A program that can mimic online flirtation and then extract personal information from its unsuspecting conversation partners is making the rounds in Russian chat forums, according to security software firm PC Tools.
The artificial intelligence of CyberLover's automated chats is good enough that victims have a tough time distinguishing the "bot" from a real potential suitor, PC Tools said. The software can work quickly too, establishing up to 10 relationships in 30 minutes, PC Tools said. It compiles a report on every person it meets complete with name, contact information, and photos.
"As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering," PC Tools senior malware analyst Sergei Shevchenko said in a statement.
Dec. 3, 2010 | Bloomberg
McAfee Inc., the security software maker that lured customers from larger Symantec Corp. to drive its stock 35 percent higher this year, is about to come under attack.
Symantec is fighting back with discounts of as much as 70 percent and a new product that has caught up with McAfee features to stop more viruses and spam, block intruders and control how computers enter the network. Microsoft Corp., with its history of undercutting prices in markets it enters, has readied its own security software.
McAfee Chief Executive Officer Dave DeWalt will be forced into steeper price cuts, said Morgan Stanley analyst Peter Kuper. He expects McAfee's profit-margin expansion to slow within six months, after doubling to 20 percent of sales in the past year.
``McAfee may have reached its peak growth,'' said Kuper in Boston. ``Symantec has to stop the share loss, and discounting is the obvious approach.''
Kuper says to sell Santa Clara, California-based McAfee, the second-largest maker of software protecting computers from hackers, while most analysts advise clients to buy. He predicts it will fall an additional 16 percent from today's close to $32, from a peak of $41.35 on Oct. 31.
McAfee fell 67 cents to $38.28 at 4 p.m. in New York Stock Exchange composite trading. Symantec, down 16 percent this year as it reorganized its sales force and struggled with product delays, fell 28 cents to $17.52 on the Nasdaq Stock Market.
Corporations, government agencies and institutions are the primary battleground, spending $2.15 billion on antivirus software last year, according to Gartner Inc.
Almost all companies already own programs to protect their systems, said Natalie Lambert, an analyst at Cambridge, Massachusetts-based Forrester Research Inc. ``The market is saturated, so every single customer win is a rip-and-replace.''
For two years, Cupertino, California-based Symantec has been most likely to be ripped out. Its programs, including AntiVirus Corporate Edition and Symantec Client Security, were harder to manage than its competitors', analysts said. The company struggled to integrate eight acquisitions, leading to disarray in its sales team.
General Electric Co. stopped using Symantec to protect 350,000 computers and switched to Sophos Plc, the Abingdon, England-based security vendor said in June.
McAfee was the biggest benefactor from Symantec's missteps. The company convinced 85 corporations to defect in the most recent quarter. Most switched from Symantec, McAfee spokesman Joris Evers said in an e-mail.
Symantec's worldwide market share for antivirus software sold to institutional accounts fell 1 point to 38 percent last year, while McAfee's share widened by 1.8 points to 25.4 percent, according to Stamford, Connecticut-based Gartner.
McAfee made 58 percent of its $1.14 billion in 2006 revenue providing security software to organizations, and the rest from sales to consumers.
Symantec got $2.02 billion, or 38 percent of revenue, from large security customers in the fiscal year ended March 30, while consumer sales totaled $1.59 billion. The company also sells data storage services.
McAfee used a more than one-year head start on an easier-to-manage security product, Total Protection for Enterprise, to win sales while charging more than Symantec.
``We deliver more value than anyone else,'' said Bill Gardner, McAfee's director of competitive marketing.
Symantec's response is Endpoint Protection, released in September. The product allows customers to install and manage antivirus, anti-spyware and network-access technologies on thousands of computers from one console.
Symantec is giving Endpoint Protection to clients who pay maintenance fees for some earlier products. To displace rivals, Symantec will also trim 45 percent off Endpoint's list price, and resellers may cut even further, said Kevin Murray, senior director of product marketing. A highly sought client may get as much as 70 percent off in ``rare'' instances, he said.
McAfee will probably be forced to follow suit, said Kuper and Amrit Williams of competitor BigFix Inc.
``McAfee will do extremely competitive discounting deals when they aren't the incumbent,'' said Williams, chief technology officer of the Emeryville, California-based maker of programs combining system- and security-management. ``Customers are demanding more and they want to pay less.''
Eighteen analysts suggest buying McAfee, seven recommend holding, and four say sell. McAfee has shown it can market new technologies faster, said Walter Pritchard, an analyst with Cowen & Co. in San Francisco, who advises investors to buy both McAfee and Symantec and doesn't own either stock. ``I'm willing to bet more on McAfee's ability to execute than on Symantec's.''
Pressure on McAfee may be heightened now that Microsoft, the world's biggest software maker, began offering its Forefront programs for computers and servers on July 1.
Forefront can't protect against as many kinds of attacks as some other products, analysts and competitors said. Microsoft's pricing has put pressure on Symantec and others, Murray said.
``Microsoft can thrive on good enough,'' said Lambert, who predicts the company will further commoditize security software. ``Vendors become scared, add functions and lower prices to become competitive.''
Microsoft earlier undercut prices for databases, taking sales from Sybase Inc. and Oracle Corp. The same thing occurred with file servers, where Windows hurt Unix server sales. ``Even if a customer doesn't choose Microsoft, it will use the idea of choosing Microsoft to get a better discount,'' Lambert said.
Microsoft has implemented ``competitive but fair pricing models'' for its security products, Steve Brown, director of product management, security and access, said in an e-mail. The company wouldn't discuss Forefront features in detail.
McAfee's margin expansion may slow as prices drop and the company acquires technologies to fend off more online threats, Kuper said. ``You will start to see the beginning of the decline two quarters from now.''
To contact the reporter on this story: Rochelle Garner in San Francisco.
July 16, 2007 | security-watchdog.co.uk
Scammers donating your money to charity
Look out for small but unauthorised charitable donations charged to your credit card; they could be scammers testing whether the card is valid. In a warning, Cyber-Ark said that this is especially worrying for business debit and credit card account holders, as they tend to have less control over card use than their personal counterparts.
July 16, 2007
Commercial cyber crime boom
The commercialisation of cyber-crime is driving malware writing activity and will lead to progressively more serious IT security threats, according to research from Frost & Sullivan.
The analyst believes the global market for antivirus technologies reached $4.6bn in 2006, up 17.1 per cent from $4bn in the previous year.
22 June 2007
Since May 1st, we have found 3,896 URLs that have been compromised, over 1,627 different domains. The subject matter of the hacked sites covers as wide a range of topics as you can imagine. Clothes boutiques, driving instruction, nude beauty pageants, celebrity gossip, hypnotherapy through to handmade musical instruments. Most worryingly, there are some fairly popular sites within the list, including a fairly large bank (this site was hacked last week). Taking a deeper look at the data, we can gather further information about this campaign.
As you can see from the following graph (note the log scale on the y-axis), the vast bulk of the compromised pages are being served up from sites in the United States, closely followed by Brazil, Canada and the UK.
It should be noted this data is based on the country in which the host web server resides - it does not indicate the locale of the site itself. For example, several '.co.uk' domains were found to be hosted within the US.
To get a true impression of the scale of such an attack, looking at domain names alone is insufficient. We have encountered previous cases where initial data based on a plethora of compromised domains suggested a large campaign, only to find that they were all the result of a handful of boxes being hacked within a single service provider (Troj/EncIfr-A for example). Looking at this data from an IP perspective reveals 324 unique IP addresses, the bulk of which host a low number of compromised sites.
As might be expected, we can see that in several cases, once the hackers have managed to hack a server, they have compromised several sites hosted there.
Probing further, we can try to identify the operating system and web server application. As you can see below, the servers targeted in this attack have almost exclusively been running some flavour of Apache on Unix.
Though we cannot deduce the method employed by the hackers to compromise the servers, such data is nonetheless interesting. Gathering and analysis of such data provides us with valuable information to assist in the fight against web attacks. As ever, it is imperative that web servers are maintained and patched to the latest level. If you outsource the responsibility of this to your ISP, ensure they follow good practice. Remember, their failure could lead to your loss of credibility if it is your site that gets hacked into a malicious drive-by.
Fraser, SophosLabs UK
For home users:
* Beware of pages that require software installation. Do not allow new software installation from your browser unless you absolutely trust both the Web page and the provider of the software.
* Scan any program downloaded from the Internet with updated antivirus and anti-spyware software. This includes downloads from P2P networks, the Web and any FTP server, regardless of the source.
* Beware of unexpected strange-looking emails, regardless of their sender. Never open attachments or click on links contained in these email messages.
* Enable the "Automatic Update" feature in your Windows operating system and apply new updates as soon as they are available.
* Always run an antivirus real-time scanning service, and check regularly that it is being updated and that the service is running.
* Free security tools are available at www.trendmicro.com
Several hundred pornography sites are surprising unwitting users with a smorgasbord of exploits via Mpack, the already notorious hacker toolkit that launched massive attacks earlier this week from a network of more than 10,000 compromised domains.
Trend Micro has spotted nearly 200 porn domains -- most dealing in incestuous content -- that have either been hacked or are purposefully redirecting users to servers hosting Mpack, a professional, Russian-made collection of exploits that comes complete with a management console.
Even though there are far fewer porn sites in this newly discovered infection chain than in Monday's "Italian Job" attack -- called that because most of the 10,000+ hijacked sites were legitimate Italian domains -- they've managed to infect twice as many end-users' PCs, said Trend Micro in a posting to its malware blog.
"Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so, or are being paid to host the IFRAMES," acknowledged Trend Micro. The attack probably began June 17, the company said.
Other researchers have continued to dig into the Mpack-based attacks and have shared some of their findings. Symantec, for instance, asked how hackers were able to infect so many sites in such a short time, and how they could inject the necessary IFRAMES code -- the malicious code they added to the legitimate sites' HTML that redirected visitors to the Mpack server -- so quickly.
"The MPack gang appears to be using an IFRAME manager tool to automate the task on a large scale," said Amado Hidalgo, a Symantec security analyst. The tool, which Hidalgo said was basically an FTP updater using MySQL as a back-end database, regularly checks a large list of sites to inject the malicious IFRAME code.
Hidalgo also spelled out how hackers have been getting into legitimate sites, which puzzled investigators earlier this week. "It takes as input a list of Web site administrator accounts, possibly obtained in the black market," he said. Those administrator accounts are recorded in MySQL, and the manager can be left running so that it re-infects sites that have been purged of the IFRAMES code. "A simple clean-up of the page is not sufficient," advised Hidalgo. "The site administrator's credentials need to be changed."
Sophos, meanwhile, analyzed the nearly 4,000 compromised sites it had found delivering the malicious IFRAMES code, and found that the overwhelming majority -- 98 percent to be exact -- were running the Apache Web server. "The servers targeted in this attack have almost exclusively been running some flavor of Apache on Unix," said Sophos in a blog entry Friday. That's not always the case, said Ron O'Brien, senior security analyst at Sophos. "Overall, hacked sites are about evenly split between Apache and [Microsoft] IIS servers, but in this subset it's almost entirely Apache." Another interesting factoid, said O'Brien: "Of all the sites we've tracked that serve malicious code, about 80 percent have been hacked."
Still other researchers rooted out details of Mpack, including its price and the nom-de-plume of its creator. Ken Dunham, director of VeriSign-iDefense's rapid response team, said Mpack sells for around US$1,000, and that the man [or woman] behind it goes by "$ash" in the Russian hacker underground. The latest version of Mpack, .90, includes exploits for eight different vulnerabilities, six of them flaws in Windows or Internet Explorer, including the dangerous ANI bug that affected Vista earlier this year.
"This is a powerful Web exploitation tool," Dunham said.
Be careful when searching for porn sites; you may get other forms of "malicious" content that is definitely undesirable.
Just a few days after the infamous Italian Job malware, Trend Micro found another one with a similar modus operandi, but instead of hacked Italian web sites, the infection chain starts on certain pornographic sites.
The pornographic sites, which tend to specialize in incestuous content, have obfuscated IFRAME code appended at the end of their HTML. This IFRAME redirects to another domain that serves a script file, which in turn downloads a copy of TROJ_AGENT.QMN. Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so, or are being paid to host the IFRAMES.
The detections for web pages containing the obfuscated IFRAME code, as well as for the script file that downloads TROJ_AGENT.QMN, are still being created as of this writing.
This particular attack uses the toolkit MPack v0.86, the same one used in the Italian Job attack, and, despite using only 197 domains with IFRAMEs (compared to the Italian Job's 10,000+ domains), it has infected twice as many users as the Italian Job.
This attack most likely went live sometime last week, around June 17, based on data from Trend Micro's World Virus Tracking Center.
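The injection described above (an IFRAME appended after the page's real closing markup and redirecting visitors to the MPack server) is hard to spot by eye in a large site but easy to scan for. The Python below is an added example, not Trend Micro's or Symantec's code. It decodes `unescape('%3C...')` literals the way a browser's `document.write` would (one common form of the obfuscation; the page does not say which was used), then flags any IFRAME that sits after `</html>`, is sized or styled to be invisible, or only exists once de-obfuscated. The sample pages and the `example.com`/`example.net`/`example.org` hosts in them are constructed for the demonstration.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# Tag-level patterns. Matching is case-insensitive because injected markup is rarely tidy.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*['"]?([^'"\s>]+)""", re.I)
# width/height of 0 or 1, or CSS that hides the frame outright
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*['"]?\s*[01]\s*['"]?(?![0-9%])|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I,
)
# document.write(unescape('%3Ciframe...')) is the classic MPack-era obfuscation
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.I | re.S)


def deobfuscate(html: str) -> str:
    """Replace every unescape('...') literal with the markup it would write at run time.
    Loops until stable so nested encodings unfold too."""
    previous = None
    while previous != html:
        previous = html
        html = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), html)
    return html


def find_injected_iframes(html: str) -> list:
    """Return one {'src', 'reasons'} dict per suspicious IFRAME in the page."""
    decoded = deobfuscate(html)
    end_of_document = decoded.lower().rfind("</html>")
    findings = []
    for match in IFRAME_RE.finditer(decoded):
        tag = match.group(0)
        reasons = []
        if end_of_document != -1 and match.start() > end_of_document:
            reasons.append("appended-after-</html>")
        if HIDDEN_RE.search(tag):
            reasons.append("hidden-dimensions-or-style")
        if tag not in html:  # the tag only exists after decoding, so it was obfuscated
            reasons.append("obfuscated-via-unescape")
        if reasons:
            src = SRC_RE.search(tag)
            findings.append({"src": src.group(1) if src else "", "reasons": reasons})
    return findings


def scan_tree(root: str) -> dict:
    """Scan every .htm/.html/.php file below root; returns {path: findings} for hits only."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".htm", ".html", ".php") and path.is_file():
            found = find_injected_iframes(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = (
    '<html><body><h1>Shop</h1>'
    '<iframe src="https://example.com/widget" width="300" height="200"></iframe>'
    '</body></html>\n'
)
MPACK_STYLE_PAGE = CLEAN_PAGE + (
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.net"
    "%2Fin.cgi%3F3%22%20width%3D0%20height%3D0%20frameborder%3D0%3E%3C%2Fiframe%3E'))"
    "</script>\n"
)
PLAIN_HIDDEN_PAGE = (
    '<html><body><iframe src="http://example.org/count.php" style="visibility:hidden">'
    '</iframe></body></html>'
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1]).items():
            print(path, found)
    else:
        for name, page in (("clean", CLEAN_PAGE), ("mpack", MPACK_STYLE_PAGE), ("hidden", PLAIN_HIDDEN_PAGE)):
            print(name, find_injected_iframes(page))
```

Run it with a document root as the argument to sweep a live site. Bear in mind Hidalgo's point from the Symantec analysis: the IFRAME manager re-injects from stolen administrator credentials, so a clean scan only holds until its next pass; rotate the FTP and admin credentials and rescan.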
Also known as W32/Downloader (F-Secure), W32/HLLP.Philis (McAfee), Win32.Looked, Win32/Looked!Dropped!Worm, W32.Looked.P (Symantec), W32/Looked-AV (Sophos), Worm.Win32.Viking (Kaspersky)
Based on your sample, Philis/Looked is a file-infecting worm that spreads via network shares. The executable is a 72,316-byte compressed Win32 executable. The worm also drops a 33,680-byte DLL which is used to download and execute binary executables.
When executed, Win32/Looked copies itself to the %Windows% directory using the following filenames:
C:\WinNT\uninstall\rundl132.exe 72,316 bytes
C:\WinNT\Logo1_.exe 72,316 bytes
C:\WINNT\RichDll.dll 33,680 bytes
I can confirm that inoculation against this worm/virus can be achieved by setting the key
The virus infects most or all .EXE files it finds on accessible partitions during its initial launch. Infected files are larger than the original by 72/73K (72,316 bytes to be exact). The virus scans all the drives it can reach on startup, so if the server has network drives mapped, the results are predictable: all EXE files on the remote drives are infected. It looks like newly mounted partitions (for example, USB drives mounted after the computer was infected) are unaffected.
I would like to stress it again: all EXE files belonging to all installed applications on the server are affected: Notes, Oracle, Java, you name it. Microsoft patches are infected too ;-) If the server is infected with several worms, executables like algore32.exe are infected too :-).
The purpose of this program is to remove the OLE garbage left in the registry after installing and uninstalling several OLE (COM) DLLs. This program can be especially useful to those who build DLLs in Visual Basic. They know what I mean.
File: [Bleeding] / sigs / VIRUS / WORM_Allaple
Revision: 1.8, Fri Mar 16 08:52:23 2007 EDT by jonkman
CVS Tags: HEAD
Changes since 1.7: +1 -1 lines

2003484: Adding threshold

#by Matt Jonkman
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Outbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; sid:2003292; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Inbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_dst; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; sid:2003293; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; sid:2003294; rev:4;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Outbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_dst; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; sid:2003295; rev:4;)

#Matt Jonkman
alert tcp any any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE WORM Allaple Unique HTTP Request - Possibly part of DDOS"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|"; rawbytes; depth:20; threshold:type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003483; reference:url,isc.sans.org/diary.html?storyid=2451; sid:2003484; rev:3;)
Date: March 16th, 2007
Subject: Warning -- floods of Allaple worm alerts.... sid:200329(2-5)
List-id: Bleeding Sigs <bleeding-sigs.bleedingthreats.net>

Hi,

Over the last 24 hours we have had about 50 sources fire 20 million ping packets containing the string that triggers the Allaple signature. The only effect it has is to gum up my snort database. I don't believe this is worm traffic and if it is a DDoS it is pretty feeble. It was however a fairly effective DoS against my snort system -- two sensors saw this traffic, so that's a total of over 40 million events in the database. :( I have now disabled all those rules and am (slowly) deleting all the records from the database. Can I suggest that these rules be disabled by default with a comment saying why? Anyone got any idea why this traffic was sent (I doubt if they were really trying to attack my snort system)? They have sent enough traffic to random addresses to map our network 200 times over.

Russell.
Published: 2007-03-14
Last Updated: 2007-03-14 23:54:52 UTC
by donald smith (Version: 1)

This comes from one of our friends over at the Finnish CERT team, CERT-FI / FICORA.

"CERT-FI has been tracking the situation with the Allaple worm for about 8 months now. We have traced the evolution of the worm since the first variants came out.

Allaple is a polymorphic worm. The first variants spread through Radmin installations that had weak passwords. Every variant so far also tries to locate all HTML files on the hard disk to prepend an <object> tag into the file to ensure activation of the worm when a local webmaster views the files. Traces of this behaviour can be seen on some websites: there's an <object> tag right below the <html> tag in the page, with the source pointing to a random

The first variants were DDOSsing only 1 target and the DDOS was a basic SYN flood. Shortly thereafter another target was added to the DDOS routine in the

A bit after that the spreading mechanisms were changed from Radmin scans to basic catering of Windows exploits, and yet another target or victim was added.

The SYN DDOS routine has been the same from the first variant to the latest variant available. Early in the winter code was added to do HTTP GETs on the target websites. A few other ports were also targeted. One site is currently getting gentle packet love on tcp ports 22, 80 and 97. Another site is getting packets and HTTP GETs on port 80, and yet another is getting packets on ports 80 and 443.

The worms have absolutely no Command and Control channels in them. Once released, there is no way to make them disappear. Their sole purpose is to spread and DDOS.

In case you are in the correct position, and you feel you would want to help in this pesky problem, here are a few tricks you can use to identify Allaple variants on the loose in your networks:

1) ICMP packets with the string "Babcdefghijklmnopqrstuvwabcdefghi", sans quotes, in the payload.

2) Echo requests to entire networks including host octets of 255 and 0.

We have reason to believe that there will be more variants, it's just a matter of time when a new one pops out into the open.

CERT-FI is interested in any information or observations regarding the DDOS or the malware itself. We can be contacted at cert(at)ficora.fi"
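The Bleeding Edge Snort rules above and CERT-FI's two indicators come down to the same two checks on ICMP traffic: the fixed payload string, and echo requests aimed at the .0 and .255 addresses of whole networks. The Python below is an added example, not CERT-FI's or Bleeding Edge's code, that applies both checks to raw IPv4/ICMP packets and adds per-source alert suppression modelled on the rules' `threshold: type both, count 1, seconds 60, track by_src` clause; the suppressed count it reports is the volume that would otherwise land in a database like Russell's. The sample packets are constructed with RFC 5737 addresses and zeroed checksums; in production you would feed it frames from a pcap reader.

```python
import struct
import ipaddress
from collections import defaultdict

# Indicator string from the CERT-FI note and the Bleeding Edge rules above.
ALLAPLE_PAYLOAD = b"Babcdefghijklmnopqrstuvwabcdefghi"
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
IPPROTO_ICMP = 1


def build_ipv4_icmp(src, dst, icmp_type, payload, icmp_code=0):
    """Construct a minimal IPv4 + ICMP echo packet for testing. Checksums are left at
    zero; this is synthetic traffic, not a capture."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + icmp


def parse_ipv4_icmp(pkt):
    """Return (src, dst, icmp_type, icmp_code, payload), or None if this is not IPv4/ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                     # header length in bytes, options included
    if pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[ihl], pkt[ihl + 1], pkt[ihl + 8:]


def allaple_indicators(pkt):
    """CERT-FI's two indicators. Returns the names of those that matched (possibly none)."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return []
    _src, dst, icmp_type, icmp_code, payload = parsed
    hits = []
    # 1) the fixed payload string, in echo requests (itype 8) or replies (itype 0), code 0
    if icmp_code == 0 and icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and ALLAPLE_PAYLOAD in payload:
        hits.append("allaple-payload")
    # 2) echo requests to the .0 and .255 addresses, i.e. sweeping whole /24s
    if icmp_type == ICMP_ECHO_REQUEST and int(dst.rsplit(".", 1)[1]) in (0, 255):
        hits.append("sweep-to-network-or-broadcast")
    return hits


class SweepDetector:
    """One alert per source per window, modelled on the rules' threshold clause."""

    def __init__(self, window_seconds=60):
        self.window = window_seconds
        self.last_alert = {}                      # src -> time of last emitted alert
        self.suppressed = defaultdict(int)        # src -> matching packets not alerted on

    def observe(self, pkt, ts):
        hits = allaple_indicators(pkt)
        if not hits:
            return None
        src = parse_ipv4_icmp(pkt)[0]
        last = self.last_alert.get(src)
        if last is not None and ts - last < self.window:
            self.suppressed[src] += 1
            return None
        self.last_alert[src] = ts
        return {"ts": ts, "src": src, "indicators": hits}


# Constructed traffic: (timestamp in seconds, packet). 10.0.0.7 is the "infected" host;
# 10.0.0.9 sends an ordinary Windows ping, whose default 32-byte payload lacks the leading B.
SAMPLE_TRAFFIC = [
    (0, build_ipv4_icmp("10.0.0.7", "192.0.2.1", ICMP_ECHO_REQUEST, ALLAPLE_PAYLOAD)),
    (1, build_ipv4_icmp("10.0.0.7", "192.0.2.255", ICMP_ECHO_REQUEST, ALLAPLE_PAYLOAD)),
    (2, build_ipv4_icmp("10.0.0.9", "192.0.2.2", ICMP_ECHO_REQUEST, b"abcdefghijklmnopqrstuvwabcdefghi")),
    (70, build_ipv4_icmp("10.0.0.7", "192.0.2.0", ICMP_ECHO_REQUEST, ALLAPLE_PAYLOAD)),
]


def run(traffic=SAMPLE_TRAFFIC, window_seconds=60):
    """Feed packets through the detector; returns (alerts, suppressed-count-per-source)."""
    detector = SweepDetector(window_seconds)
    alerts = []
    for ts, pkt in traffic:
        alert = detector.observe(pkt, ts)
        if alert is not None:
            alerts.append(alert)
    return alerts, dict(detector.suppressed)


if __name__ == "__main__":
    alerts, suppressed = run()
    for alert in alerts:
        print(alert)
    print("suppressed:", suppressed)
```

The second indicator fires on any .0/.255 echo request, so on a network where monitoring tools legitimately ping broadcast addresses you would tune it the same way Russell had to tune the Snort rules: by source, not by payload.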
This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.
When a Microsoft Windows-based computer is compromised, an attacker typically uses its resources to inflict more damage or to attack other computers. This kind of activity typically involves starting one or more processes, using TCP and UDP ports, or both. Unless the attacker hides this activity from the Windows-based computer itself, you can capture and identify it. Looking for indications of this kind of activity can therefore help you determine whether a system has been compromised.
The Port Reporter tool is a program that can run as a service on a computer that is running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000. The Port Reporter service logs TCP and UDP port activity. On Windows Server 2003-based and Windows XP-based computers, the Port Reporter service can log the following information:
- The ports that are used
- The processes that use the port
- Whether a process is a service
- The modules (.dll, .drv, and so on) that a process loads
- The user accounts that start a process
The data that is captured by the Port Reporter service may help you determine whether a computer has been compromised. The same data is also useful for troubleshooting, for gaining an understanding of a computer's port usage, and for auditing the behavior of a computer.
PR-Parser is a tool that parses the logs that the Port Reporter service generates. For additional information about the Port Reporter service, see Microsoft Knowledge Base article 837243, "Availability and description of the Port Reporter tool" (http://support.microsoft.com/kb/837243/). The PR-Parser tool provides the following three basic functions:
The PR-Parser tool has a Windows Graphical User Interface (GUI) that makes it easier to review the logs. By using the GUI, you can sort and filter the data in a number of ways. The PR-Parser tool helps you identify and filter the data that you are interested in. The tool provides the following functionalities:
- Identifies processes that you are interested in that are running on a computer
- Tries to identify when a process that uses the name of a legitimate process is run from the wrong folder on a computer
- Identifies the modules, such as .dll and .drv, that are loaded on a computer
- Helps determine the time when the Internet Protocol (IP) addresses, fully qualified domain names (FQDNs), or computer names that you are interested in are communicating with a computer
- Identifies the ports that are used on a computer
- Helps determine when the user accounts are active on a computer
The PR-Parser tool provides some log analysis data also. This data can help you understand the usage of a computer. This data includes the following:
- A ranked list of local Transmission Control Protocol (TCP) port usage
- A ranked list of local process usage
- A ranked list of remote IP address usage
- A ranked list of user context usage
- Svchost.exe service enumeration
- Port usage by hour of the day
- Microsoft Internet Explorer usage by user
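Port Reporter and PR-Parser are Windows-only and their log format is not reproduced on this page, but the analysis they describe (rank local ports, rank remote hosts, and flag a process that carries a legitimate system-binary name but runs from the wrong folder) can be done from `netstat -ano` output joined to a PID-to-image-path map such as `wmic process get ProcessId,ExecutablePath` produces. The Python below is an added example, not Microsoft's tool. The netstat output and process paths are constructed sample data; the code itself makes no assumption about where %SystemRoot% is, only that the listed binaries belong in a directory named system32.

```python
import ntpath
from collections import Counter

# Binaries that a Windows box only ever legitimately runs from %SystemRoot%\system32.
# A process with one of these names anywhere else is the masquerade PR-Parser warns about.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "spoolsv.exe"}


def parse_netstat_ano(text):
    """Parse `netstat -ano` output into dicts. UDP rows have no State column, so the PID
    is always taken from the last field rather than a fixed column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "lhost": lhost, "lport": int(lport),
                     "rhost": rhost, "rport": rport, "state": state, "pid": int(parts[-1])})
    return rows


def rank_local_ports(rows):
    """Ranked list of local port usage, like PR-Parser's summary."""
    return Counter(r["lport"] for r in rows).most_common()


def rank_remote_hosts(rows):
    """Ranked list of remote IP usage, ignoring the unbound/wildcard placeholders."""
    return Counter(r["rhost"] for r in rows if r["rhost"] not in ("0.0.0.0", "*")).most_common()


def masquerading_processes(pid_paths):
    """(pid, path) for every process whose image name is a system32-only binary but whose
    parent directory is not system32. ntpath handles Windows paths even when this runs
    on a non-Windows analysis box."""
    flagged = []
    for pid, path in pid_paths.items():
        name = ntpath.basename(path).lower()
        parent = ntpath.basename(ntpath.dirname(path)).lower()
        if name in SYSTEM32_ONLY and parent != "system32":
            flagged.append((pid, path))
    return sorted(flagged)


def suspicious_sockets(rows, pid_paths):
    """Join the socket table to the masquerade list: which ports do the impostors hold?"""
    bad = {pid for pid, _ in masquerading_processes(pid_paths)}
    return [(r["pid"], r["proto"], r["lport"], r["rhost"], r["state"]) for r in rows if r["pid"] in bad]


# Constructed sample input (not a real capture). RFC 5737 addresses for the remote side.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2216
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1045       203.0.113.9:80         ESTABLISHED     1804
  TCP    192.168.1.5:1060       198.51.100.23:6667     ESTABLISHED     2500
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:137        *:*                                    4
"""
PROCESS_PATHS = {   # constructed, in the shape wmic process get ProcessId,ExecutablePath reports
    4: "System",
    892: r"C:\WINDOWS\system32\svchost.exe",
    1804: r"C:\Program Files\Internet Explorer\iexplore.exe",
    2216: r"C:\WINDOWS\svchost.exe",                               # right name, wrong folder
    2500: r"C:\Documents and Settings\bob\Local Settings\Temp\lsass.exe",
}

if __name__ == "__main__":
    rows = parse_netstat_ano(NETSTAT_ANO)
    print("local ports:", rank_local_ports(rows))
    print("remote hosts:", rank_remote_hosts(rows))
    print("masquerading:", masquerading_processes(PROCESS_PATHS))
    print("their sockets:", suspicious_sockets(rows, PROCESS_PATHS))
```

On the sample data the two impostors are the `svchost.exe` in the Windows root holding TCP 4444 and the `lsass.exe` in a user's Temp directory talking to port 6667. The check is deliberately narrow: it knows nothing about hashes or signatures, only that a handful of names have exactly one legitimate home.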
The Allaple.b worm was discovered sometime in late 2006 and was active for several months after that.
It propagates rather slowly and does not create "avalanche epidemics", but it does propagate, and at the beginning the signatures for detecting and removing the worm were very weak. In March 2007 they got better: for example F-Secure (which uses the Kaspersky engine), which was unable to disinfect strain B completely with signatures older than, say, Feb 28, 2006 (I do not know the exact date), is now doing a better, although far from perfect, job. It looks like with signatures later than March 3, 2007 DrWeb detects it but still cannot completely disinfect this particular strain of the worm (I checked the free version called CureIt).
Allaple is a polymorphic network worm which consists of just one executable. Polymorphism means that every copy of the worm differs slightly in content from every other (probably due to a polymorphic decryptor), but paradoxically the length of all instances is constant (57,856 bytes).
Also, while scanning the drive for HTML files, it generates and drops a lot of executables with random names of exactly eight characters. The only exception is the first executable, which always has the name urdvxc.exe, hardwired in the worm code (see below).
Also, when the worm's executable runs it behaves like old polymorphic file viruses: the polymorphic decryptor decodes the body and then passes control to a static part of the worm code that allocates a memory buffer and extracts the main worm code into it. Only then is control passed to the extracted worm code. Yet while going to such lengths to encrypt the worm body, the author(s) left the size of the worm's executable constant.
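The two worm write-ups on this page give file-level indicators that are cheap to sweep for: Looked/Philis grows every infected .EXE by exactly 72,316 bytes and drops rundl132.exe, Logo1_.exe and RichDll.dll; Allaple.B keeps every copy at exactly 57,856 bytes, names the first one urdvxc.exe and the rest with random eight-character names, and prepends an <object> tag directly under <html> in local HTML files. The Python below is an added example (not from any vendor's write-up) that applies all of these against a size manifest and a known-good baseline. The paths and sizes are constructed, and the assumption that the random names are lowercase letters is mine, not the page's; `manifest_from_dir` builds the manifest from a real tree.

```python
import os
import re

# Indicators from the write-ups above
LOOKED_DELTA = 72_316                                   # bytes appended to each infected .EXE
LOOKED_DROPPED = {"rundl132.exe", "logo1_.exe", "richdll.dll"}
ALLAPLE_SIZE = 57_856                                   # every Allaple.B copy has this size
ALLAPLE_FIRST = "urdvxc.exe"
RANDOM8_EXE = re.compile(r"^[a-z]{8}\.exe$")            # assumption: lowercase letters only
OBJECT_UNDER_HTML = re.compile(r"<html[^>]*>\s*<object\b", re.I)
HTML_SUFFIXES = (".htm", ".html")


def sweep(current, baseline=None, html_heads=None):
    """current: {path: size_in_bytes} for the live system; baseline: same shape from a
    known-good snapshot; html_heads: {path: first few KB of each HTML file}.
    Returns sorted (path, indicator) pairs."""
    baseline = baseline or {}
    findings = []
    for path, size in current.items():
        name = os.path.basename(path.replace("\\", "/")).lower()
        if name in LOOKED_DROPPED:
            findings.append((path, "looked-dropped-file"))
        if name.endswith(".exe") and path in baseline and size - baseline[path] == LOOKED_DELTA:
            findings.append((path, "looked-size-delta"))
        # size alone would match legitimate binaries; require the naming pattern as well
        if size == ALLAPLE_SIZE and (name == ALLAPLE_FIRST or RANDOM8_EXE.match(name)):
            findings.append((path, "allaple-size-and-name"))
    for path, head in (html_heads or {}).items():
        if OBJECT_UNDER_HTML.search(head):
            findings.append((path, "allaple-object-tag"))
    return sorted(findings)


def manifest_from_dir(root, head_bytes=4096):
    """Walk a real tree; returns (sizes, html_heads) in the shapes sweep() expects."""
    sizes, heads = {}, {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                sizes[path] = os.path.getsize(path)
                if fname.lower().endswith(HTML_SUFFIXES):
                    with open(path, "r", errors="replace") as fh:
                        heads[path] = fh.read(head_bytes)
            except OSError:
                continue                                # unreadable file: skip, do not abort
    return sizes, heads


# Constructed data: a pre-incident baseline and the same server after both worms ran.
BASELINE = {
    "C:/Notes/nlnotes.exe": 1_200_000,
    "C:/Oracle/bin/sqlplus.exe": 450_112,
    "C:/WINNT/explorer.exe": 1_033_728,
}
CURRENT = {
    "C:/Notes/nlnotes.exe": 1_200_000 + LOOKED_DELTA,   # infected: grew by exactly the delta
    "C:/Oracle/bin/sqlplus.exe": 450_112,               # untouched
    "C:/WINNT/explorer.exe": 1_033_728,                 # 8-letter name, but not Allaple's size
    "C:/WINNT/uninstall/rundl132.exe": 72_316,
    "C:/WINNT/Logo1_.exe": 72_316,
    "C:/WINNT/RichDll.dll": 33_680,
    "C:/WINNT/system32/urdvxc.exe": 57_856,
    "C:/WINNT/system32/kqzmwbtf.exe": 57_856,
    "C:/WINNT/system32/calc.exe": 114_688,
}
HTML_HEADS = {
    "C:/Inetpub/wwwroot/index.html": '<html>\n<object data="kqzmwbtf.exe"></object>\n<head>',
    "C:/Inetpub/wwwroot/about.html": "<html><head><title>About</title></head>",
}

if __name__ == "__main__":
    for path, indicator in sweep(CURRENT, BASELINE, HTML_HEADS):
        print(f"{indicator:24} {path}")
```

The size-delta check only works against a baseline taken before the incident, which is the practical argument for keeping file manifests of servers; without one, the dropped-file names and the Allaple size-plus-name pattern are what remain, and `explorer.exe` in the sample shows why the name pattern alone would be far too noisy.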
NetBIOS-free SMB protocol on port 445 in Windows 2000-XP
Jay Ts jay at toltec.metran.cx
Wed Aug 29 21:52:52 GMT 2001
Chris Hertel wrote:
> Yes, we know. Have known for over a year.
> I think it was Tridge who convinced Microsoft to use port 445.

Cool. So can I assume that it will be no problem to add support for it? And are plans for such in process?

- Jay Ts

------------------------------------------
> > Hi,
> >
> > Yesterday a friend forwarded to me this URL at Microsoft:
> >
> > http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP
> >
> > It is about support in Windows 2000/XP for running SMB for
> > file and printer sharing over port 445, with no overhead of
> > NetBIOS.
> >
> > The question of course is, are the Samba Team aware of this,
> > and can it be supported in future versions of Samba?
> >
> > The webpage says it is possible to set up a Win 2000/XP network to
> > only use the new protocol, and shut out SMB/NetBIOS networking on
> > ports 137-139 entirely.
> >
> > - Jay Ts
February 08, 2007 | Techworld.com
Hackers mostly try obvious passwords, exploiting poor security, rather than performing difficult exploits, according to a study which left computers online with weak passwords.
The four Linux computers were hit by some 270,000 intrusion attempts - about one attempt every 39 seconds - during a 42-day period, according to the study by a researcher at the University of Maryland who wanted to see how hackers would attack them.
Among the key findings: weak passwords really do make hackers' jobs much easier, and an improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer.
The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems - and what they do once they gain access.
By logging what the automated tools hackers use to guess usernames and passwords actually tried, the study recorded the most common words used in login attempts. Cukier and two graduate students found that most attacks were conducted by hackers using dictionary scripts, which run through lists of common usernames and passwords in attempts to break into a computer.
Some 825 of the attacks were ultimately successful and the hackers were able to log into the systems. The study was conducted between 14 November and 8 December at the school.
Cukier was not surprised by what he found. 'Root' was the top guess by dictionary scripts in about 12.34 percent of the attempts, while 'admin' was tried 1.63 percent of the time. The word 'test' was tried as a username 1.12 percent of the time, while 'guest' was tried 0.84 percent of the time, according to the experiment's logs.
In 43 percent of attempts the dictionary scripts tried the username itself as the password, Cukier said. The reason, he said, is that hackers try the simplest combinations first because they just might work.
Once inside the systems, hackers conducted several typical actions, he said, including checking software configurations, changing passwords, checking the hardware and/or software configuration again, and loading and installing a program.
For IT security workers, the study reinforced the obvious. 'Weak passwords are a real issue,' Cukier said.
At the University of Maryland, users are told that passwords should include at least eight characters, with at least one uppercase letter and one lowercase. The school also recommends that at least one character be a number or punctuation symbol, Cukier said. All passwords should be changed every 180 days, according to the university's recommendations.
"That's really reasonable," Cukier said of the guidelines. "It's not helpful if the password is so complicated that people don't remember it and [therefore] write it down on a sticky note next to their computer."
Users can use the title of a favorite book for a password or even the first letters from a memorable sentence, he said. "They'll be easy for you to remember because you'll be able to remember the sentence ... without having to write it down," Cukier said.
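The guidelines above, together with the finding that scripts tried the username itself as the password 43 percent of the time, translate directly into a policy check. This is an added example, not the university's own code: it enforces the stated rules (eight characters, upper and lower case, a digit or punctuation mark), additionally rejects any password containing the username, and builds a candidate from the first letters of a memorable sentence as Cukier suggests (the sentence used is constructed here).

```python
import string

def check_password(username, password, min_length=8):
    """Return a list of policy violations; an empty list means the password passes.

    Rules follow the University of Maryland guidelines quoted above, plus a check
    motivated by the honeypot finding that the username is a favourite guess.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digit or punctuation character")
    # Dictionary scripts tried the username as the password 43% of the time in the study;
    # reject the username embedded in any case, with or without padding around it.
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems

def passphrase_from_sentence(sentence):
    """Cukier's suggestion: first letter of each word of a memorable sentence.

    Case is preserved and any punctuation attached to a word is kept, so a sentence
    with a capitalised name and a number tends to satisfy the policy on its own.
    """
    parts = []
    for token in sentence.split():
        trailing = "".join(c for c in token[1:] if c in string.punctuation)
        parts.append(token[0] + trailing)
    return "".join(parts)

if __name__ == "__main__":
    # Constructed sentence for the example; the result is "Wpaari,sCi2."
    candidate = passphrase_from_sentence("Weak passwords are a real issue, said Cukier in 2007.")
    print(candidate, check_password("cukier", candidate))
    print(check_password("root", "root"))
```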
February 08, 2007 (IDG News Service) -- Microsoft Corp. has quietly released a patch aimed at improving the performance of Internet Explorer 7's phishing filter ahead of the company's regular patching schedule, which occurs on the second Tuesday of every month.
The update was made available last week on Microsoft's Web site, according to a blog entry on IEBlog, which is written by the IE team at Microsoft.
This update addresses an issue some users experience when navigating to a page with multiple frames, or where frames are being navigated simultaneously, according to the post by IE Program Manager Steve Reynolds. This kind of navigation occurs when the IE phishing filter, which attempts to block access to sites that may try to defraud Web users, evaluates a Web page when a user navigates to it. The result is multiple simultaneous evaluations for the same page, Reynolds wrote in his post.
In addition to being available on Microsoft's Web site now, the patch will also be released later this month for Windows XP and Windows Server 2003.
Phishing filter performance is not the only complaint IE7 users have had since the final version was released in October. Frequent crashes and other performance problems such as excessive memory consumption that results in slow page loads have been reported.
December 15, 2006 -- Google has released a customized version of the Internet Explorer 7 browser in which Google, not Windows Live Search, is the default search engine.
The customized version of IE7 can be downloaded from Google.
In addition to using Google as the default search engine, Google's customized version of IE7 provides users with the Google Toolbar and a Google home page they can personalize.
According to a posting on Microsoft's IEBlog by Tony Chor, Microsoft's group program manager, Google and other companies, including Yahoo Inc. and USAToday.com, were able to build customized versions of IE7 by using the Internet Explorer Administration Kit.
Microsoft released the tool kit so developers could customize IE, as well as to help companies configure and deploy the browser throughout the corporation, Chor wrote in his posting.
Microsoft released IE7 for Windows XP on Oct. 18. IE7 is also included in Windows Vista, which is currently available in full release only to business users. Windows Vista will be available to consumers on Jan. 30.
January 10, 2007 (IDG News Service) -- The U.S. agency best known for eavesdropping on telephone calls had a hand in the development of Microsoft Corp.'s Vista operating system, the software vendor confirmed yesterday.
The National Security Agency stepped in to help Microsoft develop a configuration of its next-generation operating system that would meet U.S. Department of Defense requirements, said NSA spokesman Ken White.
This is not the first time the secretive agency has been brought in by private industry to consult on operating system security, White said, but it is the first time the NSA has worked with a vendor prior to the release of an operating system.
By getting involved early in the process, the NSA helped Microsoft ensure that it was delivering a product that was both secure and compatible with government software, he said.
"This allows us to ensure that the off-the-shelf security configuration that the DOD customer receives is at a level that meets our standards," White said. "It just makes a lot more sense to be involved upfront, than it does to have the tail wag the dog."
The NSA's involvement in Vista was first reported yesterday by The Washington Post.
The NSA has provided guidance on how best to secure Microsoft's Windows XP and Windows 2000 operating systems in the past. The agency is also credited with reviewing the Vista Security Guide published on Microsoft's Web site.
Microsoft declined to allow its executives to be interviewed for this story. But in a statement, the company said that it asked a number of entities and government agencies to review Vista, including the NSA, NATO and the National Institute of Standards and Technology.
Still, the NSA's involvement in Vista raises red flags for some. "There could be some good reason for concern," said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). "Some bells are going to go off when the government's spy agency is working with the private sector's top developer of operating systems."
Part of this concern may stem from the NSA's reported historical interest in gaining back-door access to encrypted data produced by products from U.S. computer companies.
In 1999, then-Rep. Curt Weldon (R-Pa.) said that "high level deal-making on access to encrypted data had taken place between the NSA and IBM and Microsoft," according to EPIC's Web site.
With Vista expected to eventually power the majority of the world's personal computers, it would be tempting for the government agency to push for a way to gain access to data on these systems, privacy advocates say.
The NSA provided guidance on Vista's security configuration, but it did not open any back doors to Windows, White said. "This is not the development of code here. This is the assisting in the development of a security configuration," he said.
While the NSA is best known for its surveillance activities, the work with Microsoft is being done in accordance with the NSA's second mandate: to protect the nation's information system, White said. "This is the other half of the NSA mission that you never hear much about," he said. "All you ever hear about is foreign signal intelligence. The other half is information assurance."