How is Microsoft's SeaPort.exe Affecting Your Network?

August 25th, 2010

If you have installed any of Microsoft's Windows Live software in the last few weeks, months or even years, you may not have noticed a not-so-quiet program called SeaPort.exe running in the background. It consumes processing time and a fair amount of network bandwidth, which adds up quickly once you have multiple workstations.

Research indicates this process may be detrimental both to network security and to workstation capacity.

What is it?

SeaPort.exe is installed as part of Microsoft's Search Enhancement Pack, which in turn is bundled with a plethora of "helpful" Microsoft downloads, including the Bing and MSN toolbars.

The description field in the Services console (services.msc) says that it:

“Enables the detection, download and installation of up-to-date configuration files for Microsoft Search Enhancement Applications.  Also provides server communication for the customer experience improvement program.  If this service is disabled, search enhancement features such as search history may not work correctly”.

How does it affect the workstation?

From that description one might infer that this "enhancement" only runs while a browser is open and search history is in use.  In practice SeaPort.exe starts at boot (lengthening an already long startup) and keeps running in the background whether or not any search has been performed, and whether or not any browser is open.

The service is set to start automatically and uses roughly 4-7 MB of RAM (reports vary) from the moment it is installed.  All of this for a little-used, and in some cases never-used, function seems like a waste of resources on an already overworked OS.

How could it be harmful?

Microsoft's description is quite open-ended for a service that, by its own account, transmits some kind of information about the workstation back to the mothership.

Researchers have reported that full URLs are sent back to Microsoft for analysis under the Customer Experience Improvement Program.  That matters because a URL is not always harmless: if a poorly designed web application puts the session ID, or worse, a username and password, in the query string, then anything that reports full URLs ships those values along with them.  It is entirely possible that such data is being passed to Microsoft through SeaPort.exe.

What steps should I take?

The first step is to remove SeaPort.exe from any workstation running it.  After that, keep applying basic risk management: monitor what users install and which applications and processes are running on their workstations, and put a policy in place against installing toolbars and other unauthorized applications.

Brian Nelson at brighthub.com has published a step-by-step process for deleting the SeaPort service.
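Before deleting anything it is worth knowing which machines actually have the service, what binary it points at and which account it runs under. The script below is an added example, not part of the original post or of any Microsoft tool: it inventories the service across a list of workstations and, with -Disable, stops it and sets it to Disabled so it does not come back at the next boot. It assumes the service is registered under the name 'SeaPort' (the name the Search Enhancement Pack uses), that remote WMI/RPC is reachable with the caller's credentials, and the computer names you pass are your own.

```powershell
# Added example (not from the original post): inventory the SeaPort service on
# one or more workstations and, with -Disable, stop it and set it to Disabled.
# Assumptions: the service name is 'SeaPort' (the Search Enhancement Pack's
# name for it) and remote WMI/RPC is reachable with the caller's credentials.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$Disable
)

foreach ($computer in $ComputerName) {
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                         -Filter "Name='SeaPort'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "${computer}: SeaPort service not present"
        continue
    }

    # Record what is there before changing anything: the binary path and the
    # account it runs under belong in the asset/incident record.
    New-Object -TypeName PSObject -Property @{
        Computer  = $computer
        State     = $svc.State
        StartMode = $svc.StartMode
        PathName  = $svc.PathName      # typically ...\Search Enhancement Pack\SeaPort\SeaPort.exe (assumption)
        Account   = $svc.StartName
    } | Select-Object Computer, State, StartMode, PathName, Account

    if ($Disable) {
        if ($svc.State -eq 'Running') {
            # Win32_Service.StopService returns 0 when the SCM accepts the request
            $r = $svc.StopService()
            Write-Output "${computer}: StopService returned $($r.ReturnValue)"
        }
        # A Disabled start mode survives reboots, and the SCM will refuse to start
        # the service until the start mode is changed back.
        $r = $svc.ChangeStartMode('Disabled')
        Write-Output "${computer}: ChangeStartMode returned $($r.ReturnValue)"
    }
}
```

Save it as Find-SeaPort.ps1 and run `.\Find-SeaPort.ps1 -ComputerName ws01,ws02` to report only, adding `-Disable` to act; a ReturnValue of 0 means the call succeeded. Disabling the service leaves the binaries on disk, which is enough to stop the traffic; the brighthub walkthrough covers removing them.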

What does this mean going forward?

Most security analysts work from the definition of spyware as anything that "reports private information or activity to a remote host that the user may not be aware of".  In most cases SeaPort.exe is installed without the end user knowingly choosing it: when installing Windows Live there is no option to skip the SeaPort.exe component, it is included regardless of which selections are made.

SeaPort.exe should be treated as a risk, and network administrators need to understand that this process collects information about workstations that is better kept private.  In short, we are not ready to call SeaPort.exe "spyware", but it is teetering on the edge of the definition, which is uncharted territory for a major OS vendor.

Trojan Linked to 2008 Spanair Plane Crash

August 23rd, 2010

Authorities investigating the 2008 crash of Spanair flight 5022 have found that the airline's central computer system, used to monitor technical issues with its aircraft, was probably infected with malware.

The aircraft, a McDonnell Douglas MD-82 carrying 172 passengers and crew, rolled to the right on takeoff, crashed and broke in two, exploding almost immediately.  154 people died and only 18 survived, making it Spain's deadliest air accident in 25 years.

According to a preliminary report by the U.S. National Transportation Safety Board, the aircraft took off with its flaps and slats retracted, and no alarm sounded because the central computer system that normally supplies power and data to the take-off warning system had failed.  Two smaller earlier events were also not reported by the system.  In short, the built-in safeguards that should have prevented the crash failed to do so.

Jamz Yaneeza, head researcher at Trend Micro, indicated that the malware on the infected system was a Trojan horse.  There are several ways it could have got onto the computer; the most likely is that it was carried in on a USB stick.  This infection vector is not new to transportation or high-tech environments: the International Space Station's computers were infected the same way in 2008.  Another possibility is that the infection arrived over a remote VPN connection.

A complete report on the investigation is due in December 2010.  Researchers have indicated that, on the preliminary evidence, the malware does not appear to have been written specifically for the airline's computer systems.

What this does bring to light, however, is the narrowing gap between two kinds of risk management that have historically sat on opposite sides of a ravine.  Conventional risk management (employee health and safety, transportation safety, process safety, environmental protection) is typically handled by a "risk manager" at larger organizations, while cyber security is handled by a "technical officer" or similar.

As technology develops and cyber criminals expand their operations, directed attacks on this kind of exposure can and should be expected, especially for extortion and blackmail.  This incident is a textbook example of employee and public safety, owned materials and vehicles, company image and network security all being harmed at once.

In this case the malware was probably not the direct cause of the flaps being at the dangerous 0 degree setting, but it was a contributing factor, since the computer systems did not respond and raise the alarm as they should have.  It is certainly possible that in future we will see more customized malicious attempts to hijack planes, vehicles and other computer-controlled equipment, whether for financial or terrorist gain.

UPDATE:

New information has surfaced three days after this story first ran at MSNBC and TechNewsDaily.  According to security experts around the web, the internal Spanair report that raised these issues and reached some of the conclusions outlined above may not have been entirely accurate.  So while the accuracy of the initial report is still up in the air, the overall message stands: malware and cyber security are a real concern for integrated systems, and as technology develops, so will the criminals and malicious entities who take advantage of it.

New and Dangerous Zeus Variant Hitting Users' Bank Accounts

August 11th, 2010

A new and dangerous variant of the Zeus trojan has been discovered that uses a sophisticated, well-run operation to empty victims' bank accounts.

Hitting primarily in the UK during July, the new variant combines web exploits, a money mule network and a well-engineered back-end command and control system, and has stolen well over one million dollars from victims' accounts.

The variant, dubbed Zeus version 3, now uses HTTPS to encrypt its communication with the command and control servers. The initial infections come from malicious online advertising banners and from legitimate websites that have been compromised.

Few anti-virus vendors are able to detect the attack, and most intrusion prevention systems will struggle to tell the Zeus command and control traffic apart from legitimate HTTPS traffic, since the encryption hides the payload from inspection.

Once user systems are compromised and under the criminals' control, a network of "money mules" is used to transfer funds out of the victims' accounts. The mules are recruited by cyber criminals posing as legitimate businesses that pay a fee for transferring funds.

This combination of web-based exploits, encrypted command and control, and thefts of small amounts that stay under the radar of banks' anti-fraud systems makes this attack extremely dangerous.

There are ways to protect systems and users against this attack.

RiskAnalytics Cyber-RiskTools can block Zeus command and control activity in real time and escalate information on compromised systems to administrators as it happens.

http://www.riskanalytics.com/cyberrisk.htm

OSHA Issues Final Rule on Cranes and Derricks in Construction

July 28th, 2010

As of July 28, 2010 the Office of the Federal Register has posted a special filing of the final rule for OSHA regulation 29 CFR 1926, Subpart N, Cranes and Derricks in Construction.  The rule was revised because the original, written in 1971, had become more and more obsolete as new technologies developed over the last 39 years.  For example, in 1971 hydraulic cranes were rarely used in construction, whereas today they are the most prevalent form of lifting.  The crane accidents, injuries and deaths of the last several years also pushed OSHA to update the regulation.

The rule becomes effective 90 days after August 9, 2010, the date the final rule will be published in the Federal Register. Certain provisions have delayed effective dates ranging from 1 to 4 years.

The final standard addresses advances in design, the related hazards and the qualifications employees need to operate this type of machinery safely.  It also addresses the four main causes of crane- and derrick-related worker deaths: electrocution, being crushed by parts of the equipment, being struck by the equipment or load, and falls.  Some highlights of the updated rule include:

  • Employers must assess the ground conditions prior to performing a hoist.
  • Employers must comply with local and state operator licensing requirements which meet the minimum criteria specified in § 1926.1427.
  • Employers must pay for certification or qualification of their currently un-certified or unqualified operators.
  • Written certification tests may be administered in any language understood by the operator candidate.
  • When employers with employees qualified for power transmission and distribution are working in accordance with the power transmission and distribution standard (§ 1910.269), that employer will be considered in compliance with this final rule’s requirements for working around power lines.
  • Employers must use a qualified rigger for rigging operations during assembly/disassembly.
  • Employers must perform a pre-erection inspection of tower cranes.

OSHA will release additional compliance assistance in August 2010 to help construction companies with the new requirements for cranes and derricks.  BP RiskTools policies, programs and guidance documents will be updated to reflect the new rule as it becomes law.  To learn more about our Environmental Health & Safety/Business Process risk management tools and software solutions, please Contact Us.

The full regulatory text is available as a PDF download.

Rite Aid to Pay Out $1 Million to Settle HIPAA Privacy Case

July 28th, 2010

In another notable privacy case, Rite Aid has agreed to pay $1 million to settle a case over its policy controls and procedures after employees were found improperly disposing of prescription containers with personally identifiable information (PII) printed on them.  That practice is a direct violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, and the same conduct also violated the Federal Trade Commission (FTC) Act.

Rite Aid is one of the nation's largest drugstore chains and will be required to implement best practices and corrective actions to prevent the violations from recurring.  Policies, programs and procedures should be put in place, along with a strict education and training program for the employees who handle, or are exposed to, containers carrying customers' PII.  Amazingly, this is not the first time this type of violation has occurred in the drugstore industry.  In February 2009, CVS Caremark Corp. agreed to pay $2.25 million to settle identical violations of the HIPAA rule.  One might think a corporation would learn from its competitors' mistakes, but this is yet another instance of a corporation failing to take the HIPAA rules seriously and to understand the serious ramifications of not complying with them.

Rite Aid was cited for several infractions by the HHS Office for Civil Rights (OCR), which enforces HIPAA, and by the FTC:

  • Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
  • Rite Aid failed to adequately train employees on how to dispose of such information properly; and
  • Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Under the HHS resolution agreement, Rite Aid Corporation (RAC) agreed to pay a $1 million resolution amount to HHS and must implement a corrective action program that includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

These are straightforward controls that ALL companies covered by HIPAA should follow.  The RiskAnalytics CyberRiskTools (CRT) software platform provides the policies and programs, training materials and best-practice assessment tools needed to address every one of the infractions above.  Implementing the training, tracking the testing and monitoring the results are all benefits of using our platform for proper cyber risk management.

The official U.S. Department of Health & Human Services (HHS) news release has the full details.

Dodd-Frank Act Signed into Law

July 22nd, 2010

President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act (the "Dodd-Frank Act" for short) into law on Wednesday, July 21, 2010.  The complete act runs to some 2,300 pages and has a bearing on almost every financial services company and industry in the country.

The Act's stated goals include restoring "public confidence" in the United States financial system, preventing future crises, and anticipating future asset bubbles before they inflate.  The additional regulation of the financial services industry will also change the way financial institutions do business.

The full text of the bill is available online.

Below are some quick links to pertinent Business Process and Cyber Security related legislation within the Act:

Section 929I: Protecting Confidentiality of Materials Submitted to the Commission

Section 1071: Small Business Data Collection

Section 1082: Amendments to the Privacy Act of 1974

Section 1093: Amendments to the Gramm-Leach-Bliley Act

Section 1494: Study of Effect of Drywall Presence on Foreclosures

Section 1503: Reporting Requirements Regarding Coal or Other Mine Safety

Whether you manage Environmental Health & Safety or your business's cyber security risk, the Dodd-Frank Act will have an impact on your risk management efforts.  Check back and read our blog for current events, regulations, and risk identification, mitigation and controls to support your business operations.

Microsoft confirms zero-day outbreak that can affect SCADA systems

July 19th, 2010

Microsoft has confirmed the presence of a zero-day vulnerability in Windows, following reports of sophisticated malware-based hacking attacks on industrial control systems that take advantage of the security flaw.

A flaw in how Windows handles shortcut (.lnk) files is being exploited by the Stuxnet rootkit, an information-stealing threat that targets industrial and power plant control systems. The malware, which has been detected in the wild, executes automatically when an infected USB stick is browsed in Windows Explorer.

All versions of Windows are vulnerable, including Windows XP SP2, which is still widely used even though its security updates were discontinued earlier this month. Disabling Windows AutoPlay and AutoRun, the usual defense against malware on USB sticks, has no effect, because the exploit does not rely on either.

The vulnerability exists because Windows incorrectly parses shortcuts in a way that lets malicious code run when the icon of a specially crafted shortcut is displayed; no click on the shortcut is required, merely viewing the folder that contains it is enough. Removable drives are the most likely delivery vector, but any location Explorer renders, such as a network or WebDAV share, can carry the crafted shortcut.
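Until a patch is installed, the only defence is to stop Explorer from loading code to draw shortcut icons at all. The script below is an added example, not part of the original post or of Microsoft's own Fix it: it applies the two workarounds Microsoft published in Security Advisory 2286198 for this flaw (blank the shortcut icon handler in the registry, and disable the WebClient service so the flaw cannot be reached over WebDAV), after exporting the registry key so the change can be reversed. It assumes an elevated PowerShell session on the local machine, that the backup directory is writable, and that WebClient was on Manual start before (the -Undo path restores that; adjust if your build used Automatic).

```powershell
# Added example (not from the original post): apply, verify or undo the two
# Microsoft Security Advisory 2286198 workarounds for the .lnk icon flaw.
# Assumes an elevated session; the backup directory is an assumed location.
param(
    [string]$BackupDir = "$env:SystemDrive\lnk-workaround-backup",
    [switch]$Undo
)

$keyPath          = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$iconHandlerClsid = '{00021401-0000-0000-C000-000000000046}'   # Windows' default shortcut icon handler
$backupFile       = Join-Path $BackupDir 'IconHandler.reg'

if ($Undo) {
    # Restore the original icon handler and put WebClient back to Manual start (assumed default).
    Set-ItemProperty -Path $keyPath -Name '(default)' -Value $iconHandlerClsid
    Set-Service -Name WebClient -StartupType Manual
    Write-Output 'Workaround removed; restart explorer.exe or log off for shortcut icons to return.'
    return
}

# Back up the key first; refuse to proceed if the export fails.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& reg.exe export 'HKCR\lnkfile\shellex\IconHandler' $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'registry backup failed; workaround not applied' }

# Workaround 1: blank the icon handler so Explorer never loads code to render a
# shortcut's icon. Side effect: every shortcut shows a generic icon until undone.
Set-ItemProperty -Path $keyPath -Name '(default)' -Value ''

# Workaround 2: stop and disable WebClient so a crafted .lnk on a WebDAV share
# cannot reach the same code path.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service -Name WebClient -StartupType Disabled

# Verify what is now in place.
$current   = (Get-ItemProperty -Path $keyPath).'(default)'
$webclient = Get-Service -Name WebClient
Write-Output ("IconHandler default value: '{0}' (expected empty)" -f $current)
Write-Output ("WebClient service status: {0}, start type set to Disabled" -f $webclient.Status)
Write-Output 'Restart explorer.exe or log off/on for the icon change to take effect.'
```

Run it once to apply, and with `-Undo` once the vendor patch (Microsoft shipped it as bulletin MS10-046 on August 2, 2010) is deployed, since the blank icon handler is a visible nuisance for users. Keep the exported .reg file with the change record so the original value can be restored even if the script is lost.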

Additional information can be found on the Internet Storm Center site.

States becoming more aggressive in HIPAA enforcement

July 19th, 2010

Connecticut Attorney General Richard Blumenthal has sued Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach.

Blumenthal is also seeking a court order blocking Health Net from continued violations of HIPAA (Health Insurance Portability and Accountability Act) by requiring that any protected health information contained on a portable electronic device be encrypted.

This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

Obviously, the best policy is to ensure safeguards are in place to prevent these breaches from happening in the first place.

Administrative policy combined with technical controls and employee education is key to preventing these episodes. Breaches can affect an organization financially and can result in decreased productivity.

FBI Warns of New Social Networking Scam

July 7th, 2010

The FBI is warning of e-mail and social networking accounts being compromised and used in a social engineering scam to swindle consumers. Portraying themselves as the victim, the hacker uses the victim’s account to send a notice to their contacts. The notice claims the victim is in immediate need of money due to being robbed of their credit cards, passport, money, and cell phone; leaving them stranded in London or some other location. Some claim they only have a few days to pay their hotel bill and promise to reimburse upon their return home. A sense of urgency to help their friend/contact may cause the recipient to fail to validate the claim, increasing the likelihood of them falling for this scam. If you receive a similar notice, you should always verify the information before sending any money.

Microsoft XP and Server 2003 Vulnerability

July 7th, 2010

Microsoft is warning of increased attacks against a vulnerability in the Windows Help and Support Center component shipped with supported editions of Windows XP and Windows Server 2003.  Microsoft says it is working on a patch, but in the interim suggests that users apply a short-term fix that disables the vulnerable component. The short-term fix is available from Microsoft at: http://support.microsoft.com/kb/2219475.
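The interim fix in KB2219475 works by unregistering the hcp:// protocol handler, which lives under HKEY_CLASSES_ROOT\HCP. The script below is an added example, not part of the original post or of Microsoft's Fix it: it checks a list of XP and Server 2003 machines over remote WMI and reports which of them still have the handler registered, so you can see where the workaround (or, later, the patch) has not yet landed. It assumes remote WMI is reachable with the caller's credentials and that the computer names passed in are your own.

```powershell
# Added example (not from the original post): report which machines still have
# the hcp:// protocol handler registered (HKCR\HCP), i.e. have not applied the
# KB2219475 interim fix. Assumes remote WMI access with the caller's credentials.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

$HKCR = [uint32]2147483648   # HKEY_CLASSES_ROOT, as the StdRegProv WMI provider numbers it

foreach ($computer in $ComputerName) {
    try {
        $reg = [wmiclass]"\\$computer\root\default:StdRegProv"

        # EnumKey returns 0 when the key exists and 2 (ERROR_FILE_NOT_FOUND) when it
        # does not; a missing HCP key means the handler has been unregistered.
        $exists = ($reg.EnumKey($HKCR, 'HCP').ReturnValue -eq 0)

        $handler = $null
        if ($exists) {
            # The default value of HCP\shell\open\command is what Windows runs for hcp:// URLs;
            # on an untouched system it points at HelpCtr.exe.
            $handler = $reg.GetStringValue($HKCR, 'HCP\shell\open\command', '').sValue
        }

        New-Object -TypeName PSObject -Property @{
            Computer      = $computer
            HcpRegistered = $exists
            Handler       = $handler
        } | Select-Object Computer, HcpRegistered, Handler
    }
    catch {
        # Unreachable host or access denied: report it rather than silently skipping it.
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}
```

Any row with HcpRegistered set to True is still exposed; apply the Fix it from the KB article there (it exports the key before deleting it, so keep that backup) and re-run the check. Re-run it again after deploying Microsoft's patch, since the fix re-registers nothing and you want the inventory to reflect which mitigation each machine is relying on.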