Security Adviser | Roger A. Grimes » May 2006

May 31, 2006 | Comments: (0)

Updated Where Windows Malware Hides table

The new list contains 145 entries.

Here is an updated copy of my Where Windows Malware Hides MS-Word table.

Download file

Categories summary

  Category             Entries
  Applications               6
  Files                     32
  Folders                   14
  Other                     10
  Registry locations        92
  Total                    145

Posted by Roger Grimes on May 31, 2006 10:44 AM


May 31, 2006 | Comments: (0)

Securityfocus creates Apple-specific security mail list

Apple security gets its own security mail list.

The mail list will be dedicated to proactive security steps and security discussions related to the Apple platforms. It will not be used to announce new vulnerabilities (that will still be done on Bugtraq).

This is a great idea, especially to remind Apple users that they, too, need to follow good security practices.

Send an email message to focus-apple-subscribe@securityfocus.com
to subscribe.

----------------
Original Announcement from Securityfocus:

Objective

The Focus-Apple mailing list discusses security involving hardware and software produced by Apple or that runs on Apple platforms. Discussion may include security assessment, planning, and implementation for Apple technologies. This list is meant as an aid to network and systems administrators and security professionals who are responsible for implementing, reviewing and ensuring the security of their Apple hosts and applications.

What is appropriate content?

- Discussion of securing Apple hosts in various networked environments, including but not limited to integration with Active Directory or LDAP-based networks.
- Discussion of securing Apple hardware devices such as Airport base stations using wireless technology.
- Experiences in securing specific Apple technologies that would prove valuable to share with the community.
- "How-to" questions surrounding the assessment, implementation, or configuration of Apple technologies, as they relate to security concerns.
- Discussion of tools and/or products that may assist in auditing, securing, and/or patching Apple technologies.
- Follow-up discussion of Apple-related vulnerabilities as it relates to questions about identifying and securing vulnerable hosts and applications.

What is inappropriate content?

- Announcement of security vulnerabilities. (Post this information to Bugtraq)
- Product advertisements.
- Discussion of non-Apple related issues.
- Non-computer/network security related material.
- Discussion of forthcoming product rumours.

How do I subscribe?

Send an email message to focus-apple@securityfocus.com. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer.

Posted by Roger Grimes on May 31, 2006 10:40 AM


May 30, 2006 | Comments: (0)

Comments to my column on Bruce Schneier

Comments about Bruce Schneier column.

Here are reader comments to my May 26, 2006 article (http://www.infoworld.com/article/06/05/26/78639_22OPsecadvise_1.html) on Bruce Schneier:

-------------------
From: Blaine Burnham
Sent: Tuesday, May 30, 2006 2:19 PM

Enjoyed your comments re Bruce. It turns out that Bruce is in very good company. He has many predecessors in the IA business, the people who invented the business in fact, who also have a history of extraordinarily insightful, and equally ignored, writing. You might enjoy the following:

http://www.rand.org/publications/R/R609.1/R609.1.html
http://csrc.nist.gov/publications/history/ande72.pdf
http://web.mit.edu/Saltzer/www/publications/protection/
http://www.cs.virginia.edu/~evans/cs551/saltzer/
http://www.acm.org/classics/sep95/
http://www.airpower.maxwell.af.mil/airchronicles/aureview/1979/jan-feb/schell.html
http://www.acsac.org/2002/papers/classic-multics.pdf
http://www.acsac.org/secshelf/book001/01.pdf
http://www.acsac.org/secshelf/book001/02.pdf
http://www.acsac.org/invited-essay/essays/2001-schell.pdf

I use these and a whole bunch more in my Foundations of IA class.

Best regards,

Blaine

----------
I really enjoyed your article. I've never had the opportunity to meet Bruce Schneier, but I've read all of his books and have subscribed to Crypto-Gram since its inception. I've always been impressed with his ability to cut directly to the chase and articulate concepts in ways that make one want to slap one's forehead and think: "Of course! Why didn't I think of that?" I would think that I would find it a very intimidating experience for me to try to interview him. And I'm not the dullest tool in the shed. Thanks for sharing your perceptions with the world. I wish everyone would read at least his later works . . .(probably not everyone wants to get into the fine points of cryptography). :)

Great article!

Cheers,

George Capehart

Posted by Roger Grimes on May 30, 2006 12:54 PM


May 30, 2006 | Comments: (0)

BackTrack Linux Live distro v.1.0 released

BackTrack is one of the newest and best Linux Live distros for penetration testers.

http://www.remote-exploit.org/index.php/Main_Page

It merges and replaces the WHAX and Auditor distros, and comes with dozens of pre-installed penetration testing and hacking utilities.

You can run it on a Windows desktop easily without touching your hard disk. Just download the ISO image, download the free VMware Player (http://www.vmware.com/download/player/), and configure a virtual machine that boots from the ISO instead of from a virtual disk.

Helpful first-time notes:
BackTrack may not boot straight into the graphical desktop, and DHCP is not started by default. To start the GUI, type startx (lowercase; Linux commands are case-sensitive). To obtain an address from your DHCP server, type dhcpcd.
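A minimal VMware Player configuration that boots the live ISO directly, as an added example (it is not from the BackTrack project or the original post). The file names, memory size and bridged networking are assumptions; adjust them to your download and LAN.

```ini
# backtrack.vmx  (added example; ISO file name and sizes are assumptions)
config.version = "8"
virtualHW.version = "4"
displayName = "BackTrack 1.0 live"
guestOS = "other26xlinux"
memsize = "512"

# Attach the downloaded ISO as the first CD-ROM. No virtual hard disk is
# defined, so the CD image is the only bootable device and the live
# system never writes to your Windows host.
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "bt-1.0.iso"
ide1:0.startConnected = "TRUE"

# Bridged networking puts the guest on your LAN so that dhcpcd inside
# BackTrack can get a lease from the same DHCP server as the host.
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
```

Save the file next to the ISO and open it with VMware Player; the guest boots from the CD image, and once inside you still need startx and dhcpcd as noted above.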

Posted by Roger Grimes on May 30, 2006 12:39 PM


May 30, 2006 | Comments: (0)

Proof of concept macro virus created for StarOffice

StarOffice gets a macro virus.

http://www.infoworld.com/article/06/05/30/78762_HNstarofficevirus_1.html

Posted by Roger Grimes on May 30, 2006 12:37 PM


May 29, 2006 | Comments: (0)

Someone is claiming to have a remote Windows Vista exploit for sale (probably bogus)

Taken from Full Disclosure Mailing List [unconfirmed, probably bogus]

On 5/25/06, 0x80@hush.ai <0x80@hush.ai> wrote:
Due to the success of my IE vuln sale I have decided to sell a Windows Vista exploit I discovered. This one works remotely and will run code.

Warning: Emails contain offensive language
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/45736?page=last

Not sure if this is a valid claim (I even hesitated posting it here), but just in case. I tried to find out more about the poster and these claims, but did not come up with anything.

But reflecting on it a bit, a Windows Vista exploit released now, while Vista is still in beta, has little value. Released after Vista is widely deployed, it would be worth much more. So, if I had to guess, I would say this is a bogus post.

Posted by Roger Grimes on May 29, 2006 02:04 AM


May 24, 2006 | Comments: (0)

Will this event lead to mandatory data encryption?

Is the Veterans' data theft the tipping point event needed for regulators to require default encryption on all mobile devices and media for confidential data?
http://www.msnbc.msn.com/id/12953600/

Posted by Roger Grimes on May 24, 2006 12:44 PM


May 22, 2006 | Comments: (0)

Amazon slow to fix book error

On Friday I noticed that Amazon had the wrong information listed for my latest book, Professional Windows Desktop and Server Hardening http://www.amazon.com/gp/product/0764599909. They have the wrong book picture, and much of the displayed text is wrong. My book sales rank went from 8,000 to 60,000 in a few days. It's been three days, and still the problem is not fixed.

Amazon's fix-it request response said it could take up to 5 days for the problem to be fixed.

Come on, Amazon! You're a multi-billion dollar e-store.

Posted by Roger Grimes on May 22, 2006 10:00 AM


May 20, 2006 | Comments: (0)

Mac OS X kernel no longer open source on Intel platform

Fellow InfoWorld writer, Tom Yager, released this bombshell.

http://www.infoworld.com/article/06/05/17/78300_21OPcurve_1.html

I don't think any of us would have applauded Apple's switch to Intel as much if we knew the outcome would close down the kernel. I find myself with thoroughly mixed emotions about the whole idea.

Posted by Roger Grimes on May 20, 2006 02:19 AM


May 19, 2006 | Comments: (0)

Zero day MS-Word exploit in the Wild

This is rated low-risk everywhere and it's not widespread -- still folks should be careful with suspicious Word documents.

MDropper Trojan - Exploits Zero Day vulnerability in MS Word

http://vil.mcafeesecurity.com/vil/content/v_139539.htm
http://www.sarc.com/avcenter/venc/data/trojan.mdropper.h.html
http://secunia.com/virus_information/29277/mdropper.h/
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ginwui.html

Trojan.Mdropper.H is a Trojan horse that downloads other risks onto the compromised computer. This Trojan exploits a 0 day Microsoft Word vulnerability to drop Backdoor.Ginwui.

Thanks to friend, Harry Waldron, for the update.

Posted by Roger Grimes on May 19, 2006 06:40 AM


May 19, 2006 | Comments: (0)

Windows File Association Command Line Tools

I should have put this in my book

I just learned two Windows command line utilities that I never knew existed: assoc and ftype.

Both display or modify the file association list, and are essentially the command-line counterparts of the Windows Explorer GUI we normally use to view and modify file extension associations. assoc maps an extension to a file type (for example .vbs to VBSFile); ftype maps a file type to the command line that opens it (for example VBSFile to WScript.exe "%1" %*).

Type either one without arguments to dump the current table.
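The security use of these two tables is finding out which "document" extensions actually hand the file to a script host. The script below is an added example, not from the original post or from commandwindows.com: it parses the key=value text that assoc and ftype print and flags every extension whose open command runs through WScript, CScript, cmd.exe, mshta.exe and friends (or runs the file itself, as batfile does). On Windows it can read the live tables through cmd.exe; the embedded sample output is constructed so it also runs elsewhere.

```python
"""Audit Windows file associations for extensions that run as code.

Added example (not from the original post). Parses `assoc` and `ftype`
output and flags extensions whose open command is a script host.
"""
import re
import subprocess
import sys

# Programs that turn a "document" into running code when they appear as
# the first element of an ftype open command (matched on the basename).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample of `assoc` output (extension=progid).
SAMPLE_ASSOC = """\
.txt=txtfile
.vbs=VBSFile
.js=JSFile
.hta=htafile
.bat=batfile
.docx=Word.Document.12
"""

# Constructed sample of `ftype` output (progid=open command).
SAMPLE_FTYPE = """\
txtfile=%SystemRoot%\\system32\\NOTEPAD.EXE %1
VBSFile="%SystemRoot%\\System32\\WScript.exe" "%1" %*
JSFile="%SystemRoot%\\System32\\WScript.exe" "%1" %*
htafile=C:\\WINDOWS\\system32\\mshta.exe "%1" %*
batfile="%1" %*
Word.Document.12="C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE" /n "%1"
"""


def parse_pairs(text):
    """Turn 'key=value' lines into a dict, ignoring lines without '='."""
    pairs = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def open_command_host(command):
    """Lower-cased basename of the first program in an open command."""
    if not command:
        return ""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    if not m:
        return ""
    exe = m.group(1) or m.group(2)
    return exe.replace("/", "\\").split("\\")[-1].lower()


def risky_extensions(assoc_text, ftype_text):
    """Map each extension to the script host that would execute it.

    An open command that is just "%1" (e.g. batfile) executes the file
    itself, so it is flagged as well.
    """
    assoc = parse_pairs(assoc_text)
    ftype = parse_pairs(ftype_text)
    flagged = {}
    for ext, progid in assoc.items():
        host = open_command_host(ftype.get(progid, ""))
        if host in SCRIPT_HOSTS or host.startswith("%1"):
            flagged[ext] = host
    return flagged


def live_windows_tables():
    """On Windows, read the real tables via cmd.exe; elsewhere return None."""
    if sys.platform != "win32":
        return None
    assoc = subprocess.run(["cmd", "/c", "assoc"], capture_output=True, text=True).stdout
    ftype = subprocess.run(["cmd", "/c", "ftype"], capture_output=True, text=True).stdout
    return assoc, ftype


if __name__ == "__main__":
    tables = live_windows_tables() or (SAMPLE_ASSOC, SAMPLE_FTYPE)
    for ext, host in sorted(risky_extensions(*tables).items()):
        print(f"{ext:8} opens via {host}")
```

Anything the script flags is a candidate for the e-mail gateway block list, or for remapping with ftype to something harmless (for example pointing VBSFile at Notepad) on desktops that never legitimately run scripts.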

I learned both from the following website:
http://commandwindows.com

Thanks to friend Bryce Galbraith for the web site link.

Posted by Roger Grimes on May 19, 2006 02:09 AM


May 17, 2006 | Comments: (0)

Extract Potential Passwords from Web Pages

Tool creates password dictionary lists from web sites

Here's an interesting tool, Accent's (http://www.passwordrecoverytools.com/download.asp) Keyword Extractor.

http://www.passwordrecoverytools.com/store/ake_setup.exe

It extracts whole words from any web site you point it at and turns them into a password dictionary file for password cracking. The rationale is that in any large company, some small percentage of employees love their company and its products so much that they build their passwords from something identified with the company (and probably listed on the company's web site). I can believe that. When you have worked hard on a particular project for over a year, it's not hard to believe that you might choose a password related to your beloved product.

The beta tool is a free download. Install the product, then choose New, and type in a web page URL to browse.
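The idea is simple enough to build yourself. The script below is an added example, not Accent's tool and not from the original post: it strips the HTML from a page, keeps words of a plausible password length, de-duplicates them, and applies a few of the mangling rules users actually follow (case variants, a trailing digit or punctuation mark, a trailing year). The page it chews on is a constructed sample, not a real company site, and the year list is an assumption you would set to the current and previous year.

```python
"""Build a targeted password wordlist from a web page's visible text.

Added example (not Accent's Keyword Extractor). Sample HTML is constructed.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: script and style content must NOT end up in the list.
SAMPLE_HTML = """<html><head><title>Acme Widgets</title>
<style>body {color: black}</style></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Home of the WidgetMaster 3000 and the Gizmotron product family.</p>
<script>var tracker = "ignoreme";</script>
<p>Founded in 1987 in Springfield. Contact: sales@acme.example</p>
</body></html>"""


class TextExtractor(HTMLParser):
    """Collect visible text, ignoring anything inside script/style."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def visible_text(html):
    parser = TextExtractor()
    parser.feed(html)
    return " ".join(parser.chunks)


def extract_words(html, min_len=4, max_len=20):
    """Unique words in first-seen order, original case kept for mangling."""
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z][A-Za-z0-9]*", visible_text(html)):
        if min_len <= len(word) <= max_len and word.lower() not in seen:
            seen.add(word.lower())
            words.append(word)
    return words


def mangle(word, years=("2005", "2006")):
    """Apply common user habits: case variants, trailing digit/symbol/year."""
    base = {word, word.lower(), word.capitalize(), word.upper()}
    out = set(base)
    for b in base:
        out.add(b + "1")
        out.add(b + "!")
        for year in years:
            out.add(b + year)
    return out


def wordlist(html):
    """Sorted, de-duplicated candidates for a cracker's dictionary mode."""
    candidates = set()
    for word in extract_words(html):
        candidates |= mangle(word)
    return sorted(candidates)


if __name__ == "__main__":
    print("\n".join(wordlist(SAMPLE_HTML)))
```

Feed the output to the dictionary mode of whatever cracker you already use; the mangling rules are where most of the hits come from, so extend them with the patterns you see in your own users' password audits rather than with more web pages.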

On my XP SP2 machine with the IE 7 beta, it froze and locked up, but not before creating an out_all.dat file (which, by the way, was not the file name I had told it to create). Heck, it's beta.

Interesting if nothing else.

Thanks to Canadian student David McFarlane for this one.

Posted by Roger Grimes on May 17, 2006 07:20 AM


May 17, 2006 | Comments: (0)

Great new security podcast!

If you're looking for big names with tech cred, it doesn't get much better than this.

Hosted by Gary McGraw; the first episode is an interview with Avi Rubin.

http://www.cigital.com/silverbullet/

Posted by Roger Grimes on May 17, 2006 06:40 AM


May 17, 2006 | Comments: (0)

P2P software exposes SCADA system data

I bet this happens hundreds of times a day to many, many companies.

------------

[From Jon Kibler's Dshield posting]

Item from DHS Daily Open Source Briefing today:

May 15, Kyodo (Japan): Japan's power plant security info leaked onto Internet. Security data on a thermal power plant has been leaked onto the Internet from a virus-infected personal computer, the company in charge of the plant's security said Sunday, May 14. The information was passed onto the Internet through a file-sharing program called Share. The data includes the locations of various facilities in Chubu Electric Power Co.'s thermal power plant in Owase, Mie Prefecture, including the control room, instrument panel room and boilers, officials of the security company, a Chubu affiliate, said. Also leaked were manuals on how to deal with unconfirmed reports of intruders in the plant, as well as a list of the names and home addresses of the security firm's employees and other personal data on guards, they said. Chubu Power, based in Nagoya, operates five nuclear power reactors in Shizuoka Prefecture.

http://search.japantimes.co.jp/cgi-bin/nn20060515a3.html

Malware: The modern terrorist's best friend.

Posted by Roger Grimes on May 17, 2006 06:31 AM


May 17, 2006 | Comments: (0)

Spammers win

Spammers fight better than the good guys

Spammers have shut down yet another anti-spam organization. Interesting read.

http://wired.com/news/technology/0,70913-0.html?tw=wn_index_1

Posted by Roger Grimes on May 17, 2006 06:29 AM


May 16, 2006 | Comments: (0)

W2K3 SP2 coming out by year end

Microsoft will release W2K3 Service Pack 2 in the second half of 2006.

Posted by Roger Grimes on May 16, 2006 06:04 PM


May 14, 2006 | Comments: (0)

More Security Podcasts reviewed

Several security podcasts reviewed.

By Jim Weiler, Boston OWASP director

http://www.owasp.org/docroot/owasp/misc/SecPodcasts.txt

Posted by Roger Grimes on May 14, 2006 09:07 AM


May 10, 2006 | Comments: (0)

How to Secure Windows

List of dozens of steps that can be used to secure Microsoft Windows

Download this Microsoft Word document table listing dozens of steps, ranked by criticality, that can be used to strengthen Microsoft Windows.

Download file

Table courtesy of my latest book, Professional Windows Desktop and Server Hardening (Wrox)

Posted by Roger Grimes on May 10, 2006 03:50 PM


May 10, 2006 | Comments: (0)

100+ Potentially Malicious Windows File Extensions

Table listing every Windows file type that has or can be used maliciously

Download this Microsoft Word document table listing over 100 file types/extensions that can be used maliciously.

Download file


Courtesy of my latest book, Professional Windows Desktop and Server Hardening (Wrox).

Posted by Roger Grimes on May 10, 2006 03:46 PM


May 10, 2006 | Comments: (0)

Where Windows Malware Hides

A table listing over 180 places where Windows malware can hide

Download a Microsoft Word document table listing every known Windows location where Windows malware can hide and launch from.
Download file

This is the most complete list of its kind. It comes courtesy of my latest book, Professional Windows Desktop and Server Hardening (Wrox).

Posted by Roger Grimes on May 10, 2006 03:42 PM


May 06, 2006 | Comments: (0)

Comments to my Monoculture column

People write in about my Monoculture article http://www.infoworld.com/article/06/05/05/78046_19OPsecadvise_1.html

----------------
Computing monoculture is a problem. When worms hit highly networked countries like South Korea, which has Windows running on 98% of its computer systems, they brought the country's infrastructure down. Not just business and home computers; they also afflicted ATMs and cashier counters.

Our engineering campus with 4790 computers, 61% Windows, 23% Mac OS X, 8.7% Linux, 7% Unix (AIX, HP-UX, Irix, Solaris, BSDs, misc QNX), fared much better while the Koreans were hurting. Sure, our networks were slowed down somewhat, but most of us could get our work done.
Except for the poor system administrators who had to run around like decapitated chickens unplugging and reloading Windows computers.
Departments with fewer Windows computers fared much better in the 2002-2004 Windows worm era.

If one's dependence on a single OS is so great, one massively destructive worm could collapse the infrastructure. Ask the Irish about the potato famine, or why one advises farmers not to grow a single crop in an area. Monoculture being harmful is common sense; your column only talks about having to patch multiple OSes as the reason why it's difficult to maintain a secure environment. That is a matter of manpower, not of reducing exposure to vulnerability. Would you want your neighborhood nuclear power plant, Delta rockets, Trident missiles, GPS satellites, x-ray/CAT/MRI machines to all run on Windows? I sure as hell wouldn't, even if it was on OpenBSD. So me being against computing monoculture has nothing to do with being anti-Microsoft.
It’s about being against dependence on a single OS and trusting it to withstand the worst worm/virus spreading throughout the world.

Dan Geer was fired prematurely; his warnings were right on. Network worms that can choke a network switch are yet another reason not to rely on VoIP for businesses, but I digress. Here is a question: should we rely on a single source or single vendor to provide us with protection against all the pathogens in the world? If a single company in the world provided 95% of all the known vaccines for humans, wouldn't you be worried that there is a chance this company would not be able to protect you against the latest H5N1 or SARS outbreak? The government advisory boards are smart enough to realize such a dependence on a single contractor would be folly. It's a shame the government and you don't realize the same is true for operating systems. Well, I should say not everyone in the government. Richard Clarke talked about this problem on the PBS show Cyberwar. I recommend you watch it sometime.

http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/

Personally, I would feel better with 70% / 25% / 5% ratio of three major OSes globally. I'm not for supporting five different Unixes and 20 Linux distros either. Just less Windows, more Mac OSX or one Linux vendor, then to a lesser degree some other different OS to work on the servers.

________________

I'll agree with most of your items except the piece about MS-Office
and PDF. There's any number of save-to-PDF add-ons readily available
for Office, and ODF is being pushed as a replacement for DOC/XLS/PPT,
not for PDF format. The recent pushes by Massachusetts and the EU to
standardize on ODF for document storage confirm this.

By the way, OpenOffice saves to PDF and ODF natively, and is free.

_______________________

Okay, let me state my biases up front: I'm a Mac guy in a company that's roughly 2/3 Macs and 1/3 Windows, with all critical servers running on Xserves. I think Mac OS X is the best operating system around and believe that while Windows has made XP a mostly-tolerable operating system, it's still mediocre at best.

That said, I think that avoiding a monoculture is an important strategic goal and any long-term projects should bear that goal in mind. It's not necessary to have hard quota numbers (though, something like "10% of our desktops running non-Windows OSes by the end of FY '07" might be a very achievable milestone), but decisions should be evaluated in part on whether they perpetuate vendor lock-in.

For instance: If you're looking at an enterprise application with a Web front end, somebody should be asking the question, "How does this work with Firefox? With Safari? Does it depend on ActiveX?" If you're looking at a new hire, even if you're currently a Windows shop, maybe that DBA with SQL Server and MySQL experience might be a better choice than the guy with more MS SQL experience but nothing outside that specialty. If nothing else, a staff with diverse backgrounds will bring a fresher perspective to your enterprise than a group with cookie-cutter resumes.

As you also point out, application diversity is its own advantage, and also can be simple to accomplish. What percentage of your users have Firefox and IE both installed on their systems? Some will use one, some will use another, and at least part of your user base will be immune to whichever virus comes along.

There's a sweet spot between utter anarchy and regimented lockstep where a diverse enterprise can be more secure against zero-day vulnerabilities without losing the ability to manage systems. Hitting that sweet spot should be in every company's long-term objectives.

___________________

In your monoculture column - very convincing I might add so I'll not
be arguing that any more - you say you can't make PDFs for free.

Not true at all. OS X generates PDFs from every application that can
print - for free. And you can find Windows (and no doubt Linux)
applications that will do the same for free as well.

So you want to get into publishing seriously? Then you have to pay for InDesign or Acrobat Pro. So yes, if you want to do peer reviewing of documents with commenting sans Word, or generate print-quality PDFs with transparency and layers that you can modify without the original application when the document is at the printshop or service bureau, then you have to pay. Or create documents that people can fill in information in fields (like IRS 1040 forms, etc.) you need Acrobat pro.

As for OpenDocument replacing PDFs, what about this from Wikipedia?
There are already applications that currently read/write OpenDocument
that export Tagged PDF files (in support of PDF accessibility); this
suggests that much or all of the necessary data for accessibility is
already included in the OpenDocument format.

Why would they be concerned with PDF compatibility if it replaces it?
Besides, the whole publishing industry is moving to a PDF workflow.
PDF/X and other implementations of Postscript 3 are making PDFs the
dominant standard through which most publishing applications will
write to file formats that printers and service bureaus use. EPS is the past.

And so are proprietary Quark, InDesign and other formats. PDF is the
future of printing.

For the average business communication, or presentation, I can see
OpenDocument having a shot. But with the dominance of Microsoft
Office, and the brainwashed masses of MCSE graduates who make software purchasing decisions, is there really any hope of that happening?

Posted by Roger Grimes on May 6, 2006 12:51 AM


May 04, 2006 | Comments: (0)

My latest articles on SSL-bypassing trojans

E-commerce in crisis: When SSL isn't safe

http://www.infoworld.com/infoworld/article/06/05/01/77467_18FEsslmalware_1.html

Posted by Roger Grimes on May 4, 2006 02:08 PM


May 04, 2006 | Comments: (0)

My new book is out

Professional Windows Desktop and Server Hardening (Wrox)

http://www.amazon.com/gp/product/0764599909

I wanted to call it "Everyone Else's Windows Security Book Sucks", but my editors wouldn't let me do it. Go figure.

My fifth book on computer security covers how to securely configure any Windows PC. This is practical, hands-on advice. Not just nice-to-have information, but information, tables, and charts you can use to immediately increase the security of any Windows network or PC.

For instance, it contains a table that lists the 200 places Windows malware can hide. No other source has a table this complete. Another table tells you what file extensions can be used maliciously and which ones need to be blocked on the email gateway versus computer desktop.

It lists all the default file and folder permissions, and which ones can be abused. How can you protect Windows if you don't know the defaults?

My book tells you how to defeat Windows password cracking in four steps. When it teaches you IPSec, it tells you where to implement it. It comes with a few tables summarizing all the advice and recommending which steps are high priority versus nice-to-have.

I talk about where to use GPO's, versus security templates vs. local computer policy. I tell you how to get the most bang-for-the security buck.

I'm biased, but I know this is the best Windows security book. I dispel rumor and publish the facts. Facts like "security-by-obscurity" works! Facts like renaming the Administrator account really does work, even if hackers do SID enumeration. I talk about how the biggest threat to any computer system is malware, not the dedicated hacker.

Every company that has consistently followed my advice as laid out in the book has never suffered a single hacker or malware attack. Some day one of my clients may get hacked, but for the last five years the record stands unbroken.

Posted by Roger Grimes on May 4, 2006 01:42 PM


May 04, 2006 | Comments: (0)

Yahoo promotes spyware?

A lawsuit filed against Yahoo states that Yahoo gains advertising revenue by using spyware companies and typosquatters.

If this is true, it would be very sad.

http://www.infoworld.com/article/06/05/04/78067_HNyahooclassaction_1.html

Posted by Roger Grimes on May 4, 2006 01:35 PM


May 02, 2006 | Comments: (0)

Microsoft Password Strength Checker web site

Checks to see how strong your password is.

http://www.microsoft.com/athome/security/privacy/password_checker.mspx

The password checker site is a neat idea for home users and welcome help for any casual user, but it suffers from a weak scoring algorithm. It assumes password strength can only come from mixing character sets and almost ignores password length, which is really the best defense against cracking. For example, if you type an all-lowercase passphrase (e.g. ilovemywifetilltheendoftime) it rates the password as weak, when a 27-character password is far beyond the brute-force reach of any of today's tools.
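The arithmetic behind that complaint, as an added example (this is not Microsoft's scoring code, nor from the original post): the brute-force keyspace grows with the alphabet raised to the length, so adding characters beats adding character classes very quickly. The assumed guess rate of ten billion per second is a stand-in for illustration, not a measurement of any real cracker. One caveat the number does not capture: a passphrase built from dictionary words is also exposed to combinator and dictionary attacks, so the brute-force figure is an upper bound on its strength; the checker's mistake is scoring it below even an eight-character mixed password, which no attack model justifies.

```python
"""Brute-force keyspace of a password: length beats character-set mixing.

Added example, not Microsoft's checker. Guess rate is an assumed constant.
"""
import math
import string

# Standard character classes; a brute-force attacker who sees one member
# of a class has to assume the whole class.
CHARSETS = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation + " "),  # 33
}

ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption for illustration only


def alphabet_size(password):
    """Size of the union of every character class the password touches."""
    size = sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses no recognised characters")
    return size


def keyspace_bits(password):
    """log2 of the number of candidates an exhaustive search must try."""
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case years to enumerate the whole keyspace at the given rate."""
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare(short_complex, long_simple):
    """Bit counts of both passwords and whether the longer one wins."""
    a, b = keyspace_bits(short_complex), keyspace_bits(long_simple)
    return {"short_complex_bits": a, "long_simple_bits": b, "longer_wins": b > a}


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "ilovemywifetilltheendoftime"):
        print(f"{pw:30} alphabet={alphabet_size(pw):3} "
              f"bits={keyspace_bits(pw):6.1f} "
              f"years={years_to_exhaust(pw):.3g}")
```

Run it and the eight-character, four-class password lands around 53 bits (days at the assumed rate) while the lowercase passphrase lands around 127 bits; that gap, not the number of character classes, is what a strength meter should be measuring.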

Still, nice site for many users. It would get them on the right track.

Posted by Roger Grimes on May 2, 2006 04:12 AM


May 01, 2006 | Comments: (0)

CORE Impact vulnerability tester screenshots

Here are example screenshots from CORE Impact

As promised in my recent column http://www.infoworld.com/article/06/04/28/77787_18OPsecadvise_1.html, here are some example screenshots from Core Impact.

Download file

Posted by Roger Grimes on May 1, 2006 06:11 PM

