrA/SHt7EgPiRwI/AAAAAAAAB6U/BtNJaK_13LM/s1600-h/officedocs_malware_sample.PNG" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp1.blogger.com/_wICHhTiQmrA/SHt7EgPiRwI/AAAAAAAAB6U/xhaiKacT-eM/s200-R/officedocs_malware_sample.PNG" style="border: 0pt none ;" /></a><i>Enabling this option will lead to the creation macro code, who himself will find a way to unpack and run embedded exe-file. Auto-search finds the current user folder and produces there extraction and launch embedded file. The peculiarity of this method is that this method will work on the computers of users with a limited account, because in its user folder in any case has the right to record / performance. Using this option is justified to improve the "punching" macro on computers with limited account or unknown file structure (let Windows installed on the disk is different from C). <br />
<br />
You can specify a name for final file independently, or leave blank, then the name will be generated automatically.</i> </div>
<div dir="ltr" id="result_box"><i><br />
</i></div>
<div dir="ltr" id="result_box"><i>On this possibility has asked for a user program, its essence is that after running a macro, retrieval and downloading exe-file the document with the introduction of exe-file will be withdrawn posed text. Perhaps in this way can improve the application of social engineering, designed to force the user to allow support for macros. For example, in the text of the document indicate: <br />
<br />
"This document contains hidden text (password, a system of calculation formulas, interactive components, etc.), Which can be viewed only after the inclusion of support macros. Please enable support for macros and re-opening this document ". <br />
<br />
After resolving support macros, and the implementation of embedded exe-file, the document will be withdrawn given a string containing probable "password" or any other textual information.</i>  " </div>
<br />
Although the tool is proprietary, the underground economy's leaks are largely driven by bargain hunters who would exchange a proprietary tool, whose often biased exclusiveness may increase the profit margins, for a service or a good that may be worthless for them in general, but impossible to obtain and take advantage of in the present. It will not just leak in one way or another; someone will inevitably backdoor the backdooring tool and trick the novice bargain hunters into running it, leaving them with both their host infected and their money taken.<br />
<br />
<b>Related posts:</b><br />
<a href="http://ddanchev.blogspot.com/2007/03/underground-economys-supply-of-goods.html">The Underground Economy's Supply of Goods and Services</a><br />
<a href="http://ddanchev.blogspot.com/2008/05/yet-another-diy-proprietary-malware.html">Yet Another DIY Proprietary Malware Builder</a><br />
<a href="http://ddanchev.blogspot.com/2008/05/small-pack-web-malware-exploitation-kit.html">The Small Pack Web Malware Exploitation Kit - Proprietary</a><br />
<a href="http://ddanchev.blogspot.com/2008/04/diy-exploit-embedding-tool-proprietary.html">DIY Exploit Embedding Tool - A Proprietary Release</a><br />
<a href="http://ddanchev.blogspot.com/2008/04/skype-spamming-tool-in-wild.html">Skype Spamming Tool in the Wild - Proprietary Release</a>]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 07:20:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/document">document</category>
      <category domain="http://securityratty.com/tag/document macros">document macros</category>
      <category domain="http://securityratty.com/tag/support">support</category>
      <category domain="http://securityratty.com/tag/enable support">enable support</category>
      <category domain="http://securityratty.com/tag/macro">macro</category>
      <category domain="http://securityratty.com/tag/macro viruses">macro viruses</category>
      <category domain="http://securityratty.com/tag/support vba macros">support vba macros</category>
      <category domain="http://securityratty.com/tag/exe-file">exe-file</category>
      <category domain="http://securityratty.com/tag/extract exe-file">extract exe-file</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/335226251/malware-and-office-documents-joining.html">Malware and Office Documents Joining Forces</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: Sprint Treo 800w, New Wireless in Portland (Ore.), Hartford (Conn.) Fail]]></title>
      <link>http://securityratty.com/article/f1981ba4dac94faf8437d40c4aeb2ef4</link>
      <guid>http://securityratty.com/article/f1981ba4dac94faf8437d40c4aeb2ef4</guid>
      <description><![CDATA[Palm Treo 800w released: Sprint is offering the EVDO/Wi-Fi phone with Windows Mobile 6.1 and built-in GPS. The phone is $250 with a two-year contract. This is apparently the phone that Palm should...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" border="0" hspace="5" /><a href="http://reviews.cnet.com/smartphones/palm-treo-800w-sprint/4505-6452_7-33142476.html"><strong>Palm Treo 800w released:</strong></a> Sprint is offering the EVDO/Wi-Fi phone with Windows Mobile 6.1 and built-in GPS. The phone is $250 with a two-year contract. This is apparently the phone that Palm should have released a couple of years ago; now, it's unfavorably compared to the iPhone except for keyboard entry and the ability to subscribe ($10/mo) for turn-by-turn live navigation. You'll note that applications are scarcely mentioned, which is one of the linchpins of the iPhone. This is a business phone with productivity tools--unlike the iPhone, you can use on-board apps to create and edit Word and Excel documents, not just view them. There's also no store mentioned for purchasing video and audio, or software for synchronizing them. The reviewer finds the video quality washed out as well, and the 320-by-320-pixel touchscreen is a bit small compared to other smartphones that focus on video.</p>

<p><a href="http://ir.proxim.com/releasedetail.cfm?ReleaseID=321784"><strong>Stephouse steps into Portland, Ore., void:</strong></a> Local firm <a href="http://www.stephouse.net/Enterprise"><strong>Stephouse</strong></a> has built out 5 sq mi of business-grade wireless availability in downtown Portland and 2 sq mi in an underserved part of north Portland using Proxim gear for both Wi-Fi and WiMax service. Wi-Fi use is $20 per month or 1 free hour per day up to 10 free hours per month. The offering seems to focus on the business side, though, in competition with services like Towerstream. Prices aren't listed on the company's site.</p>

<p><a href="http://www.hartfordbusiness.com/news6031.html"><strong>Hartford drops Wi-Fi effort:</strong></a> Connecticut's troubled capital city has given up on city-wide Wi-Fi. No surprise. No firms ready to build for free, no money, no tangible goals. My wife grew up in the suburb to the west--West Hartford, prosaically enough--and speculates that the lack of county-oriented government in Connecticut has doomed Hartford to be a civic wasteland. It's recovering a bit as housing affordability goes up, and there's more going on in the city than there used to be. But there won't be Wi-Fi. Incidentally, the <a href="http://www.marktwainhouse.org/"><strong>Mark Twain House & Museum in Hartford</strong></a>, home of one of the world's first bloggers, is near financial ruin. It's a great piece of American history; I'm hoping it's saved again--it's had many lives since Twain built it and went bankrupt.</p>]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 06:45:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/hartford">hartford</category>
      <category domain="http://securityratty.com/tag/portland">portland</category>
      <category domain="http://securityratty.com/tag/city-wide wi-fi">city-wide wi-fi</category>
      <category domain="http://securityratty.com/tag/city">city</category>
      <category domain="http://securityratty.com/tag/business phone">business phone</category>
      <category domain="http://securityratty.com/tag/phone">phone</category>
      <category domain="http://securityratty.com/tag/business">business</category>
      <category domain="http://securityratty.com/tag/business-grade wireless availability">business-grade wireless availability</category>
      <category domain="http://securityratty.com/tag/free hour">free hour</category>
      <source url="http://wifinetnews.com/archives/008394.html">Wee-Fi: Sprint Treo 800w, New Wireless in Portland (Ore.), Hartford (Conn.) Fail</source>
    </item>
    <item>
      <title><![CDATA[Fort Lewis soldiers exposed by laptop theft]]></title>
      <link>http://securityratty.com/article/fd0ce367aedf3e489eb5d0a155241be5</link>
      <guid>http://securityratty.com/article/fd0ce367aedf3e489eb5d0a155241be5</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
7/9/08 (UPDATED 7/11/08 - Laptop with information about soldier found; Lacey teen arrested

Organization
United States Army
...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/usarmy.jpg" width="88" align="right" height="119"><font size="2"><b>Date Reported: </b><br>7/9/08 (UPDATED 7/11/08 - </font><a href="http://www.theolympian.com/377/story/504243.html">Laptop with information about soldier found; Lacey teen arrested</a>)<br><font size="2"><br><b>Organization: </b><br><a href="http://www.army.mil/">United States Army</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.lewis.army.mil/index.asp">Fort Lewis</a>*<br><font size="1"><br>*The principal Fort Lewis maneuver units are the 1st Brigade, 25th Infantry Division and the 3d Brigade, 2nd Infantry Division. It is also home to the 593d Corps Support Group, the 555th Engineer Group, the 1st MP Brigade (Provisional), the I Corps NCO Academy, Headquarters, Fourth ROTC Region, the 1st Personnel Support Group, 1st Special Forces Group (Airborne), 2d Battalion (Ranger), 75th Infantry, and Headquarters, 5th Army (West).&nbsp; Fort Lewis has more than 25,000 soldiers and civilian workers, source: <a href="http://www.lewis.army.mil/about-ft-lewis.asp">About Fort Lewis</a> </font><br><br><span style="font-weight: bold;">Victims:</span><br>Soldiers<br><br><span style="font-weight: bold;">Number Affected:</span><br>~800 - 900<br><br><span style="font-weight: bold;">Types of Data:</span><br>"personal information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.king5.com/localnews/stories/NW_070808WAB_soldiers_ID_theft_KC.3e0bcdc6.html">KING Channel 5 News</a> <br><a href="http://www.thenewstribune.com/news/local/story/409911.html">Tacoma News</a> <br><br><span style="font-weight: bold;">Report 
Credit:</span><br>Elisa Hahn, KING Channel 5 News<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials.<br><br>In this case, an Army employee told Lacey police he left the laptop and a 500-gigabyte removable hard drive on the seat of his Dodge truck, parked unlocked in front of his house overnight July 3<br><span style="font-style: italic;">[Evan] Storing personal information on removable devices such as laptops, external hard drives and flash drives without encryption, strike one.&nbsp; Moving the mobile device outside of a controlled area is strike two.&nbsp; Leaving the mobile device overnight in an unlocked vehicle in plain sight of passers-by is an emphatic strike three.</span><br><br>He reported them stolen about 10 a.m. on July 4.<br><span style="font-style: italic;">[Evan] A soldier's personal information stolen on the day our country celebrates our independence is insulting.</span><br><br>A post spokeswoman said officials were notifying the involved soldiers out of concern that the case might put them at risk for identity theft.<br><br>the Army began no later than Wednesday notifying the affected soldiers through e-mail and phone calls. 
They’ll get follow-up letters.<br><br>Officials said the employee, a civilian military personnel specialist, appears to have violated Army standards and policies for protecting personal information and government property.<br><br>Army laptops and removable storage devices containing personal information are generally restricted to on-post workplaces but can be signed out with a supervisor’s permission.<br><br>They’re also supposed to be password-protected and personal information is supposed to be encrypted<br><br>The Army is assisting Lacey police with the theft investigation and conducting its own review, said Catherine Caruso, a Fort Lewis spokeswoman.<br><br>"We’re not releasing anything more about what information was inappropriately compromised or about the soldiers whose information was involved," Caruso said.<br><br>"Clearly it was personal information regarding 800 to 900 soldiers from Fort Lewis. Beyond that, we’d rather not specify."<br><br>there was no classified, secret or top-secret information on the laptop and the hard drive.<br><br>Caruso said the employee was working on a project regarding a particular unit at a location other than his office.<br><br>She said "it would be inappropriate to speculate" about what potential disciplinary action the worker might face if he is found to have broken security rules.<br><span style="font-style: italic;">[Evan] It is probably inappropriate to speculate, but you know we will anyway.&nbsp; My guess is that there is another person looking for a job in the Olympia, Washington area.</span><br><br>Since the theft, post officials have set new training requirements for military personnel staff and prepared a memo for each employee to sign outlining the safeguarding and reporting requirements<br><br><span style="font-weight: bold;">Commentary:</span><br>When someone's poor judgment creates unnecessary risk to military personnel it carries a little more weight for me.&nbsp; These men and women give everything to 
protect us.&nbsp; Without them I wouldn't be able to write this, and without them you wouldn't be able to read it. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>United States Army:<br>June, 2008 - <a href="http://breachblog.com/2008/06/03/walterreed.aspx">Walter Reed Army Medical Center breach through P2P</a> <br>April, 2008 - <a href="http://breachblog.com/2008/04/13/usaasc.aspx%20">Excel Spreadsheet on the web exposes Army officers and civilians</a> <br><br></font><br>
]]></content:encoded>
      <pubDate>Fri, 11 Jul 2008 09:44:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fort lewis soldiers">fort lewis soldiers</category>
      <category domain="http://securityratty.com/tag/soldiers">soldiers</category>
      <category domain="http://securityratty.com/tag/fort lewis">fort lewis</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/lacey police officials">lacey police officials</category>
      <category domain="http://securityratty.com/tag/officials">officials</category>
      <category domain="http://securityratty.com/tag/army">army</category>
      <category domain="http://securityratty.com/tag/army standards">army standards</category>
      <source url="http://breachblog.com/2008/07/11/usarmy.aspx">Fort Lewis soldiers exposed by laptop theft</source>
    </item>
    <item>
      <title><![CDATA[Laptop stolen from the home of a BearingPoint employee]]></title>
      <link>http://securityratty.com/article/cdacc39a32caa98a264d6e52be4b661f</link>
      <guid>http://securityratty.com/article/cdacc39a32caa98a264d6e52be4b661f</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/5/08

Organization
BearingPoint, Inc

Contractor/Consultant/Branch
None

Victims
Independent BearingPoint contractors

Number Affected
Unknown

Types...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/bearingpoint.jpg" width="166" align="right" height="81"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/5/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.bearingpoint.com/portal/site/bearingpoint">BearingPoint, Inc.</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Independent BearingPoint contractors<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>"first and last name and Social Security Number"<br><br><span style="font-weight: bold;">Breach Description:</span><br>On May 14, 2008 a BearingPoint company-issued laptop was stolen from the residence of an employee.&nbsp; The laptop contained sensitive personal information belonging to a number of BearingPoint independent contractors.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-153117.pdf">The Maryland State Attorney General breach notification</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Maryland State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>BearingPoint recognizes the importance of safeguarding the personal information it handles in the course of conducting business.<br><span style="font-style: italic;">[Evan] As demonstrated on their web site.&nbsp; The number "8" followed by "The number of years in a row that identity theft has been the #1 internet crime"</span><br><br><img src="http://images.quickblogcast.com/95781-88451/8.jpg" width="576" border="0"><br><br><br><img src="http://images.quickblogcast.com/95781-88451/8y.jpg" width="576" border="0"><br><br>To that end, we have implemented safeguards for the 
information.<br><span style="font-style: italic;">[Evan] OK, I am following so far.</span><br><br>Even the most rigorous safeguards, however, can not guarantee protection against criminal conduct.<br><span style="font-style: italic;">[Evan] Well, I think "rigorous safeguards" needs to be quantified somewhat.&nbsp; What are "rigorous safeguards" and how do they apply to this breach?</span><br><br>The Company was recently victimized by such conduct and we are writing to inform you that this criminal conduct might have a direct impact on you.<br><span style="font-style: italic;">[Evan] Uh oh, here it comes.&nbsp; Not only was "The Company" recently victimized, but just as importantly, the owners of the personal information were victimized as well.</span><br><br>On May 14, 2008, the residence of one of our employees was burglarized and the company-issued laptop computer was taken amongst other personal property.<br><br>The employee promptly reported the theft to the Atlanta Police Department, which is investigating the break in.<br><br>The investigation into the burglary is on-going and BearingPoint is cooperating fully.<br><br>BearingPoint worked diligently to reconstruct the information stored on the stolen laptop.<br><br>BearingPoint has been able to determine that the computer contains the name and social security number of independent contractors.<br><span style="font-style: italic;">[Evan] Recognizing the importance of safeguarding personal information, is storing personal information on a laptop (presumably without encryption due to the fact that there is no mention of it) a prudent practice?</span><br><br>The stolen laptop did not contain credit or debit card numbers, or financial account numbers.<br><span style="font-style: italic;">[Evan] So a criminal would have to open his/her own accounts using the other information that WAS on the laptop.</span><br><br>We have no reason to believe that the information stored on the stolen laptop was the target of the 
burglary or that the information has been misused.<br><br>The personal information on the laptop can be accessed only with two passwords and two forms of authentication.<br><span style="font-style: italic;">[Evan] The "passwords" are the authentication.&nbsp; I am guessing that BearingPoint meant two forms of identification (probably usernames).&nbsp; Again, I am guessing that one of the username/passwords is for the operating system itself which takes less than 10 minutes to bypass in most instances and I am guessing that the other username/password combination is file access for which there are known workarounds in many common applications (Word, Excel, PowerPoint, etc.).&nbsp; Either way, I think that this excerpt is meant to minimize the situation with a strong bias towards saving face.</span><br><br>In addition, the personal information was not stored in a single file or spreadsheet but dispersed among numerous files.<br><span style="font-style: italic;">[Evan] Information security personnel know better than to argue the security through obscurity defense.</span><br><br>To date, we have received no report indicating that the information stored on the laptops has been accessed or misused.<br><span style="font-style: italic;">[Evan] I think "laptops" in the breach notification is a typo</span><br><br>BearingPoint recognizes this development, and any related inconvenience, might be upsetting.<br><br>We regret this incident has occurred and we apologize for any inconvenience it may cause you.<br><br>As a result of this incident, we have taken immediate steps to review our current policies and procedures to further enhance security for personal data we handle and to reduce the risk of recurrence.<br><span style="font-style: italic;">[Evan] Restrict ability to store confidential information on mobile devices?&nbsp; Encryption?&nbsp; Two-factor authentication?</span><br><br>To lessen the potential inconvenience to you and reduce the risk that you might be subjected 
to attempts to steal your identity, we have engaged ConsumerInfo.com Inc., an Experian company, to provide you with one year of credit monitoring, at no cost to you.<br><br>Please contact BPt-FMGOICPrivacy@bearingpoint.com should you have additional questions regarding the circumstance of the incident.<br><br>BearingPoint currently anticipates notifying affected individuals on or before June 6, 2008, of this incident.<br><br><span style="font-weight: bold;">Commentary:</span><br>Marketing on the BearingPoint web site boasts "BearingPoint has demonstrated some of the biggest advancements in risk consulting services among the large number of providers in this market" - Forrester Wave: Risk Consulting Services, Q2, June 2007 Report.&nbsp; <br><br>It is disappointing to read about a well-respected company losing control of confidential information, but what makes this worse is the fact that it happened through the actions of a leading information security and risk consulting company.&nbsp; It is important to point out that one incident <span style="font-weight: bold;">DOES NOT</span> define a company. <br><br>No encryption or mention of it as a matter of policy, and the attempts to minimize the possible impact by mentioning ineffective controls (passwords and obscurity) are troubling. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Thu, 19 Jun 2008 11:38:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/bearingpoint">bearingpoint</category>
      <category domain="http://securityratty.com/tag/store confidential information">store confidential information</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/laptop">laptop</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/independent contractors">independent contractors</category>
      <source url="http://breachblog.com/2008/06/19/bearingpoint.aspx">Laptop stolen from the home of a BearingPoint employee</source>
    </item>
    <item>
      <title><![CDATA[Walter Reed Army Medical Center breach through P2P]]></title>
      <link>http://securityratty.com/article/9729c053ac7d1be346029b81accc1754</link>
      <guid>http://securityratty.com/article/9729c053ac7d1be346029b81accc1754</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
6/2/08

Organization
United States Army

Contractor/Consultant/Branch
Walter Reed Army Medical Center (&quot;WRAMC

Victims
Military Health System...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/walterreed.jpg" align="right" height="107" width="197"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>6/2/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.army.mil/">United States Army</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.wramc.amedd.army.mil/Pages/default.aspx">Walter Reed Army Medical Center ("WRAMC")</a> <br><br><span style="font-weight: bold;">Victims:</span><br>"Military Health System beneficiaries" or patients<br><br><span style="font-weight: bold;">Number Affected:</span><br>~1,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"Names, Social Security numbers, birth dates and other information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"WASHINGTON (AP) — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.wramc.amedd.army.mil/Lists/WRNews/DispForm.aspx?Id=68&amp;">Walter Reed Army Medical Center News</a> <br><a href="http://ap.google.com/article/ALeqM5ggIYzqvXf4Qosf6ubPXxZRRAMPEAD9127N4O0">Associated Press</a> <br><a href="http://www.wishtv.com/Global/story.asp?S=8413762">WISH TV Channel 8 News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Walter Reed Army Medical Center<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>WASHINGTON (AP) — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army.<br><br>Names, Social Security numbers, birth dates and other 
information was released, hospital officials said Monday.<br><span style="font-style: italic;">[Evan] This information belongs mostly to military personnel that were patients of WRAMC.&nbsp; The victims are the people that defend this country.&nbsp;&nbsp; Grrr.</span><br><br>The computer file that was breached did not include information such as medical records, or the diagnosis or prognosis for patients, they said.<br><br>Walter Reed officials declined to explain exactly how the information was compromised, pending an ongoing investigation by the hospital and the Army.<br><span style="font-style: italic;">[Evan] There is more insight into the cause of the breach below.&nbsp; Keep reading.</span><br><br>Preliminary results of an on-going investigation have identified a computer from which the data was apparently compromised.<br><br>Data security personnel from Walter Reed and the Department of the Army continue to investigate the source and causes for the information compromise.<br><br>The medical center learned of the breach on May 21 from an outside data mining company, which officials did not identify.<br><br>the company was working for another client, found the file and contacted Walter Reed.<br><br>The hospital said it is working to notify all of the people named in the data file. Letters or e-mails were being sent out, beginning Monday.<br><br>The chairman of the House Armed Services Committee, Rep. Ike Skelton, D-Mo., said he wants to hear from the Army about its investigation.<br><br>"It's very troubling when private data is inappropriately released," Skelton said. 
"We must ensure that personal information is protected and prevent any future compromise of patient records."<br><span style="font-style: italic;">[Evan] Obviously easier said than done.</span><br><br>Walter Reed plans to offer free credit protective services to patients whose information was revealed.<br><br>The hospital also has set up a hot line for people to call to see if their information was disclosed (1-877-854-8542, ext. 9).<br><br>The Health Insurance Portability and Accountability Act of 1996 protects patients from unauthorized release of their health records. The Walter Reed Army Medical Center has a robust information assurance program that meets all program standards and requirements. The compromised data file did not include protected health information such as medical records, diagnosis or prognosis for patients.<br><br><span style="font-weight: bold;">Message to "Team WRAMC" from COL Patty Horoho:</span><br>I want to ensure that each of you have an understanding of what may be in the papers regarding possible disclosure of personal data. Walter Reed officials were notified of a possible disclosure of personally identifiable information through a Peer to Peer (P2P) network of approximately 1000 Military Health System beneficiaries. The information did NOT contain any protected health information such as medical records, diagnosis or prognosis for patients. The individuals impacted have been identified and we are taking a proactive approach to contact them to assist in providing fraud protection services. Below is the media release we sent out will provide more details. A 24/7 hotline has been established in the Combined Operations Center, 202-782-8333 or 877-854-8542 ext 9 and a info site on the web page is also being created. 
<br><br>I need everyone to ensure that they are not loading or downloading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected information being shared. <br><br><span style="font-weight: bold;">Commentary:</span><br>So the cause of this breach was an unauthorized installation and configuration of a Peer to Peer (P2P) program.&nbsp; My concerns about this revolve around the ability to install the application and the inability of WRAMC personnel to block and/or detect the network traffic.&nbsp; <br><br>The installation of computer programs on a computer usually requires elevated privileges such as administrative access.&nbsp; Are users of WRAMC information resources also administrators of their systems?&nbsp; If so, this is generally not a good idea.<br><br>P2P programs such as BitTorrent, Morpheus, Lime Wire, etc. are dependent upon a network to work, thus the "Peer to Peer".&nbsp; Most, if not all P2P network traffic is easy to block and/or detect with any combination of filtering, network access control and intrusion detection or prevention.&nbsp; Are these technologies not in use at WRAMC?<br><br>Lastly, what is WRAMC policy with respect to acceptable use and network access?&nbsp; There is no mention in the news reports. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>April, 2008 - <a href="http://breachblog.com/2008/04/13/usaasc.aspx">Excel Spreadsheet on the web exposes Army officers and civilians</a> </font><br><br>
]]></content:encoded>
      <pubDate>Tue, 03 Jun 2008 05:14:34 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/walter reed">walter reed</category>
      <category domain="http://securityratty.com/tag/sensitive information">sensitive information</category>
      <category domain="http://securityratty.com/tag/wramc personnel">wramc personnel</category>
      <category domain="http://securityratty.com/tag/wramc">wramc</category>
      <category domain="http://securityratty.com/tag/network access control">network access control</category>
      <category domain="http://securityratty.com/tag/network access">network access</category>
      <category domain="http://securityratty.com/tag/team wramc">team wramc</category>
      <source url="http://breachblog.com/2008/06/03/walterreed.aspx">Walter Reed Army Medical Center breach through P2P</source>
    </item>
    <item>
      <title><![CDATA[Govt Earns C On Computer Security Report Card]]></title>
      <link>http://securityratty.com/article/9c92ed5dd8b6c26956c8f319590f87f1</link>
      <guid>http://securityratty.com/article/9c92ed5dd8b6c26956c8f319590f87f1</guid>
      <description><![CDATA[There was always that one kid in class. You know, the one that didnt always get it. Or spent most of the day staring out the window. Daydreaming knuckle heads that were nowhere near inclined to excel....]]></description>
      <content:encoded><![CDATA[<p><center><img src="http://www.liquidmatrix.org/blog/wp-content/uploads/2008/05/elbarto.png" alt="Bart Simpson" title="elbarto" width="250" height="381" /></center></p>
<p>There was always that one kid in class. You know, the one that didn&#8217;t always get it. Or spent most of the day staring out the window. Daydreaming knuckle heads that were nowhere near inclined to excel. Well, it appears that the US gov&#8217;t is one of those kids. Well, on average anyway.</p>
<p>From the Washington Post:</p>
<blockquote><p>The federal government earned an overall grade of &#8220;C&#8221; for securing its computer systems and networks from cyber attack last year, a slight improvement from the &#8220;C-minus&#8221; mark the government was given in 2006.</p>
<p>The report cards were issued today by Rep. Tom Davis of Virginia, the ranking Republican on the House Committee on Oversight and Government Reform.</p>
<p>Nine agencies earned failing grades for 2007, including the departments of Agriculture, Commerce, Defense, Interior, Labor, Transportation, Treasury, Veterans Affairs, as well as the Nuclear Regulatory Commission. The grades are based on data submitted by the agencies and agency inspector generals to the White House for fiscal year 2007. </p></blockquote>
<p>There are a couple bright spots. The DOJ, SSA, EPA and the GSA were among eight agencies that managed to score an &#8220;A&#8221; on their report card. <i>They</i> get to go to McDonald&#8217;s.</p>
<p>But, the NRC gets no hot apple pie with their happy meal.</p>
<p><a href="http://blog.washingtonpost.com/securityfix/2008/05/govt_earns_grade_of_c_for_comp.html">Article Link</a></p>

]]></content:encoded>
      <pubDate>Tue, 20 May 2008 18:46:23 +0000</pubDate>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/government reform">government reform</category>
      <category domain="http://securityratty.com/tag/report card">report card</category>
      <category domain="http://securityratty.com/tag/federal government">federal government</category>
      <category domain="http://securityratty.com/tag/hot apple pie">hot apple pie</category>
      <category domain="http://securityratty.com/tag/agency inspector generals">agency inspector generals</category>
      <category domain="http://securityratty.com/tag/agencies">agencies</category>
      <category domain="http://securityratty.com/tag/couple bright spots">couple bright spots</category>
      <category domain="http://securityratty.com/tag/nuclear regulatory commission">nuclear regulatory commission</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/294605824/">Govt Earns C On Computer Security Report Card</source>
    </item>
    <item>
      <title><![CDATA[Three Essays on Muni-Fi You Should Read]]></title>
      <link>http://securityratty.com/article/45037ba4b3a574e07b9a0a98bfb0b3cc</link>
      <guid>http://securityratty.com/article/45037ba4b3a574e07b9a0a98bfb0b3cc</guid>
      <description><![CDATA[In the aftermath of the last man standing, MetroFi, announcing its metro-scale Wi-Fi endgame, three useful essays have appeared: If you're trying to understand the past, present, and future of the...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" border="0" hspace="5" />In the aftermath of the last man standing, MetroFi, announcing its metro-scale Wi-Fi endgame, three useful essays have appeared: If you're trying to understand the past, present, and future of the space, I recommend you read these short opinion pieces.</p>

<p>First, Karl Edwards of Excelsio, a firm that consults on municipal broadband, <a href="http://www.muniwireless.com/2008/05/20/what-went-wrong-with-muni-wi-fi-what-cities-can-do-now/"><strong>lays out a pretty straight case</strong></a> as to why EarthLink, Kite, and MetroFi's networks, among other one-offs, were designed to fail. I've written about aspects of this over the last four years, but Edwards is succinct. In part, EarthLink offering to build Philadelphia's network at no cost to the city set the mold wrong for all networks to follow. We're resetting now, and Wi-Fi's moment may have passed. </p>

<p>Edwards offers as one of the constraints set by cities, "Expectation that the network would cover 90-95% of the City with wireless coverage as opposed to just in the areas where there was a solid business case." This has been a problem I've had for a couple of years when it started to become clear that 90-plus percent coverage wasn't in the interest of the ISP--nor in the city's interest because these networks couldn't be completed.</p>

<p>Edwards also notes that when consulting for Grand Rapids, Mich., which chose Clearwire as its wireless partner, EarthLink told the city that they expected a conservative 22-percent uptake for their Wi-Fi service by end of the fourth year. Given that in mature markets, a high-single-digit uptake is considered very good, that shows how the Excel spreadsheets were skewed. USI Wireless's estimates for break-even require less than 10 percent of the population in their covered areas to subscribe, and their numbers of subscribers to date are tracking that number closely.</p>

<p>He closes with a set of eight principles for wireless network builders to come to the table with and cities to adopt, all of which I agree with.</p>

<p>Next, <a href="http://www.muniwireless.com/2008/05/17/how-sf-and-other-cities-could-have-created-citywide-wi-fi-access-the-easy-way/"><strong>Esme Vos suggests a very modest proposal:</strong></a> San Francisco should have required all its cafes to offer free Wi-Fi, and then Fon or others could have aggregated and bundled access to these locations. There's a long set of comments accusing Esme of communism, socialism, utopianism, and other isms. The post and the comments make for lively reading.</p>

<p>Finally, Craig Plunkett, who operates hotspot networks around New York City and Long Island, chimes in with a summary of these opinions and the notion that <a href="http://www.cedx.com/2008/05/when-did-muniwi.html?cid=115472508#comment-115472508"><strong>muni-Fi jumped the shark</strong></a> when Ocean City, N.J., decided to put Wi-Fi in garbage cans. He points out that "an infill strategy" of providing service where needed and then extending from there is effective.</p>]]></content:encoded>
      <pubDate>Tue, 20 May 2008 08:50:08 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ocean city">ocean city</category>
      <category domain="http://securityratty.com/tag/wi-fi">wi-fi</category>
      <category domain="http://securityratty.com/tag/wi-fi service">wi-fi service</category>
      <category domain="http://securityratty.com/tag/city">city</category>
      <category domain="http://securityratty.com/tag/york city">york city</category>
      <category domain="http://securityratty.com/tag/offer free wi-fi">offer free wi-fi</category>
      <category domain="http://securityratty.com/tag/percent">percent</category>
      <category domain="http://securityratty.com/tag/city set">city set</category>
      <category domain="http://securityratty.com/tag/90-plus percent coverage">90-plus percent coverage</category>
      <source url="http://wifinetnews.com/archives/008327.html">Three Essays on Muni-Fi You Should Read</source>
    </item>
  </channel>
</rss>
