The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.
Week Ending: Friday, July 31, 2009
Note: Be sure to read through to Friday, July 31, 2009. There are two serious issues there that you must be aware of. However, do not ignore Monday through Thursday.
Infrastructure Report for 27 July 2009
So you believe Microsoft Office is the best tool! Perhaps you should re-evaluate.
40. July 23, Computerworld – (International) Microsoft admits it can’t stop Office file format hacks. Microsoft’s plan to “sandbox” Office documents in the next version of its application suite is an admission that the company cannot keep hackers from exploiting file format bugs, a security analyst said on July 23. “What’s been happening is that Office has lots of vulnerabilities,” said Gartner’s primary security analyst. “For the past 18 months, hackers have been fuzzing Office file formats,” he said, referring to the practice of “fuzzing,” a tactic that relies on automated tools that drop random data into applications to see if, and where, breakdowns occur. Fuzzing has been a hacker’s best friend: Microsoft has repeatedly had to patch file format vulnerabilities in Office applications, most recently in July when it fixed a flaw in Publisher 2007 and in June, when it patched seven vulnerabilities in Excel and two more in Word. “What’s happening is that the bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, ‘Okay, we can’t find, let alone fix, every vulnerability. So here’s a way to put a sandbox around the vulnerability.” The sandbox technique mentioned is a new addition to Office 2010, the upcoming upgrade to Microsoft’s bestselling Windows application suite. According to a senior security program manager with the Office team, Office 2010 will sport something called “Protected View” that isolates Word, Excel and PowerPoint files in a read-only environment. The sandbox, said the program manager in a post to a company blog this week, will have “minimal access to the system, and no access to your other files and information. Even if the file is malicious, it can’t get out of the sandbox and do harm to your computer or data.” Source: http://www.computerworld.com/s/article/9135852/Microsoft_admits_it_can_t_stop_Office_file_format_hacks
Infrastructure Report for 28 July 2009
Running Internet Explorer 8? Have you applied the latest patch? You should!
45. July 27, Softpedia – (International) Critical out-of-band patch for Internet Explorer 8. Microsoft is cooking a security refresh for Internet Explorer 8, and earlier supported versions of the browser, that will be released on July 28. According to the Redmond company, the IE update will be accompanied by a security bulletin for Visual Studio. The software giant underlined that, although two separate security bulletins were scheduled for release come July 28, both updates were designed to resolve a single, overall security problem. The move comes as a necessity to ensure that customers benefit from the broadest protections possible explained the director of MSRC. “While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported,” the director noted. The patches coming July 28 are what Microsoft refers to as out-of-band security updates. Source: http://news.softpedia.com/news/Critical-Out-of-Band-Patch-for-Internet-Explorer-8-117601.shtml
Infrastructure Report for 29 July 2009
How do you apply patches? Is it formalized? Perhaps it should be!
37. July 27, DarkReading – (International) Nearly half of companies lack a formal patch management process. An open initiative for building a metrics model to measure the cost of patch management found that one-fourth of organizations do not test patches when they deploy them, and nearly 70 percent do not measure how well or efficiently they roll out patches, according to survey results released on July 27. Project Quant, a project for building a framework for evaluating the costs of patch management and optimizing the process, also rolled out Version 1 of its metrics model. Project Quant is an open, community-driven, vendor-neutral model that initially began with financial backing from Microsoft. “Based on the survey and the additional research we performed during the project, we realized that despite being one of the most fundamental functions of IT, patch management is still a relatively immature, inconsistent, and expensive practice. The results really reinforced the need for practical models like Quant,” said the founder of Securosis and one of the project leaders of the initiative. The survey of around 100 respondents was voluntary; participation was solicited mainly via metrics and patch management organizations, so the organizers say the respondents were most likely organizations that take patch management seriously: “The corollary to this interpretation is that we believe the broader industry is probably LESS mature in their patch management process than reflected here,” the report says. Even so, more than 40 percent of them have either no patch management process or an informal one in place. And 68 percent said they do not have a metric for measuring how well they deploy patches, such as the time it takes them to deploy a patch, etc. One-fourth said they do not do any testing before they roll out a patch, and 40 percent rely on user complaints to validate the success of a patch, according to the survey. And more than 50 percent do not measure adherence to policy, including compliance when it comes to patching. Source: http://www.darkreading.com/database_security/security/vulnerabilities/showArticle.jhtml?articleID=218600827
Infrastructure Report for 30 July 2009
Are you considering an underground data center? A few things to consider!
42. July 28, Computerworld – (International) Data centers go underground. With a renewed focus on data center outsourcing and space in high availability facilities in short supply, investors have snapped up and renovated abandoned mines and military bunkers in the hopes of cashing in. An increase in extreme weather events, heightened concerns about security since the September 11th attacks and the need to provide higher levels of security to comply with regulatory requirements have made these spaces more attractive to some organizations. Before deciding to go underground, IT executives need to identify potential limitations, experts say. Ceiling height can be a challenge to providing sufficient airflow. Another concern is that while computer systems may be protected in a bunker, critical infrastructure needed during a disaster, such as generators, fuel tanks, and air conditioning cooling towers, may be above ground. That could be a problem if the catastrophe is a tornado, warns the chief technology officer at Westec Intelligent Surveillance. Another consideration is that these underground facilities tend to be in rural, out-of-the-way locations. The facilities may be too far away from a company’s primary data center, and finding local lodging for staff in a disaster situation may be difficult. The vice president and general manager at HP Critical Facilities says that security is the primary benefit of using an underground facility to host a primary or secondary data center. But for most of his clients, the ability to get people to the backup data center in a hurry, connectivity options, and finding a facility that meets budget are priorities. Underground facilities usually do not beat out above-ground sites in his clients’ evaluations, he says. The primary benefit of such sites, says an analyst with Gartner Inc., is that they are designed to be highly resilient — often to military specifications. That is important for some government data centers. “But for most commercial enterprises, it probably will not be such a major requirement,” he says. Source: http://www.thestandard.com/news/2009/07/28/data-centers-go-underground?page=0%2C0
Infrastructure Report for 31 July 2009
Today’s news contains two serious issues…thus, sit back and read carefully!
Another virus which warrants your immediate attention!
33. July 29, Spamfighter News – (International) Computer virus Hidrag.a rapidly spreading across networks. Security researchers have found Hidrag.a, a computer virus, which spreads through browser exploits, network shares and IRC (Internet Relay Chat), as reported by Pc1news on July 10, 2009. Researchers state that once the virus is executed, it stays inside the system’s memory and attempts to infect .scr and .exe files running on the infected PC. In addition, Hidrag.a might establish a backdoor that allows an intruder to make an unhindered entry to the infected computer, putting possible banking and financial data at risk. After execution, Hidrag.a makes its own duplicate copy of approximately 36K in size and plants it on the Windows directory by naming it svchost.exe, according to the researchers. Following this, the virus registers the ‘.exe’ file within the auto-run key of the PC’s registry. The researchers also state that Hidrag.a has a connection with various other files like setup.exe, malware.exe and NoDNS.exe. In fact, other security companies also analyzed this virus. While Symantec and McAfee refer to Hidrag.a as W32.Jeefo, Microsoft refers to it as Jeefo.A. Other names given to Hidrag.a are Jeefo-3, Virus.Parite.B, TROJ_FLOOD.AF, and so on. Meanwhile, the security researchers said, the malicious Hidrag.a virus has caused the maximum number of infections in the United States where an aggregate of 43,601 strains of malevolent web traffic has been reported. China, which follows the United States, has as many as 42,597 strains of malevolent traffic owing to Hidrag.a. Along with these nations, Brazil, Japan and India are other countries that are infected with the malicious Hidrag, while the United Kingdom, Germany, France, Italy and Russia have also been infected. Source: http://www.spamfighter.com/News-12803-Computer-Virus-Hidraga-Rapidly-Spreading-Across-Networks.htm
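A hunt-style check for the persistence the item above describes (a svchost.exe copy planted in the Windows directory and registered under the autorun key), written here as an added example rather than anything from the report or the vendors it cites. The registry listing is constructed, and the directories treated as the legitimate home of svchost.exe are an assumption for a stock install.

```python
import ntpath
import re

# Constructed sample of `reg query ...\Run` output (not taken from the report).
SAMPLE_RUN_KEY = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    svchost     REG_SZ    C:\\WINDOWS\\svchost.exe
    NoDNS       REG_SZ    C:\\WINDOWS\\NoDNS.exe
    Updater     REG_SZ    C:\\Program Files\\Vendor\\updater.exe -silent
"""

# Assumption: on a stock install these system binaries live only in these directories.
SYSTEM_BINARY_HOMES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Drop-file names the report ties to Hidrag.a; setup.exe is left out as too generic to hunt on.
HIDRAG_ASSOCIATED = {"malware.exe", "nodns.exe"}

VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")


def executable_path(command: str) -> str:
    """Extract the executable path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    # Unquoted: take everything up to the first token ending in .exe.
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def find_suspicious_autoruns(reg_output: str) -> list:
    """Return (value name, path, reason) for autorun entries matching the report's indicators."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, command = m.groups()
        path = executable_path(command)
        base = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        if base in SYSTEM_BINARY_HOMES and parent not in SYSTEM_BINARY_HOMES[base]:
            findings.append((name, path, "system binary name outside its home directory"))
        elif base in HIDRAG_ASSOCIATED:
            findings.append((name, path, "file name associated with Hidrag.a/Jeefo"))
    return findings


if __name__ == "__main__":
    for name, path, reason in find_suspicious_autoruns(SAMPLE_RUN_KEY):
        print(f"{name}: {path} ({reason})")
```

On a live host the same function can be fed the output of `reg query` for the HKLM and HKCU Run keys; a hit only tells you where to look, so confirm with the file's size and a scan before acting.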
Your corporate antivirus is one you can trust. What about the ones used by clients connecting into your network?
34. July 29, CNET News – (International) Report finds fake antivirus on the rise. Malware posing as antivirus software is spreading fast with tens of millions of computers infected each month, according to a report to be released on July 29 from PandaLabs. PandaLabs found 1,000 samples of fake antivirus software in the first quarter of 2008. In a year, that number had grown to 111,000. And in the second quarter of 2009, it reached 374,000, the technical director of PandaLabs said in a recent interview. “We’ve created a specific team to deal with this,” he said, of the rogue antivirus software that issues false warnings of infections in order to get people to pay for software they don’t need. The programs also typically download a Trojan or other malware. PandaLabs found that 3 percent to 5 percent of all the people who scanned their PCs with Panda antivirus software were infected. Using that and worldwide computer stats from Forrester, PandaLabs estimates there could be as many as 35 million computers infected per month with rogue antivirus programs. About 3 percent of the people who see the fake warnings fall for it, forking over $50 for an annual license or $80 for a lifetime license, according to the technical director. Last September, a hacker was able to infiltrate rogue antivirus maker Baka Software and discovered that in one period an affiliate made more than $80,000 in about a week, said a PandaLabs threat researcher. A Finjan report from March estimated that fake antivirus distributors can make more than $10,000 a day. Source: http://news.cnet.com/8301-27080_3-10298253-245.html
Note: The DHS only maintains the last ten days of their reports online. To obtain copies of earlier reports or complete summaries, go to: http://dhs-daily-report.blogspot.com/