Category: Vulnebilities

Securing your Windows Machines

Paul

After a Long day at work, you sometimes feel like there isn’t much you want to talk about. Then this idea comes to me? Why do people blog and why do people talk about security?

I’ve come to realize something, I’m not one who was grew up understanding bits from bytes. I grew up as any family does fighting with my siblings.

Having been blogging the past few years, it seems like only yesterday that I started blogging. Cliche I know but still very much true. Most blogs do what they know, I aim to learn and teach each day I blog. Like days like this when the world is pretty much quite and the [intlink id=”3214″ type=”post”]remnants of the conficker[/intlink] worm dies to a rumble.

[ad#cricket-right-ez]So how do you secure your Windows Machine?

After a day long battle with  my wife’s system, I grow to wonder if there is something I should do differently with how to prevent Viruses and Worms on her system.  So I’ve groomed my Knowledge base and come up with 5 good points when it comes to locking down your Windows Machines:

  • [intlink id=”994″ type=”post”]Lock down your Router/Modem[/intlink]  — Some people don’t know that having an insecure router with weak passwords is a way to get on another system.   This can easily be prevented if the users takes some steps to prevent. it.  Although if a hacker wants to break your encryption and find your Signal there is really nothing you can do but try to prevent that.

  • [intlink id=”2205″ type=”page”]Firewall and Anti-virus[/intlink] —  Although I know people think I am a broken record this will always be something I encourage for everyone who reads my blogs.  I will never stop beating people over the head with this.   Seeing the [intlink id=”3272″ type=”post”]Conficker map[/intlink] tells me there are quite a few without an Anti-virus or a Firewall, which might of given someone a heads up find out if they do or not!!

  • [intlink id=”2984″ type=”post”]Disabling AutoRun[/intlink] —  This can prevent a USB stick from installing software it shouldn’t.  Remember Microsoft has issued an statement on how to disable it for sure.  Although I must say The Security Now episode 187 seems to talk about this really well and how to make sure you do disable it the right way.

  • Make sure it is a Limited user account —  Most people always run as administrator when in fact that sometimes makes you more vulnerable to viruses, worms, and trojans.   Any software you install as an administrator will automatically be given Administrator rights.  That can be very bad when it comes to virus and such.

  • [intlink id=”2883″ type=”post”]Keep your System up to date[/intlink] — This is essental for people who to prevent exploits to be used against you.  Although  if your like me and you want to make sure your software is up to date some of that can be done with [intlink id=”553″ type=”post”]APPSNAP[/intlink].

With These tips, your system can be a little more safer.  Just remember there is no perfect way to protect your systems 100% only some of the time.  The rest depends on you, because your the last layer of defense.  Also it isn’t a bad idea to [intlink id=”2407″ type=”post”]back up your system from time to time[/intlink].

Hackers Jump onto Power Point Exploits : KB969136

Paul

In my Previous post, we talked about Microsoft [intlink id=”3280″ type=”post”]Advisory for KB969136[/intlink] and the exploit was in the wild.  It looks like Trend Micro has published some new spam attempts to get the users to open up the Maleware for them to deposit TROJ_PPDROP.AB onto there systems.

[ad#cricket-right-ez]Trend Micro has some screen shots of the most common Fake Presentations for you to see just how they try to get you to open the file.

Although these are some common tactics for  attackers to use such as  nude pictures, Earth Hour, or Celebrities without Makeup,  users who don’t normally use PPT should check the files out before you load them.  You also should remember to save them to a file and [intlink id=”2205″ type=”page”]scan them with your Anti-virus software[/intlink], also it wouldn’t hurt to have a firewall software.  It looks like these exploits tries to connect to the internet and you might be able to find out by the request from the firewall.

According to Internet Storm Center, the CVE place Holder for this is CVE-2009-0556 and hasn’t become live yet. I do not think they will release that information until they get a chance for Microsoft to patch the systems.

This would be a good time to remind IT staff and anyone who might use Power Point that they should not open anything they aren’t expecting and even then they should verify with your IT staff that it is safe until Microsoft issues a patch for this. I expect that if this become widely used it will be released out of Cycle or even In May’s Patch Tuesday. According to Microsoft you could install Microsoft Office Isolated Conversion Environment (MOICE) but requires Office 2003 and Office 2007 systems. Find out how you can use this work around at Microsoft’s Advisory of KB969136 for further instructions.

Microsoft issues Advisory KB969136 (Zero Day Exploit in the Wild)

Paul

Well, this had to happen sooner or later.  It looks like Powerpoint can be exploited with a Remote Code Execution.   So Microsoft today has issued an Advisory for KB969136.

In there post they say:
[ad#cricket-right-ez]

At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. If you suspect that you were target for such an attack, you can scan your computer with the Windows Live OneCare safety scanner. The malicious PPT files are detected as Exploit:Win32/Apptom.gen. Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Products affected are Microsoft Office PowerPoint 2000 Service Pack 3, Microsoft Office PowerPoint 2002 Service Pack 3, and Microsoft Office PowerPoint 2003 Service Pack 3. Microsoft Office PowerPoint 2007 is not affected.
[Via Microsoft Blog]

Microsoft has even added a diagram on how an attacker could implement this into an email.

So what do you need to know:

If you receive a Power Point presentation from someone you aren’t expecting either scan it good with a[intlink id=”2205″ type=”page”] free anti-virus[/intlink]. There are no major workarounds to this because Microsoft is telling people not to open the Power Point files directly. I tend to agree you should however know if you are expecting something from someone by either emailing them back or if it’s an office situation pick up that phone for the time being. I am sure Microsoft will issue this patch in the coming months probably May or June at the earliest. I don’t think it will be April Patch Tuesday, they could however make this an out of cycle if enough hackers start to use this.

According to Micrsoft the Windows Live One care picks this up as Win32 Exploit so I am sure other [intlink id=”2205″ type=”page”]Anti-virus Software will do the same[/intlink].   Just for the time being you will want to scan any presentations that come your way.  I will update the blog as more information becomes available!!

Conficker Discussion Part 2 – Even more stuff to talk about

Paul

We’ve heard in the[intlink id=”3214″ type=”post”] coming days there will be an update for the Conficker.C Worm[/intlink] and Microsoft has Released even more information about it: For Instance:
[ad#cricket-right-ez]

Win32/Conficker.C is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.(was reported to Microsoft on February 20, 2009.)

Win32/Conficker.D is a variant of Win32/Conficker. Conficker.D infects the local computer, terminates services, blocks access to numerous security related Web sites and downloads arbitrary code. Conficker.D can relay command instructions to other Conficker.D infected computers via built-in peer-to-peer (P2P) communication. This variant does not spread to removable drives or shared folders across a network (as with previous variants). Conficker.D is installed by previous variants of Win32/Conficker. (was reported to Microsoft on March 4, 2009.)

As you can tell, this seems to be two different Variants starting to emerge.  Now let’s go a little bit more deeper shall we.  According to US-CERT(United States – Computer Emergency Readiness Team) , They claim that this is Widespread infection and have posted about it on there website TA09-088A.

My one questions is Why is the US getting ready for this Conlicker worm, are they worried that what happened to the Parliament will happen to some branch of the White House.  This seems to be an even more hype building over this worm.  Everyone will tell you the same thing, they are not sure what will happen on April 1, 2009.  I think it will be a normal day and all because with all news about the Conficker worm, the person who wrote this won’t want the light shined on them before they get there foot hold in systems.  So you will most likely not notice anything special on April Fools day due the awareness of the worm.

But don’t forget to update your [intlink id=”2205″ type=”page”]Anti-virus software[/intlink] and also might be time to add a good [intlink id=”2205″ type=”page”]free firewall to help protect yourself[/intlink] from this worm.

The April fools Joke, You’ve got a computer worm!

Paul

Cluely’s blog talks about this and I thought I would talk about it a little myself!!

[ad#cricket-right-ez]This is the newest version of the Conflicker/Downadup variant of the little worm.  There seems to be people who are worried that April 1, there will be a major wake up in security no holds bar problems.

Some people have got rather confused as to what the April 1st deadline really means. The truth is that Conficker is not set to activate a specific payload on April 1st. Rather, on April 1st Conficker will begin to attempt to contact the 50,000-a-day potential call-home web servers from which it may receive updates.

[Via Graham’s Cluely Blog]

Now let’s talk about this a little, this worm won’t do anything else but ask for updates on April 1, and we don’t know when the virus writers will implement the update it could be a month down the line.  You could[intlink id=”3171″ type=”post” target=”_blank”] Backup[/intlink] your software and use the free program [intlink id=”2883″ type=”post” target=”_blank”]Autopatcher[/intlink] to help make sure your system is completely up to date with windows security.  You can’t forward the to that date to find out what will it call home to.    We don’t know what it will do when they update to the conficker.c program all we know it starts to try to call to certain domains on April 1, 2009.  So you should install [intlink id=”2205″ type=”page”]Anti-virus and Firewalls[/intlink] where you think it is needed.

I am sure though this will be an really big April Fools Joke from the Virus Programmers, they will be laughing at the hysteria of people trying to find out all the important information on April 1, and yet it might not start to happen until much later!!  You are the first line of defense from getting a virus or any malware.  So let’s keep our heads on straight and not go over board!  Only time will tell, and I am sure what happens on Apr 1, 2009 will be a new day.