Internet Security News

The mildest patch update from Microsoft since it skipped one in March 2007 took place this week, and LANDesk launched its Gateway Appliance for managing patches and other updates for remote devices.

If you were looking for a Macrovision patch from Microsoft as the Critical issue being repaired on Tuesday, keep looking.

They did fix the URI handling problem in Windows. We reported on that problem in July: Internet Explorer failed to validate input before passing it along to a URI handler, which is what posed the threat.

“Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7,” Microsoft said in the update. “However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003.”

A second issue corrected by Microsoft fixed a vulnerability in DNS that could have enabled a successful spoofing attack. That would have allowed traffic to be redirected from a legitimate site to a different destination, without the individual realizing what had happened.

Such issues compound work for security pros who have to manage an increasingly remote workforce. We talked to LANDesk ahead of Microsoft’s Patch Tuesday releases about their new Gateway Appliance aimed at that task.

Nathan McLain, product manager at LANDesk, said the new device enables remote management of patches and updates on those mobile platforms.

The Gateway Appliance is a hardened Linux device using the 2.6 kernel, and the minimum features needed to make it suited for the purpose. It can handle 5,000 concurrent connections, with a background agent taking care of the work on the remote device.

Companies with large sales teams tend to have a need for this capability, as the background agent works with the Appliance to take care of the updating needed without user intervention. This keeps those distant workers from suffering unprofitable downtime during the update period.

More: continued here

Internet Security News

The company’s latest service, on-demand log management, arrived to complement Alert Logic’s product line.

Our chat with Alert Logic marketing VP Chris Smith proved informative, beyond the log management product the company rolled out to customers. As those with compliance needs know, logs form the core of what auditors want to see a firm collect, review, and archive.

The demands of archiving alone mean the expense of running a tape library, or expanding the capacity of a storage area network. Logs grow continually as a business operates. As Smith noted, this can get messy when multiple machines start churning out terabytes of log data each week.

Alert Logic’s approach utilizes an appliance that collects data in syslog format from machines on a network. This happens as an agentless process, so it’s just a matter of permitting the appliance to do a remote procedure call to machines meriting this attention.

Delivering log management this way makes it the first such system created in the software-as-a-service mold. The company’s other products, handling network security and policy compliance, work the same way. Security pros take note: SaaS could aid your work in certain circumstances.

Consider what Smith cited as Alert Logic’s log management capabilities. Its software can pull out potential client concerns automatically. Reports may be accessed through a web browser; for the obsessive types, data may be exported to assess it with other tools like Crystal Reports.

With over 300 clients buying in to this subscription model, and Alert Logic “re-earning” them at a rate over 98 percent, they have tapped an interest in security and intrusion detection delivered by SaaS in the middle market.

That represents companies with up to 10,000 employees, and Smith touted Alert Logic’s appeal to compliance-heavy industries like healthcare, financial, education, and oil & gas as a strength. The most common demand has been for user access information, which would indicate potential internal issues requiring attention.

Alert Logic may draw some extra attention, too, that of the external customer variety. The model is interesting enough to merit attention, and as long as it can function seamlessly and securely, cost-sensitive executives should be compelled to seek it out for review.

More: continued here

Internet Security News

Email security company Commtouch unveiled its Malware Outbreak Center and associated tools today, to provide a look at various aspects of spam and viruses.

Commtouch delivered new goodies for security pros to play with on its website. The Malware Outbreak Center provides virus outbreak reports, spam outbreaks, and other services to visitors.

Their virus outbreak reporting shows email-borne malware that Commtouch has picked up on and blocked as it arrives at a mailbox it is protecting. By clicking on an entry in the virus outbreak report, the viewer can see details about the virus.

The report shows how quickly a number of common antivirus solutions had a signature available to combat the new threat. Some picked up on it right away, others took time to deploy a signature, while a few did not deploy a solution during the analysis period Commtouch used.

Commtouch’s Real-Time Outbreak Monitor shows where new outbreaks of spam are taking place. Information from mousing over the outbreak location shows its location, subject line, and URL. They also graph the number of attackers and the massiveness of the outbreak.

Other features offered include a spam calculator, to determine how much spam costs a company based on the time it takes to delete it and other factors; and a set of spam statistics showing countries, domains, and other information about spam outbreaks.

More: continued here

Internet Security News

The murder of Alexey Tolstokozhev ended with a calling card - a final head shot by the killers.

UPDATE!: McAfee thinks this tale of spammer punishment may be a hoax. More here.

Alex Loonov blogged about Tolstokozhev’s murder after seeing it on Russian television. Tolstokozhev had been shot several times in a luxury home near Moscow.

Apparently the shooter pumped a final shot into Tolstokozhev’s head. Loonov said this was a trademark of Russian hitmen.

Tolstokozhev had been a big-time pharma spammer, selling Viagra and other drugs via spam links to pharmacies. These paid Tolstokozhev a piece of the action, which may have been worth up to $2 million just in 2007.

Though Loonov said one has to suspect one of the billion people who have been aggravated by his spamming as the killer, this sounds more like criminal competition. It won’t be surprising to hear of an Organizatsiya connection, should the authorities probe the murder deeply.

Multi-million dollar profits in a country where Loonov said the average monthly salary is about $400 will attract criminal attention. The crime sounds like it was meant to send a message - play ball or else - to other spammers being offered certain “partnerships” with organized crime.

More: continued here

Internet Security News

Dr. Paul Mockapetris had some comments to make after the federal General Services Administration caused California IT pros grief with a shutdown of their domain record.

The shutdown, prompted by a hacked server within the ca.gov domain, took the whole domain offline along with the ability of people working under that domain to get work done on the Internet.

Dr. Mockapetris, he of the RFCs 882 and 883 that gave the Internet the ability to use domain names, told SecurityProNews the shutdown GSA initiated didn’t have to happen. It also didn’t need to impede California workers.

He said IT administrators need to ensure that a top-level domain problem like ca.gov’s can’t bring web and email traffic to a halt. People have the same needs for government services each day.

Those admins have to monitor their networks for problems on a 24/7 basis. In our earlier report, it was noted that the GSA notification of the shutdown ended up in the inbox of someone who would not ordinarily handle such an issue.

That’s no excuse for not realizing something bad happened, or for not having a ready fallback in place for state workers.

The good doctor also had chastising words for the GSA, saying, “you don’t necessarily turn off a domain because there are some bad users in there.”

There is blame to go around for the Ca.Gov fiasco. Ultimately, better communication could have averted the problem.

More: continued here

Internet Security News

Fixes for Adobe Reader and Acrobat versions 8.1 or prior need to be installed to mitigate a critical vulnerability and the exploits flying around the Internet trying to penetrate those flaws.

The critical Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability, listed here, affects Windows XP users with Internet Explorer 7 in place. Vista is not affected by this problem.

Although Adobe has released fixes for the issue, criminal spammers have been trying to hit people who are slow to update their products. Security firm McAfee reported on their Avert Labs blog the presence of such an exploit in spam messages today.

“Successful exploitation leads to a batch file being executed on the victim’s machine that disables the built-in windows firewall,” said Vinoo Thomas, “and then downloads a password stealer from an IP address located on the RBN network.”

Regular readers of SecurityProNews won’t be surprised to learn this exploit has ties to Russia, as so many spam campaigns have over time. RBN, also known as the Russian Business Network (have to love that spammer humor), may be a legitimate business, but it hosts plenty of criminal efforts.

It also comes as no surprise that Russian law enforcement has enjoyed no success in policing RBN for illicit activity, according to reports from other computer security companies.

Security pros should ensure their systems and networks have the Adobe updates in place as needed.

More: continued here

Internet Security News

The Sixth Circuit will hear an appeal by the US Government that seeks to treat email as being outside the usual Fourth Amendment protections against unreasonable search.

Send an email and any reasonable expectation of privacy you have about that message departs along with it. The Bush Administration believes that sending an email through an ISP that monitors the message automatically means the sender forfeits Fourth Amendment protections for it.

Mark Rasch at SecurityFocus noted the Sixth Circuit will hear an appeal by the federal government in the case of Warshak v United States. In an earlier case as part of an investigation of Warshak, investigators obtained email from an ISP, and did not notify Warshak until more than a year later of their subpoena.

A court document from the Sixth Circuit noted the Justice Department erred in failing to notify Warshak:

The government has conceded that it violated the statute by waiting for over a year without providing notice of the e-mail seizures to Warshak or seeking extensions of the delayed notification period, and it appears to have violated the magistrate’s decision for the same reason.

Whether or not the constitutionality test passes the full Sixth Circuit seems to depend on the interpretation of privacy expectations. The US Government believes they end whenever an email passes through an ISP with a stated policy of monitoring emails at its discretion.

Rasch noted an earlier decision where the Government cited antivirus scanning and anti-spam filtering as automated processes that examine email contents, thus eliminating an expectation of privacy.

The reasonableness of such actions and the privacy people expect look like the central issue. The Feds want to be able to go to the ISP and obtain email as they see fit, without a subpoena, without providing notification to the target and without the target being able to complain of an unreasonable search.

Law enforcement enjoys the ability to obtain a subpoena as necessary, to perform investigations as needed. They can require an ISP to retain evidence; they don’t need to have the Fourth Amendment rendered irrelevant for electronic communications.

“This appears to be more than a mere argument in support of the constitutionality of a Congressional e-mail privacy and access scheme. It represents what may be the fundamental governmental position on Constitutional e-mail and electronic privacy — that there isn’t any,” wrote Rasch.

More: continued here

Internet Security News

One person with an administrator password and access to critical systems can cause chaos within a business.

The time has arrived to crack down before something really sensitive gets compromised.

Back in September, a simulated remote attack on an electrical generator left the machine a smoldering wreck.

With enough access to such critical systems, one person could cause a lot of damage.

Multiply that potential by the national power grid, and you get the kind of responses CNet cited from Rep. Jim Langevin (D-R.I.), who wants much more stringent controls and security standards for the nation’s infrastructure.

On the topic of infrastructure, Xceedium CEO Cheryl Traverse said in a chat with SecurityProNews the real threat comes from the high risk users who can touch many parts of an enterprise system.

Administrators, developers, and anyone whose access rights cross systems and structures poses a risk.

Traverse claimed 86 percent of internal attacks come from insiders or outside people brought in and given too much access.

It’s a situation that her company believes it can address through technology.

In this case, infrastructure virtualization will serve to compartmentalize what people can see in the system, limiting them to where they are authorized to be.

Traverse said the control takes place at the socket layer, so if an insider tries to jump from an authorized place to an unauthorized one, that access will be stopped.

Various tracking tools show what people do in the system.

Traverse noted that reporting functions will show that established policies are being followed, an important piece of the compliance puzzle for publicly traded firms in particular.

Corporate losses to insider actions should make Xceedium and competitors that will certainly follow a business decision to be considered.

If the technology can work on a practical level as advertised, its benefits should outweigh the costs of implementation and ongoing monitoring needed to benefit from it.

More: continued here

Internet Security News

Two laptops were removed from a locked office during the first weekend of September at Carnegie Mellon University; these laptops contained personally identifying information about students.

It took Carnegie Mellon a month to alert students to the theft of two laptops from the office of a computer science professor. The information was not encrypted on the machines, according to a report from the student newspaper, The Tartan.

Though the theft took place on or about September 2, the school did not notify students until September 29. One student told The Tartan that his request for Carnegie Mellon to pay for credit monitoring was refused by the school.

The director of the school’s Information Security Office, Mary Ann Blair, thinks students who took the unnamed professor’s courses between summer 2004 and spring 2006 could be impacted by the theft.

Investigators think the thefts were for the laptops’ value as a commodity, and not for their data. The rationale is that the thieves would try to sell them for a quick profit.

However, that view doesn’t account for the potential misuse a buyer could make of the information on those machines. We don’t think it’s likely the thief or thieves will vet their buyers for good intentions.

More: continued here

Internet Security News

Microsoft gets way too much blame for needing lots of patches for their products; Oracle will ship 51 fixes for its products in October.

Patch Tuesday arrived for Oracle administrators today, and it’s a doozy. Oracle releases patches on a quarterly basis. Today’s scheduled bundle of joy will give Oracle’s customers plenty to apply to their software.

Oracle’s critical patch pre-release announcement called for 51 patches covering products across their spectrum of software. Patches for Oracle’s signature database products total 27 of the 51 planned for release.

From their statement, the Oracle database components affected by vulnerabilities that are fixed in this Critical Patch Update are:

•  Advanced Queuing
•  Advanced Security Option
•  Core RDBMS
•  Export
•  Import
•  Oracle Database Vault
•  Oracle Net Services
•  Oracle Text
•  Spatial
•  SQL Execution
•  Workspace Manager
•  XML DB

On the Oracle Application Server, seven of the eleven security fixes arriving for that product represent patches for remotely exploitable issues. An attacker would not need a username/password combination to exploit them.

Oracle said the Application Server components affected by vulnerabilities that are fixed in this Critical Patch Update are:

•  Oracle Containers for J2EE
•  Oracle HTTP Server
•  Oracle Internet Directory
•  Oracle Portal
•  Oracle Process Mgmt & Notification
•  Oracle Single Sign-On

Fixes for some PeopleSoft products are in the release, but there are no new security bulletins for JD Edwards products, Oracle said.

More: continued here

Internet Security News

Someone accidentally sent an email containing all the whistleblower email addresses to the entire list of addresses that submitted tips about abuse in the Justice Department. Then it gets worse.

The House Judiciary Committee has been looking into firings of US attorneys since Democrats regained control of Congress. To facilitate the investigation, they established an online tip form during this past summer.

In the words of Terry Pratchett, that effort just turned pancake-shaped. An email sent to all of the tipsters placed all of their email addresses in the To: field, rather than the preferred BCC: field. As TPM Muckraker found, another email address made it into the list:

There are more than 150 recipient addresses revealed in the email. Some of the email addresses appear to be transparently fake, but there’s also, much more troubling, a vice_president@whitehouse.gov carbon copied on the email, which is the public email address for Vice President Dick Cheney.

In other words, an email containing the email addresses of all the whistleblowers who had written in to the committee tipline was sent to the public email address of Vice President Cheney.

To put the final insult cherry on top of the injury sundae, the email sent to the tipsters illustrated new procedures the Committee planned to use to review the tips that had been submitted.
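As an added example, not code from the original article, here is how a bulk notice like the committee’s should be assembled so the tipster addresses travel only in the SMTP envelope, together with a pre-send guard that catches the To: mistake described above. The sender and tipster addresses are constructed placeholders.

```python
"""Bulk notification that keeps its recipient list hidden.

The recipients are handed to SMTP only as envelope recipients; the visible
To: header carries just an alias pointing back at the sender.  A pre-send
guard refuses any message whose headers expose a protected address.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (placeholders, not real tipsters or a real sender).
TIPSTERS = [
    "tipster1@example.org",
    "tipster2@example.net",
    "someone@example.com",
]
SENDER = "tipline@committee.example.gov"


def build_notice(sender, bcc_recipients, subject, body):
    """Return (message, envelope_recipients).

    The real recipients are returned separately so the caller passes them
    to SMTP.send_message(..., to_addrs=envelope); they never enter a header.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"Undisclosed recipients <{sender}>"
    msg["Subject"] = subject
    msg.set_content(body)
    # No Bcc header on purpose: a Bcc header left in the message can leak too.
    return msg, list(bcc_recipients)


def build_leaky_notice(sender, recipients, subject, body):
    """The mistake from the story: every recipient listed in the To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses any recipient will see in the delivered headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _name, addr in getaddresses(headers)]


def leaked_addresses(msg, protected):
    """Protected addresses that show up in visible headers (should be empty)."""
    visible = {a.lower() for a in visible_recipients(msg)}
    return sorted(a for a in protected if a.lower() in visible)


def safe_to_send(msg, protected, sender):
    """Guard: every visible address must be the sender's own alias and no
    protected address may appear anywhere in the headers."""
    if leaked_addresses(msg, protected):
        return False
    return all(a.lower() == sender.lower() for a in visible_recipients(msg))


if __name__ == "__main__":
    good, envelope = build_notice(SENDER, TIPSTERS, "Tip review procedures",
                                  "Here is how submitted tips will be reviewed.")
    bad = build_leaky_notice(SENDER, TIPSTERS, "Tip review procedures", "...")
    print("hidden-recipient notice safe:", safe_to_send(good, TIPSTERS, SENDER))
    print("To:-field notice leaks:", leaked_addresses(bad, TIPSTERS))
    # Actual delivery would use smtplib.SMTP.send_message(good, to_addrs=envelope).
```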


More: continued here

Internet Security News

Criminals who are registering domain names that resemble legitimate websites for campaigning Presidential candidates hope to infect visitors with malware.

There is no particular method to how politicians and their campaigns have registered the official websites for each candidate. Latecomer Fred Thompson has his official site at www.fred08.com while John McCain has www.exploremccain.com, and many Democrats have domains that are simply firstnamelastname.com.

Someone clicking a link in a web search to what looks like a real candidate website could be in for the kind of unpleasant surprise they wouldn’t normally get until the candidate has been in office for a couple of months.

Security firm Webroot said fraudulent sites have been cropping up in searches for candidates. Malware hidden in videos or screensavers offered for download on these fake sites could cause problems for people.

“We initially saw these types of spoofs surrounding the Barack Obama and Ron Paul websites,” said Webroot COO Mike Irwin. “But we are finding that the spoofs intensify at the end of the month and will expect to see them intensifying as the candidate sites begin to see more traffic during the later phases of the campaign or during major fund-raising drives.”

Webroot has discovered hundreds of fake sites to date. They have provided a list of candidates and their legitimate online presences as a public service:

Joe Biden: http://www.joebiden.com/

Sam Brownback: http://www.brownback.com

Hillary Rodham Clinton: http://www.hillaryclinton.com

Rudy Giuliani: http://www.joinrudy2008.com

Chris Dodd: http://chrisdodd.com

Mike Huckabee: http://www.mikehuckabee.com

John Edwards: http://johnedwards.com

Duncan Hunter: http://www.gohunter08.com

Mike Gravel: http://www.gravel2008.us/

John McCain: http://www.exploremccain.com

Dennis Kucinich: http://www.dennis4president.com

Ron Paul: http://www.ronpaul2008.com

Barack Obama: http://www.barackobama.com

Mitt Romney: http://www.mittromney.com

Bill Richardson: http://www.richardsonforpresident.com

Tom Tancredo: http://teamtancredo.org

Fred Thompson: http://www.fred08.com

More: continued here

Internet Security News

Invitation-only music tracker OiNK.cd has been shut down, with its 24-year-old administrator arrested in Britain in connection with the investigation.

OiNK has been a thorn in the side of the International Federation of the Phonographic Industry (IFPI) for a couple of years. IFPI claimed in a BBC report the OiNK.cd site leaked 60 major albums before their release in 2007.

Though OiNK operated as a members-only torrent tracker, once music made it to the site’s members, it quickly flowed to other outlets online. That gained the site a reputation as a major source of new music.

Today, visitors to the site are greeted by this message: “A criminal investigation continues into the identities and activities of the site’s users.” British and Dutch authorities have been involved in the investigation, as has Interpol.

“OiNK hosted hundreds and thousands of torrents with over a million peers which makes it more popular than most public trackers,” said torrent news blog TorrentFreak.

While the unnamed administrator and his father have been arrested in Britain, servers in Amsterdam hosting OiNK.cd were also shut down. The administrator has not been identified, but a whois lookup for the domain lists the name ‘Alan’ as the registrant, with a Middlesbrough address.

More: continued here
