					HKCERT Newsletter 2008 May

Content
- Information Security Guide for small business
- Data Protection
- Security Alert
- Hot News

Information Security Guide for small business
HKCERT, OGCIO and the Hong Kong Police Force have published the third edition of the SME Information Security Guide. This edition adds material on business continuity planning for small and medium enterprises. The guide is available on the HKCERT website at http://www.hkcert.org/english/sguide_faq/sguide/sme_guideline.pdf

Free SMS Service
The SMS Alert Service is a free value-added service. Subscribers receive security alerts anywhere and at any time, so that they can respond promptly. Please visit the HKCERT website for details and subscription: https://www.hkcert.org/english/subscribe_ssl.html


Data Protection
Recent incidents of personal information leakage have attracted much public attention. Have you been worrying about your own data privacy? Do you know what risks are associated with storing data on a computer, and what measures are available to mitigate them? Since the topic is of such wide interest, we have prepared this brief article to give you an overview, together with a selection of useful data protection tools. Most of these tools are free of charge and many are widely used. Please read each tool's licence agreement and scope of applicability before use, and back up your critical data before installing any software. Several publications by the Hong Kong Government and HKCERT are useful references; their web links are listed at the end of this article:
- The INFOSEC web site
- Information Security Guideline, 3rd edition (2007)
- Pamphlets of the Office of the Government Chief Information Officer (OGCIO)

A. What kinds of risks are associated with data?
There are three kinds of data risk: data loss, data corruption and data leakage. The threats to data come from the following sources:

I. Natural Disasters
Water leakage, flooding and fire can cause drastic and permanent damage to computer systems in a short period of time, resulting in data loss and damage.

II. Hardware Failure
Every computer component has a finite life. Improper storage and heavy use accelerate the ageing of components, and physical shock can also damage hardware. Hardware failure in turn causes data loss.

III. System Crash
Operating systems and applications are continuously enhanced with new features and functions. The growth in complexity can bring stability problems, and a crash can corrupt or destroy data.

IV. Hacker/Malware Attack
Attackers compromise computer systems by spreading malware and exploiting security holes. They may steal personal data such as email addresses and user credentials, or other data on the computer, and use it for extortion, fraudulent online transactions or other illegal purposes.

V. Disgruntled Internal Staff
Disgruntled staff or commercial agents may steal sensitive company information, such as transaction records, and hand it to business competitors or use it for personal gain.

VI. Loss and Theft
Mobile computers and storage devices (e.g. USB drives) are very portable, which also means they can be left behind or stolen anywhere at any time. The risk of data loss and leakage from such devices is high.

VII. Human Error
Ignorance, misunderstanding and carelessness on the part of users can cause accidental data loss or damage.

B. How to protect data effectively?
The amount of data an average person handles daily is enormous, and it is infeasible to protect all of it equally. We have to know which data is important to us and focus our resources on protecting it, by establishing a clear management policy and adopting effective procedures and tools to implement that policy.

1. Firstly, conduct data classification. Data of different criticality requires different protection. Normally data is classified according to sensitivity (e.g. confidential, restricted and unclassified). Department heads should be made responsible for classifying the data of their own departments; the company's technical support department implements protective measures only after the data has been classified.
2. After classification, set protection priorities according to the policy and implement the protection through management and technical means:
- segregate sensitive data from non-sensitive data and apply proper access control;
- prohibit staff from taking sensitive data beyond the boundary of the workplace or storing it on portable media, and prohibit storing sensitive data on the Internet or sending it via the Internet; where this is genuinely necessary, the data must first be encrypted.
3. Require staff to report any data security issue, such as data loss, damage or leakage, to management.
4. Communicate the data protection policy to all staff without ambiguity.
5. If the company needs to involve a third party in data processing, e.g. a service provider repairing computers, require the third party to comply with your company's data protection policy. For safety, you can require the service provider to provide on-site service under your supervision.

C. Concrete measures to protect data
In the following we introduce measures such as segregated storage, backup, encryption, data recovery and permanent deletion of data.

I. Segregation of data storage
Segregation (or separation) of data storage is a simple but important first step. Firstly, separating the operating system from the data makes repairing the system easier: if the system fails or is compromised by hackers or malicious software, the operating system can be reinstalled without affecting the data storage area. Secondly, separating sensitive data from ordinary data makes it easier for the administrator to apply access control, and so reduces the risk of data leakage.

Methods of segregating data storage:
i. Storing on different servers: applicable to a business environment, where for example personnel and financial data can be stored on different servers. The cost is higher, but it is more secure.
ii. Storing on different hard disks: applicable to desktop computers. When the system has to be restored, the data disk need not be touched, and when a broken computer is sent for repair, the hard disk holding the data can be removed first.
iii. Storing on different partitions: applicable to notebook computers. The principle is the same as using different hard disks: a system restore does not touch the data partition. However, the disk cannot be removed before the machine is sent for repair, so the data on it remains accessible to the repairer.

II. Backup
Backup refers to making copies of the system, document files or databases, so that when a data security incident occurs the backup can be used to restore the original.

Backup media: You need to select the media that suit your needs. The table below compares the characteristics and cost of different storage media. Media with better portability are usually of lower longevity; if you want to store your data for a longer period, choose a higher-cost alternative such as magnetic tape or Network Attached Storage (NAS).

Media                          | Capacity        | Speed (MB/s) | Convenience                                      | Longevity (years) | Cost
Network Attached Storage (NAS) | 160GB - 31.2TB  | 12.5         | Needs a NAS server and network equipment         | 5-10              | Medium/High
Magnetic Tape                  | 40GB - 2TB      | 3.5 - 3600   | Needs a drive that can read/write magnetic tape  | >10               | High
External Hard Drive            | 80GB - 1TB      | 50           | Just requires a USB port                         | 2-7               | Medium
USB Flash Drive                | 512MB - 8GB     | 10           | Just requires a USB port                         | 1-3               | Low
DVD-R/RW                       | 3.95GB - 9.4GB  | 10           | Needs a DVD writer                               | 2-5               | Low
CD-R/RW                        | 650MB - 800MB   | 10           | Needs a CD writer                                | 2-5               | Low

Backup Management:
i. Backup Frequency
Data backup is not a one-time procedure. Back up data whenever it is modified; if the data changes all the time, schedule regular (for example daily or weekly) backups.
ii. Backup Process Monitoring
If files are open during the backup, the locked files may be skipped or the backup job may fail altogether, and a future recovery from that backup will be incomplete. Always check that the backup process completed successfully, and that the files you expect are actually present in the copy.
iii. Assuring the Usability of the Backup
Firstly, carry out recovery drills regularly to ensure that your backup data can actually be restored. Secondly, make sure the backup media can be retrieved quickly during a recovery: label each medium clearly (backup date and a brief description of the contents) and keep an index of backup media.
iv. Storage Environment
Different backup media have different environmental requirements for storage:
- DVD-R and CD-R should be kept away from direct sunlight, moisture and chemicals.
- Flash drives and removable hard disks should be kept in a dry, static-free place.
Physical security must also be considered, to prevent theft of the storage media.

Backup Tools:
BackupPC (http://backuppc.sourceforge.net/index.html) is a backup server that lets multiple users on Windows, Linux and Mac OS platforms centralise their backups on one system. Windows users can use the Windows file share method, while Linux and Mac OS users can use the rsync method to back up their data. The following tools are suitable for use on a standalone machine:
i. Windows
- NTBackup.exe (built-in)
- Areca http://areca.sourceforge.net/
ii. Linux
- rsync (built-in)
- Areca http://areca.sourceforge.net/
iii. Mac
- Time Machine (built-in)
- SilverKeeper http://www.lacie.com/silverkeeper/license.htm
- SuperDuper http://www.shirt-pocket.com/SuperDuper/SuperDuperDescription.html
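The two checks the backup management section asks for, process monitoring (was anything skipped?) and assuring usability (does the copy actually match the source?), can be automated with an integrity manifest. The following is an added example written for this article; it is not code from the newsletter or from BackupPC, Areca or the other tools listed. It copies a directory, records a SHA-256 digest of every source file in a manifest stored beside the copy, and verifies the copy against that manifest. The manifest file name and the sample files are assumptions made for the demo; only the Python standard library is used.

```python
"""Backup with an integrity manifest and a restore check.

Added example (not code from the newsletter or from the tools it lists):
copies a directory tree, records a SHA-256 digest of every source file
in a manifest stored beside the copy, and verifies the copy against the
manifest so that a skipped (locked) file or a corrupted copy is noticed
now rather than during a real restore. Standard library only; the
manifest file name and the sample files are assumptions for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "backup-manifest.json"   # assumed name for this example


def sha256_of(path, chunk=1 << 16):
    """Digest a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def backup(src_dir, dst_dir):
    """Copy src_dir into dst_dir; return {relative path: sha256 of source}."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir).replace(os.sep, "/")
            dst = os.path.join(dst_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)            # copies data and timestamps
            manifest[rel] = sha256_of(src)    # digest of the ORIGINAL file
    with open(os.path.join(dst_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(dst_dir):
    """Compare the copy with its manifest; return a list of problems.

    An empty list means every file listed in the manifest is present and
    its contents match what was read from the source at backup time.
    """
    with open(os.path.join(dst_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(dst_dir, *rel.split("/"))
        if not os.path.exists(path):
            problems.append("missing: " + rel)
        elif sha256_of(path) != digest:
            problems.append("corrupt: " + rel)
    return problems


def demo():
    """Constructed demo: back up two files, then damage the copy."""
    work = tempfile.mkdtemp()
    src, dst = os.path.join(work, "src"), os.path.join(work, "dst")
    os.makedirs(os.path.join(src, "finance"))
    with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
        f.write("2008-05-01,invoice,1200\n")    # constructed sample data
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("restore drill: quarterly\n")   # constructed sample data
    backup(src, dst)
    clean = verify_backup(dst)                    # expected: []
    with open(os.path.join(dst, "finance", "ledger.csv"), "a") as f:
        f.write("garbage\n")                      # simulate a media fault
    os.remove(os.path.join(dst, "notes.txt"))     # simulate a skipped file
    damaged = sorted(verify_backup(dst))
    shutil.rmtree(work)
    return clean, damaged


if __name__ == "__main__":
    print(demo())
```

Run verify_backup against the copy right after every backup job and again as part of the recovery drill: a "missing" entry is the locked-file problem described above, and a "corrupt" entry means the medium can no longer be trusted for that file. The digests are taken from the source, not from the copy, so a copy that was damaged while being written is caught as well.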

III. Encryption
Encryption is the process of transforming data from an easily readable form into an unintelligible form, using a key (typically derived from a password) and a specific algorithm. To read the data again, the user must supply the same password to decrypt it back to the original text.

Data can leak in two ways: a thief may steal the data residing on computers or storage media, or intercept it in transit (e.g. in email). In both cases encryption can prevent the leakage.

Encryption methods and selection: There are many encryption schemes to choose from, such as the file system encryption built into the operating system, an external encryption program, or an external secure device. Some people rely on the password protection built into older versions of Microsoft Office to encrypt documents; that encryption is weak and easily broken, and it is not recommended for protecting sensitive information.

i. Encrypting files stored on the local computer:
- External encryption program: the program asks the user to set a password, and uses a key derived from that password with a cryptographic algorithm to encrypt the files. When decrypting, the program requires the same password.
- External secure device: the encryption key is held in an external secure device. A computer with the corresponding encryption/decryption software installed verifies that the correct device holding the key is plugged in before it displays or opens any protected file. If the device is not plugged in, the protected files remain invisible and cannot be opened.

ii. Transferring encrypted files:
When an encrypted file is transferred, the sender has to tell the receiver the encryption key (the password) so that the receiver can decrypt the file. Exchanging the key over the Internet in the clear is not safe, so two methods of key exchange are used.
- Secret key encryption with an alternate channel: in symmetric key encryption (where the same password is used for encryption and decryption), the sender should send the key to the receiver via a different channel from the file transfer (e.g. SMS or telephone), so that someone who intercepts the encrypted file cannot pick up the key from the same channel and decrypt the file.
- Public key encryption: a pair of mathematically related but different keys (a private key and a public key) is used. The receiver's public key is shared openly and the sender encrypts the message with it; the receiver decrypts the message with his own private key. Everyone can use the same public key to send files to that receiver, which removes the need to agree and remember a separate secret key with each correspondent. However, senders and receivers need to agree in advance to use this mechanism.

Select secure encryption algorithms: Encryption programs offer a choice of algorithms. Some older algorithms are no longer adequate (DES can be broken by brute force and 3DES is not considered strong enough today), while non-standard and unproven algorithms give no assurance at all. Choose an algorithm such as AES or Blowfish, both designed by renowned cryptographers; AES is the current standard algorithm selected by the National Institute of Standards and Technology of the USA.

Encryption Tools:
i. Windows
- TrueCrypt (free to use, but not to include in other products or modify) http://www.truecrypt.org/
- Blowfish Advanced CS (Personal Edition) www.hotpixel.net/software.html
- FreeOTFE http://www.freeotfe.org/
ii. Linux
- TrueCrypt http://www.truecrypt.org/
- FreeOTFE http://www.freeotfe.org/
iii. Mac
- FileVault (built-in)
- TrueCrypt http://www.truecrypt.org/
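The "external encryption program" scheme above (password in, key derived, file encrypted) and the warning that a weak password makes the strongest algorithm useless can both be seen in a few dozen lines. The following is an added example written for this article, not code from the newsletter or from TrueCrypt, FreeOTFE or Blowfish Advanced CS. Python's standard library has no AES, so the cipher here is a stream cipher built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; it stands in for AES to show the structure, and is not an implementation of it. The iteration count, wordlist and sample messages are constructed for the demo.

```python
"""Password-based file encryption and a dictionary attack against it.

Added example; not code from the newsletter or from TrueCrypt/FreeOTFE.
It shows the structure those programs share: password -> salted key
derivation -> cipher key, with the salt stored in the encrypted file.
The standard library has no AES, so the cipher below is a stream
cipher built from HMAC-SHA256 in counter mode plus an encrypt-then-MAC
tag; it is a stand-in for AES, not an implementation of it. The
messages, wordlist and iteration count are constructed for the demo.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000          # assumed work factor for the example
WEAK_WORDLIST = ["password", "123456", "summer2008", "letmein", "qwerty"]


def derive_keys(password, salt, iterations=KDF_ITERATIONS):
    """Stretch a password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password, plaintext, iterations=KDF_ITERATIONS):
    """Return salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt, iterations)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(password, blob, iterations=KDF_ITERATIONS):
    """Return the plaintext, or None if the password is wrong or blob tampered."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt, iterations)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    ks = keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def dictionary_attack(blob, wordlist, iterations=KDF_ITERATIONS):
    """What a thief does with a stolen encrypted file: try likely passwords.

    Nothing about the algorithm is broken here; the tag tells the attacker
    which guess was right, and a weak password is simply in the list.
    """
    for guess in wordlist:
        if decrypt(guess, blob, iterations) is not None:
            return guess
    return None


def demo():
    """Same cipher, two passwords: only the weak one falls to the wordlist."""
    secret = b"Q2 payroll figures (constructed sample)"
    weak_blob = encrypt("summer2008", secret)
    strong_blob = encrypt("correct horse battery staple 2008", secret)
    return (dictionary_attack(weak_blob, WEAK_WORDLIST),
            dictionary_attack(strong_blob, WEAK_WORDLIST))


if __name__ == "__main__":
    print(demo())   # ('summer2008', None)
```

The salt stored in the file stops an attacker from precomputing one table for every victim, and the iteration count makes each guess cost real CPU time, but neither helps when the password itself is on a short list: the attack above needs nothing but the stolen file. This is the practical meaning of the note that a weak password renders the encryption program useless.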

Note: most encryption programs and methods derive the encryption key from a password. If the password is weak, even the most sophisticated program or algorithm becomes useless, because an attacker who obtains the encrypted file can simply try likely passwords until one decrypts it.

IV. Data recovery
Data recovery is the use of tools to recover deleted or corrupted data. When the system deletes a file, it only removes the file's entry from the file system index (for example the File Allocation Table, FAT) and marks its space as free; the file's contents remain on the hard disk until they are overwritten. Therefore tools can recover data that was deleted by accident.

Data recovery Tools:
Helix CD http://www.e-fense.com/helix/
The Helix project produces a bootable CD that contains several good tools for recovering and wiping data:
- wipe: secure file deletion
- fatback: analyse and recover deleted FAT files
- dcfldd: dd replacement from the DCFL
Here are some other tools:
i. Windows
- PC INSPECTOR File Recovery http://www.pcinspector.de/Sites/file_recovery/
- Undelete Plus http://www.undelete-plus.com
- DATA Unerase Personal Edition http://www.octanesoft.com/data_recovery_free_edition.html
- DataRecovery http://tokiwa.qee.jp/EN/dr.html
ii. Linux
- R-Linux (free for Ext2fs) http://www.data-recovery-software.net/Linux_Recovery.shtml
- DCFLdd http://dcfldd.sourceforge.net/
- Mondorescue http://www.mondorescue.org/
iii. Mac
- R-Studio (paid software) http://www.data-recovery-software.net/

Under normal circumstances, data lost through software or hardware failure can be recovered in about 85 percent of cases. But remember that if you encounter data loss you should stop all operations immediately and not restart the computer, because any further writes to the disk (including those the operating system makes at start-up) may overwrite the lost data and lower the chance of a successful recovery.

V. Permanent Deletion of Data
In the previous section we noted that when a file is deleted, the system only removes the file's entry from the file system index (e.g. the FAT) and leaves its contents on the hard disk. The same applies to formatting: a quick format only rewrites the file system's index structures and does not remove the data in the sectors of the partition. Therefore, if you want to remove data completely, you must overwrite every sector that holds the old data. A standard data deletion program should meet the U.S. Department of Defense standard DoD 5220.22-M, which requires overwriting the sectors with different combinations of bit patterns so that the data cannot be recovered. Note that overwriting is only reliable for magnetic disks; on flash media and SSDs the drive's wear levelling may keep copies of old data in blocks that software cannot reach, so such media should be encrypted from the start or physically destroyed. Checks and balances should be in place to ensure that the secure deletion process is performed and succeeds; possible measures include proper approval and logging of the whole process, and sample checks or verification of the erased hard disks.

Permanent Deletion Tools:
i. Windows
- Eraser http://www.heidi.ie/eraser/
- Sysinternals SDelete http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx
- SS Data Eraser http://www.ss-tools.com/data-eraser/
- DBAN http://dban.sourceforge.net/
ii. Linux
- Wipe http://wipe.sourceforge.net/
- DBAN http://dban.sourceforge.net/
iii. Mac
- Finder has a built-in feature to securely erase data http://www.delamainit.com/articles_how-tos/apple-mac-osx/secure-erase-hard-drive.html
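The difference between plain deletion (index entry removed, contents left on disk) and permanent deletion (every sector overwritten, then the entry removed) can be shown for a single file. The following is an added example written for this article, not code from the newsletter or from Eraser, SDelete, Wipe or DBAN. It overwrites the file in place with three passes (random, 0xFF, 0x00), flushes each pass to disk, reads the file back to confirm the pass landed, and only then unlinks the name. The pattern set and the sample file are assumptions for the demo. The caveat in the text applies here too: this is reliable for a plain file on a magnetic disk, while journaling or copy-on-write file systems and SSD wear levelling can keep old copies that a file-level program cannot reach.

```python
"""Overwrite-then-delete for a single file, with a read-back check.

Added example; not code from the newsletter or from Eraser, SDelete or
DBAN. Plain deletion only unlinks the file's name, so this function
first overwrites every byte of the file in place with several passes
(random, 0xFF, 0x00), flushes each pass to disk, reads the file back to
confirm the pass landed, and only then removes the name. Pattern set and
sample file are assumptions for the demo. Caveat: reliable for a plain
file on a magnetic disk; journaling or copy-on-write file systems and
SSD wear levelling can keep old copies the program cannot reach, where
whole-disk tools or disk encryption are the answer.
"""
import hashlib
import os
import tempfile

PATTERNS = (None, b"\xff", b"\x00")    # None = random bytes; assumed set


def wipe_file(path, patterns=PATTERNS, chunk=1 << 16):
    """Overwrite `path` once per pattern, verifying each pass, then unlink.

    Returns the number of passes written. Raises OSError if what is read
    back after a pass differs from what was written (e.g. a short write).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            written = hashlib.sha256()
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                block = os.urandom(n) if pattern is None else pattern * n
                f.write(block)
                written.update(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())        # push the pass out of the OS cache
            f.seek(0)
            readback = hashlib.sha256()
            for block in iter(lambda: f.read(chunk), b""):
                readback.update(block)
            if readback.digest() != written.digest():
                raise OSError("verification failed for pass %r on %s"
                              % (pattern, path))
    os.remove(path)                     # only now drop the directory entry
    return len(patterns)


def demo():
    """Constructed demo: wipe a temp file holding sample 'sensitive' text."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(b"staff_id,salary\n1001,32000\n" * 5000)   # constructed sample
    passes = wipe_file(path)
    return passes, os.path.exists(path)


if __name__ == "__main__":
    print(demo())   # (3, False)
```

The read-back after each pass is the "verification" the text asks for at file level: it confirms the write completed and covered the whole file. For a whole disk, or for media where in-place overwrite cannot be trusted, use a boot-time tool such as DBAN or the drive's own secure-erase command instead.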

D. Useful Tools Table

Backup
- Windows: NTBackup.exe (built-in); Areca http://areca.sourceforge.net/
- Linux: rsync (built-in); Areca http://areca.sourceforge.net/
- Mac: Time Machine (built-in); SilverKeeper http://www.lacie.com/silverkeeper/license.htm; SuperDuper http://www.shirt-pocket.com/SuperDuper/SuperDuperDescription.html

Sync
- Windows: SyncBack http://www.2brightsparks.com/freeware/; Unison http://www.cis.upenn.edu/~bcpierce/unison/; JFileSync http://jfilesync.sourceforge.net/index.shtml
- Linux: rsync (built-in); Unison http://www.cis.upenn.edu/~bcpierce/unison/; JFileSync http://jfilesync.sourceforge.net/index.shtml
- Mac: Time Machine (built-in); SyncTwoFolders (non-commercial use) http://www.versiontracker.com/dyn/moreinfo/macosx/30727; JFileSync http://jfilesync.sourceforge.net/index.shtml

Encryption
- Windows: TrueCrypt (free to use, but not to include in other products or modify) http://www.truecrypt.org/; Blowfish Advanced CS (Personal Edition) www.hotpixel.net/software.html; FreeOTFE http://www.freeotfe.org/
- Linux: TrueCrypt http://www.truecrypt.org/; FreeOTFE http://www.freeotfe.org/
- Mac: FileVault (built-in volume encryption); TrueCrypt http://www.truecrypt.org/

Recover
- Windows: PC INSPECTOR File Recovery http://www.pcinspector.de/Sites/file_recovery/; Undelete Plus http://www.undelete-plus.com; DATA Unerase Personal Edition http://www.octanesoft.com/data_recovery_free_edition.html; DataRecovery http://tokiwa.qee.jp/EN/dr.html
- Linux: R-Linux (free for Ext2fs) http://www.data-recovery-software.net/Linux_Recovery.shtml; DCFLdd (2006 version) http://dcfldd.sourceforge.net/; Mondorescue http://www.mondorescue.org/
- Mac: R-Studio (paid software) http://www.data-recovery-software.net/

Data Eraser (DoD 5220.22-M compliant)
- Windows: Eraser http://www.heidi.ie/eraser/; Sysinternals SDelete http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx; SS Data Eraser http://www.ss-tools.com/data-eraser/; DBAN http://dban.sourceforge.net/
- Linux: Wipe http://wipe.sourceforge.net/
- Mac: Finder has a built-in feature to securely erase data http://www.delamainit.com/articles_how-tos/apple-mac-osx/secure-erase-hard-drive.html

E. References
- Pamphlets of the Office of the Government Chief Information Officer (OGCIO): http://www.ogcio.gov.hk/
- INFOSEC website: http://www.infosec.gov.hk/
- SME Information Security Guideline: https://www.hkcert.org/chinese/sguide_faq/sguide/sme_guideline.pdf
- Data erasure standard DoD 5220.22-M (see data remanence): http://en.wikipedia.org/wiki/Data_remanence
- Backup Media Comparison Table: http://www.psyc.vt.edu/kb/kb-0002.html
- Helix CD: http://www.e-fense.com/helix/
- Free Secure (Destructive) File and Disk Deletion Tools: http://www.thefreecountry.com/security/securedelete.shtml


Security Alert
Bugs, Holes and Patches
Date/Source Common Name Operating system/ Vendor/ Platform
All

Vulnerability System

Impact

Workarounds/ Solutions

2008/04/07

Apple QuickTime Multiple Vulnerabilities

- Apple QuickTime versions prior to 7.4.5

- Disclose sensitive information - Remote code execution - Remote Code Execution - Denial of Service - Exposure of sensitive information - Remote Code Execution - Denial of Service - Exposure of Sensitive Information

Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

2008/04/07

Cisco Unified Cisco Communications Disaster Recovery Framework Command Execution Vulnerability Novell Kerberos KDC Novell Multiple Vulnerabilities

- Cisco Unified Communications Manager (CUCM) 5.x and 6.x - Cisco Unified Communications Manager Business Edition - Cisco Unified Precense 1.x and 6.x - Cisco Emergency Responder 2.x - Cisco Mobility Manager 2.x - Novell Kerberos KDC 1.x

2008/04/07

Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

2008/04/07

Opera Multiple Vulnerabilities

Opera

- Opera 5.x - Opera 6.x - Opera 7.x - Opera 8.x - Opera 9.x - Symantec Mail Security for SMTP 5.x - Symantec Mail Security for Domino 7.x - Symantec Mail Security for Microsoft Exchange 5.x

- Remote Code Install the patch provided Execution by manufacturer. Please - Denial of Service visit our web-site for more details. http://www.hkcert.org - Remote Code Execution Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

2008/04/09

Symantec Mail Security Attachment Parsing Vulnerabilities

All

2008/04/09

Lotus Notes Multiple Keyview Parsing Vulnerabilities

Windows

- IBM Lotus Notes 6.x - IBM Lotus Notes 7.x - IBM Lotus Notes 8.x

- Remote Code Execution

2008/04/09

Microsoft Visio Multiple Vulnerabilities

Windows

- Microsoft Office XP Service Pack 2 - Remote Code Execution ¡D Microsoft Visio 2002 Service Pack 2 - Microsoft Office 2003 Service Pack 2 ¡D Microsoft Visio 2003 Service Pack 2 - Microsoft Office 2003 Service Pack 3 ¡D Microsoft Visio 2003 Service Pack 3 - 2007 Microsoft Office System ¡D Microsoft Visio 2007 - 2007 Microsoft Office System Service Pack 1 ¡D Microsoft Visio 2007 Service Pack 1

10

HKCERT Newsletter 2008 May Bugs, Holes and Patches
Date/Source Common Name Operating system/ Vendor/ Platform
Windows

Vulnerability System

Impact

Workarounds/ Solutions

2008/04/09

Microsoft Windows Kernel Vulnerability

- Microsoft Windows 2000 - Windows XP - Windows Server 2003 - Windows Vista - Windows Server 2008

- Elevation of Privilege

Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

2008/04/09

Microsoft DNS Client DNS Spoofing Attack Vulnerability

Windows

- Microsoft Windows 2000 - Windows XP - Windows Server 2003 - Windows Vista

- Spoofing

Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

2008/04/09

Microsoft Internet Explorer Data Stream Handling Memory Corruption Vulnerability

Windows

- Microsoft Internet Explorer 5.01 Service - Remote Code Pack 4 Execution ¡D Microsoft Windows 2000 Service Pack 4 - Microsoft Internet Explorer 6 Service Pack 1 ¡D Microsoft Windows 2000 Service Pack 4 - Microsoft Internet Explorer 6 ¡D Windows XP Service Pack 2 ¡D Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 ¡D Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 ¡D Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 ¡D Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems - Windows Internet Explorer 7 ¡D Windows XP Service Pack 2 ¡D Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 ¡D Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 ¡D Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

11

HKCERT Newsletter 2008 May Bugs, Holes and Patches
Date/Source Common Name Operating system/ Vendor/ Platform Vulnerability System Impact Workarounds/ Solutions

¡D Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems ¡D Windows Vista and Windows Vista Service Pack 1 ¡D Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 ¡D Windows Server 2008 for 32-bit Systems ¡D Windows Server 2008 for x64-based Systems ¡D Windows Server 2008 for Itanium-based Systems 2008/04/09 Microsoft Windows ActiveX Object Memory Corruption Vulnerability Windows - Microsoft Windows 2000 Service Pack 4 ¡D Microsoft Internet Explorer 5.01 Service Pack 4 - Microsoft Windows 2000 Service Pack 4 ¡D Microsoft Internet Explorer 6 Service Pack 1 - Windows XP Service Pack 2 - Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 - Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 - Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 - Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems - Windows Vista and Windows Vista Service Pack 1 - Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 - Windows Server 2008 for 32-bit Systems - Windows Server 2008 for x64-based Systems - Windows Server 2008 for Itanium-based Systems - VBScript 5.1 and JScript 5.1 ¡D Microsoft Windows 2000 - VBScript 5.6 and JScript 5.6 ¡D Microsoft Windows 2000 ¡D Windows XP ¡D Windows Server 2003 - Remote Code Execution Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

2008/04/09

Microsoft Windows VBScript/JScript Remote Code Execution Vulnerabi

Windows

- Remote Code Execution

Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

12

HKCERT Newsletter 2008 May Bugs, Holes and Patches
Date/Source Common Name Operating system/ Vendor/ Platform
Windows

Vulnerability System

Impact

Workarounds/ Solutions

2008/04/09

Microsoft Windows GDI Overflow Vulnerability

- Microsoft Windows 2000 - Windows XP - Windows Server 2003 - Windows Vista - Windows Server 2008 - Microsoft Project 2000 - Microsoft Project 2002 - Microsoft Project 2003

- Remote Code Execution

Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

2008/04/09

Microsoft Project Memory Validation Vulnerability

Windows

- Remote Code Execution

2008/04/10

Adobe Flash Player Multiple Vulnerabilities

All

- Adobe Flash Player 9.x

- Remote Code Execution - Security Bypass - Cross Site Scripting

2008/04/15

ClamAV Upack Executable Processing Buffer Overflow Vulnerability

ClamAV

- Clam AntiVirus (ClamAV) version 0.92.1 and prior

- Remote Code Install the patch provided Execution by manufacturer. Please - Denial of Service visit our web-site for more details. http://www.hkcert.org - Denial of Service Install the patch provided - Remote Code by manufacturer. Please Execution visit our web-site for more details. http://www.hkcert.org - Remote Code Execution Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

2008/04/16

ClamAV PeSpin and Archives Processing Multiple Vulnerabilities

ClamAV

- ClamAV versions prior to 0.93

2008/04/17

DivX Player Subtitle Parsing Client-Side Buffer Overflow Vulnerability

Windows

- DivX Player version 6.7 and prior

2008/04/18

CA Products DSM "gui_cm_ctrls" ActiveX Vulnerability

Windows

- CA BrightStor ARCServe Backup for Laptops and Desktops r11.5 - CA Desktop Management Suite r11.2 C2 - CA Desktop Management Suite r11.2 C1 - CA Desktop Management Suite r11.2a - CA Desktop Management Suite r11.2 - CA Desktop Management Suite r11.1 (GA, a, C1) - CA Unicenter Desktop Management Bundle r11.2 C2 - CA Unicenter Desktop Management Bundle r11.2 C1 - CA Unicenter Desktop Management Bundle r11.2a - CA Unicenter Desktop Management Bundle r11.2 - CA Unicenter Desktop Management Bundle r11.1 (GA, a, C1)

- Remote Code Install the patch provided Execution by manufacturer. Please - Denial of Service visit our web-site for more details. http://www.hkcert.org

13

HKCERT Newsletter 2008 May Bugs, Holes and Patches
Date/Source Common Name Operating system/ Vendor/ Platform Vulnerability System Impact Workarounds/ Solutions

(continued from previous page)
Vendor/Vulnerability System:
- CA Unicenter Asset Management r11.2 C2
- CA Unicenter Asset Management r11.2 C1
- CA Unicenter Asset Management r11.2a
- CA Unicenter Asset Management r11.2
- CA Unicenter Asset Management r11.1 (GA, a, C1)
- CA Unicenter Software Delivery r11.2 C2
- CA Unicenter Software Delivery r11.2 C1
- CA Unicenter Software Delivery r11.2a
- CA Unicenter Software Delivery r11.2
- CA Unicenter Software Delivery r11.1 (GA, a, C1)
- CA Unicenter Remote Control r11.2 C2
- CA Unicenter Remote Control r11.2 C1
- CA Unicenter Remote Control r11.2a
- CA Unicenter Remote Control r11.2
- CA Unicenter Remote Control r11.1 (GA, a, C1)
- CA Desktop and Server Management r11.2 C2
- CA Desktop and Server Management r11.2 C1
- CA Desktop and Server Management r11.2a
- CA Desktop and Server Management r11.2
- CA Desktop and Server Management r11.1 (GA, a, C1)
Impact:
- Remote Code Execution
- Denial of Service
Workarounds/Solutions: Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

Date/Source: 2008/04/18
Common Name: OpenOffice Multiple Vulnerabilities
Operating system/Platform: All
Vendor/Vulnerability System:
- OpenOffice.org versions prior to 2.4
Impact:
- Remote Code Execution
- Denial of Service
- Disclose Sensitive Information
Workarounds/Solutions: Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

Date/Source: 2008/04/18
Common Name: Safari Multiple Vulnerabilities
Operating system/Platform: Mac
Vendor/Vulnerability System:
- Apple Safari versions prior to 3.1.1
Impact:
- Remote Code Execution
- Denial of Service
Workarounds/Solutions: Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

Date/Source: 2008/04/18
Common Name: Mozilla JavaScript Garbage Collector Vulnerability
Operating system/Platform: All
Vendor/Vulnerability System:
- Mozilla Firefox versions prior to 2.0.0.14
- Mozilla SeaMonkey versions prior to 1.1.10
- Mozilla Thunderbird versions prior to 2.0.0.14
Impact:
- Remote Code Execution
- Denial of Service
Workarounds/Solutions: Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

Date/Source: 2008/04/22
Common Name: ICQ Personal Status Windows Manager Vulnerability
Vendor/Vulnerability System:
- ICQ version 6 (build 6043) and prior
Impact:
- Remote Code Execution
Workarounds/Solutions: Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

Date/Source: 2008/04/23
Common Name: Adobe Products BMP Handling Buffer Overflow Vulnerability
Operating system/Platform: Windows/Linux
Vendor/Vulnerability System:
- Adobe After Effects CS3
- Adobe Photoshop Album Starter Edition 3.x

14

Bugs, Holes and Patches
Date/Source | Common Name | Operating system/Platform | Vendor/Vulnerability System | Impact | Workarounds/Solutions

Date/Source: 2008/04/25
Common Name: Cisco Network Admission Control Shared Secret Vulnerability
Vendor/Vulnerability System: Cisco
- NAC Appliance software version 3.5.x
- NAC Appliance software version 3.6.x
- NAC Appliance software version 4.0.x
- NAC Appliance software version 4.1.x
Impact:
- Remote Code Execution
Workarounds/Solutions: Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

Date/Source: 2008/04/28
Common Name: HP Software Update HPeDiag ActiveX Control Multiple Vulnerabilities
Operating system/Platform: Windows
Vendor/Vulnerability System:
- HP Software Update version 4.000.009.002 and prior
Impact:
- Disclose Sensitive Information
- Remote Code Execution
- Privilege Escalation
Workarounds/Solutions: Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

Date/Source: 2008/04/29
Common Name: WordPress Cookie Integrity Protection Privilege Escalation Vulnerability
Operating system/Platform: All
Vendor/Vulnerability System:
- WordPress versions prior to 2.5.1
Workarounds/Solutions: Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

Date/Source: 2008/04/29
Common Name: StarOffice/StarSuite Multiple Vulnerabilities
Operating system/Platform: All
Vendor/Vulnerability System:
- Sun StarOffice 7
- Sun StarOffice 8
- Sun StarSuite 7
- Sun StarSuite 8
Impact:
- Remote Code Execution
- Denial of Service
Workarounds/Solutions: Install the patch provided by manufacturer. Please visit our web-site for more details. http://www.hkcert.org

* Please check instructions carefully on related web site before applying the solutions

15

Hot News

Web sites staying infected with malicious software for longer
April 01, 2008
Increasing numbers of legitimate sites are unknowingly hosting malware and compromised sites are staying infected for longer, according to the latest threat report from Scansafe. Some sites are not being cleaned up for two months as the site operators remain unaware of the malicious software's existence. (from Vnunet)

Link spammers go on social networking rampage
April 02, 2008
Spammers have found a fertile new marketplace on social networking sites such as Facebook and MySpace. The 'wall' feature on Facebook is being abused by spammers to post deceptive messages, linking to spam sites such as online "pharmacy" shops. The tactic is similar to the long-standing link-spamming approach which involves posting misleading links to spamvertised sites on blogs and forums. Facebook wall spamming is a recent variant on the theme. Spammers are using genuine users' profiles to disseminate these messages and are buying or 'renting' these identities from online thieves, according to preliminary research by security appliance firm Fortinet. (from The Register)

Apple patches 11 QuickTime bugs in year's third update
April 03, 2008
Apple Inc. patched QuickTime late Wednesday to fix 11 flaws in the Mac and Windows versions of the media player. All but two of the bugs could be used by hackers to hijack users' machines. QuickTime 7.4.5 — the third security update Apple has released for the program so far in 2008 — plugs vulnerabilities in how the player handles Java and PICT image files, parses some data objects and uses Animation codec content, among others. Nine of the 11 bugs patched Wednesday were characterized by Apple as allowing "arbitrary code execution," a phrase the company uses to describe the most serious threats. Unlike vendors such as Microsoft Corp. and Oracle Corp., Apple doesn't rank the bugs it fixes with a scoring or labeling system. (from Computer World)

U.S. reveals plans to hit back at cyberthreats
April 04, 2008
Air Force Cyber Command (AFCYBER), a U.S. military unit set up in September 2007 to fight in cyberspace, is due to become fully operational in the autumn under the aegis of the U.S. Eighth Air Force. Lieutenant General Robert J. Elder Jr., who commands the Eighth Air Force's Barksdale base, told ZDNet.co.uk at the Cyber Warfare Conference 2008 that the Air Force is interested in developing its capabilities to attack enemy forces as well as defend critical national infrastructure. "Offensive cyberattacks in network warfare make kinetic attacks more effective, (for example) if we take out an adversary's integrated defense systems or weapons systems," Elder said. "This is exploiting cyber to achieve our objectives." (from CNET)

Opinion: Phishing in the backyard
April 06, 2008
The best phishing e-mail I've seen recently purported to come from none other than the head of the FBI. "Robert Mueller" offered to ensure the safety of a money transfer from a confidential third party, if only the recipient would provide his bank information in an official-looking form. Being the inquisitive sort, I was fascinated that the director of the FBI would use a foreign e-mail address, that the form didn't appear to have been prepared by a native English speaker and that the FBI would provide "advance fee" fund-transfer services. Nonetheless, some recipients of the email have likely taken the bait and found their self-assurance and bank balances thus reduced. (from Computer World)

HSBC loses customer data
April 07, 2008
HSBC has lost a disc containing details of 370,000 of its customers, in an incident which will raise further questions about firms' data security policies. The loss occurred four weeks ago when HSBC used the Royal Mail to transport its disc between the bank's offices in Southampton and Folkestone, an HSBC spokesman told IT Week. The disc was password protected and contained names, life insurance cover levels, dates of birth and whether or not a customer smokes, said HSBC in a statement. "There is nothing else that could in any way compromise a customer and there is no reason to suppose that the disk has fallen into the wrong hands." (from Vnunet)

Breaking into a power station in three easy steps
April 08, 2008
"I will tell (you) how to break into a nuclear reactor," Ira Winkler, president of security firm ISAG said as he launched into his presentation on "How to Take Down the Power Grid" at RSA 2008 on Tuesday night. First, you set up a Web server that downloads spyware onto the computers that visit. Second, you send an e-mail to people who work inside a power station that

16

entices them to click on a hyperlink to the Web server with the spyware. Warning them that their human resources benefits are going to be cut and sending them to a Web site with "hr.com" in the domain would work, according to Winkler, who said he has done this several times in company-approved penetration tests. Third, you wait as the recipients--and everyone else they forwarded the email to--visit the server and get infected. (from CNET)

Kraken stripped of World's Largest Botnet crown
April 09, 2008
RSA If you're looking for a good reason why security professionals might want to pool their research about botnets and other cyber threats, look no further than findings released earlier this week about a botnet dubbed Kraken. Zombie hunters at Damballa said they were tracking a new bot army that claimed more than 400,000 infected machines and had managed to infiltrate at least 50 networks belonging to Fortune 500 companies. The malware at the heart of Kraken, as they dubbed the botnet, was undetected on 80 percent of computers running antivirus protection. (from The Register)

Planning a company social network? Don't forget privacy issues
April 10, 2008
Large corporations seem to be tripping over themselves in their rush to tap into the social networking phenomenon by deploying their own versions of online user communities. But by trying to shoehorn this generation's Woodstock into a corporate wingtip, they may be assuming risks that even the best social networks haven't fully addressed. I have to admit: I'm one of those over-35 types who think they're hip because they have a BlackBerry but are deaf to the siren songs of text messaging and Facebook. People like me think we have a hard enough time managing email without getting sucked into a black hole of endless texting and friending. We're the cold showers in charge of corporate policy, and you'll have to warm us to the idea of deploying a "CitiBook" or "myHomeDepot" for corporate staff. (from Computer World)

Remote workers present biggest security threat
April 11, 2008
Remote and branch workers are judged to be the highest security risks by IT managers, but sales staff are considered the worst offenders in consuming network bandwidth for non-work related activities, according to recent research by network optimisation firm Blue Coat Systems. The survey asked a range of network security and resource questions to both network managers and security managers to determine the biggest challenges facing corporate networks in the UK. (from Vnunet)

Presidential campaigns clueless about Net threats
April 12, 2008
The 2008 presidential campaigns are apparently oblivious to many of the threats that could damage their candidates' reputations and fund-raising abilities, or disclose sensitive insider information, a security researcher said Friday. "There's just a general lack of awareness that this is a problem," said Oliver Friedrichs, director of emerging technologies at Symantec Corp. and a researcher on electoral cybercrime. (from Computer World)

Microsoft patched critical Windows bug in XP SP3 early
April 13, 2008
The appearance and disappearance of a Windows XP installation snafu indicates that Microsoft Corp. patched a critical vulnerability in XP's still-unfinished Service Pack 3 (SP3) weeks before it fixed any other version of Windows. The glitch, which sent some PCs into an endless round of reboots, was strangely similar to one faced by Vista users in February. Attackers have already tried to exploit that bug, which was patched last Tuesday -- as it turned out, two weeks after the newest build of Windows XP SP3 was released with the flaw fixed. (from Computer World)

Security experts warn against Web 2.0 charlatans and 'premature AJAXulation'
April 14, 2008
RSA Forget a wave of Web 2.0 threats taking down your software, stealing your data or exposing users - the real danger is posed by some existing attack techniques. And it's IT charlatans peddling over-night AJAX solutions that'll leave you vulnerable. Two security experts from Microsoft and Hewlett Packard have warned against "premature AJAXulation" - the practice of using quick fixes to turn existing software into Rich Internet Application wonders - saying these are architecturally flawed. (from The Register)

Employee file transfers put firms at risk
April 15, 2008
Companies are being warned of the dangers posed by third-party web transfer services, and the use of instant messaging and social networking sites to send personal information. This is despite recent high-profile cases which have highlighted the dangers of using postal services to transfer personal data. (from Vnunet)

Oracle patches 'sitting duck' database vulns
April 16, 2008
Oracle posted 41 patches on Tuesday as part of its regular quarterly patching cycle, with core database vulnerabilities being heavily represented.

17

The patch batch covers 17 updates for Oracle Database products, 11 updates for Oracle E-Business Suite, three updates for Oracle PeopleSoft Enterprise products, along with six updates for Oracle Siebel SimBuilder products, among others. The load is less than previous security updates, but their impact on key vulnerable databases (in particular) is potentially serious, security watchers warn. (from The Register)

Hackers issue BT Home Hub warning
April 17, 2008
Ethical hacking group GNUCitizen.org has warned that the default settings on one of the UK's most widely used wireless routers are leaving customers open to attack. The group showed in a blog posting that the BT Home Hub, the wireless router supplied to BT Broadband customers, uses algorithms that make the device easy to crack when in default mode. Using reverse-engineering techniques the group said that the hub's Wired Equivalent Privacy (WEP) keys can be predicted in just 80 guesses, but had decided against making its automated guessing program publicly available. (from Vnunet)

Notorious eBay hacker arrested in Romania
April 18, 2008
Vladuz, the notorious hacker who repeatedly accessed off-limits parts of eBay's network and then publicly bragged about it, has been arrested, the online auctioneer says. The hacker was arrested by Romanian law enforcement officials with the help of the US Secret Service, the FBI and eBay's global fraud investigation team, eBay said. The company wouldn't discuss additional details, and representatives from the Secret Service and the FBI couldn't be reached for comment. (from The Register)

CNN cyberattack called off
April 18, 2008
A planned cyberattack against CNN's Web site fizzled out Saturday as the group backing the event called it off. "Our original plan for 19 April has been canceled because too many people are aware of it and the situation is chaotic," wrote a group called "Revenge of the Flame," according to a translation posted on the "Dark Visitor" blog. "At an unspecified date in the near future, we will launch the attack." (from Computer World)

ISP typo pimping exposes users to fraudulent web pages
April 20, 2008
ToorCon Comcast, Verizon and at least 70 other internet service providers are putting their customers at serious risk in their quest to make money from mistyped web addresses, security researcher Dan Kaminsky says. Speaking at the ToorCon security conference in Seattle, Kaminsky demonstrated an exploit class he dubbed PiTMA, short for provider-in-the-middle attacks. A variation of man-in-the-middle attacks, it stole authentication cookies and injected arbitrary content into trusted web pages by exploiting weaknesses in an ad server Earthlink used when returning results for non-existent addresses. (from The Register)

Hacker redirects Obama's Web site to Clinton's
April 21, 2008
Someone exploited a weakness in Democratic presidential hopeful Barack Obama's Web site and redirected visitors to rival Hillary Clinton's site over the weekend, according to a posting on the blog of security firm NetCraft. Basically, visitors to the community blogs section of Obama's site on Saturday night were sent to Clinton's site. Someone using the alias "Mox" claimed credit for the hack on Obama's site late on Sunday. (from CNET)

New malware-infected site found every five seconds
April 22, 2008
The first quarter of 2008 has been marked by a "dramatic increase" in web-based threats, with a new infected webpage being discovered every five seconds, security experts warn. Sophos identified an average of more than 15,000 newly infected web pages each day from 1 January to 31 March 2008. The security firm warned that 79 per cent of these malware-hosting sites are found on legitimate websites that have been hacked. February saw the website of UK broadcaster ITV fall victim to a poisoned web advert campaign which targeted Windows and Mac users. In March a Euro 2008 football ticket website was hacked by cyber-criminals in an attempt to infect unwary fans. In contrast, just one in every 2,500 emails is now infected, compared to one in every 909 in 2007. (from Vnunet)

Hidden card fraud taxes UK.biz
April 23, 2008
Headline losses from credit card fraud are only part of the problem facing UK ecommerce firms. Chargeback costs from failed transactions are also costing them dear. Credit card fraud protection specialist The 3rd Man reckons "card not present" crime in the UK is far higher than official statistics suggest and is getting worse. More than £500m of fraud was attempted during 2007, it reckons. (from The Register)

Microsoft didn't crush Storm, counter researchers
April 24, 2008
Microsoft Corp. didn't crush the Storm botnet as it has claimed, rival security researchers argued today. Instead, the criminals responsible for the army of compromised computers diversified last year to avoid attention and expand their business. Paul Ferguson, a network architect, and

18

Jamz Yaneza, a research project manager, both at Trend Micro Inc., disputed Microsoft's contention that its Malicious Software Removal Tool (MSRT) had beaten Storm into submission. (from Computer World)

Security professionals aim to end data breaches
April 25, 2008
Preventing data breaches is the highest priority for today's IT security professionals, two new surveys have concluded. But delegates at the Infosecurity Europe show in London last week were divided on the most effective method for securing data – and protecting corporate reputations. The Department for Business Enterprise and Regulatory Reform (Berr's) biennial security survey showed 77 per cent of firms now regard protecting customer information as a priority. Yet only eight per cent of those polled encrypt data stored on laptops. (from Vnunet)

Antivirus vendors slam Defcon virus contest
April 26, 2008
There will be a new contest at the Defcon hacker conference this August, one that antivirus vendors already hate. Called "Race to Zero," the contest will invite Defcon hackers to find new ways of beating antivirus software. Contestants will get some sample virus code that they must modify and try to sneak past the antivirus products. (from Computer World)

Microsoft denies fault in hacks
April 27, 2008
Microsoft is denying that a recent rash of Web server attacks are the company's fault. In a blog posted late Friday night, Bill Sisk, of the Microsoft Security Response Center, wrote that the attacks are not due to any new or unknown security flaws in Internet Information Services or Microsoft SQL Server. Rather, he says, the attacks are made possible by SQL injection exploits, and he points Web developers to the company's list of best practices to prevent such attacks. (from CNET)

Yahoo! pimping malware from banner ads
April 28, 2008
Over the past three days, Yahoo has been exposing visitors to banner ads that try to trick them into installing malware, and there's no indication anyone at the company is even aware of the problem. According to Microsoft MVP Sandi Hardmeier's "Spyware Sucks" blog, the ads are displayed across a wide swath of the web portal's sprawling empire, including Yahoo Mail, Yahoo Groups and Yahoo Astrology. Hardmeier first sounded the alarm on Saturday, and yet on Monday, Yahoo continued to run the rogue ads, she reported. El Reg emailed three different Yahoo PR reps but never did get a response. (from The Register)

Chernobyl coverage blows up in Radio Free Europe's face
April 29, 2008
Websites run by Radio Free Europe have been under a fierce cyber attack that coincided with coverage over the weekend of a rally organized by opposition to the Belarusian opposition. The distributed denial of service (DDoS) attack initially targeted only the RFE's Belarus service, which starting on Saturday was inundated with as many as 50,000 fake pings every second, according to this RFE account. On Monday, it continued to be affected. At least seven other RFE sites for Kosovo, Azerbaijan, Tatar-Bashkir, Farda, South Slavic, Russia and Tajikistan, were also attacked but have mostly been brought back online. (from The Register)

FOR FURTHER INFORMATION, PLEASE CONTACT
Hong Kong Computer Emergency Response Team Coordination Centre
Tel: (852) 8105 6060
Fax: (852) 8105 9760
e-mail: hkcert@hkcert.org
Web Site: http://www.hkcert.org
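The "Microsoft denies fault in hacks" item above attributes the wave of web server compromises to SQL injection in the sites' own code rather than to a flaw in IIS or SQL Server. The following added example (written for this newsletter page; it is not Microsoft's guidance nor code from any of the sites mentioned) shows the defect and the fix side by side: a query assembled by string formatting, the same query with a bound parameter, and a coarse log-triage heuristic. It uses an in-memory SQLite table with constructed rows, so it runs offline; the table, the names in it and the helper functions are all assumptions for illustration.

```python
# Added example: string-built SQL versus a parameterised query, plus a coarse
# injection heuristic for log review. Sample data is constructed, not real.
from __future__ import annotations

import re
import sqlite3

# Constructed sample data: one private row and one name with a legitimate apostrophe.
SAMPLE_ROWS = [
    (1, "widget", "public"),
    (2, "gadget", "public"),
    (3, "o'reilly manual", "public"),
    (4, "internal-tool", "private"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """Query assembled by string formatting: the caller's input becomes SQL text.
    Deliberately vulnerable, to show the failure mode the MSRC post describes."""
    sql = (
        "SELECT name FROM products WHERE visibility = 'public' "
        f"AND name = '{term}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn: sqlite3.Connection, term: str) -> list[str]:
    """Same query with a bound parameter: the driver passes the input as a value,
    so quotes or keywords inside it cannot change the statement's structure."""
    sql = (
        "SELECT name FROM products WHERE visibility = 'public' "
        "AND name = ? ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (term,))]


# Coarse patterns for triaging request logs: a quote that closes a string and is
# followed by a boolean operator, a SQL comment, a stacked statement, or UNION SELECT.
_INJECTION_HINTS = re.compile(
    r"'\s*(or|and)\s+'?\w+'?\s*=|--|/\*|;\s*(drop|insert|update|delete|declare)\b"
    r"|\bunion\s+select\b",
    re.IGNORECASE,
)


def looks_like_injection(term: str) -> bool:
    """Heuristic for log review only; it is not a substitute for parameterisation."""
    return _INJECTION_HINTS.search(term) is not None


def compare(term: str) -> dict:
    """Run one search term through both query styles and report what each returned."""
    conn = make_db()
    try:
        vulnerable = search_vulnerable(conn, term)
    except sqlite3.OperationalError as exc:  # a stray apostrophe breaks the statement
        vulnerable = f"error: {exc}"
    return {
        "term": term,
        "vulnerable": vulnerable,
        "parameterised": search_parameterised(conn, term),
        "flagged": looks_like_injection(term),
    }


if __name__ == "__main__":
    for t in ("widget", "o'reilly manual", "x' OR '1'='1"):
        print(compare(t))
```

Running it shows the three outcomes a reviewer should recognise: the ordinary term behaves identically in both versions; the name containing an apostrophe makes the string-built query fail outright while the parameterised one returns it; and the tautology payload makes the string-built query return every row, including the private one, while the parameterised query returns nothing. The regex is only a triage aid for spotting such payloads in existing logs; the fix is the bound parameter.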

19


				