I will write a review of the class at the end of the week to let you know thoughts on the class.

The Fail

As MSFT was releasing their patches another group of people were releasing their own little bug. On Tuesday morning as the patches from MSFT were being released several online publications starting reporting a new IE 0day exploit in the wild. All the publicity started here at PC World and from there it just rolls down hill.

The flaw was made public in Chinese language discussion forums two days ago by a security group called the Knownsec team. In tests, it worked on IE 7 running on Windows XP, Service Pack 2.

Since the initial report out of PC World the news starts to spiral out of other media outlets. However nothing  good gets published until HD Moore does some really good analysis on the exploit over at the Breaking Point Security blog.

Defenses

1. Start off by switching browsers to FireFox. You can get it here.
2. Enable DEP on your system,

Until MSFT releases a patch for this I would recommend switching to another browser.

So whats the scope here. It seems that someone out there took over the DNS settings for CheckFree and redirected, high jacked, the CheckFree online bill pay sites to another web site. From what we are told, when a user attempted to access a checkfree bill pay site through their financial institution they were directed to a blank screen. How ever if you went directly to the online bill pay from check free you were directed to another site that was a replica of ChekFree’s that also attempted to install password-stealing software on the victims machine.

You can read more from Security Fix here and here.

In addition CheckFree has started to send out emails to users that they fell “could” have been effected by this attack.

December 7, 2008

First Initial, Last Name
Address
SAN DIEGO, CA Zip Code

Dear First Initial, Last Name,

We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may be infected with malicious software that puts the security of your computer’s contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.

The malicious software affects some but not all customers who accessed online bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

* You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
* You were using a computer with the Windows operating system, and
* You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
* After reaching the blank screen, your computer’s virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. We have arranged with McAfee, the world’s largest dedicated security technology company, to provide you with an assessment of your computer’s hard drive and remove any malicious software. Please contact us at 877-800-4864 for further instructions or 800-564-9184, Option 1 for further instructions. We will also offer you both advice and free services that can help you mitigate any risk you may face as a result of this incident or other everyday exposures you may encounter.

We value your business and your trust, and we apologize for any inconvenience this recent incident has caused.

Thank you,

Art D’Angelo

Vice President, CheckFree Customer Operations

If you feel that you may have visited the Check Free site during those times or are just worried. Update your virus scan software and run a complete scan. You can also visit various AV vendors web sites for online virus scans of your computer.

Does this mean you should stop using online banking? No of course not, however you should look into browser toolbars that can help in identifying sites that are Phishing or just plain wrong. One of my favorites is the Trace tool bar from TraceSecurity. Most security tool bars out there only use what is called a blacklist, know bad sites, this is a method that is always reactive in nature (one step behind, like Antivirus vendors). The Trace tool bar using a whitelist. This method is more ideal in that it keeps a list of know good, and can alert you to any change in the location of your financial instutions web site. In the case of Check free DNS highjack, it could have alerted the user that the checkfree web site was no longer loading from the know good location. Read more about and download the Trace tool bar here.

Summary of the course.

This course addresses the latest cutting-edge insidious attack vectors and the oldie-but-goodie attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack-attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents, a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them, and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

I hope to see you there.

Just 2 words for you – PATCH IT

As of 11:00 PM PST there is a known working Exploit in the wild in the form of a worm.

Read all about this in teh links below.

Microsoft Patch Notification

Microsoft TechNet Blog entry

Microsoft TechNet Blog Entry more about

The normal SANS Stuff

Exploit information links below

Good blog entry on the worm/exploit – ThreatExpert

Another Good Entry – Team Furry

Comment as you see fit.