Archive for the ‘Technical Safeguards’ Category

How is Microsoft's SeaPort.exe Affecting Your Network?

Wednesday, August 25th, 2010

If you have installed the Microsoft Live service at any point in the last few weeks, months or even years, you may or may not have noticed a not-so-quiet program called SeaPort.exe running in the background. It consumes processor time and a fair amount of network bandwidth, which adds up quickly when you have multiple workstations.

Research has indicated this process may be detrimental to your network security and workstation operating capacity.

What is it?

SeaPort.exe typically comes bundled as part of the Microsoft Live Search Enhancement application pack. It is also included in a number of other "helpful" Microsoft web downloads, including the Bing and MSN toolbars.

In the description field of the Services management console (services.msc), Microsoft describes it as follows:

“Enables the detection, download and installation of up-to-date configuration files for Microsoft Search Enhancement Applications.  Also provides server communication for the customer experience improvement program.  If this service is disabled, search enhancement features such as search history may not work correctly”.

How does it affect the workstation?

From the description one might infer that this "enhancement" should only run while a browser is open and actively using search history. But SeaPort.exe runs not only at boot-up (drawing out an already lengthy startup), but also in the background whether or not any searches have been performed, and whether or not any browser is open.

The service is set to start automatically and consumes approximately 4-7 MB of RAM (reports vary) from the moment it is installed. All this activity for a little-used, and in some cases never-used, function is a waste of resources on an already overworked OS.

How could it be harmful?

The Microsoft description above is quite open-ended for a service that, by its own account, transmits some type of information about the workstation back to Microsoft.

Researchers have published detailed evidence that full URLs are sent back to Microsoft for analysis by the Customer Experience Improvement Program. If you use poorly coded web applications that put the session ID, or worse, a username and password, in the URL, it is entirely possible that those values are being passed to Microsoft through SeaPort.exe. Anything placed in a URL is visible to everything that sees the URL: browser history, proxy logs, Referer headers and, in this case, a "search enhancement" service.

What steps should I take?

Removing SeaPort.exe from any workstation running it is the first step. Once that is done, keep up good risk management practice: monitor users and the applications and processes installed on their workstations, and implement a policy against installing toolbars and other unauthorized applications.

Brian Nelson at brighthub.com has published a step-by-step process for deleting the SeaPort service.
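As an added example (this is not code from the original post and not Brian Nelson's procedure), the PowerShell script below finds the service that runs SeaPort.exe on the local machine or on a list of hosts, stops it, sets it to Disabled and deletes its registration. It assumes the service binary is still called SeaPort.exe (the service is matched by its executable path rather than by a hard-coded service name), that the script runs with local administrator rights on each host, and that remote hosts are reachable over WMI/RPC.

```powershell
# Added example: remove the SeaPort service from one or more workstations.
# Assumptions: the binary is named SeaPort.exe, the caller is a local admin
# on every target host, and WMI/RPC is reachable for remote hosts.
# Run with -WhatIf first to preview the changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

foreach ($computer in $ComputerName) {
    # Match on the executable path, not the service name, so a renamed
    # service registration is still caught.
    $services = Get-WmiObject -Class Win32_Service -ComputerName $computer |
        Where-Object { $_.PathName -match 'SeaPort\.exe' }

    if (-not $services) {
        Write-Output "$computer : no service runs SeaPort.exe"
        continue
    }

    foreach ($svc in $services) {
        $label = "$computer : $($svc.Name) ($($svc.PathName))"
        if ($PSCmdlet.ShouldProcess($label, 'stop, disable and delete service')) {
            # Stop it, set it to Disabled so a reboot cannot bring it back,
            # then remove the registration. Win32_Service's own methods work
            # locally and remotely without needing sc.exe on each host.
            if ($svc.State -ne 'Stopped') { [void]$svc.StopService() }
            [void]$svc.ChangeStartMode('Disabled')
            $rc = $svc.Delete().ReturnValue
            Write-Output "$label : delete returned $rc (0 = success)"
        }
    }
}
```

Deleting the service does not uninstall the search enhancement package that installed it; remove that through Add/Remove Programs as well, and re-run the script against your host list periodically, since a toolbar install may bring the service back.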

What does this mean going forward?

To date, most security analysts operate under the presumption that spyware is anything that "reports private information or activity to a remote host that the user may not be aware of". In most cases, SeaPort.exe is installed without the end user knowingly doing so: when installing Microsoft Live there is no option to skip the SeaPort.exe portion of the application set; it is included no matter what selections are made.

SeaPort.exe should be treated as armed and dangerous, and network administrators need to understand that this process gathers information about workstations that is better kept private. In short, we are not ready to call SeaPort.exe "spyware", but it is teetering on the edge of the definition, which is uncharted territory for a major OS vendor.

Trojan Linked to 2008 Spanair Plane Crash

Monday, August 23rd, 2010

Authorities investigating the 2008 crash of Spanair flight 5022 have discovered that the central computer system used to monitor technical issues with the plane was probably infected with malware.

The plane, a McDonnell Douglas MD-82 carrying 172 passengers and crew, rolled to the right on takeoff, crashed and split in two, exploding almost immediately. 154 people died and only 18 survived, making it Spain's deadliest crash in 25 years.

According to a preliminary report by the U.S. National Transportation Safety Board, the aircraft took off with its flaps and slats retracted, and no alarm warned of this because the central computer system that normally supplies power and the warning message to the take-off warning system had failed. Two smaller, earlier events had also gone unreported by the system. In short, built-in safeguards that should have prevented the crash failed to do so.

Head researcher Jamz Yaneza of Trend Micro indicated that the malware on the infected computer system was a type of Trojan horse. While there are a number of ways it could have entered the system, the most likely scenario is that it was transferred via a USB stick. This kind of infection is not new to the transportation or hi-tech industries: the International Space Station was infected in the same manner in 2008. Another possibility is that the infection came through a remote VPN connection.

A complete report on the full investigation is due in December 2010. Researchers have indicated that the preliminary investigation suggests the malware was not specifically written for the plane's computer systems.

However, what this does bring to light is the narrowing of the gap between two distinct types of risk management that have historically sat on opposite sides of a ravine. Conventional risk management, such as employee health and safety, transportation safety, process safety and environmental protection, is typically handled by a "risk manager" at most larger organizations, while cyber security is handled by a "technical officer" (or similar designation).

As technology develops and cyber criminals expand their operations, directed attacks on this kind of exposure can and should be expected, especially for extortion and blackmail. This incident is a classic example in which the health and safety of employees and the public, owned materials and vehicles, company image and network security were all adversely impacted.

In this case, the malware was likely not the direct cause of the flaps being at the dangerous 0-degree setting, but it appears to have been a contributing factor, since the computer systems did not respond and communicate as they should have when alarming on the problem. It is certainly possible that in the future we will see more customized malicious attempts to hijack planes, vehicles and even automated equipment run by computers, in order to create harm or havoc for financial or terrorist gain.

UPDATE:

New information surfaced 3 days after this story first ran at MSNBC and TechNewsDaily. According to security experts around the web, the internal Spanair report that raised many of these issues and reached some of the determinations outlined in this post may not have been entirely accurate. So while the accuracy of the initial report is still up in the air, the overall message about the threat of malware and cyber security concerns in integrated systems remains valid. As technology develops, so too will the criminals and malicious entities that take advantage of it.

New and Dangerous Zeus Variant Hitting Users' Bank Accounts

Wednesday, August 11th, 2010

A new and dangerous variant of the Zeus trojan has been discovered that uses a complex, highly skilled methodology to empty victims' bank accounts.

Hitting primarily in the UK during July, the new variant of Zeus is using web exploits, a money mule network and a highly skilled back-end command and control system to steal well over one million dollars from victims' bank accounts.

The new variant, dubbed Zeus version 3, now encrypts its communication with the command and control network using HTTPS. The initial infections come from online advertising banners and from legitimate websites that have been compromised.

Few anti-virus vendors can currently detect the malware, and most intrusion prevention systems will have difficulty telling Zeus command and control traffic apart from legitimate HTTPS traffic, since the payload is encrypted. What encryption does not hide is where the traffic goes and how often: destination IP and domain reputation, the server certificate and the regular beaconing pattern remain usable detection signals.

Once user systems are compromised and under the control of the cyber criminals, a network of "money mules" is used to transfer the funds out of the victims' accounts. Money mules are recruited by cyber criminals posing as legitimate businesses that pay a fee for transferring funds.

This combination of web-based exploits, encryption and the theft of small amounts that stay under the radar of the banks' anti-fraud systems makes this campaign extremely dangerous.

There are ways to protect systems and users against this threat.

RiskAnalytics Cyber-RiskTools can actively block Zeus command and control activity in real time and escalate information on compromised systems to administrators as it happens.

http://www.riskanalytics.com/cyberrisk.htm

Microsoft confirms zero-day outbreak that can affect SCADA systems

Monday, July 19th, 2010

Microsoft has confirmed the presence of a zero-day vulnerability in Windows, following reports of sophisticated malware-based hacking attacks on industrial control systems that take advantage of the security flaw.

Security shortcomings in Windows shortcut (.lnk) files are being exploited by the Stuxnet rootkit, an information-stealing threat that targets industrial and power plant control systems. The malware, which has been detected in the wild, executes automatically when an infected USB stick is browsed in Windows Explorer.

All versions of Windows, including XP SP2 (still widely used despite the end of its security updates earlier this month), are vulnerable. Disabling Windows AutoPlay and AutoRun, the normal defense against malware on USB sticks, has no effect, because the flaw is triggered when Explorer renders the shortcut's icon, not by the autorun mechanism.

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed as soon as the icon of a specially crafted shortcut is displayed; the user does not need to click it. It is most likely to be exploited through removable drives, but any location where Explorer renders shortcut icons, such as a network or WebDAV share, will do.
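As an added example (this is not Microsoft's Fix it and not code from the original post), the PowerShell script below applies or reverts the two workarounds Microsoft published in Security Advisory 2286198 for this flaw: blanking the shortcut icon handler so Explorer stops rendering .lnk icons, and stopping the WebClient service so shortcuts cannot be delivered over WebDAV. The backup value name "Backup" and the WebClient start type restored on revert (Manual) are assumptions. It must run from an elevated prompt, and while the workaround is active every shortcut on the machine shows a generic icon.

```powershell
# Added example: apply or revert the Advisory 2286198 workarounds.
# Assumptions: elevated prompt; the original handler CLSID is saved in a
# value named "Backup" (name chosen here, not a Windows convention); the
# WebClient start type before the change was Manual.
param(
    [ValidateSet('Apply', 'Revert')]
    [string]$Action = 'Apply'
)

# Windows PowerShell has no HKCR: drive by default; create one for this session.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$iconHandlerKey   = 'HKCR:\lnkfile\shellex\IconHandler'
$backupValue      = 'Backup'
# Windows' stock shortcut icon handler; used on revert if no backup exists.
$shellIconHandler = '{00021401-0000-0000-C000-000000000046}'

switch ($Action) {
    'Apply' {
        # 1. Blank the (Default) value so the shell no longer loads the icon
        #    handler for .lnk files. Save the old value first.
        $current = (Get-ItemProperty -Path $iconHandlerKey).'(default)'
        if ($current) {
            Set-ItemProperty -Path $iconHandlerKey -Name $backupValue -Value $current
            Set-ItemProperty -Path $iconHandlerKey -Name '(default)' -Value ''
        }
        # 2. Stop and disable WebClient so WebDAV shares cannot serve .lnk files.
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
        Write-Output 'Workarounds applied: shortcut icons disabled, WebClient disabled.'
    }
    'Revert' {
        $saved = (Get-ItemProperty -Path $iconHandlerKey -ErrorAction SilentlyContinue).$backupValue
        if (-not $saved) { $saved = $shellIconHandler }
        Set-ItemProperty    -Path $iconHandlerKey -Name '(default)' -Value $saved
        Remove-ItemProperty -Path $iconHandlerKey -Name $backupValue -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Manual
        Write-Output 'Workarounds reverted: shortcut icons restored, WebClient set to Manual.'
    }
}

# Explorer only reads the icon-handler setting at start, so restart it.
# Vista and later relaunch Explorer automatically; XP does not.
Stop-Process -Name explorer -Force
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}
```

Use -Action Revert once the vendor patch is installed; the generic-icon side effect is the visible sign that the workaround is still in place.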

Additional information can be found on the Internet Storm Center site.

Microsoft XP and Server 2003 Vulnerability

Wednesday, July 7th, 2010

Microsoft is warning of increased attacks against a security vulnerability in the Windows Help and Support Center function that ships with supported editions of Windows XP and Windows Server 2003. Microsoft says it is working on a patch to fix the flaw, but in the interim suggests users apply a short-term fix that disables the vulnerable component (the hcp:// protocol handler). The short-term fix is available from Microsoft at: http://support.microsoft.com/kb/2219475.
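As an added example (this is not Microsoft's Fix it from the KB article and not code from the original post), the PowerShell script below performs the same interim mitigation by hand: it unregisters the hcp:// protocol by removing the HKEY_CLASSES_ROOT\HCP key, but exports the key first so it can be re-imported once the patch is installed. The backup file location is an assumption; run it from an elevated prompt on the affected XP or Server 2003 hosts.

```powershell
# Added example: unregister (or re-register) the hcp:// protocol handler.
# Assumptions: elevated prompt; backup .reg file kept under %SystemRoot%\Temp
# (location chosen here, not a Microsoft convention).
param(
    [ValidateSet('Apply', 'Revert')]
    [string]$Action = 'Apply',
    [string]$BackupFile = "$env:SystemRoot\Temp\HCP-protocol-backup.reg"
)

$hcpKey   = 'HKCR\HCP'                      # form reg.exe understands
$hcpPath  = 'Registry::HKEY_CLASSES_ROOT\HCP'  # form the Registry provider understands

switch ($Action) {
    'Apply' {
        if (-not (Test-Path $hcpPath)) {
            Write-Output 'hcp:// is already unregistered; nothing to do.'
            break
        }
        # Export first so the change is reversible; refuse to delete if the
        # export fails for any reason.
        Remove-Item -Path $BackupFile -ErrorAction SilentlyContinue
        & reg.exe export $hcpKey $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
            throw "Backup of $hcpKey failed; not removing it."
        }
        Remove-Item -Path $hcpPath -Recurse -Force
        Write-Output "Unregistered hcp:// (backup written to $BackupFile)."
    }
    'Revert' {
        if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
        & reg.exe import $BackupFile
        if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
        Write-Output 'Re-registered hcp:// from backup.'
    }
}

# Verify the end state: with the key gone, hcp:// URLs no longer have a handler.
$state = if (Test-Path $hcpPath) { 'registered' } else { 'unregistered' }
Write-Output "hcp:// protocol handler is now $state."
```

While the key is removed, Help and Support links that use hcp:// stop working, which is the intended trade-off until the patch ships; revert with -Action Revert afterwards.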

Microsoft will retire XP SP2 July 13th

Monday, June 7th, 2010

Half of the enterprise computers running the aged Windows XP operating system are still relying on the soon-to-be-retired Service Pack 2 (SP2), a researcher said today.

SP3 was released two years ago. A similar situation existed with Internet Explorer 6, which was being phased out and had become a security risk, yet users were reluctant to upgrade.

Microsoft will officially retire Windows XP SP2 on July 13. After that date it will continue to provide security updates for XP SP3, but will stop issuing patches for the older SP2.

This will make defending XP SP2 systems increasingly difficult.
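As an added example (not code from the original post), the PowerShell below inventories a list of hosts over WMI and flags any Windows XP machine that is still below SP3. The host names are constructed for illustration; the script assumes WMI/RPC access with administrative credentials on each host, and sticks to Get-WmiObject and New-Object so it runs under PowerShell 2.0, which is what XP-era management stations have.

```powershell
# Added example: find Windows XP hosts still on SP2 or earlier.
# Assumptions: WMI/RPC reachable with admin rights; host names below are
# placeholders, not real machines.
param(
    [string[]]$ComputerName = @('ws01', 'ws02', $env:COMPUTERNAME)
)

$results = foreach ($computer in $ComputerName) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
    } catch {
        New-Object PSObject -Property @{
            Computer = $computer; OS = 'unreachable'; ServicePack = $null; Unsupported = $null
        }
        continue
    }
    # Win32_OperatingSystem.Version is 5.1.x for Windows XP and 5.2.x for
    # Server 2003 / XP x64. Only 32-bit XP (5.1) below SP3 loses support.
    $isXp = $os.Version -like '5.1*'
    New-Object PSObject -Property @{
        Computer    = $computer
        OS          = $os.Caption
        ServicePack = $os.ServicePackMajorVersion
        Unsupported = ($isXp -and $os.ServicePackMajorVersion -lt 3)
    }
}

# Unsupported machines first, then unreachable ones (null sorts last when descending).
$results |
    Sort-Object Unsupported -Descending |
    Format-Table Computer, OS, ServicePack, Unsupported -AutoSize
```

Unreachable hosts are reported rather than skipped, since a machine that cannot be queried is exactly the one most likely to have missed the service pack as well.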

Patching is one leg of a multi-layer, defense-in-depth security strategy. Many forms of malware are easily defeated by keeping systems patched and up to date. Other tiers of that strategy need to include network monitoring for malware and dynamic blacklisting, all features of the RiskAnalytics Cyber Risk Tools S2 sensor.

Is it possible to measure IT security success?

Friday, May 28th, 2010

It is a commonly held principle in many areas of business that if you can’t measure something “quantitatively”, it will be difficult to raise the quality objectively. The applicability of this statement to the world of IT security is clear. Without having some form of metrics in place, it is tough, if not impossible, to judge whether security is getting better over time. Indeed, it is probably fair to say that many organisations have only one way to assess security – namely, “did anything go wrong” – but this is hardly a metric for the forward-looking.

Meanwhile, of course, the drivers for proactively monitoring ’security’ and the associated effectiveness of security solutions are becoming increasingly high-profile. Regulatory pressures on organisations to secure their operations are more explicit than in the past, while customers and shareholders are less prepared to tolerate IT security breaches. The continuing spread of legislation dictating that organisations actively notify affected parties when data is potentially lost or at risk is certain to add to the pressure to demonstrate that security measures are properly established.

This is exactly what RiskAnalytics Cyber Risk Tools does. It monitors and defends in real time, but also offers a wealth of quantifiable information on exactly which way IT security is headed in an organization. Is it getting better or worse? More importantly, from a productivity standpoint, the system tells you which areas represent the largest risk to the organization, so IT can focus its efforts on cleaning up those issues first.

We have many clients who, when they started with us, would swear their network was clean; in reality, most were massively infected with malware, and employees often engaged in electronic policy violations that can lead to information leakage.

CRT alerts in real time to the security and policy issues facing an organization. Over time, the combination of real-time alerting, shunning malware and addressing user policy issues leads to a measurable reduction in security issues.

Microsoft SharePoint bug exposes credentials, sensitive data

Friday, April 30th, 2010

A cross-site scripting vulnerability has been confirmed in SharePoint Server 2007 and is likely also present in earlier versions of the content management software, a security advisory warned. It allows attackers to inject malicious JavaScript into the application by appending it to the address (URL) of the targeted system.

“The vulnerability exists due to failure in the ‘/_layouts/help.aspx’ script to properly sanitize user-supplied input in ‘cid0′ variable,” the advisory states. “Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.”

Microsoft was notified of the bug on April 12, but only made the report public on Thursday.

A Microsoft spokeswoman said Thursday that its researchers are in the process of drafting a security advisory with mitigation and workaround details. With 17 days' notice, it is unclear why Redmond's security team did not already have that information ready to go.

XSS bugs are by far the most common form of vulnerability plaguing the web. Webmasters and software makers often downplay them as insignificant because, in their opinion, most are of minimal severity. What they tend to overlook is that a compromised site can be used to hand out malware to unsuspecting users, to redirect them to attacker-controlled pages and, as in this case, to steal the authentication cookies of logged-in users.

McAfee Update shutting down millions of Windows XP computers

Wednesday, April 21st, 2010

A bad McAfee update for Windows XP has shut down thousands, possibly millions, of computers around the world.

Twitter has been buzzing this afternoon with news that McAfee updates were shutting down XP PCs, and we have heard that California sent an email to state workers a little while ago warning them of the problem. Also apparently affected: the University of Illinois at Urbana-Champaign, over 100,000 computers serviced by a UK IT firm, and presumably countless others, based on the reports that keep coming in.

“DAT update 5958 deletes the svchost.exe file, which then triggers a false-positive in McAfee itself and sets off a chain of uncontrolled restarts and loss of networking functionality.”

McAfee has issued the following statement:

“McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21. The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2.00 PM GMT+1 (6am Pacific Time).
Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.
The faulty update has been removed from all McAfee download servers, preventing any further impact on customers. We are not aware of significant impact on consumers and believe we have effectively limited such occurrence.
McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly. McAfee apologizes for any inconvenience to our customers.”

This highlights two things. First, organizations should be wary of depending on anti-virus as their only means of defense; obviously it can have issues of its own. Second, applications running on a host can have unintended consequences, and that is especially true of un-vetted software such as malware. If a big-name anti-virus company can bring down production systems, so can malware creators. The best policy is to keep un-vetted software from gaining a foothold on your systems in the first place, and to stage signature updates on a small pilot group of machines before they reach the whole fleet.

Microsoft bypasses kernel update on root kit infected machines

Friday, April 16th, 2010

Microsoft's latest batch of patches contains a kernel update designed not to install on machines infected with a rootkit. This underlines once more that the machine that never gets infected in the first place is the best policy.

The move is designed to prevent the confusion that occurred when one of the patches released in February resulted in a Blue Screen of Death and continuous reboot cycles on some Windows XP machines.

Microsoft copped a fair bit of criticism for the incident before the cause was pinned down to the interaction between the hard-to-detect TDSS (Alureon) rootkit and the MS10-015 Windows kernel security update. Rootkits are a type of malware that attempt to avoid detection by anti-virus scanners by burying themselves in places such as Windows kernel code; in this case the rootkit had patched a system driver and relied on hard-coded kernel addresses that the update moved, so the machine crashed on the next boot.

Redmond's April patch batch also contains a Windows kernel patch. To prevent a repeat of February's snafu, Microsoft is using a detection step designed to stop the update from installing on malware-compromised machines.

RiskAnalytics monitoring and network defense products are designed to prevent workstations from getting infected in the first place, through a combination of real-time monitoring and bi-directional shunning of aggressor IP addresses.