IT Trenches


September 16, 2009  6:31 PM

Would you click if it showed on the NY Times website? – Really would you?



Posted by: Troy Tate
ad revenue, browser security, computer network, hardware, information security, information security management, licensing, malicious software, malware, network access, PC, permit, Security, social engineering, software, user education

Yesterday Fierce CIO reported that New York Times falls victim to rogue ad. This is a trend that seems to be happening more frequently. Rogue malware ads are appearing in a lot of places these days in areas most people would trust as authoritative and reliable sources of information. It is unknown how much the rogue malware “seller” may have gotten by putting the ad on the NY Times website but they likely made something from unsuspecting users. The NY Times did suffer some amount of loss since they disabled all third party ads until the rogue ad was removed. What would you do if an ad popped up on a trusted website saying your computer was infected? Most IT professionals would disregard the message as their systems SHOULD already be protected. However, how much of the general population is not an IT professional (at least outside of their own home ;) )?

What can and should the security industry do to educate users about these social engineering tactics? Should computers be “licensed” or “permitted” to be on the internet to reduce threats to unsuspecting users? That’s a thought for you… what governing body would issue these computer use permits? What would the rate infrastructure be like – based on processor/memory or bandwidth? Where would the permit fees go? Would there be some internet oversight body that uses the fees to have inline malware filters?

Thinking out loud here folks – offer some suggestions. Your input is welcome and appreciated.

Thanks for reading and let’s continue to be good network citizens!

=========================

20090918 Update:

E-Week reports that there is a surge in click fraud. According to the article this is similar to the NY Times advertisement malware threat discussed above. I fear this trend will only get worse. What is a legitimate advertiser or web services organization to do?

September 14, 2009  1:49 PM

Microsoft does not patch vulnerability for supported version of Windows



Posted by: Troy Tate
information security, Microsoft, Microsoft support, patches, risk, risk management, support, tcp, tcp-ip, tcp/ip, threat, vulnerability, Windows, windows 2000

Last week was the September issue of Microsoft “patch Tuesday”. The September 2009 Microsoft Security Bulletin lists a number of vulnerabilities. Microsoft held the bulletin webcast on Wednesday, September 9, to discuss the vulnerabilities and customer concerns.

One particular bulletin is creating some concerns for Microsoft Windows 2000 users. MS09-048 is a bulletin for a vulnerability to the TCP/IP stack in all current supported versions of Windows. The bulletin describes the vulnerability:

Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Even though the bulletin here describes it as potential remote code execution, the webcast focused more on the denial of service threat due to this vulnerability. Unfortunately, Microsoft has chosen to not issue a patch for Windows 2000, even though Windows 2000 is a supported version of Windows with regards to patches and security fixes. ComputerWorld gives a good amount of detail in the article: Microsoft: Patching Windows 2000 ‘infeasible’ Dark Reading published Microsoft, Cisco Issue Defenses For TCP Denial-Of-Service Attack and The Register published Microsoft, Cisco issue patches for newfangled DoS exploit.

I know that there is a reasonable population of Windows 2000 machines in operation at my organization. So, this choice by Microsoft to not issue a patch for this vulnerability raises some concerns. Fortunately the vulnerable population is not publicly exposed and does not have mobile users. The layered defenses we have in place should help mitigate the risks to our environment. However, the risk is still there and the threat needs to be addressed. What other vulnerability will come out that Microsoft chooses not to address in a supported operating system? Are you facing the same situation in your environment? How large is the risk to your environment? What are you doing to address these threats? Why are you doing what you are doing? Share your thoughts with other ITKE readers.

Thanks for reading & let’s continue to be good network citizens.


August 28, 2009  4:57 PM

Performance monitoring dashboard – designing and instrumentation



Posted by: Troy Tate
application management, application performance, network design, network diagnosis, network management, network performance, pathping, ping

One of my biggest challenges as a network manager is when users cry “the network is slow”. Some of you may have tools available to you where you can instantly dig in and see what the user might be seeing. There are some vendors out there with application and network monitoring tools. Netscout is one that comes to mind. However, I don’t have tools like that available so I have to work through several layers of data collection methods and tools to get a picture of what might be happening. Maybe you are in the same boat. Getting an answer to “the network is slow” is not a simple or quick activity. How do you deal with this? Following are some ways that I use to try and address the situation.

Continued »


August 28, 2009  4:21 PM

BlackHat USA technical presentations available online – not just for hackers



Posted by: Troy Tate
antivirus, blackhat, bootkit, Database, Development, education, hacker, information security, infosec, least user authority, least user privilege, malware, research, rootkit, threats, vulnerabilities

The media archives have now been posted on the BlackHat website from the BlackHat technical conference held in July 2009. This is the place to go if you want to see some of the latest information security research and the threats that are REAL and may become real someday. I posted a previous blog entry on the presentation about the Bootkit – rootkit – malware bypasses disk encryption!

Some of the presentation titles:

I Just Found 10 Million SSN’s

Sniff Keystrokes With Lasers/Voltmeters
Side Channel Attacks Using Optical Sampling of Mechanical Energy and Power Line Leakage

Anti-Forensics: The Rootkit Connection

Reversing and Exploiting an AppleĀ® Firmware Update

The Language of Trust: Exploiting Trust Relationships in Active Content

Mo’ Money Mo’ Problems: Making A LOT More Money on the Web the Black Hat Way

The Conficker Mystery

These are just some of the titles available in the BlackHat 2009 Technical Conference media library. Check it out even if you are a web developer or an IT professional who manages desktops or networks or staff members who perform these tasks. You need to know what you are up against and possible methods to fight the threats.

Thanks for reading & lets continue to be good network citizens!


August 24, 2009  8:33 PM

Red alert – automated SHIELDS Up – malware becomes smarter!



Posted by: Troy Tate
bot, command and control, information security, malware, malware research, threat, vulnerability

If you haven’t recently kept up to date on the malware front, a recent article at DarkReading may come as a surprise to you. ALERT: Malware has become intelligent!

Rare Malware A Hint Of Threats To Come shows that malware has come a long way and has gained some significant intelligence to avoid detection. The article mentions that some attacks are more directed than broad. These attacks go at specific organizations and even specific data at those organizations. Once the data is collected, the malware can clean up after itself and disappear.

Other “intelligent” behavior seen by researchers includes command and control systems that can determine if a device is actually an owned bot or a researcher imitating a bot. In these types of cases, the command and control system can actually blacklist the researcher’s network range so it cannot intrude on the malware environment.

Quite intriguing stuff and this is what is really happening today! You should be familiar with this stuff if you manage a computer network and are responsible for security. Remember in secURITy – U R IT (you are IT).

Thanks for reading & let’s continue to be good network citizens!


August 19, 2009  6:21 PM

Can a botnet make me sexy?



Posted by: Troy Tate
antivirus, autoupdate, botnet, command, command and control, configuration manager, control, infection, mcafee, Microsoft, parasite, systems center

Ponder this question. Are there botnets that are sexy and make you more attractive? I got this idea from the Animal Planet (Discovery) show: Monsters Inside Me: Can a Parasite Make Me Sexy? Consider a good botnet (parasite) for a minute. Is something like the McAfee ePolicy Orchestrator or Microsoft’s Systems Center Configuration Manager something like a command and control system for a good botnet? Would that be considered a sexy parasite? Is this just a symbiotic relationship that is good for all?

So, think about it… what are you infected with today that’s doing you good?

Well… maybe it’s not always good to be infected with a parasite so that’s why I say: thanks for reading & let’s continue to be good network citizens.


August 18, 2009  2:25 PM

FTP – is it old or is it still useful? Do you need “glamorous” file transfers?



Posted by: Troy Tate
file transfer, file transfer protocol, ftp, technology, technology update

We use FTP to provide a file transfer mechanism between users, customers & suppliers. I regularly get asked if FTP is the best and easiest mechanism for this purpose. My answer is: “it works”. The command line client is also available in most operating systems and there are a lot of GUI clients available out there to make the process easier for the user. So, what is driving this questioning of the “old” FTP method? What are users seeing out there that makes them think FTP is no longer useful or unable to meet the business needs?

Is it things like iTunes Store? Something like CNet’s Download.com? What do you think? Does FTP still have enough capabilities to make it in today’s technology market? What file transfer solutions do you use? What are the advantages and pitfalls of your chosen solution(s)?

My ears and eyes are open on this topic. Share your feedback with the ITKE community. Stand up and be heard!

Thanks for reading. Let’s continue to be good network citizens.


August 14, 2009  12:48 PM

Bootkit – rootkit – malware bypasses disk encryption!



Posted by: Troy Tate
antivirus, blackhat, bootkit, hacker, least user authority, least user privilege, malware, research, rootkit, threats, vulnerabilities

If you have not been nervous before about someone infecting computers without your knowledge then you should be much more nervous after reading this article.

In 1987 the Stoned boot sector virus came out and was one of the most prevalent viruses of the early personal computer era. As with most malware concepts, this old threat has been made new again.

An 18-year old security specialist gave a presentation on a bootkit/rootkit (STONED) at the annual Blackhat security conference. This bootkit is not your typical bootkit in that it can bypass disk encryption and load itself into memory before the disk encryption software is activated. The demonstration showed the bootkit loading before disk encryption is activated. Once the malware is loaded from the master boot record (MBR), it is then in memory and can download other malware such as trojans to capture banking credentials.

The bootkit software can be installed either by having physical access to the device or by a user with administrative credentials (this makes a good case for the “least user authority” (LUA) principle). Once the malware is installed and activated it is very difficult to detect. According to one article:

Once installed, Stoned cannot be detected with traditional anti-virus software because no modifications of Windows components take place in memory, says Kleissner. Stoned runs in parallel with the actual Windows kernel. Even an anti-virus function in the BIOS can’t stop the bootkit, as modern Windows versions modify the MBR without referring to the BIOS.

Our challenge as infosec professionals is laid out before us. How we deal with threats like these and protect our users and organizations becomes more difficult all of the time. We have to stay on top of our game because the rules and game conditions are always changing.

Thanks for reading & let’s continue to be good network citizens.


August 12, 2009  4:01 PM

Improve IT service levels at little or no cost – Microsoft’s Spotlight on Costs



Posted by: Troy Tate
best practices, cost reduction, cost savings, infrastructure management, Service Level Agreement, sla, technology services

Microsoft has released a video & whitepaper series on optimizing an organization’s core infrastructure. This series reviews 31 best practices that can improve IT service levels at little or no cost. It seems to me that the series is obviously Microsoft solution-centric but the series may still be of use to your organization. Take some time and at least look through the 29 page whitepaper and see if the suggestions will help improve the top or bottom line at your organization.

How about leaving some tips or feedback here for other ITKE readers. Let us know what works and what didn’t in your organizations to improve service levels and/or reduce costs.

Thanks for reading & let’s continue to be good network citizens.


August 12, 2009  3:33 PM

Interested in Microsoft Certifications? – Microsoft Certification 101



Posted by: Troy Tate
certification, job skills, mcp, mcse, Microsoft, Microsoft Certification, Microsoft TechEd, TechEd 2009, technical certification

Check out this interview during TechEd 2009 with David Elfassy. You will find out answers to many of your burning questions like:

  • How much does certification really matter?
  • Is an MCSE still valuable?
  • Which certifications should you pick?
  • Would certification be a good way to switch into another area of expertise?
  • What changes are happening around Piracy with test development?
  • What are his recommended steps to get started with prepping for the exam?

Thanks for reading & let’s continue to be good network citizens.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: