Posted by Daniel Tumalad on March 12, 2009
This is Microsoft’s first release for Windows 7 [just being optimistic, hopefully there won’t be alot more to come in the future]. This update is supposed to patch a critical Remote Code Execution bug along with two other spoofing related vulnerabilities.
Now available on Windows Update and Microsoft Download Center.
For more details:
http://arstechnica.com/microsoft/news/2009/03/windows-7-beta-gets-its-first-security-update.ars
Posted in vulnerability, Windows | Tagged: microsoft release, patch, security update, windows 7 | Leave a Comment »
Posted by Jaime Raphael Licauco, CISSP, GSEC on January 19, 2009
Secure Coding and Application Dev
What is probably the most significant security news item of the past week is the release of SANS and Mitre of their Top 25 errors and how to fix them. It’s been said that around 85% of criminal activities on the net stem from the current crop of Top 25 flaws. The Top 25 list is divided into three broad categories namely: Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses.
The PDF version of the Top 25 is available here.
The Software Assurance Forum for Excellence in Code (SAFECode) has made two publications available to help eliminate the Top 25 errors, its Guide to the Most Effective Secure Dev Practices in Use Today, and Software Assurance: An Overview of Current Industry Best Practices.
Social Engineering
A rehash of old tactics can be seen in an E-mail purportedly from Northwest Airlines (but actually carries a zipped trojan file), and malware spreading websites that claim US President elect Obama won’t be taking the oath of office on the 20th. This just strengthens the argument that your personnel and their security awareness training are now your first line of defense, and not your perimeter firewall.
This is related to the fake Christmas and holiday greetings that been sent every year for the past few years, which was seen again this past Christmas.
Malware
The Downadup (also known as Conficker) Worm versions A, B and C that exploits what Microsoft released an out of band patch for in late October ’08, and weak Admin passwords, is said to have infected an “amazing” 9 million PC’s according to F-Secure researchers. If you’re wondering how they got to this astonishing figure, check out F-Secure’s Blog.
(PC World) UK Ministry of Defence Stung by Rapidly Spreading Virus
Secure deletion, reuse or disposal
According to new research led by Craig Wright, it just takes one re-write to securely wipe the data from a hard drive. This talks about a complete sector by sector overwrite of a hard drive.
Articles on this can be found on Heise Security and SecurityFocus. The paper was presented at the Fourth International Conference on Information Systems Security (ICISS) in Hyderabad, India and can be purchased here.
Encryption
Heise Security has published an in depth article on how modern cryptological attacks are done in their article, “Cheap Cracks“.
Patches and Change Management
Oracle released fixes for 41 different flaws this month and Microsoft released a single patch that closed three flaws.
(Heise Security) Numerous security updates from Oracle
(Heise Security) Microsoft closes three holes in Windows
Microsoft issues patches for ‘nasty’ Windows bugs
A vulnerability in SAP GUI has also been found and a patch has been released and is available to registered SAP users.
Other InfoSec News:
In relation to the Anonymization article I wrote about a few days ago, the makers of Tor has announced that their software has zero known bugs.
(Computerworld) Two big, bad botnets gone, but replacements step up
(Computerworld) Critical security projects escape the budget ax
(Heise Security) Banking details can be stolen through a new JavaScript exploit
(Computerworld) Six Worst Internet Routing Attacks
(GO San Angelo.com) US Air Force planning to train hundreds yearly in cyber warfare skills
(Information Week) Thief Steals Sony Ericsson Prototypes
The Windows 7 Beta Team has removed the 2.5 million download limit as stated in the Windows 7 Blog. People can get the Beta until January 24.
Tips:
(Computerworld) How to Secure your Vista PC in 10 easy steps
(Computerworld Blog) Removing malware from an infected PC
The Windows Security Blog has announced a new Beta called Sundance that could help secure Windows and Office 2007 installations.
In relation to what I wrote about around a month ago regarding wireless networks, the crack in the WPA protocol only affects the TKIP version and not AES, so the solution is to simply switch from TKIP to AES as is detailed in this article from Search Security.com, “Cracks in WPA? How to continue protecting Wi-Fi networks“.
(PC Magazine) The Top Tech Tips of 2008 Part 1
(PC Magazine) The Top Tech Tips of 2008 Part 2
Posted in ISMS, News, social engineering, Windows | Tagged: 27001:2005 A.12, 27001:2005 A.9.2.6, 802.11, aes, botnet, Christmas Cards, conficker, downadup, encryption, javascript, malware, SAP GUI, secure deletion, Tor, Wireless, worm | Leave a Comment »
Posted by Jaime Raphael Licauco, CISSP, GSEC on December 8, 2008
Upcoming details for this month’s Patch Tuesday can be found in Heise Online’s Microsoft wants to close six critical holes and PC World’s Microsoft readies Eight New Security Patches.
A Secunia blog states that 98% of all PC’s aren’t fully patched as was also reported in The Register and SCMag UK. No doubt this contributes to the millions of PC’s out there that are used as zombies unbeknownst to their owners. This happens mostly because people have too much confidence in their Anti Virus in stopping all threats. I’ll write about this more in another post, as for now, you might want to check out Secunia’s freely available Personal Software Inspector to check for patches their PCs may need.
Trend Micro researchers though, say that vulnerabilities only play a minor role (5%) in attacks. And that most attacks (53%) come in the form of Social Engineering attacks wherein the user is duped into downloading malware. An example of this would be fake anti-virus products that take up the top three positions in BitDefender’s Top e-threats (Heise Security also gives the list here). Which reminds me of what Zot O’Conner said in his talk at the Renaissance Makati in late October… that you cannot design a security product to defend against a user that just clicks and accepts anything.
In related news, Security Park reports that Human error continues to be the top cause of IT security breaches primarily because individuals are given the option to bypass them.
Other Security News
Center for Strategic and International Studies publishes report on Securing Cyberspace
Distributed SSH attacks bypass blacklists
New variant of DNSChanger in mass DNS hijack
The debate resumes over Mac Security
Identity Theft breaches on the increase in the US
(Security Focus) US Commission calls for Cybersecurity Czar
(Security Park) Free malware search tool helps financial institutions identify web attacks targeting their websites
SANS Webcast on December Threat Update
SANS Webcast on What Works in Security Information and Event Management
(Linux Security) New Wireshark Packages fix Vulnerabilities
(Linux Security) Never Installed a Firewall on Ubuntu? Try Firestarter
(Linux Security) Debian: New Linux 2.6.24 packages fix several vulnerabilities
(NY Times) Thieves Winning Online War, Maybe Even in Your Computer
(Translated by Google) 21 Million German Citizen’s Account Numbers in Circulation
Posted in Change Management, News, social engineering, vulnerability assessment, Windows | Tagged: Antivirus, distributed ssh, Microsoft, patch, patch tuesday, psi, secunia, social engineering, vulnerability assessment, Windows | 1 Comment »
InfoSec Philippines