[SecurityRatty] tag: scare

The Morphs of Bentham

Fri, 31 Oct 2008 07:23:16 +0000

by Andy Oram10/30/2000 In honor of Halloween, and in memory of New England’s classic horror writer, H. P. Lovecraft, Andy Oram offers this little skit, which promises to scare the wits out of any network administrator. http://oreilly.com/news/halloween_1000.html

6 Months And Counting For Microsoft On CVE-2008-1436

Thu, 16 Oct 2008 11:24:58 +0000

In April of this year Microsoft issued what seemed to be a rather serious security advisory: Vulnerability in Windows Could Allow Elevation of Privilege (951306). Microsoft never provides gory details to vulnerabilities even after they've been patched, but by following the CVE entry from it you can get links to sites like IBM's ISS which are willing to say more, or even to get proof-of-concept exploit code from SecurityFocus. The vulnerability allows authenticated attackers potentially to elevate privileges to LocalSystem. Here we are, 6 months later, and Microsoft still has not patched this vulnerability. What's up with that? "Dustin" from the Microsoft Security Response Center recently addressed the question in a blog on Technet, following an update to the advisory to note the availability of the proof-of-concept code. It's worth noting that this vulnerability isn't really near the top of the scare list. Most of those 3rd parties you see linked on the CVE page rank it down a few notches. Even the usually hyperbolic Secunia calls it "Less Critical" (2 out of 5, 1 step up from "Not Critical"). Furthermore, back in April Microsoft provided workarounds which it says are effective against the proof-of-concept, at the cost of some administrative burden. They also say that they are unaware of any real-world attacks on this vector. You can find more details from Microsoft on the bug in Nazim's IIS Security Blog and the Security Vulnerability Research & Defense blog. Still, 6 months! What Dustin said was "...we began our investigation and immediately realized it would not be trivial to address this issue without introducing new risks." They're still testing and developing a fix. 6 months later. It would seem that the obvious fixes all cause some serious problem, perhaps breaking 3rd party code. Is this inherently unreasonable? It's getting there. The list of affected software includes most of the important versions of Windows. It may be that some of the time this has taken has gone to working with my speculative 3rd parties to update their own software, so that the fix won't have the same impact. But let's not forget that this is not an easily exploitable bug. It's not wormable in any way and by the time it's invoked other serious breaches of security have to have happened. So I guess it's worth it for Microsoft to take their time doing it right.

Trick or Treat

Wed, 08 Oct 2008 20:00:00 +0000

October's here, and you can't escape the coming onslaught of Halloween. Children (and quite a few adults) dressed up as vampires, ghosts, goblins and other scary creatures, going around asking people for treats and threatening them with tricks if they don't provide them. A cynical person might boil it down to a a combination of scare tactics and extortion. So what does this have to do with IT security and compliance? Unfortunately, the way security and compliance professionals have traditonally gone about obtaining funds and resources for tools and projects necessary to do their jobs all too closely parallels what happens on Halloween. We frequently use scare tactics such as new threats (the trick) to get management to cough up the funding and resources (the treats) we need to accomplish what we view as our jobs...

Links List 10.3.08

Fri, 03 Oct 2008 16:55:16 +0000

Well finally, an upside to the financial crisis – more students in computer science. After the dot-com crash, enrollment went down in computer science, almost 50% since 2003. Many students shifted their interest from the technology field to banking and finance because they thought they’d make more money. And now the financial crisis could scare them into choosing majors and careers that are “safer alternatives”, like IT. And perhaps the trend is reversing for those already on Wall Street as well. Ben Worthen writes about the influx of resumes Kodiak Venture Partners has been getting: from financial-services vets who want to work at tech startups, – not to “strike it rich” this time around, but just to make a living. And it’s not just the tech workers. Seems like the ones that don’t even have any real IT experience are looking too – for jobs as VPs of marketing (harrumph). (img from www.fas.org)

I’m sure you already know about the other “network management” – where ISPs and carriers get their hands publicly slapped for limiting bandwidth to high-traffic offenders. But when is this kind of “network management” a good thing? At a panel sponsored by the FCC in DC, reps from carriers and ISPs discussed what steps they’ve been taking to prepare for a pandemic or other major global crisis – that would force workers to stay at home or work from more remote locations to limit exposure.

Are people paying attention to ICANN? They’re saying that IPv4 will be fully allocated in the next two or three years. Does anyone care? In their bid to make people care, ICANN talks about the state of IPv6 adoption and touts Africa as the most rapid adopter.

SOA soon part of the ‘cloud’? No, please no.

Microsoft – The Silver Lining in Every Cloud. Joe Wilcox over at eWeek’s Microsoft Watch, has been following Steve Ballmer around and collecting some nice quotes on how the company is transitioning. “For many years, we had kind of what I would call the all-encompassing mission, vision and scorecard statement: a computer on every desk and in every home. …Well, our footprint and portfolio is broader than that. “ [In every hand and of course, in every cloud…] “So, as a vision statement we talk about creating seamless experiences that combine the magic of software, the power of the Internet across a world of devices.” The magic of software – something I haven’t thought about for a while. And:

“You need a real platform in the cloud. When we wanted to go after the PC, we built an operating system. When we wanted to go after the phone, we built an operating system. When we wanted to go after the enterprise, we built an operating system. We’ll announce a new operating system, one that runs in the cloud and has a wide variety of capabilities.”

Hot Dogs are Not Bombs

Tue, 30 Sep 2008 02:58:16 +0000

Another bomb scare.

Malware Infected Spam Threatens To Suspend Internet Access

Wed, 17 Sep 2008 16:47:32 +0000

Spammers are constantly using simple social engineering tactics that scare people into opening malicious files. This is definitely not a first time and it seems this method is rather successful. TrendLabs reports a new form of spam email containing a malicious file attachment that have been spreading over the Internet. This time the subject is [...]

PCI Doesn't Scare one FSI

Sun, 07 Sep 2008 20:00:00 +0000

While in Australia last week, I had lunch with the risk and compliance manager from a large financial institution. We had a lively discussion centered on compliance (I know, most people don't find compliance that exciting, but this was the right group for this conversation!)

Early in the conversation, the topic of the PCI Data Security Standard arose. This entity is beginning to look at the Standard's implications, and, based on reactions I've seen from other customers, I expected to hear a lot of frustration and annoyance. But, I asked the question anyway: "So, are you concerned about having to deal with the PCI requirements?"...

Spamblogs Pushing Rogue Antivirus Programs

Mon, 11 Aug 2008 14:50:05 +0000

Nothing earth-shattering, but worth a mention anyway. I've noticed a couple of blogs pushing security blog feeds are also hawking pretend Youtube vids:

Click to Enlarge

When the videos are clicked, you'll find your browser vanishes down onto the taskbar, replaced by this sitting in the middle of the screen:

Once you click the popup box away, you're confronted with this:

Click to Enlarge

...a randomly selected rogue antivirus product. From here on it, any and all attempts to get rid of this page results in an endless barrage of popups, scare tactics ad hilariously lame warning messages (note the first one is called a "Security Update"):

Wow, they just get more and more hysterical, don't they?

The site to block that's pimping the fake videos is

thoughtcrime(dot)blogtodo(dot)com

CNN Daily Top 10 Videos Spam

Tue, 05 Aug 2008 14:50:01 +0000

Like me, you've probably had quite a few "CNN Top 10" emails through over the last day or so. Here's just two of the many, many mails I've had through to various mailboxes:

If you opened up any of the mails, you'd have seen this:

Click to Enlarge

The first clue that something might have been amiss is the strangeness of some of the titles ("Michael Jackson sued by his own dog" isn't something I'd expect to see on CNN, at least not yet). Of course, the giveaway is that regardless of what link you click on, each one takes you to a website that isn't CNN.com - in fact, they all point to the same "video".

Click to Enlarge

If you download and install the file offered up, horrible things will start happening to your PC. Let's put it this way - anyone expecting to see Michael Jacksons dog in a courtroom is going to be severely disappointed.

Before long, your desktop will look like this:

Click to Enlarge

You'll have warnings like these:

And a rogue antivirus product will magically appear on your desktop:

Click to Enlarge

Worst of all, look at the name of one of the fake infections they try to scare the user with.

There's subtlety, then there's this:

....if you want to avoid your computer contributing to the "terrorist threat", don't open up any emails claiming to contain CNN videos.

Even if its Michael Jackson and his dog.

Get Involved Now In Cloud Computing Discussions

Thu, 24 Jul 2008 06:55:19 +0000

This week Amazon’s Simple Storage Service (S3) suffered a major outage that affected several websites that rely on the service. This is actually the second major outage for Amazon S3 this year. As a result of these and other reported outages, some companies will come to question whether they should pursue these new cloud-based services in the future. I agree with Nick Carr, whether you’re a startup looking to rely on the cloud almost exclusively for computing power and storage capacity or you’re a brick and mortar company who may want to use SaaS services for CRM or an online backup service, these outages should not scare companies away from cloud-based services. Outages are inevitable; no one, not the most sophisticated internal IT shops on Wall Street, or the largest service providers can offer 100% availability all the time. Amazon threw everything it had to fix the problem and was able to address the outage in several hours. How well would you be able to execute on your disaster recovery plan if you had a major outage?

Instead of avoiding cloud-based services, organizations need to be savvier about security and resiliency of the service provider. In fact, your organization may already be in pursuit of these services. Online backup is becoming a viable alternate to premise-based solutions for PC backup as well as remote office backup. Next will be a number of services related to information management such as online archiving and online records management and more online storage offerings to support low cost storage. Further down the road, there will also be hosted, multi-tenancy Exchange solutions. Get involved in these discussions. Don’t take it for granted that the potential service provider has hardened data centers that meet Tier III or Tier IV classifications (these classifications describe data center site infrastructure and topology, Tier IV is the highest rating), that your data is replicated to another data center, that your data is encrypted in flight and at rest and that the service provider has strong security measures in place so that administrators can support the infrastructure but not access or even see your organization’s information. Organizations should have consistent processes before, during and after the contracts have been signed.

And, when you ask about SLAs regarding resiliency, keep in mind that there will be some downtime for routine maintenance and that some unplanned downtime is inevitable. Consider a service provider that might boast about 99.9% availability (8 hours/year outage for 24x7). What is the difference between the following?

· 8 AM to 4 PM on the last Friday of the quarter

· Biweekly outages of 30 min at 4 AM local time

Timing and duration are more important than total downtime/outage.

Get involved in these discussions but be careful not to come off as the obstacle or as the doomsayer. Quite the opposite, you want to be seen as the enabler. Help the organization understand some of the potential risks but then help the organization define its resiliency requirements, security requirements, and risk tolerance. When the organization knows this, it can more confidently go out and select the right service provider, negotiate the appropriate SLAs and be prepared ahead of time with contingency plans for any potential service outages.