Free Tool Paints Picture Of Stealthy Attacks
Honeynet Project's 'Picviz' gets a graphical user interface
The Honeynet Project has beefed up a free tool that helps spot attacks that can elude detection. The Picviz tool takes data from various log analysis sources and converts them into a multidimensional visual map of events.
Researchers have now added a graphical user interface to Picviz, which should make it easier to deploy and more attractive to a broader range of users. Picviz developers Sebastien Tricaud and Philippe Saade have published a paper (PDF) that details how Picviz works and how it gathers and renders data from traffic logs, database logs, SSH logs, syslogs, IPtables logs, Apache logs, and other sources.
Picviz's "parallel coordinates" approach represents an unlimited number of events in multiple dimensions, such as the protocol, URL, IP address, user agent, time frames, and other parameters. Parallel coordinates are multidimensional images used in aircraft collision-detection, as well as in other network tools. Picviz was developed to automate these images, according to Tricaud.
Continue reading in http://www.darkreading.com/vulnerability_management/security/intrusion-prevention/showArticle.jhtml?articleID=221901483
FreeBSD bug gives untrusted root access
A security bug in the latest version of FreeBSD can be exploited to grant unprivileged users complete control over the operating system, a German researcher said Monday.
The flaw is present in FreeBSD 8.0 and is known to affect versions 7.1 and 7.2 of the open-source OS, Nikolaos Rangos told The Register. He said it was "unbelievably simple" to exploit. Shortly after he disclosed the flaw on the Full Disclosure mailing list, other researchers said they were able to confirm the bug.
Trojan demands money for internet access
1 December 2009
There's nothing new about Windows trojans resorting to a little blackmail, but Computer Associates has now observed a new twist: a trojan which blocks internet access until the user enters an activation code. This activation code is obtained by sending an SMS containing a particular number to an expensive premium rate phone number; CA does not mention the sum involved.
The malware, dubbed 'Win32/RansomSMS.AH', infects computers by claiming to be the "uFast Download Manager" tool which, when run, accuses users (in Russian) of having breached their licence conditions. CA has kindly provided a free tool (via zip direct download) to enable users to generate the required code for themselves.
Continued here: http://www.h-online.com/security/news/item/Trojan-demands-money-for-internet-access-873853.html
From CA Security Advisor Research Blog:
Ransomware Blocks Internet Access
CA ISBU has come across an interesting ransomware that blocks internet access of an infected system.[...]
Internet access is blocked due to violation of the
license agreement schedules of uFast Download Manager
You must activate your copy
Get a registration code by sending an SMS with the following
code fw0004199 to number 7122
In response you will receive an activation message.
Enter the activation message received from the SMS response ________
CA detects this ransomware as Win32/RansomSMS.AH.
This malware was found to be bundled with software named uFast Download Manager. During our investigation the following activities were observed:
- Bundled software was installed in the system without informing the user.
- Using the uninstaller program will not remove the ransomware screen from the desktop or other installed components.
Continued (with screenshots) here: http://community.ca.com/blogs/securityadvisor/archive/2009/11/30/ransomware-blocks-internet-access.aspx
Kaspersky unveils Kaspersky KryptoStorage & Password Manager
Kaspersky announces the release of Kaspersky Password Manager, a robust password storage solution.
Every day an active user will encounter a large number of online services and programs which require authorization. In order to access email, instant messaging services, online banking and shopping accounts or social networking sites, users have to enter their credentials. A security-conscious user will create several usernames and passwords and try to remember the answers to a variety of secret questions that will help him recover login details if he loses or forgets them. Many programs that can store your credentials for you, including web browsers, typically keep them in a non-protected format, exposing the data to malicious attacks.
Kaspersky Password Manager has been designed by Kaspersky Lab to address this problem and a number of related issues. The solution ensures the security of passwords used to access websites and Windows applications. Kaspersky Password Manager stores passwords, usernames and other confidential data in a dedicated database that is accessed via a master password. Kaspersky Password Manager can automatically recognize and fill in text fields in lengthy online forms and authorization dialog windows in password-protected websites and programs. The product helps the user identify themselves to a website or a program with just one mouse click. All these functions and capabilities make the new product from Kaspersky Lab an important addition to the protection provided by Kaspersky Anti-Virus/Kaspersky Internet Security 2010.
Kaspersky announces the release of Kaspersky KryptoStorage (KKS). The product, with its user-friendly, intuitive interface, is designed to provide cryptographic protection and permanently delete data from computers running Windows operating systems.
Users of Kaspersky Anti-Virus 2010 and Kaspersky Internet Security 2010, in particular, will appreciate the new product's features because those products in conjunction with Kaspersky KryptoStorage transform your computer into an impenetrable data storage that can withstand any form of attack.
Malware linked to the theft of users' confidential data is becoming more and more widespread. Encryption of the most critical user data provides an additional layer of defense against hacker attacks, including those that make use of various types of malicious programs.
Kaspersky KryptoStorage preserves the confidentiality and integrity of information by encrypting it. Data can only be read, modified or deleted by users who know the predefined password that was entered at the time of encryption.
Arguments against cloud-based antivirus
From Panda Research Blog:
With any advance in science and technology there will always be critics and people oppossed to change. This has happened over and over again in the course of history. Antivirus is no different. We saw resistance when we released behavioral analysis in 2004 (which is mainstream technology nowadays) and we have seen it recently with the release of Panda Cloud Antivirus.
In this post I have compiled a list of all arguments against cloud-based antivirus that I was able to find. Let us review these arguments against cloud-based antivirus and see why they are based on either misconceptions or simple lack of understanding and knowledge of how this technology works.
* A malware could cripple the Internet connection and render the cloud antivirus useless
* A cloud-based antivirus needs to check everything against the cloud. Takes more time
* It is an invasion of privacy. I do not want my files & documents to leave my computer
* Cloud-based antivirus do not protect while offline
* So that means that it provides lower protection while offline
* So if I have some old malware and disconnect from the Internet, can I infect myself?
* I’m worried about latency and response time
* Cloud-scanning is just the latest marketing buzzword
* Cloud-scanning is just a way for AV vendors to lower their cost of downloading signatures
* Cloud-scanning is only good as a second opinion
Their response to the above concerns is at http://research.pandasecurity.com/arguments-against-cloud-based-antivirus/
VB calls for collaboration amongst anti-spam vendors
VB finds that, when it comes to spam filtering, a combined effort outperforms individual products.
Virus Bulletin has discovered that running several spam filters in combination could be key to getting the best performance out of them. Following the last VBSpam comparative review of anti-spam products, the VB test team established that if the efforts of several filters were to be combined, the performance would be significantly better than that of any of the products on their own.
In the test, almost 200,000 emails were sent to 14 different anti-spam solutions which were required to classify them as either ham or spam. The test revealed that no legitimate mail was blocked by more than four products. After the test, VB's anti-spam team decided to look into this further and considered a hypothetical filter that marked an email as spam if at least five of the 14 products did so.
Unlike any of the individual products, the hypothetical filter generated no false positives at all, and combined this 0% false positive rate with an impressive overall spam catch rate of 99.89% (higher than any of the individual products VB has tested).
Microsoft: Black Screen of Death Unrelated to Patch Tuesday Updates
Microsoft is contending that the Black Screen of Death reports circulating the Web are not due to the security updates the company issued in November. The 'Black Screen of Death' condition striking some users of Microsoft Windows is not the work of bugs in November's Patch Tuesday updates, the company stated.
Microsoft did not offer an explanation for the problem, but stated that it had investigated the matter and found none of its November updates were causing the situation.
"Our comprehensive investigation has shown that the November security updates, the Microsoft Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November do not make any changes to the registry as claimed," a Microsoft spokesperson said. "We do not believe Microsoft Updates are related to the behavior described in these reports."
"Based on our investigation so far we can say that we're not seeing this as an issue from our support organization," the spokesperson added. "The issues as described also do not match any known issues that have been documented in the security bulletins or KB articles."
And while you're at eweek.com, see also their article on 10 Reasons Why the New Windows Black Screen of Death Is Alarming
See earlier news on the above in yesterday's News thread:
PrevX apologizes - Windows Black Screen Root Cause blog
From PrevX blog:
The issue appears to be related to a characteristic of the Windows Registry related to the storage of string data. In parsing the Shell value in the registry, Windows requires a null terminated "REG_SZ" string. However, if malware or indeed any other program modifies the shell entry to not include null terminating characters, the shell will no longer load properly, resulting in the infamous Black Screen with the PC showing only the My Computer folder.
Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor.
We apologize to Microsoft for any inconvenience our blog may have caused. This has been a challenging issue to identify. Users who have the black screen issue referred to can still safely use our free fix tool to restore their desktop icons and task bar.
MSRC: Reports of Issues with November Security Updates
We've received questions about public reports that customers might be experiencing system issues with the November Security Updates (which some are referring to as "Black Screen" issues). We've investigated these reports and found that our November Security Updates are not making changes to the system that these reports say are responsible for these issues.
While these reports weren't brought to us directly, from our research into them, it appears they're saying that our security updates are making permission changes in the registry to the value for the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell key.
We've conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don't believe the updates are related to the "black screen" behavior described in these reports.
We've also checked with our worldwide Customer Service and Support organization, and they've told us they're not seeing "black screen" behavior as a broad customer issue. Because these reports were not brought to us directly, it's impossible to know conclusively what might be causing a "black screen" in those limited instances where customers have seen it. However, we do know that "black screen" behavior is associated with some malware families such as Daonol.
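As an added illustration of the condition PrevX and the MSRC describe above (this is not code from either blog or from the original thread): a small Python checker that takes the raw bytes of the Winlogon Shell value, as the registry stores a REG_SZ, and reports a missing NUL terminator or a shell program other than the default explorer.exe. The helper names, the constructed samples and the assumption that the value has been read out as raw bytes (rather than from a live hive) are mine.

```python
"""Check a Winlogon "Shell" REG_SZ value as the registry stores it.

REG_SZ data is UTF-16LE followed by a two-byte NUL terminator; a value written
without that terminator is the condition described in the PrevX post.
Hypothetical helper: it works on raw bytes, e.g. from a hive dump, not on a live registry.
"""
from typing import Dict, List, Tuple

# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell defaults to explorer.exe
EXPECTED_SHELL = "explorer.exe"


def parse_reg_sz(raw: bytes) -> Tuple[str, bool]:
    """Decode raw REG_SZ bytes; return (text, terminated)."""
    if len(raw) % 2:
        raise ValueError("REG_SZ data must be an even number of bytes (UTF-16LE)")
    terminated = len(raw) >= 2 and raw[-2:] == b"\x00\x00"
    body = raw[:-2] if terminated else raw
    return body.decode("utf-16-le"), terminated


def assess_shell_value(raw: bytes) -> Dict[str, object]:
    """Report findings: termination, embedded NULs, empty value, and any program
    other than the default shell (Shell may hold a comma-separated list)."""
    text, terminated = parse_reg_sz(raw)
    findings: List[str] = []
    if not terminated:
        findings.append("missing NUL terminator")
    if "\x00" in text:
        findings.append("embedded NUL inside string")
    programs = [p.strip() for p in text.split(",") if p.strip()]
    if not programs:
        findings.append("empty Shell value")
    unexpected = [p for p in programs if p.lower() != EXPECTED_SHELL]
    if unexpected:
        findings.append("unexpected shell program(s): " + ", ".join(unexpected))
    return {"value": text, "terminated": terminated, "findings": findings}


def reg_sz(text: str) -> bytes:
    """Encode text the way a well-formed REG_SZ is stored (used for constructed samples)."""
    return text.encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    samples = {  # constructed samples, not values taken from a real machine
        "default": reg_sz("explorer.exe"),
        "unterminated": "explorer.exe".encode("utf-16-le"),
        "extra_program": reg_sz("explorer.exe,C:\\Temp\\extra.exe"),
    }
    for name, raw in samples.items():
        print(name, assess_shell_value(raw))
```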
Nominations Now Open for Nation's Top Honor in Public Intere
The Tides Foundation Pizzigati Prize will award $10,000 to an open source software developer whose work is helping nonprofits succeed
Nominations will open this month for the fourth awarding of the $10,000 Antonio Pizzigati Prize for Software in the Public Interest, the nation's top honor for software developers whose work has made an outstanding contribution to the nonprofit sector and ongoing efforts for positive social change.
Nominations for the prize, the largest annual award in public interest computing, will be accepted through February 1, 2010. The prize winner will be announced this April, in Atlanta, at the NTEN 2010 Nonprofit Technology Conference.
"In today's digital age, nonprofits simply cannot thrive without access to imaginative software applications that speak directly to the work they do," notes Diana Chavez, the Tides Foundation philanthropic associate who coordinates the annual Pizzigati Prize competition. "The developers who create these applications, in the open source spirit, make this access possible - and deserve an honor all their own."