A Great Windows Maintenance Find for FREE

Posted on by
Reply

A few days ago I stumbled onto a pretty decent Windows maintenance tool I wanted to share. It is called Advanced WindowsCare Personal and is available from snapfiles.com here.

Overall, this is a pretty great tool. It is very easy to use and does a lot of tuning and preventative maintenance for Windows systems – especially home and end-user systems that might not have a corporate IT person to take care of them. It does a good bit of clean up around the system, helps to protect it against spyware and some malware. While not a full anti-malware solution, it does make some basic registry changes to help prevent installation of the most common spyware and other bad stuff.

It did a very nice job of helping me tune a Windows system that I was messing with and in running basic management functions and maintenance tasks. I am not sure I would upgrade to the “Pro” version, but for a free utility, this one is pretty good.

If you still have Windows systems to manage, especially for family members and the like, this may be worth the time to install for them and spend 15 minutes teaching them to use it. Likely, they can repair most of their own problems using the tool, instead of calling you over to Aunt Millie’s for tech support. 😉

Ohio Votes Today

Posted on by
Reply

The day for the Ohio primary is here. With a ton of media attention focused on our state, a new voting process in place and the removal of the touch-screen systems our primary is certain to have its ups and downs today.

When we reviewed the security of the Ohio voting system, we did find some serious issues. However, the optical scanning systems from our review were less prone to problems under normal voting use than the touch screens. Therefore, we agree that the optical scanners are a more secure choice, especially in the way that our Secretary of State has outlined their use.

Voters in Ohio today should expect some lines and a small amount of confusion and hype. But, careful review of your ballot, care marking of your selections and following the published procedures should make the process easy, reliable and interesting. Our only words of caution are to ask for another ballot if you make a mistake and refrain from marking anywhere except in the square of your chosen candidate. Again, take a few moments and review the ballot before you turn it in.

The Secretary of State has taken great measures to ensure oversight and accountability for all votes and voters around our state. The various boards of election and other officials have also taken great steps toward improving the security of the process. They are all to be commended for achieving the progress we have made thus far, in such a short amount of time.

While there is still quite a bit of work to be done around electronic voting and elections security; today is a good day to look at the work we have done so far. Together, citizens, politicians and government can work to find a useful, reliable and secure way to continue the wonderful democracy that we, as Americans, enjoy.

Do your part. Vote. Stay engaged in the debate about electronic voting and don’t be afraid to let others know what you think…

New Advanced Botnets Discovered

Posted on by
Reply

Previously undetected botnets have been found to be running under the radar. The largest one has gained the name “MayDay”. MayDay has not infected a lot of systems yet, like Storm has, but has advanced capabilities to evade detection. Notably, it’s able to send HTTP traffic through an enterprises proxy. The bot also uses peer-to-peer technology, through two channels, to stay in contact. The bot appears to be using both TCP and ICMP for data transmission.Even though this bot isn’t a large threat yet, it shows that bot development isn’t going to stop any time soon. Bot writers are getting smarter and more clever, while detection and analysis techniques are lagging behind.

Increase in European “Options” HTTP Scans from Linux Systems

Posted on by
Reply

Over the weekend, we saw a large increase in HoneyPoint captures of HTTP fingerprinting scans using the “Options *” technique. Even more interesting was that nearly all of these scans originated in Europe. The scans were all originated from Linux boxes and simple port probes show all of the boxes to be running OpenSSH 4.3 (some with p2). Other ports show no consistency on the originating systems.

Clearly, it could be a coincidence, but for multiple hosts to show only that correlating port, it could also be a specific exploit for OpenSSH 2.4. Additional research shows a few known issues with this version of OpenSSH. Perhaps a new bot-net is being launched by leveraging this vulnerability?

We are deploying additional SSH HoneyPoints to try and capture more data about possible exploitation of systems meeting these implementations.

Editor’s Note: The current version is OpenSSH 4.7/4.7p1 – so if you are using older versions (including 4.2/4.3) you should upgrade as soon as possible to the current revision.

Post revised to update for identified existing OpenSSH issues. 

More Chinese Scans for Web Bugs

Posted on by
Reply

This morning I was checking through my usual HoneyPoint deployments and it was a normal day. As usual, the last 24 hours brought a large number of web application bug scans from hosts in China. They are the normal PHP discovery probes, some basic malware dropper probes against known web vulnerabilities and a ton of web server fingerprinting probes from various Chinese hosts.

China has now surpassed the US as the source of most global probes and attacks, a least according to Arbor. Check out the China profile here.

One of my close friends, JK, claims that there is a massive initiative underway in China to map the Internet on a global scale and to have a fairly up to date global vulnerability matrix for the world’s systems. While this could be true, and is certainly possible, with a large enough set of bot-infected hosts that dropped data back to a centralized database, it is an interesting thought.

For sure, these probes and scans exist on a global basis. Our international HoneyPoints pick up much of the same Chinese traffic as our US ones. Perhaps a quick check of some of your logs will show the same. Much discussion of pro-active blocks against Chinese address space is underway in several organizations. Perhaps this is something we should all think about?

Hardware Security Testing Presentation & MP3 Available

Posted on by
Reply

The pdf of the slides and the audio from yesterday’s presentation on Hardware Security Testing is now available.

You can get the files from this page on the main MicroSolved site.

Thanks to the many who attended and who sent me the great feedback this morning. I am really glad everyone liked the content so much!

Check out the next virtual event scheduled for March 25th at 4 PM Eastern. The topic will be 3 Application Security “Must-Do’s”.

Here is the abstract:

This presentation will cover three specific examples of application security best practices. Developers, security team members and technical management will discover how these three key processes will help them mitigate, manage and eliminate risks at the application layer. The presenter will cover the importance of application security, detail the three key components to success and provide strategic insight into how organizations can maximize their application security while minimizing the resources required.

We look forward to your attendance. Email info@microsolved.com to sign up!

Multiple IBM AIX Vulnerabilities

Posted on by
Reply

Vulnerabilities have been discovered in AIX’s X server and inet_network libc library that can lead to a number of threats. These include the execution of arbitrary code in a root context, Denial of Service, or exposure of sensitive data. The original IBM advisories are located at:

AIX X server multiple vulnerabilities

AIX libc inet_network buffer overflow

Underground Cyber-Crime Economy Continues to Grow

Posted on by
Reply

I read two interesting articles today that reinforced how the underground economy associated with cyber-crime is still growing. The first, an article from Breech Security, talked about their analysis of web-hacking from 2007. Not surprisingly,  they found that the majority of web hacking incidents they worked last year were geared towards theft of confidential information.

This has been true for the majority of incident response cases MSI has worked for a number of years now. The majority are aimed at gaining access to the underlying database structures and other corporate data stores of the organization. Clearly, the target is usually client identity information, credit card info or the like.

Then, I also read on darknet this morning that Finjin is saying they have been observing a group that has released a small P2P application for trading/sale of compromised FTP accounts and other credentials. Often, MSI has observed trading and sale of such information on IRC and underground mailing lists/web sites. Prices for the information are pretty affordable, but attackers with a mass amount of the data can make very good incomes from the sale. Often, the information is sold to multiple buyers – making the attacker even more money from their efforts.

Underground economies have been around since the dawn of capitalism. They exist for almost every type of contraband and law enforcement is usually quite unsuccessful at stamping them out. Obviously, they have now become more common around cyber-crime and these events that have “bubbled to the surface” are only glimpses of the real markets.

It is critical that information security teams understand these motivations and the way attackers think, target victims and operate. Without this understanding, they are not likely to succeed in defending their organizations from the modern attacker. If your organization still spends a great deal of time worrying about web page defacements and malware infections or if your security team is primarily focused around being “net cops”, it is pretty likely that they will miss the real threat from today’s cyber-criminals and tomorrow’s versions of organized crime.

Thunderbird 2 MIME vulnerability

Posted on by
Reply

Mozilla Thunderbird 2.0.0.9 has been found to contain a heap buffer overflow vulnerability due to the way it handles external-body MIME types. Systems running this version of Thunderbird are vulnerable to compromise or the execution of arbitrary code via specially crafted email messages. You should update to Thunderbird 2.0.0.12 as soon as possible.

Mozilla’s advisory is located at: http://www.mozilla.org/security/announce/2008/mfsa2008-12.html

ICQ Vulnerability Should Increase Your Vigilance

Posted on by
Reply

A newly discovered format string error in ICQ version 6 build 6043 once again highlights the need to be cautious about who you are conversing with. Interaction  with the embedded Internet Explorer component can allow specially crafted messages to execute arbitrary code on the affected system. Make sure that you only open messages from known and trusted contacts.  It is a good idea to clean unknown or untrusted contacts from your contact list and enable the “Accept messages only from contacts” option. The build named above is known to be vulnerable other versions may also be affected