Security Protection – Harry Waldron MVP

February, 2011:

Firefox 4 Beta 12 release

So far the latest beta version is working well in early testing.

Firefox 4 Beta 12 released http://isc.sans.edu/diary/Firefox+4+Beta+12+released/10459

Firefox 4 Beta 12 – Release Notes https://www.mozilla.com/en-US/firefox/4.0b12/releasenotes/

QUOTE: For those of you who would like to contribute to the future of Firefox, while not quite ready for final release, Firefox 4 Beta 12 is considered “stable and safe to use for daily browsing”. There are still some known issues and the Mozilla people do warn that if you are an add-on user there may be some issues with your add-ons, but with the Add-on Compatibility Reporter you can assist the add-on developers as well.


Microsoft Technet Blogs – The Servicing Guy

An excellent resource for early Windows 7 SP1 issues:

Microsoft Technet Blogs – The Servicing Guy http://blogs.technet.com/b/joscon/

QUOTE: Tips and tricks from a Windows support engineer on issues related to servicing

Windows 7 Service Pack 1 released

Windows 7 SP1 is now available and should install properly in most cases. However, the “Early Issues” link below is worth reviewing so that settings can be adjusted as applicable and potential issues avoided.

Windows 7 Service Pack 1 HOME http://technet.microsoft.com/en-us/library/ff817622(WS.10).aspx

Windows 7 Service Pack 1 for IT Professionals http://technet.microsoft.com/en-us/library/dd349342(WS.10).aspx

Internet Storm Center – Early issues http://isc.sans.edu/diary.html?storyid=10453

QUOTE: Right now, there is no urgent reason to install this service pack and it should be tested first. A few areas to watch:

- Whitelisting / Blacklisting: Whitelisting software may not have checksums yet to verify all the files that are modified by the service pack. Same for anti-virus: Some anti-virus products monitor system files for changes and may sound an alert or block the installation of SP 1.

- Firewalls: Third party firewalls may find that some of the low level hooks they use have changed.

- Disk Encryption: In particular full disk encryption that modifies the boot process may find that some of the changes it did are undone by the SP install.

- Custom hardware: If you are using drivers other than those that are included in Windows 7 (or 2008 R2), be careful.

Browser Security – Up to 80% may need one or more patches

While Windows Update and Firefox’s automatic update system help keep the browsers themselves patched, the plug-ins and components inside them often need separate patching. Keeping Adobe Flash and Java patched is also an important security safeguard.

Browser Security – Up to 80% may need one or more patches http://sunbeltblog.blogspot.com/2011/02/researcher-at-rsa-80-percent-of.html
http://www.computerworld.com/s/article/9209958/Bulk_of_browsers_found_to_be_at_risk_of_attack

QUOTE: Wolfgang Kandek, CEO of Qualys, said during a presentation at the RSA Security Conference in San Francisco that 80 percent of browsers his company’s BrowserCheck service checked were missing one or more patches, ComputerWorld has reported. “I really thought it would be lower,” said Kandek of the nearly 80% of browsers that lacked one or more patches. BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, including Adobe’s Flash and Reader, Oracle’s Java and Microsoft’s Silverlight and Windows Media Player.

Solid State Drives – Difficult to erase deleted data

Just as it’s difficult to completely erase data from a hard drive, it’s even more difficult for some of the newest solid state storage devices.  There are some military grade programs that will erase the contents of a hard drive (changing everything to binary zeroes).  These should be used for disposal or equipment resale purposes.

Solid State Drives – Difficult to erase deleted data http://blogs.pcmag.com/securitywatch/2011/02/solid-state_memory_is_hard_to.php

QUOTE: Even most novices know that erasing a file doesn’t necessarily remove it for good. Fully erasing data can be much trickier than it seems. And now it seems that the newest forms of storage are the hardest to erase. At this week’s Usenix FAST 11 conference on File and Storage Technologies in San Jose, California, researchers published a paper examining the effectiveness of different secure erasure methodologies on Solid State Disks (SSDs). It turns out to be tricky.

Kim Komando offers free utilities to safely delete all hard drive information http://www.komando.com/downloads/categories.aspx?cat=Security

Zeus Malware containing forged Ariva certificate circulating

Digital certificates should only be loaded from trusted sources, as forged or stolen certificates are sometimes used in advanced malware attacks to make malicious code look legitimately signed.

Malware Digitally Signed With Fake Certificate http://blogs.pcmag.com/securitywatch/2011/02/malware_digitally_signed_with.php
http://techblog.avira.com/2011/02/21/malware-signed-with-fake-avira-certificate/en/

QUOTE: German security software company Avira has uncovered a malware sample digitally signed with a fake certificate listing them as the signer. The certificate is issued to Avira GmbH and is valid from 2011-02-10 until 2039-31-12.  The malware itself is a member of the well-known Zbot/ZeuS malware family, and is spread via spammed e-mail. Its behavior is not new in any way. After running it deletes the original executable, sets itself to run when Windows starts, and contacts a command server for further instructions.

Sarbanes-Oxley – How to assess Company Level Controls

An excellent article outlining SOX 404 compliance testing and controls.

Sarbanes-Oxley – How to assess Company Level Controls
www.journalofaccountancy.com/Issues/2005/Jun/AssessingCompanyLevelControls

QUOTE:  What are company-level controls? How do CPAs go about evaluating their effectiveness? As the compliance deadline for section 404 of the Sarbanes-Oxley Act approaches for some companies, many have yet to face a critical hurdle: the assessment of their company-level controls. The Public Company Accounting Oversight Board says public companies must assess the design and operating effectiveness of company-level controls in addition to examining detailed control activities at the process and transactional levels.

EXECUTIVE SUMMARY 

* THE ASSESSMENT OF COMPANY-LEVEL CONTROLS is a critical part of complying with section 404 of Sarbanes-Oxley. The PCAOB says public companies must assess the design and operating effectiveness of these controls in addition to examining detailed process- and transactional-level control activities.
 
* COMPANY-LEVEL CONTROLS ARE THOSE THAT PERMEATE an organization and have a significant impact on how it achieves its financial reporting and disclosure objectives. These controls are exemplified by the control environment itself including the tone at the top, corporate codes of conduct and policies and procedures.

* CPAs CAN FOLLOW SIX STEPS TO HELP ENTITIES comply with company-level control requirements. These steps are defining the project plan and key milestones, building a structure to assess the controls, obtaining input on the design of company-level controls, documenting and assessing the controls, testing their effectiveness, and engaging in gap remediation and continuous improvement.

* THESE STEPS ARE REQUIRED OF PUBLIC COMPANIES, but private companies and not-for-profit organizations also can benefit by looking at the process as a best practice that leads to stronger governance and better financial results.

Federal Hacking Incident – Some Lessons Learned

Below is a great list of best practices to help corporations mitigate outside hacking attacks.

Federal Hacking Incident – Some Lessons Learned http://isc.sans.edu/diary/HBGary+hack+lessons+learned/10438

QUOTE: Unless you’ve been living under a stone for last couple of weeks, you will have heard about the HBGary Federal hack. Seeing everything published about this probably makes every security professional think for at least a second, ‘Could this happen to me too? … So what can we learn from this hack? A lot of things that we already preach (or should be preaching):

* Do not use the same passwords for multiple applications/sites. A lot of free, good utilities, such as Password Safe, exist that will allow you to automatically generate strong passwords and store them in an encrypted key chain.

* No matter the size of your company, you should have change management processes that require all changes to be approved by appropriate personnel. While a CEO can request to open a port on the firewall, a security person in charge should approve any such request. If you don’t have multiple roles for this then make sure that appropriate authentication is in place – i.e. verifying such critical requests through other channels.

* You should regularly test your web applications – not only external, but also internal. While this does not guarantee that you will identify and eliminate all security vulnerabilities, it will certainly raise the overall security.

* Encrypt your backups and think twice if you need all those e-mails at one place. Gmail is certainly attractive for storing years of e-mails and searching through them quickly, but imagine what would happen if someone gets access to all your e-mail.

* While we’re on encryption – encrypt sensitive e-mails too – it may seem a nuisance, but it could save the day. PGP Encryption is not difficult to use, there are downsides, of course, so you should balance between usability and security.

* If you are a web-application developer, and have a need to store (hashed) user passwords, remember that algorithms such as MD5 were built for speed! By using today’s GPUs, it is possible to crack hundreds of millions of MD5 passwords per second. Remember to use password salts to make rainbow tables useless (otherwise it’s usually a matter of seconds before a password is cracked).

* Finally on storing hashed passwords, try to use multiple algorithms to store passwords – something like – sha1(sha1(sha1(password))) will be unnoticeable for the end user, but will make rainbow tables useless and increase the time needed to crack a password (and increase the likelihood an attacker will have to make a custom cracking module for their purpose).
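The last two points of the diary, salting and slowing down password hashing, are easy to see in code. The following is an added example written for this page; it is not code from the ISC diary or from this blog. It contrasts the fast, unsalted MD5 scheme the diary warns against with a per-user random salt and an iterated construction (PBKDF2-HMAC-SHA256 from Python’s standard library, chosen here as one salted-and-iterated scheme; the iteration count of 200,000 is an assumed value). The two sample users and their shared weak password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: two accounts that happen to share a weak password.
# This is not real data; it only exists to show why unsalted hashes leak.
USERS = {"alice": "password123", "bob": "password123"}


def md5_unsalted(password: str) -> str:
    """The fast, unsalted scheme the diary warns against (for comparison only).
    Equal passwords produce equal hashes, and one rainbow table covers every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hashing with PBKDF2-HMAC-SHA256.

    Returns a self-describing record 'algo$iterations$salt_hex$hash_hex' so the
    parameters can be raised later without breaking existing accounts.
    The 16-byte random salt defeats precomputed (rainbow) tables; the iteration
    count makes every guess cost the attacker 200,000 HMAC computations.
    """
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive the hash from the stored salt and parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_hashes_collide(users: dict) -> bool:
    """True when two different users end up with identical unsalted MD5 hashes."""
    hashes = [md5_unsalted(pw) for pw in users.values()]
    return len(hashes) != len(set(hashes))


def salted_hashes_collide(users: dict) -> bool:
    """True when two different users end up with identical salted records (they should not)."""
    records = [hash_password(pw) for pw in users.values()]
    return len(records) != len(set(records))


if __name__ == "__main__":
    print("unsalted MD5 reveals shared passwords:", unsalted_hashes_collide(USERS))
    print("salted PBKDF2 records collide:", salted_hashes_collide(USERS))
    rec = hash_password(USERS["alice"])
    print("stored record:", rec)
    print("correct password verifies:", verify_password(rec, "password123"))
    print("wrong password verifies:", verify_password(rec, "Password123"))
```

Two things the run makes visible: with MD5 both users get the same 32-hex-character digest, so a leaked table immediately shows who shares a password and a single precomputed table cracks all of them; with a per-user salt the same password yields unrelated records, and the iteration count is what turns “hundreds of millions of guesses per second” into a much smaller number for the attacker.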

RSA 2011 – Signature Based Anti-Virus may not be effective

Malware continues to use highly polymorphic attacks, so that each new wave becomes a unique variant within the malware family. AV pattern recognition techniques alone may not detect early waves (usually about a 30% coverage ratio on day one). However, signature based AV may be more useful for cleanup and restoration actions. Heuristic or behavioral based AV products can help improve protection. Malware defenses cannot rely on a single defense system, as complementary layers of protection are always required in corporate environments.

RSA 2011 – Signature Based Anti-Virus may not be effective http://blog.trendmicro.com/from-rsa-2011-last-nail-in-the-coffin-for-signature-based-av/

QUOTE: Signature-based antivirus will continue to be a necessary but insufficient element of security measures. However, insofar as using it as the singular strategy to combat malware in the foreseeable future, its heyday is very much over. As Trend Micro CTO Raimund Genes said, signature-based technology is only good for system cleanup and in identifying the specific system modifications made in order to restore the system to its original state. Effective threat prevention today requires a more proactive combination of approaches that take various infection vectors into consideration.