Security Protection – Harry Waldron (WP)

January, 2011:

Microsoft Security Essentials 2.0 — PC Magazine Review

PC Magazine has published a review of the new version. MSE offers good basic protection when complemented with best practices.

Microsoft Security Essentials 2.0 — PC Magazine Review http://www.pcmag.com/article2/0,2817,2376220,00.asp

QUOTE: Technically the product name is still just Microsoft Security Essentials, but the About box clearly shows a version number beginning with 2.0. This version has a few new features. It can automatically ensure firewall protection by enabling Windows Firewall if necessary. In Windows Vista and Windows 7, Microsoft Security Essentials’ new network inspection system adds specific protection against network-based attacks. The app also claims better malware-fighting skills, though in my testing it seemed little improved.

* Pros — Simple user interface. Insulates user from confusing details, while making details available if desired. Good ratings from independent labs. Free.

* Cons — Protection weaker under Windows XP. Mediocre results in hands-on malware blocking and malware removal tests. Left some threats running after alleged removal.

* Bottom Line — If using a Microsoft product gives you a warm, safe feeling you may consider relying on Microsoft Security Essentials for antivirus protection. The independent labs give it good ratings, for the most part. In my own testing, though, it didn’t shine. Other free products offer better protection.

Google Chrome – Prefetches DNS requests

The ISC shares an interesting account of how Chrome prefetches DNS information when web addresses are entered into the browser, and at startup for previously visited sites. This option can be turned off if desired, but doing so may slow browsing a little.

Google Chrome – Prefetching DNS requests http://isc.sans.edu/diary.html?storyid=10312

QUOTE: Thomas wrote about weird DNS requests that he is seeing coming from his machine. After spending some time he found out that Chrome is sending those requests that he could not explain every time it is started. Since I spent some time on this (long) time ago, I decided to pay more attention to Chrome’s DNS requests.

So, in order to speed up browsing Google Chrome does a lot of DNS requests in advance (DNS prefetching – this can be even turned on and off in Chrome’s options). When Chrome is started it will lookup domain names for previously opened web pages early in the startup process so if the user clicks on one of those links Chrome can connect to the target site immediately.

How bad is this? Well, it’s not too bad but it is certainly causing some extra traffic, especially since it depends on caching of (mostly) negative answers. Now, good thing for those wanting a bit more privacy is that you can turn off DNS prefetching in Chrome’s Options menu so it won’t try to resolve domain names as you type.

MORE INFORMATION – Chrome – Prefetching DNS requests https://sites.google.com/a/chromium.org/dev/developers/design-documents/dns-prefetching
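For anyone who, like the diarist, sees unexplained DNS queries from a workstation, the following added example (not code from the ISC diary or from Chromium) shows how a resolver or sensor log can be checked for the prefetch signature: a burst of many distinct names from one client within a second or two, a large share of them answered NXDOMAIN. The log format, the sample lines and the thresholds are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one query per line: "timestamp client qname rcode".
# Host 10.0.0.5 starts a browser at 08:00 and resolves eight names in about
# one second; host 10.0.0.7 makes two ordinary lookups fifteen seconds apart.
SAMPLE_LOG = """\
2011-01-20T08:00:01 10.0.0.5 www.example.com NOERROR
2011-01-20T08:00:01 10.0.0.5 news.example.net NOERROR
2011-01-20T08:00:01 10.0.0.5 intranet NXDOMAIN
2011-01-20T08:00:01 10.0.0.5 wpad NXDOMAIN
2011-01-20T08:00:02 10.0.0.5 cdn.example.org NOERROR
2011-01-20T08:00:02 10.0.0.5 mail.example.com NXDOMAIN
2011-01-20T08:00:02 10.0.0.5 blog.example.net NOERROR
2011-01-20T08:00:02 10.0.0.5 shop.example.com NXDOMAIN
2011-01-20T08:05:30 10.0.0.7 www.example.com NOERROR
2011-01-20T08:05:45 10.0.0.7 mail.example.com NOERROR
"""


def parse_log(text):
    """Turn the constructed log format into (time, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, qname, rcode))
    return records


def find_bursts(records, window_seconds=2, min_names=5):
    """Per client, find windows of at most `window_seconds` holding at least
    `min_names` distinct query names, and report the NXDOMAIN share of each.
    The thresholds are assumed values, not anything Chrome documents."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)

    bursts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r[0])
        i = 0
        while i < len(recs):
            # Grow the window from record i while it still fits the time limit.
            j = i
            while j + 1 < len(recs) and (recs[j + 1][0] - recs[i][0]).total_seconds() <= window_seconds:
                j += 1
            window = recs[i:j + 1]
            names = {r[2] for r in window}
            if len(names) >= min_names:
                nx = sum(1 for r in window if r[3] == "NXDOMAIN")
                bursts.append({
                    "client": client,
                    "start": window[0][0],
                    "queries": len(window),
                    "distinct_names": len(names),
                    "nxdomain_ratio": nx / len(window),
                })
                i = j + 1  # skip past the burst we just reported
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_log(SAMPLE_LOG)):
        print(f"{b['client']} at {b['start']}: {b['distinct_names']} names in "
              f"{b['queries']} queries, {b['nxdomain_ratio']:.0%} NXDOMAIN")
```

On the constructed sample only 10.0.0.5 produces a burst (eight names, half of them NXDOMAIN). A burst like this at the moment a browser starts is the benign prefetch behaviour the diary describes, so the useful output is a classification an analyst can set aside, not an alert; lookups that keep coming when no browser is running are the ones worth a closer look.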

Targeted Attacks being sent to Human Resource departments

Human Resource departments routinely process job applications and resumes from the general public. Because many of these documents arrive from untrusted sources, HR systems should be hardened and staff should stay alert for malware, and all suspicious documents should be avoided, as targeted attacks against specific companies are circulating.

Targeted Attacks emailed to Human Resource departments http://blogs.pcmag.com/securitywatch/2011/01/malware_aimed_at_human_resourc.php
http://www.ic3.gov/media/2011/110119.aspx

QUOTE: The IC3 (Internet Crime Complaint Center) is reporting that businesses are receiving fake job applications in e-mail with malicious attachments. The malware is a Bredolab variant, connected with the Zeus/Zbot botnet. “Recent FBI analysis reveals that cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online,” IC3 said in a news release. In this case the attachment is actually an executable file, svrwsc.exe, which means that many security and e-mail systems would strip it out on that basis alone. Outlook, for example, strips .EXE attachments by default.
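The IC3 note points out that the attachment in this campaign was a bare executable, which default mail filtering drops on the file name alone. The added example below (not code from IC3, PC Magazine or any mail product) shows a small attachment assessment that looks at the content's leading bytes as well as the name, so a file is not waved through simply because its extension looks harmless. The blocked-extension list, the magic-byte table and the sample attachments are constructed assumptions for this example; only the file name svrwsc.exe comes from the report.

```python
import os

# Extensions a default mail filter strips outright (assumed, partial list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Leading bytes that identify what the content actually is.
MAGIC = {
    b"MZ": "windows-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-or-office-xml",
    b"\xd0\xcf\x11\xe0": "ole-office-document",
}

# Extensions that legitimately carry each content type (assumed mapping).
EXPECTED = {
    "pdf": {".pdf"},
    "zip-or-office-xml": {".zip", ".docx", ".xlsx", ".pptx"},
    "ole-office-document": {".doc", ".xls", ".ppt"},
}


def sniff(data):
    """Classify content by its first bytes; 'unknown' when nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename, data):
    """Return the reasons to quarantine an attachment; an empty list means
    neither the name nor the content raised a flag."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    kind = sniff(data)

    # Rule 1: the name-based check that default mail filters already apply.
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")

    # Rule 2: executable content is flagged whatever the name says.
    if kind == "windows-executable" and ext not in BLOCKED_EXTENSIONS:
        reasons.append(f"executable content behind {ext or 'no'} extension")

    # Rule 3: recognised document content must sit behind a matching extension.
    expected = EXPECTED.get(kind)
    if expected and ext not in expected:
        reasons.append(f"content type {kind} does not match extension {ext}")

    return reasons


# Constructed sample attachments (a few header bytes each, not real files).
SAMPLES = [
    ("svrwsc.exe", b"MZ\x90\x00\x03\x00"),          # the case from the IC3 report
    ("resume.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),  # ordinary PDF, passes
    ("resume.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # ordinary OLE document, passes
    ("resume.pdf", b"MZ\x90\x00\x03\x00"),          # executable content, harmless name
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict = assess_attachment(name, data)
        print(f"{name:12} -> {'QUARANTINE: ' + '; '.join(verdict) if verdict else 'ok'}")
```

Rule 1 alone reproduces what the report says Outlook does by default; rules 2 and 3 are the part a mail gateway or HR intake process should add, because they judge the bytes rather than the label. A real deployment would run the content check on the decoded attachment, including members of archive attachments, rather than on the first few bytes of a sample.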

First PC Virus – Turns 25 years old

The first computer virus appeared shortly after the advent of the IBM PC. It was relatively harmless and spread via infected floppy disks, as this was before the Internet and infection via email.

What would you ask from the creators of the very first PC virus? http://www.f-secure.com/weblog/archives/00002087.html

QUOTE: It’s now January 2011. Which means the Brain virus is now 25 years old. Brain, spreading on 5.25″ floppy disks was the first PC virus. Which means that the PC virus is now 25 years old.

F-Secure — Brain Virus Description http://www.f-secure.com/v-descs/brain.shtml

QUOTE: Virus:Boot/Brain is possibly the oldest virus known on the DOS platform, as it was first detected in January ’86. Several variants of this virus are known, but most of them are fairly harmless. One harmful variant has been reported, which was designed to attack on May 5, 1992. This virus is rather large and most of it is located in sectors that are marked as “bad” in the FAT. One of the most interesting details regarding the Brain virus is the following text, which appears inside it:

* Welcome to the Dungeon (c) 1986 Basit & Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE :430791,443248,280530. Beware of this VIRUS…. Contact us for vaccination…

Facebook – Malicious application photo links

Sunbelt Security continues to highlight the danger of clicking potentially malicious links.  This includes photo links offered by malicious applications, which can compromise your Facebook account or even your PC:

Phony Facebook Photos lead to malware http://sunbeltblog.blogspot.com/2011/01/phony-facebook-photos-lead-to-malware.html
http://www.mywot.com/en/forum/8966-new-facebook-malware-spreading?comment-58324

QUOTE: This latest Facebook scam seems to have been rattling around for a few weeks now, directing you to malware from hacked websites hosting the rogue files. There also appear to be various Facebook application pages offering up the same dubious content. Not a lot of sophistication there, but it doesn’t really take much to get people clicking. Downloading the file and running it will result in you sending your friends more “Foto” related spam and the whole process begins again.

Some users report the messages appearing on their walls, while others have screenshots of messages popping up in their chat applications. Either way, regardless of how the link is delivered the end-user will find themselves on a page containing nothing but a tantalising message regarding their photo hunt.

Oracle Critical Patch Update Advisory – January 2011

Numerous security updates were released for Oracle databases and business products recently:

Oracle Critical Patch Update Advisory – January 2011 http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

QUOTE: Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

19 April 2011
19 July 2011
18 October 2011
17 January 2012
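The schedule rule quoted above is easy to turn into a patch-planning helper. The following added example (not Oracle's code) computes the Tuesday closest to the 17th for each of the four CPU months and lists the upcoming dates after a given day; it reproduces the four dates in the advisory. The function names are this example's own.

```python
from datetime import date, timedelta

CPU_MONTHS = (1, 4, 7, 10)   # January, April, July, October
TUESDAY = 1                  # date.weekday(): Monday == 0, Tuesday == 1


def cpu_date(year, month):
    """Tuesday closest to the 17th of the given month, per the advisory's rule."""
    anchor = date(year, month, 17)
    # Offsets -3..+3 cover each weekday exactly once, and because a week has
    # an odd number of days there is never a tie between two Tuesdays.
    for offset in range(-3, 4):
        candidate = anchor + timedelta(days=offset)
        if candidate.weekday() == TUESDAY:
            return candidate
    raise AssertionError("unreachable: every 7-day window contains a Tuesday")


def upcoming_cpu_dates(start, count=4):
    """The next `count` Critical Patch Update dates strictly after `start`."""
    found = []
    year = start.year
    while len(found) < count:
        for month in CPU_MONTHS:
            candidate = cpu_date(year, month)
            if candidate > start and len(found) < count:
                found.append(candidate)
        year += 1
    return found


if __name__ == "__main__":
    # Run from the day after the January 2011 CPU (18 January 2011).
    for d in upcoming_cpu_dates(date(2011, 1, 18)):
        print(d.strftime("%d %B %Y"))
```

Feeding a change-management calendar from this function, rather than from a copied list of dates, means the reminder never goes stale when the advisory's "next four dates" block rolls over.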

Bohu Trojan – New Anti-Cloud Malware

The Microsoft Malware Protection Center has identified a new trojan which blocks cloud-based AV technologies. While these attacks are currently centered in China, the same techniques could surface in future malware elsewhere.

Bohu Trojan – New Anti-Cloud Malware http://blogs.technet.com/b/mmpc/archive/2011/01/19/bohu-takes-aim-at-the-cloud.aspx

QUOTE: The Microsoft Malware Protection Center has been tracking a recent threat that attacks cloud-based antivirus technology provided by popular major antivirus software vendors in China. The malware is named Win32/Bohu (TrojanDropper:Win32/Bohu.A). The Bohu malware is native to the China region. Bohu attracts user installation by social engineering techniques, for example, using attractive file names and dropping a fake video player named “Bohu high-definition video player”. The more interesting part of Bohu is that the malware blocks cloud-based services now commonly featured in major Chinese antivirus products. Specifically, Bohu uses a number of different techniques in order to attempt to thwart Cloud-based AV technologies.

Bohu Trojan – Technical Description http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Bohu.A
http://www.symantec.com/security_response/writeup.jsp?docid=2011-012002-5122-99&tabid=2

QUOTE: Win32/Bohu.A is a trojan that drops Trojan:Win32/Bohu.A!Installer – a trojan that filters an affected computer’s network traffic in order to stop malware-related data from being sent to information-gathering networks that belong to particular AV companies in China. It has been distributed in the wild with the file name “Bohu high-definition video player.exe” or similar.

Master Boot Record – Importance of protecting against malware

The MBR area can be altered by malware so that Windows systems cannot boot properly. It is important to keep this area protected and clean as noted below:

Master Boot Record – Importance of protecting against malware http://blogs.technet.com/b/mmpc/archive/2011/01/14/re-boot-this-year-clean.aspx

QUOTE: It is that time of the year again to start anew. In terms of personal computers, the act of restarting the machine is called a reboot – an action that triggers execution of code from a special part of the disk called the Master Boot Record (a.k.a. MBR). As the year 2010 ended, I looked at some of the threats targeting the MBR. The MBR, the most important data structure on the disk, is created when the disk is partitioned. The MBR contains a small amount of executable code called the master boot code, the disk signature, and the partition table for the disk.

The master boot code performs the following activities:

1. Scans the partition table for the active partition.
2. Finds the starting sector of the active partition.
3. Loads a copy of the boot sector from the active partition into memory.
4. Transfers control to the executable code in the boot sector.

HOW TO FIX A DAMAGED MBR http://technet.microsoft.com/en-us/library/cc977213.aspx
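The MMPC description of the MBR layout and of the four steps the master boot code performs is enough to write a checker for it. The added example below (not code from Microsoft or the MMPC post) parses a 512-byte MBR into its three parts, carries out steps 1 and 2 of the quoted procedure in software by locating the active partition and its starting sector, and compares a hash of the boot code against a known-good baseline, which is the practical way to notice that this area has been altered. The sample MBR is constructed (the boot code is a filler byte pattern, not real code) and the layout offsets are the standard ones; the function names are this example's own.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # master boot code: bytes 0..439
DISK_SIG_OFFSET = 440         # 4-byte disk signature
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ACTIVE_FLAG = 0x80


def parse_mbr(sector):
    """Split a raw MBR sector into boot code hash, disk signature and partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")

    boot_code = sector[:BOOT_CODE_LEN]
    (disk_signature,) = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)

    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # status, 3 bytes CHS start, type, 3 bytes CHS end, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        partitions.append({
            "index": i,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })

    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_signature,
        "partitions": partitions,
    }


def active_partition(mbr):
    """Steps 1 and 2 of the master boot code: the active entry and where it starts."""
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def boot_code_matches_baseline(mbr, baseline_sha256):
    """True when the boot code is byte-for-byte what was recorded at install time."""
    return mbr["boot_code_sha256"] == baseline_sha256


def build_sample_mbr(boot_code_byte=0x90):
    """Constructed MBR: filler boot code, one active NTFS partition at LBA 2048."""
    boot_code = bytes([boot_code_byte]) * BOOT_CODE_LEN
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entries = struct.pack("<B3xB3xII", ACTIVE_FLAG, 0x07, 2048, 204800)
    entries += struct.pack("<B3xB3xII", 0x00, 0x07, 206848, 409600)
    entries += b"\x00" * 32  # two unused entries
    return boot_code + disk_sig + entries + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = parse_mbr(build_sample_mbr())
    baseline = clean["boot_code_sha256"]
    print("active partition starts at LBA", active_partition(clean)["lba_start"])

    # Same partition table, different boot code: the disk still boots to the
    # right partition, so only the hash comparison reveals the change.
    altered = parse_mbr(build_sample_mbr(0xCC))
    print("boot code matches baseline:", boot_code_matches_baseline(altered, baseline))
```

The point of the second run is that an altered MBR can leave the partition table untouched and the system booting normally, which is why checking that the machine boots tells you nothing about this area; record the boot-code hash when the disk is provisioned and compare it from a trusted environment, as the recovery article linked above is the path to take once a mismatch is found.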

Job Interviews – CareerBuilder lists Worst Mistakes

Below is an interesting survey of mistakes made by candidates during job interviews:

Job Interviews – CareerBuilder lists Worst Mistakes http://www.careerbuilder.com/share/aboutus/pressreleasesdetail.aspx?&siteid=cbpr&sc_cmp1=cb_pr614_

QUOTE: When asked what the most outrageous blunders they had encountered interviewing candidates were, hiring managers reported the following:
* Provided a detailed listing of how previous employer made them mad.
* Hugged hiring manager at the end of the interview.
* Ate all the candy from the candy bowl while trying to answer questions.
* Constantly bad mouthed spouse.
* Blew her nose and lined up the used tissues on the table in front of her.
* Brought a copy of their college diploma that had obviously been white-outed and their name added.
* Wore a hat that said “take this job and shove it.”
* Talked about how an affair cost him a previous job.
* Threw his beer can in the outside trashcan before coming into the reception office.
* Had a friend come in and ask “HOW MUCH LONGER?”

In addition to the most unusual gaffes, employers shared the most common mistakes candidates made during an interview:

* Answering a cell phone or texting during the interview – 71 percent
* Dressing inappropriately – 69 percent
* Appearing disinterested – 69 percent
* Appearing arrogant – 66 percent
* Speaking negatively about a current or previous employer – 63 percent
* Chewing gum – 59 percent
* Not providing specific answers – 35 percent
* Not asking good questions – 32 percent

Microsoft's Secure Developer Tools

Microsoft’s Secure Developer Tools http://isc.sans.edu/diary.html?storyid=10294

QUOTE: During Blackhat DC, Microsoft released some updates to its secure development tools. Microsoft did some very nice work with these tools. While these tools are not necessarily limited to .Net, I highly recommend that .Net developers take a look at them.

http://www.microsoft.com/security/sdl/getstarted/tools.aspx

http://blogs.msdn.com/b/sdl/archive/2011/01/17/announcing-attack-surface-analyzer.aspx