Tuesday, August 16, 2005
Major Disruption by Worm Underscores Need for Patching
In the evening of August 16, 2005, anti-virus vendors, news organizations, and computer security firms were reporting that two worms which exploit a security hole in computers running Windows 2000, and perhaps early versions of Windows XP, are propagating rapidly. One expert indicated the worms have the potential for exponential growth. Last week, BOL reported on the newly released Microsoft security patches which are designed to fix this security hole, and others.
Once a security hole is discovered and made public, it is only a matter of time before attackers go into overdrive looking for machines that still have it. That's why it is so essential to test security patches as soon as they become available and to deploy them as soon as you have confirmed they will not negatively impact critical systems.
In a warning put out this evening by anti-virus firm TrendMicro, the company said about the worm:
It also has backdoor capabilities, and may execute commands coming from a remote malicious user. This provides remote users virtual control over affected systems, thus compromising system security.
As a form of an anti-debugging technique, this worm also gathers Web sites from RSS feeds, then randomly sends these sites as messages in the IRC channel it is connected to. It does this in order to confuse or mislead anyone who is monitoring the IRC channel from the real IRC commands it issues.
================
Among those reportedly affected were CNN, the New York Times, and ABC, illustrating that it's not just naive home users or small businesses that get hit. Patch management can be even more of a challenge for large enterprises. One news story also just reported that at least two Canadian banks were affected. News Story.
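The Trend Micro description above says the worm pads its IRC command channel with links pulled from RSS feeds so that anyone watching the channel cannot easily pick out the real commands. What follows is an added example, not code from this page, from Trend Micro, or from the worm itself, of how a channel monitor can sift such a log: it parses PRIVMSG lines, treats messages that start with an assumed command prefix as instructions, and counts headline-plus-URL messages as feed filler. The nicks, hosts, URLs, the #ops channel and the "." command prefix are all constructed for illustration; the advisory names none of them.

```python
import re
from collections import Counter

# Constructed sample of raw IRC lines, as a channel monitor might capture them.
# Nicks, hosts, URLs and the "." command prefix are illustrative assumptions.
SAMPLE_LOG = """\
:controller!ctl@10.0.0.5 PRIVMSG #ops :.scan 10.20.0.0/16 445
:bot-a1!x@192.168.1.10 PRIVMSG #ops :Local team wins regional final http://news.example.com/sports/123
:bot-b7!x@192.168.1.22 PRIVMSG #ops :Markets close higher http://news.example.com/biz/456
:controller!ctl@10.0.0.5 PRIVMSG #ops :.download http://10.0.0.5/update.exe
:bot-a1!x@192.168.1.10 PRIVMSG #ops :Weather: storms expected http://news.example.com/weather/7
:bot-b7!x@192.168.1.22 PRIVMSG #ops :Council approves budget http://news.example.com/local/88
:controller!ctl@10.0.0.5 PRIVMSG #ops :.stop
PING :irc.example.net
"""

PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)
URL_RE = re.compile(r"https?://\S+")
COMMAND_PREFIX = "."  # assumed: the advisory does not say what prefix the real bot uses


def parse_privmsg(line):
    """Return the fields of a PRIVMSG line, or None for any other IRC message."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def is_command(text):
    return text.startswith(COMMAND_PREFIX)


def is_feed_noise(text):
    """A headline-style message carrying a URL and no command prefix.

    Checked after is_command: '.download http://...' also contains a URL
    but is an instruction, not feed filler.
    """
    return not is_command(text) and URL_RE.search(text) is not None


def triage(log_text):
    """Split a channel log into probable commands and RSS filler, per sender."""
    commands, noise_by_nick = [], Counter()
    for line in log_text.splitlines():
        msg = parse_privmsg(line)
        if msg is None:
            continue  # PING, JOIN, etc. carry no channel text
        if is_command(msg["text"]):
            commands.append({"nick": msg["nick"], "host": msg["host"], "text": msg["text"]})
        elif is_feed_noise(msg["text"]):
            noise_by_nick[msg["nick"]] += 1
    return {
        "commands": commands,
        "controllers": {c["nick"] for c in commands},
        "noise_by_nick": dict(noise_by_nick),
        "noise_count": sum(noise_by_nick.values()),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for c in result["commands"]:
        print(f"COMMAND from {c['nick']}@{c['host']}: {c['text']}")
    print("filler messages per nick:", result["noise_by_nick"])
```

Two things fall out of the sifted log that the raw channel hides: the controller's nick and host (the only sender issuing prefixed commands), and a list of infected hosts, because every nick that emits feed filler is running the worm. The prefix heuristic is an assumption, so treat it as a first filter rather than proof; correlating a message's timestamp with scanning or download activity on the hosts is the more reliable tiebreaker.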
See anyone you know?

Sixteen people were arrested by ICE (U.S. Immigration and Customs Enforcement) and Secret Service in what they're calling Operation Card Shark. Card Shark seeks to break up false document schemes.
In its latest bust, authorities seized a large quantity of counterfeit Social Security cards, other fake IDs, and equipment for making the false identity documents.
Next time you're opening an account or making a loan using some sort of ID as verification of identity, conjure up a mental image of this picture and let it motivate you to examine the document just a bit more closely, so that you're sure who you're really dealing with.
Monday, August 15, 2005
National Vulnerability Database from NIST
Every IT professional should bookmark the new cyber vulnerability resource from NIST (National Institute of Standards and Technology). Sponsored by the Department of Homeland Security National Cyber Security Division and US-CERT, the new National Vulnerability Database (NVD) integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. As of the time of this writing, the database contains 12,006 vulnerabilities (!), 491 US-CERT Alerts, and 1,097 US-CERT Vulnerability Notes.
Recent vulnerabilities are chronicled in reverse chronological order. The one posted today involves a popular Web site stat-tracking program. Each vulnerability is briefly described and its severity is rated.
Access the NVD.
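As an added illustration of why a dated, severity-rated feed is useful to a patching team (this is not code from NIST or from the NVD site as it existed in 2005): the script below takes a set of NVD records, orders them newest first as the NVD page does, pulls the CVSS score and severity from whichever CVSS version is present, and lists what should be looked at first. The JSON shape is that of the current NVD API 2.0 (the 2005 site published XML feeds), and the records and CVE ids are constructed placeholders, not real entries.

```python
import json
from datetime import datetime

# Constructed NVD API 2.0-style response. The CVE ids are placeholders, not real entries.
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "published": "2005-08-15T10:00:00.000",
                 "descriptions": [{"lang": "en", "value": "Cross-site scripting in a web statistics package."}],
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 4.3}, "baseSeverity": "MEDIUM"}]}}},
        {"cve": {"id": "CVE-0000-0002", "published": "2005-08-09T08:30:00.000",
                 "descriptions": [{"lang": "en", "value": "Remote code execution via an unauthenticated RPC interface."}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}],
                             "cvssMetricV2": [{"cvssData": {"baseScore": 10.0}, "baseSeverity": "HIGH"}]}}},
        {"cve": {"id": "CVE-0000-0003", "published": "2005-07-01T00:00:00.000",
                 "descriptions": [{"lang": "en", "value": "Information disclosure in a log viewer."}],
                 "metrics": {}}},
    ]
})

# Newest CVSS version first; NVD records may carry several versions at once.
METRIC_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def pick_score(metrics):
    """Return (baseScore, severity) from the newest CVSS version present, else (None, 'UNRATED')."""
    for key in METRIC_KEYS:
        entries = metrics.get(key) or []
        if entries:
            entry = entries[0]
            data = entry.get("cvssData", {})
            # v3.x keeps baseSeverity inside cvssData; v2 puts it beside cvssData.
            severity = data.get("baseSeverity") or entry.get("baseSeverity") or "UNRATED"
            return data.get("baseScore"), severity
    return None, "UNRATED"


def summarize(response_json):
    """Flatten NVD records into dicts, sorted newest first like the NVD listing."""
    items = []
    for v in json.loads(response_json)["vulnerabilities"]:
        cve = v["cve"]
        desc = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        score, severity = pick_score(cve.get("metrics", {}))
        items.append({
            "id": cve["id"],
            "published": datetime.fromisoformat(cve["published"]),
            "score": score,
            "severity": severity,
            "description": desc,
        })
    items.sort(key=lambda i: i["published"], reverse=True)
    return items


def needs_attention(items, since, min_score=7.0):
    """Entries published on or after `since` (ISO date string) that are rated
    at or above min_score, or that carry no rating yet and so cannot be deferred."""
    cutoff = datetime.fromisoformat(since)
    return [i for i in items
            if i["published"] >= cutoff and (i["score"] is None or i["score"] >= min_score)]


if __name__ == "__main__":
    for i in summarize(SAMPLE_RESPONSE):
        print(f"{i['published']:%Y-%m-%d} {i['id']} {i['severity']:>8} {i['score']}  {i['description']}")
    print("look at first:", [i["id"] for i in needs_attention(summarize(SAMPLE_RESPONSE), "2005-08-01")])
```

The threshold and the "unrated counts as urgent" rule are choices to adjust to your own environment; the point is that severity and publication date together decide the order in which the patches get tested and rolled out, which is exactly the sequencing the worm post above argues for.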
NASD warns investors about wireless risks
The National Association of Securities Dealers recently issued an Investor Alert which addresses, among other things, the need for consumers to exercise caution when connecting to brokerage accounts from wireless hotspots.
Financial institutions that haven't done so already may want to think about giving their online banking customers similar warnings about the risks of evil twinning (sometimes called WiPhishing), sniffing, and other wireless dangers.
Also, the NASD issued a reminder to its members of their obligation to safeguard customer information. Page 3 of the bulletin outlines the risks posed by wireless technology and remote access. Read the bulletin.
NASD's Investor Alert contains the following suggestions for consumers about using wireless:
First, follow general best practices for securing any Internet-connected computer:
Keep your computer up to date with the latest security updates
Install a firewall and anti-virus software on any laptop or PC with wireless connectivity
When accessing your personal financial information online, you should have a secure web connection at all times - the web site address should start with "https://" instead of "http://" and you should see a secure symbol such as a closed padlock or key on the status bar in the lower right part of your screen
If authorized, use a Virtual Private Network (VPN) which offers protections that standard networks do not
Next, take some special precautions when connecting to a wireless network:
When in any doubt about the security of a hotspot, don't use it for conducting confidential business
Shut off wireless connectivity or remove the wireless network card if you leave your computer unattended
Disable wireless ad hoc mode. This is a setting that allows all wireless devices to find and communicate with other wireless devices within range. Disabling this mode prohibits networks that you didn't create from using your wireless software, and will also prohibit any unknown or rogue connections
Disable file and printer sharing capabilities when visiting hotspots
Read more about the NASD's alert to investors here.
Tuesday, August 09, 2005
Never Assume a Bomb is Fake
It's true. Most of the time, when a robber says he has a bomb, or shows what is supposed to be a bomb, it's really not one. It may be an alarm clock with some empty paper towel rolls tied on to pose as dynamite. Perhaps it's a Mutant Ninja Turtle lunchbox with nothing but a half-eaten cheese sandwich inside. It's more likely than not that it's something other than an explosive device.
A recent robbery, however, drives home the point that you can never assume a bomb is fake. Until law enforcement authorities have ruled the device or package a non-threat, you must treat it as if it could detonate.
A few weeks ago, a robber walked into a Colorado Springs credit union with a backpack on, removed what he said was a bomb, and placed it on the counter while demanding cash. After grabbing his loot, he left the device, about the size of a 12-ounce cup, on the counter and made his getaway. Bomb technicians determined it was real and disabled the unit before it could explode.
Remind your staff of these basic premises: assume a robber has a gun if he says he does; assume any gun is loaded; assume the idiot will shoot, if provoked; assume whatever weird device the bandit is wagging around will explode if given the opportunity. That's the way you stay alive.
Checked your robbery stats lately?
Bank robbery is a crime of opportunity. Some bandits simply hear a news story about a heist and think it might be easy. Evidently, a few of their synapses aren't firing, as they're failing to factor in FBI agents on their tail, federal prosecution, and time in the slammer. For other individuals, it's a career choice. They are the repeaters, the serial robbers who just can't seem to quit.
Some law enforcement agents believe that the widespread methamphetamine problem is fueling a surge in bank robberies in certain jurisdictions, but the motivations of the individual robbers are generally as unique as the robbers themselves, and they come in all ages, sizes, ethnicities, backgrounds and genders. The FBI recently noted that there had been 125 bank robberies in the Denver area by the first part of July. The total for the area for the entire previous year was just 151, indicating a huge increase year to date. Chicago FBI officials have indicated they are seeing an increase in violent, takeover robberies.
Have you kept track of the trends in your area, and are you taking appropriate preventive measures? If robberies are up in your area, it's time to reinforce employee training, test your camera system, get rid of overused video tapes, and consider posting a "No Hats, No Sunglasses" sign. If the level of violence is increasing in heists in your area, review procedures. Test your alarms. Trim your hedges. Reinforce the importance of following proper opening and closing procedures.
Saturday, August 06, 2005
This alert from WebSense Security Labs seems to describe some of the postings we've seen and deleted on the BOL threads. Those few we have seen are made in the middle of the night. When we discover them, or readers click the moderator name to notify us, we take action to delete them. We've had no reports of problems to BOL users caused by these, and we want to keep it that way.
As you should always do on the net, beware of links you didn't ask for and keep your guard up with firewall and virus protection. Notify a moderator when you see these so we may act.
Some of these posts, which appear to be valid news stories, want you to go to sites that will attempt to infect a PC with a Trojan. This can open your PC to use by others.
