Dec 6 2007 6:03AM GMT
Posted by: Bill Brenner
Network Security,
Information Security Threats,
Security Management
Two patching items to report this morning: one affecting Cisco Security Agent (CSA), the other OpenOffice.
First, the CSA flaw, as described in Cisco advisory cisco-sa-20071205-csa: A buffer overflow vulnerability exists in a system driver used by the Cisco Security Agent for Microsoft Windows. This buffer overflow can be exploited remotely and causes corruption of kernel memory, which leads to a Windows stop error (blue screen) or to arbitrary code execution. The vulnerability is triggered during processing of a crafted TCP segment destined to TCP port 139 or 445. These ports are used by the Microsoft Server Message Block (SMB) protocol.
Cisco has released free software updates that address this vulnerability.
Next, the OpenOffice issue as described in CVE-2007-4575: A security vulnerability in HSQLDB, the default database engine shipped with OpenOffice.org 2 (all versions), may allow attackers to execute arbitrary static Java code, by manipulating database documents to be opened by a user. All versions prior to OpenOffice.org 2.3.1 are affected.
This issue is addressed in HSQLDB 1.8.0.9 and OpenOffice.org 2.3.1.
Dec 3 2007 6:08AM GMT
Posted by: Bill Brenner
Application Security,
Information Security Threats
Attackers are trying to make use of the exploit code released last week for Apple’s popular QuickTime media player, prompting Symantec to raise its ThreatCon back to Level 2. Here’s the email advisory sent to customers of Symantec’s DeepSight threat management service:
The ThreatCon is currently at Level 2. As of December 1, 2007 the DeepSight honeynet has observed active exploitation of the Apple QuickTime RTSP Response Header Remote Stack Based Buffer Overflow Vulnerability. This vulnerability was originally disclosed on November 23, 2007 and since this time we have seen numerous exploits targeting the flaw being released to the public. At the time of writing, there has been no vendor-supplied patch released for this issue.
The attack observed was hosted on 85.255.117.212 (2005-search.com) over TCP port 554. Additionally, the IP address is hosting a web server, which contains script code directing users to the exploit. The IP hosting the attack is referenced by another domain, resolving to 216.255.183.59.
Customers are urged to filter outgoing access to these IP addresses immediately to aid in immediate prevention of exploitation. Symantec is currently investigating this attack further. Currently the main script page users will come into contact with prior to exploitation is detected by Symantec as Downloader.
Nov 29 2007 4:41PM GMT
Posted by: Bill Brenner
Information Security Threats,
Data Breaches and Identity Theft,
Laws, Investigations and Ethics
The FBI has just announced the results of its latest crackdown on botnet herders, designated Operation Bot Roast II. Since the first crackdown in June, eight people have been indicted, pleaded guilty or been sentenced for botnet crimes. Meanwhile, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation.
So far, the FBI says it has uncovered more than $20 million in economic losses and more than one million hijacked machines.
Says FBI Director Robert S. Mueller: “Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users.”
The individuals identified as part of Bot Roast II are:
Ryan Brett Goldstein, 21, of Ambler, Pennsylvania, was indicted on 11/01/07 by a federal grand jury in the Eastern District of Pennsylvania for botnet related activity which caused a distributed denial of service (DDoS) attack at a major Philadelphia area university. In the midst of this investigation the FBI was able to neutralize a vast portion of the criminal botnet by disrupting the botnet’s ability to communicate with other botnets. In doing so, it reduced the risk for infected computers to facilitate further criminal activity. This investigation continues as more individuals are being sought.
Adam Sweaney, 27, of Tacoma, Washington, pled guilty on September 24, 2007 in U.S. District Court, District of Columbia, to a one count felony violation for conspiracy fraud and related activity in connection with computers. He conspired with others to send tens of thousands of email messages during a one-year period. In addition, Sweaney surreptitiously gained control of hundreds of thousands of bot controlled computers. Sweaney would then lease the capabilities of the compromised computers to others who launched spam and DDoS attacks.
Robert Matthew Bentley of Panama City, Florida, was indicted on 11/27/07 by a federal grand jury in the Northern District of Florida for his involvement in botnet related activity involving coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.
Alexander Dmitriyevich Paskalov, 38, multiple U.S. addresses, was sentenced on 10/12/2007 in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multi-million dollar losses.
Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskalov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigration and Customs Enforcement, the Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.
John Schiefer, 26, of Los Angeles, California, agreed to plead guilty on 11/8/2007 in U.S. District Court in the Central District of California, to a four felony count criminal information. A well-known member of the botnet underground, Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses. Schiefer transferred compromised communications and usernames and passwords and also used them to fraudulently purchase goods for himself. This case was the first time in the U.S. that someone has been charged under the federal wiretap statute for conduct related to botnets.
Gregory King, 21, of Fairfield, California, was indicted on 9/27/2007 by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies including a web based company designed to combat phishing and malware.
Jason Michael Downey, 24, of Dry Ridge, Kentucky, was sentenced on 10/23/2007 in U.S. District Court, Eastern District of Michigan, to 12 months in prison followed by probation, restitution, and community service for operating a large botnet that conducted numerous DDoS attacks that resulted in substantial damages. Downey operated the Internet Relay Chat (IRC) network Rizon. Downey stated that most of the attacks he committed were on other IRC networks or on the people that operated them. Downey’s DDoS targets often resided on shared servers which contained other customers’ data. As a result of the DDoS against his target, innocent customers residing on the same physical server also fell victim to his attacks. One victim confirmed financial damages of $19,500 as a result of the DDoS attacks.
Nov 29 2007 1:27PM GMT
Posted by: Bill Brenner
Microsoft Security,
Security Vendor News,
Network Security,
Application Security,
Information Security Threats,
Platform Security,
Data Breaches and Identity Theft,
Privacy,
Laws, Investigations and Ethics
A couple weeks ago at the monthly meeting of the National Information Security Group (NAISG) in Waltham, Mass., I gave a couple of PowerPoint presentations when the scheduled speaker hit some travel snags and couldn’t make it. I’m on the NAISG board of directors and it was my turn to take one for the team.
One of the presentations was about how SearchSecurity.com and Information Security magazine are focused like the proverbial laser beam on the security challenges of IT professionals. My goal was to make the point that it’s crucial for us to talk to IT admins on a regular basis to get the best sense of what their challenges are and what kind of information we can put in our stories to help them do their jobs better.
Whenever I finish this presentation and start taking questions from the audience, the conversation always shifts to which Web sites and blogs I visit each day to find the latest news and analysis. The vast majority of what I look at each day is more in the form of technical advisories and security dashboards fitted with the various threat level boxes kept by Symantec, IBM ISS and many other security vendors.
But the blogosphere is becoming an increasingly important source of news and analysis, and while I wouldn’t think of giving away all of my source material, I think it’s useful for me to flag some blogs you can all get some use from. Some are straight roundups of the news of the day, others are more opinionated summaries of the news and then there are blogs offering a bit of both.
And so here is a list of some blogs that have become favorite stopping points during my so-called morning scan, the daily ritual where I fire up the laptop at 5 a.m., coffee in hand, and browse cyberspace in search of breaking news that may require our fast attention:
Liquidmatrix: This is the site of IT security professional Dave Lewis, where he offers, among other things, a daily “Security Briefing” of whatever the big news of the morning may be. It’s set up to read like a scan of the morning newspapers.
The Daily Incite: This is another daily morning roundup — but with a heavier dose of attitude and analysis — from Mike Rothman, president and principal analyst of Security Incite. Once in awhile Mike will take issue with something written by me or one of my colleagues, but he offers a lot of fair analysis on the daily news that can be helpful when you’re trying to make quick sense of whatever has just happened.
Donna’s Security Flash: She keeps meticulous track of daily news items, summarizing and linking to various news stories of note.
The Breach Blog: This one reads like the typical advisory for software vulnerabilities, only the focus is on the latest reported data security breaches. Entries include the date an incident is reported, how many people affected and a summary of what specifically happened.
Techdirt: OK, this blog isn’t security-specific. It’s more of a wide-angle overview of technology news. But they include a ton of security news, helpful links and attitude that makes for interesting reading.
PogoWasRight.org: This is another daily roundup of security breaches and other privacy-related news such as legislative developments, linking to various news stories around the Web. One of the most impressive aspects of this blog is how up to date it is. You’ll usually find fresh data breach reports milliseconds after the news has broken.
Happy reading!
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.
Nov 28 2007 8:26AM GMT
Posted by: Bill Brenner
Application Security,
Information Security Threats
Those using Google, Yahoo! and other search engines face a new danger according to the folks at Sunbelt Software: seeded search results that will redirect the user to sites rigged with malware.
The Sunbelt blog describes tens of thousands of individual pages its researchers found that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages, wrote Sunbelt researcher Adam Thomas.
“For months now, our research team has monitored a network of bots whose sole purpose is to post spam links and relevant keywords into online forms (typically comment forms and bulletin board forums),” he wrote. “This network, combined with thousands of pages … have given the attackers very good (if not top) search engine position for various search terms.”
Thomas said many malicious pages contain an IFRAME link designed to exploit vulnerable systems. Those unlucky enough to encounter such links while browsing on vulnerable machines risk becoming infected with a family of malware Sunbelt calls Scam.Iwin.
“With Scam.Iwin, the victim’s computer is used to generate income for the attacker in a pay-per-click affiliate program by transmitting false clicks to the attacker’s URLs without the user’s knowledge,” Thomas said. “The infected Scam.Iwin files are not ordinarily visible to the user. The files are executed and run silently in the background when the user starts the computer and/or connects to the Internet.”
Scam.Iwin is also used to load malware for other groups, he noted. One such group is associated with the notorious RBN (Russia Business Network).
In a separate Sunbelt blog posting, company president Alex Eckelberry described a large amount of seeded search results leading to malware sites and using common, innocent terms. One researcher landed on a malware site while searching for alternate firmware for a router, he noted.
He reproduced several examples of Google search results showing malicious sites, including this one:

“Clicking on these links will expose the user to exploits which will infect a vulnerable system (in other words, a system that is not fully up-to-date with the latest patches),” he wrote.
Google has been notified, Thomas said.
UPDATE: Sunbelt confirmed late Wednesday that Google has removed all of the malicious sites.
UPDATE 2: Google’s security team admits the malicious activity Sunbelt discovered is probably the tip of the iceberg, and they’re asking for the public’s help in flagging additional sinister sites. From the Google security blog:
“Currently, we know of hundreds of thousands of websites that attempt to infect people’s computers with malware. Unfortunately, we also know that there are more malware sites out there. This is where we need your help in filling in the gaps. If you come across a site that is hosting malware, we now have an easy way for you to let us know about it. If you come across a site that is hosting malware, please fill out this short form. Help us keep the internet safe, and report sites that distribute malware.”
Nov 27 2007 5:08PM GMT
Posted by: Dennis Fisher
Data Breaches and Identity Theft
Say this for the unfortunate folks at Her Majesty’s Revenue and Customs: they know how to respond to a data breach. I’m not necessarily talking about the legal response or notification of citizens potentially affected by the HMRC’s loss of two discs containing personally identifiable information for 25 million UK residents. That’s boilerplate at this point. What struck me is the classically British way that the officials involved stepped up and shouldered the blame for the mishap. “This is the biggest privacy disaster by our government,” Jonathan Bamford, assistant information commissioner, told CNET News. “Clearly on the facts available there appears to be a major contravention of data-protection laws.”
Those are not the kind of statements you see coming from government officials or company executives in the U.S. Here, the company PR operative would have blamed the courier service for losing the discs, then the CEO would have pointed out that they are password protected, so there’s nothing to worry about, and then we’d hear about how it happens to everyone and the criminals are really the ones at fault. Maybe some of the corporate and government CIOs should catch a flight to Heathrow sometime soon to confer with our British cousins on this.
Nov 27 2007 2:11PM GMT
Posted by: Bill Brenner
Microsoft Security,
Network Security,
Application Security,
Information Security Threats,
Security Management,
Platform Security,
Data Breaches and Identity Theft,
Identity and access management
The SANS Institute released its 2007 Top 20 threats list today (They still call it the Top 20, even though there are only 18 items on this year’s list), and the main takeaway is pretty much the same as last year: The bad guys are preying on gullible users and flawed applications such as Web browsers and media players to break into company networks and steal sensitive data.
In the bigger picture, the SANS Institute said it has observed:
– Significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, office software, media players and other desktop applications.
– A continuing trend where users practice careless Web-browsing habits on work machines, increasing a company’s overall risk.
– Web application vulnerabilities in open source as well as custom-built applications that account for almost half the total number of vulnerabilities discovered in the past year.
– Default configurations for many operating systems and services continue to be weak and continue to include default passwords.
– Attackers are finding more creative ways to obtain sensitive data from organizations.
During a conference call with reporters this morning, SANS Research Director Alan Paller and Rohit Dhamankar, director of the SANS Top 20 project and senior security research manager at TippingPoint, said the main lesson this year is that companies need to have more vigorous URL blocking and further restrict what users are allowed to do on company computers.
Looking over the details, I’m reminded of the reaction to the 2006 SANS threat report, when some questioned whether it’s still useful to even have these reports when the takeaway doesn’t change much from one year to the next. And so I reached out to several IT security pros this morning for some reaction.
I invite you to weigh in via the comments section in this blog. For now, here are some comments sent to me by email:
Cris V. Ewell, chief security officer of Seattle-based PEMCO Corp.: “In general, the report represents only the technical aspect of security and deals with the vulnerabilities in the applications and OS. This is not new, and while important, I expect the security engineers to deal with these types of issues on an ongoing basis. We have multiple systems to do vulnerability/threat/intrusion checks monthly, and mitigate the issues long before the Top 20 is published. The report is a good reminder of best practices that should be used in the enterprise, but there is nothing new in the report that would force me to change established practices and goals we have set for the company.”
Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif.: “What this gives is ammo to the administrator to lock down the browsing.”
Jeff Jarzabek, IT director for Oakbrook Terrace, Ill.-based Matocha Associates: “Do any of these specifically hit home at our company? No. Everything on the list except for the last 2 items is taken care of by educating your users. We have always told our users that if they suspect something is up, to notify a member of the IT staff. I think the SANS reports are now used mostly for raising awareness and as a reminder to some, myself included. I feel there is nothing new or shocking that most IT staffs shouldn’t already be doing considering the impact on the company if security is neglected.”
Gadi Evron, security architect for Afilias global registry services: “I believe this report reflects that indeed, client-side attacks are the danger most of us face today to our corporations being compromised, while agreeing that server-side attacks are once again on the rise by the use of web application vulnerabilities.”
Nov 26 2007 1:50PM GMT
Posted by: Robert Westervelt
Application Security
Information Security magazine’s Senior Technology Editor Neil Roiter wrote a story about University of Massachusetts at Amherst researchers who developed a way to generate a unique set of random numbers to secure radio frequency identification technology (RFID) tags.
We’ve heard about security researchers cracking RFID chips. Security researcher Adam Laurie has been warning of RFID weaknesses. Laurie explained in a recent interview why he believes RFID vendors are ignoring RFID security and privacy issues. He has demonstrated how easy it is to copy an RFID tag, including those found in some passports.
Several years ago RFID seemed to have a lot of momentum. Billed as a way to improve supply chain management, it had retailers, suppliers and manufacturers lining up to see the benefits. SAP, Oracle and IBM were among the top vendors pushing the benefits and a package of technologies to tag, collect and analyze RFID data. Walmart helped push standards and directed its suppliers to begin tagging. But privacy and security issues, the cost of implementing RFID tagging and the storage requirements for RFID data collection seem to have stalled adoption.
It will be interesting to see if solving the security equation will result in a resurgence of interest in the technology. Stay tuned.
Nov 21 2007 4:26PM GMT
Posted by: Dennis Fisher
Information Security Threats
Some security experts are counseling a bit of caution about the recent reports of a potential math error in a commercial microprocessor that could lead to mass compromises. The possible computational error, which is only a theoretical problem at this point, was raised by noted cryptographer Adi Shamir in a note circulated recently in the cryptography community. In short, Shamir, one of the co-authors of the RSA algorithm, posits that there could be an undiscovered mathematical mistake in any one of the microprocessors on the market which could enable skilled attackers to compromise any crypto key on a machine running the flawed processor.
“In this note we show that if some intelligence organization discovers (or secretly plants) even one pair of integers a and b whose product is computed incorrectly (even in a single low order bit) by a popular microprocessor, then ANY key in ANY RSA-based security program running on ANY one of the millions of PC’s that contain this microprocessor can be trivially broken with a single chosen message,” Shamir wrote in his note.
However, as it turns out, many, if not most, of the popular cryptographic libraries in use today already protect against this kind of attack.
“This is a neat extension to an existing attack and a good reason not to implement your own public key crypto, but if you use a mainstream library, you’re already protected,” said Nate Lawson of Root Labs. “It depends on there being a bug in the multiplier section of the CPU and using a poorly implemented crypto library. Luckily all crypto libraries I know of (OpenSSL, crypto++, etc.) guard against this kind of error by checking the signature before outputting it. Also, hardware multipliers are less likely to have bugs than dividers due to the increase in logic complexity for the latter, although I certainly wouldn’t claim they would be bug-free.”
This by no means discounts the seriousness of what Shamir proposed. The fact is, chip designers, like everyone else, make mistakes and those mistakes can lead to major problems. But thankfully, someone else has anticipated those mistakes and taken precautions against them. Shamir makes another point in his note that’s worth mentioning as well. He talks about the increased complexity of the multiplication units in CPUs being the root of these possible attacks. It’s often said that complexity is the enemy of security, and this is yet another example of this maxim.
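To make Lawson’s point concrete, here is an added Python example (not code from the original post, from Shamir’s note, or from any library named above). It simulates a CPU whose multiplier returns a wrong product for one specific operand pair, runs an RSA signer on it, and shows why “checking the signature before outputting it” keeps a faulted signature from ever leaving the library. The toy key, the message and all helper names are constructed for the example.

```python
"""Added example (not from the original post or any named library): a CPU whose
multiplier returns a wrong product for one operand pair (a, b), as in Shamir's
note, and the defence Nate Lawson describes: verify the signature with the
public exponent before releasing it. Toy key and helper names are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: int


def make_toy_key() -> RsaKey:
    """Constructed toy key; p and q are tiny primes, unusable for real security."""
    p, q, e = 1009, 1013, 65537
    return RsaKey(n=p * q, e=e, d=pow(e, -1, (p - 1) * (q - 1)))


class Multiplier:
    """Stand-in for the CPU multiply instruction. If `bad_pair` is set, exactly
    that operand pair comes back with its lowest bit flipped (the "single low
    order bit" error in the note). Every call is recorded in `trace`."""

    def __init__(self, bad_pair: Optional[Tuple[int, int]] = None) -> None:
        self.bad_pair = bad_pair
        self.trace: List[Tuple[int, int]] = []
        self.faults = 0

    def mul(self, a: int, b: int) -> int:
        self.trace.append((a, b))
        product = a * b
        if self.bad_pair is not None and (a, b) == self.bad_pair:
            self.faults += 1
            product ^= 1          # the hardware bug: one low-order bit wrong
        return product


def modpow(base: int, exp: int, mod: int, mult: Multiplier) -> int:
    """Right-to-left square-and-multiply, every product routed through `mult`."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = mult.mul(result, base) % mod
        exp >>= 1
        base = mult.mul(base, base) % mod
    return result


def sign_unchecked(key: RsaKey, m: int, mult: Multiplier) -> int:
    """Naive signer: releases whatever the hardware computed."""
    return modpow(m, key.d, key.n, mult)


def sign_checked(key: RsaKey, m: int, mult: Multiplier) -> Optional[int]:
    """Hardened signer: re-verify with e and release only on a match. The
    public-exponent path uses different operands, so a fault bound to one
    (a, b) pair in the signing path does not silently recur here."""
    s = modpow(m, key.d, key.n, mult)
    return s if pow(s, key.e, key.n) == m % key.n else None


def operand_pair_hit_by_signer(key: RsaKey, m: int) -> Tuple[int, int]:
    """Operand pair of the last result-multiplication when signing m. Stands in
    for the attacker's chosen message, which is one whose signing drives the
    bad pair through the multiplier; a fault there always changes the output."""
    recorder = Multiplier()
    modpow(m, key.d, key.n, recorder)
    return recorder.trace[-2]       # trace[-1] is the unused final squaring
```

With a clean `Multiplier` both signers agree with `pow(m, d, n)`; with the faulty one, `sign_unchecked` hands out a corrupted signature while `sign_checked` returns `None` and releases nothing.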