Network Sentry

Microsoft letting Win2k and XP users fend for themselves?

2009-09-08T20:54:00.006-05:00

Read through the MS09-048 advisory. See anything out of the ordinary? Read through it again. Notice the asterisks? Looking for a patch for Windows 2000 SP4? Sorry, "No update available". Need a patch for Windows XP SP2, SP3 or Windows XP x64 SP2? You don't need one because it's not vulnerable. Or is it? There's an asterisk - "Default configuration not affected".

In Microsoft's defense, patching Win2k would require the OS to be rearchitected which may introduce stability issues with existing software. But still - if you ask me, the product is under support and now has three unpatched remote exploits. Hopefully on tomorrow's call they can clarify the issue. Maybe it's not as bad as it seems, but as it stands it sounds like Win2k can be DoSed remotely if even a single TCP port is listening - firewalled or not.

They have no defense for Windows XP. Most XP systems I've seen have listening ports. Maybe in the office you are firewalled, but what about road warriors using a hotspot? Can a malicious person head to his/her local Panera and plant a back door on all the Windows machines?

The most important aspect of this post is "what can I do to protect myself?" Well:

If your platform has a patch, apply it.
If you can afford it, upgrade machines to a platform that is supported.
If you have an unsupported platform, use a host firewall to block inbound connecti0ns.
If you have road warriors, make it a priority to educate them on this issue, how to utilize the firewall when on a public/untrusted network and how to conduct business while out of the office.

Hopefully tommorrow Microsoft will offer more details on this and it won't be as bad as it seems. I can think of a few ways of protecting devices but again, the dust needs to settle first. In the meantime, firewall off as many devices as you can and use host firewalls to your advantage.

Small Business Information Security Fundamentals

2009-08-27T08:14:00.002-05:00

Today I read about a new DRAFT document published by NIST (National Institute of Standards and Technology) titled "Small Business Information Security: The Fundamentals". I must say that this is a great document and if you are a small business, please take a look at it. It attempts to explain in plain language some of Information Security's best practices.

If you've read Brian Krebs' blog about the increasing occurrence of small businesses being targets of money theft from Eastern European criminals, the stats in the NIST document's overview section really drives home the importance of Infosec for small business. These businesses are vital to our economy and unfortunately lack the resources of larger businesses who do invest in information security. If small businesses don't act to protect themselves, their customers or their employees, we're headed down a dangerous path.

Milw0rm offline again?

2009-08-20T14:59:00.003-05:00

I haven't been able to get to Milw0rm yesterday or today. Anyone have a similar experience? Anyone have any news as to what's up? I know there was talk about the demise of the site in July, but I thought str0ke decided to keep the site up. If you have any info, please post a comment.

Thanks!

P.S. I did spell it with a zero, not the letter O. Thanks Blogger ;-)

Reports of MS09-039 in the wild

2009-08-18T09:32:00.001-05:00

We have read in several places about a report of MS09-039 being actively exploited in the wild. Nothing has been verified, but according to the ISC and their DShield data, there has been a HUGE increase in port 42 being targeted. Looking at the graph, port 42 as the destination hovers around 1,000-2,000 targets a day normally. On the 17th of August, there were nearly 70,000 targets.

That's a 70x increase. Just a coincidence? I don't think so, but unfortunately this is our only fact so far. Hopefully someone can get a malware sample to add more credibility to the lone report of active exploitation.

Nmap 5 released

2009-07-21T09:54:00.002-05:00

Yes - a little late, I know. Nmap 5 was released on July 16th. Some of the new cool features include Ncat and Ndiff.

Ncat is like Netcat but supposedly better. I have not tried this so I don't want to comment on it.

Ndiff sounds really cool. You can run nmap scans on 2 different occasions and use ndiff to see the difference. One immediate application I can think of would be tracking changes to a network over time. Perhaps run it daily and when a new service appears on a given host, use swatch or some script to alert you. Really cool new tool if you ask me. I can't wait to check this one out!

OWC ActiveX exploits starting to increase

2009-07-16T09:42:00.002-05:00

A few days ago Microsoft released a security advisory (973472) for a vulnerability in Microsoft Office Web Components (OWC). This is being actively exploited. Proof of concept code is here and there is at least one Metasploit module for this. We'll only be seeing an increase in exploit attempts so until a patch is released, you should start implementing workarounds.

Some things you can do to protect yourself:

Set killbits {0002E541-0000-0000-C000-000000000046} and {0002E559-0000-0000-C000-000000000046} per the Microsoft advisory. Thankfully, Microsoft has a slick fix it package here from KB973472.
Block known bad domains such as f1y.in (see SANS ISC post)
Keep your Antivirus updated!!
Use the Noscript plugin for Firefox
Don't use Internet Explorer until a patch is released

Microsoft SRD blog has more info.

Oracle's quarterly Critical Patch Update posted today

2009-07-15T10:29:00.004-05:00

Oracle released their quarterly patches today. If I have time, I'll post something more detailed. But for now I'll post a highlight. There are 30 patches in total (thanks to molecular updates, they can be applied individually), 15 of them are remotely exploitable without authentication. Only three of those are applicable to the venerable Database product.

Link to the Oracle page.

Johhny Long stranded while helping the needy...

2009-07-15T09:20:00.004-05:00

Johnny Long (of google hacking database fame) and his family are stranded in the middle of Africa while doing charity work because Paypal has 'frozen' his assets. Can you imagine going to a third world country to help out needy people only to end up being stranded there with hardly any money? Worse yet is you HAVE money but the people holding it won't give it to you. This is a good example of false positives and how they are working against Paypal's fraud detection service.

On a positive note, it looks like the community is starting to band together to help Johhny and his family. If you or anyone you know has any influence over Paypal...

Hackers for charity blog post

Martin Roesch is going to be in Chicago?!?!

2009-07-14T22:01:00.000-05:00

I know it's short notice, but Martin Roesch (of Snort fame) will be in town tomorrow and Thursday - http://www.sourcefire.com/news/webinars/#sem1q09

Killbits just arent enough in this case :-(

2009-07-10T14:58:00.000-05:00

Check this out: http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html

Apparently it's a little more complicated than Microsoft would have us believe. If the vulnerabilities lie in shared libraries, we're in a world of pain until the libraries are fixed and software compiled using old libraries are recompiled with patched libraries. At least that's my take...