Secure San Diego

It is time for me to pick things back up. It has been along time since I have done anything with this blog and I need to start things back up. If you have any ideas about posts drop me a line.

This week contained the proverbial MSFT patch Tuesday, this set of patches contained 8 advisories patching items from Internet Explorer, MS Office Components, Windows Explorer, etc.. So in all this was a pretty heavy Black Tuesday for MSFT.

The Fail

As MSFT was releasing their patches another group of people were releasing their own little bug. On Tuesday morning as the patches from MSFT were being released several online publications starting reporting a new IE 0day exploit in the wild. All the publicity started here at PC World and from there it just rolls down hill.

The flaw was made public in Chinese language discussion forums two days ago by a security group called the Knownsec team. In tests, it worked on IE 7 running on Windows XP, Service Pack 2.

Since the initial report out of PC World the news starts to spiral out of other media outlets. However nothing  good gets published until HD Moore does some really good analysis on the exploit over at the Breaking Point Security blog.

Defenses

1. Start off by switching browsers to FireFox. You can get it here.
2. Enable DEP on your system,

Until MSFT releases a patch for this I would recommend switching to another browser.

Tags: Malware, Virus

To all you online bill payer users using the CheckFree systems out there, you may not know who you are (check with your financial institution). There was a successful attack against them on Dec 2nd that modified their DNS records pointing their sites to a server in the Ukraine.

So whats the scope here. It seems that someone out there took over the DNS settings for CheckFree and redirected, high jacked, the CheckFree online bill pay sites to another web site. From what we are told, when a user attempted to access a checkfree bill pay site through their financial institution they were directed to a blank screen. How ever if you went directly to the online bill pay from check free you were directed to another site that was a replica of ChekFree’s that also attempted to install password-stealing software on the victims machine.

You can read more from Security Fix here and here.

In addition CheckFree has started to send out emails to users that they fell “could” have been effected by this attack.

December 7, 2008

First Initial, Last Name
Address
SAN DIEGO, CA Zip Code

Dear First Initial, Last Name,

We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may be infected with malicious software that puts the security of your computer’s contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.

The malicious software affects some but not all customers who accessed online bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

* You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
* You were using a computer with the Windows operating system, and
* You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
* After reaching the blank screen, your computer’s virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. We have arranged with McAfee, the world’s largest dedicated security technology company, to provide you with an assessment of your computer’s hard drive and remove any malicious software. Please contact us at 877-800-4864 for further instructions or 800-564-9184, Option 1 for further instructions. We will also offer you both advice and free services that can help you mitigate any risk you may face as a result of this incident or other everyday exposures you may encounter.

We value your business and your trust, and we apologize for any inconvenience this recent incident has caused.

Thank you,

Art D’Angelo

Vice President, CheckFree Customer Operations

If you feel that you may have visited the Check Free site during those times or are just worried. Update your virus scan software and run a complete scan. You can also visit various AV vendors web sites for online virus scans of your computer.

Does this mean you should stop using online banking? No of course not, however you should look into browser toolbars that can help in identifying sites that are Phishing or just plain wrong. One of my favorites is the Trace tool bar from TraceSecurity. Most security tool bars out there only use what is called a blacklist, know bad sites, this is a method that is always reactive in nature (one step behind, like Antivirus vendors). The Trace tool bar using a whitelist. This method is more ideal in that it keeps a list of know good, and can alert you to any change in the location of your financial instutions web site. In the case of Check free DNS highjack, it could have alerted the user that the checkfree web site was no longer loading from the know good location. Read more about and download the Trace tool bar here.

Tags: Malware, OnLine Banking, Phishing

This week in SD

This week has been a busy one here in San Diego with the news. Some security related and others not so much. The two stories that caught my attention this week and have some security relevance are Economy Could Force Police Protection Cuts and Quake Drill Leaves San Diegans Shaken.

How would a city compensate for loosing around 19 officers? Seems like a knee jerk reaction in attempting to balance the budget. There has to be other areas they could cut budget. Idea – Instead of using city employees to manage and clean parks, call for a citizen group to volunteer their time in coming out to clean. Leave the police alone when it comes to budget. The last thing the city of Escondido needs is to cut loose some of its officers.

The Big One

What would you do if the big one struck southern California? Do you have all your items stored in containers that could resist fires, flooding, or just the collapse of your house? Well I can say not all of our “stuff” is protected to that nature and this drill does hit home a little. One thing we have done with our children is, to have a drill of our own. How to get out of the house in the event something happens. Some items that my family is thinking about when it comes to the “big one” or even a break in and theft of all our stuff are:

• How are our financials stored and backed up
• How do we store our birth certificates and other personal identifying information
• The storing of other valuable items will they make it through a fire, flood or other disaster

Some recommendations are:

• encrypt your hard drives or at least password protect and/or encrypt financial information on computer systems
• Make sure you have a backup of those items stored elsewhere – there are some good and inexpensive online backup companies (we use carbonite)

As you read this I am sure that you can come up with items yourself that needs to be mentioned please do so.

Tags: News, This Week in SD

Reminder to anyone that reads here. I will be teaching the above course here in San Diego starting December 9th. You can get event details here http://www.sans.org/mentor/details.php?nid=15064 and to register go here https://www.sans.org/registration/register.php?conferenceid=15064

Summary of the course.

This course addresses the latest cutting-edge insidious attack vectors and the oldie-but-goodie attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack-attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents, a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them, and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

I hope to see you there.

Tags: SANS, Training