Microsoft Snapshot Viewer Attack

The Microsoft Snapshot Viewer, which is part of all versions of Microsoft Access except Access 2007, has a vulnerability that is being actively exploited by rogue web pages (or web pages that were not secure to begin with). The vulnerability allows the attacker to run a program on your computer, like a keystroke logger, or other ‘bot’ software that gives the attacker full control of your computer.

More information here at the Internet Storm Center: http://isc.sans.org/diary.html?storyid=4672. Microsoft’s advisory is here: http://www.microsoft.com/TechNet/security/advisory/955179.mspx

Be careful out there!

Backing Up For Disasters via Carbonite

What are you doing about your backups of your home computer?

If your home computer is anything like mine, there are tons of pictures on there. Some (or perhaps most or all) of those are probably irreplaceable.

The events of the past couple of months (urban fires, earthquakes, tornados, floods) have gotten me thinking about what would happen if that computer ‘went away’. All of those pictures gone. Not to mention some other important files.

In the past, I’ve tried several things. I’ve backed up files to CD (and DVD), but that takes a while. I bought an external hard drive (they are getting quite inexpensive), and copied files to it. I even got another computer and copied files to it. Those are good ways to back up important files.

If you remember to do it.

I probably have maybe two sets of DVDs. And only one backup to the external hard disk. And the computer thing never really worked out (partly because of my own inertia). So I don’t really have a good backup plan in case of disaster.

I figured I needed something that I could set up and forget. The backups needed to be stored off-site. It needed to be automatic. And it needed to happen regularly.

So I decided on using an on-line backup service. I looked at a couple, and settled on Carbonite (www.carbonite.com – which loads a bit slowly because they have this irritating movie that starts up). The cost was reasonable – $49.95/year. Files are backed up automatically over your Internet connection. The backups happen in the background, with a lower priority/load if you are surfing the net. They keep multiple levels of backups of a file – if you make changes to a file, then older backed up versions are still available. And the data is all encrypted.

So I signed up. Quite easy. Name, email, password (and hints), and a credit card number. Download some software, install it (the usual bunch of Next keys), minor configuration (you can specify what folders to back up), done. And the backups start happening.

A little icon in the task bar shows you that things are working. A double-click of that icon and you can see what’s happening.

I don’t have an exact figure of the amount of disk space it backed up. It did take about two weeks to do it on my cable modem connection. But I didn’t notice any slowdown when the files were being copied.

Once the first backup happens, the program just watches for new stuff. Since my wife is constantly scanning pictures (she’s really into scrapbooking) with one or both of our two scanners, those new files are automatically backed up to the Carbonite servers.

It all Just Works. The Carbonite web site (www.carbonite.com) has all the details (although I wish they would get rid of the video that automatically loads when you go to the site). They do have a 15-day free trial. But I recommend that you just go for it.

The files on my computer are worth it.

Updates as Usual

Make sure that your MS updates have been installed. I’ve put them on several computers, no problems. They do require a restart.

But there are some active exploits out there for the problems fixed by these updates.

And remember to update your other programs (Adobe, Quicktime, etc). Some active exploits for those also.

Safe computing works.

Safari Bad Ju-Ju

Apple’s Safari browser has a serious vulnerability that lets an attacker silently download items to your desktop. This happens in Windows and Mac versions. The result is a desktop full of malware program icons (on Windows) and a pile of malware programs in the Mac Downloads folder.

Apple’s response? They have “decided to treat this as a normal product enhancement request and not a security problem”.

Safari – not recommended here.

Security Dawg Reading

Found this on the State of California web site: “Maximum Search Relevancy : Webmaster Best Practices”. Good information, especially if you run a web site or two (even just a blog).

Link is here (pdf): http://www.webtools.ca.gov/Search_Service/pdf/BestPractices.pdf

The state’s Government Online for Responsible Information Management site has some other good info about Information Security here: http://www.oispp.ca.gov/government/go_rim/default.asp

Interesting reading for a Security Dawg.

Protecting Your Laptop Data From US Customs

Do any international travel? Bring along your laptop or cell phone? Got any trade secrets or private information on there? Trying to get back into the US?

Did you know that the US Customs and Border Protection guys can clone your hard disk or phone data, and you can’t stop them?

Here’s the first sentence from the Electronic Frontier Foundation: “The Ninth Circuit’s recent ruling (pdf) in United States v. Arnold allows border patrol agents to search your laptop or other digital device without limitation when you are entering the country.” Full story here: http://www.eff.org/deeplinks/2008/05/protecting-yourself-suspicionless-searches-while-t

Another example of the erosion of our privacy here in the US.

Storming the Storm-Bot

Some German ‘researchers’ have published information about how they have infiltrated the “Storm-bot” bot network and disrupted it via poisoning their traffic (although at first glance it seems more like a denial-of-service).

The story is here: http://www.infoworld.com/article/08/04/25/Researchers-poison-Storm-botnet_1.html?source=NLC-SEC&cgd=2008-04-28

I’d think they’d have to be a bit careful. Monitoring is OK, but actively interfering could be a bit dangerous.

SQL Injection Attack with Drive-By Infections

A big SQL injection attack against hundreds of thousands of web sites. Many government and commercial sites have been infected with code that will try to install a password stealing program just by visiting a web page.

It’s not clear if anti-virus programs will catch this one yet.

You can see the extent by doing a web search for “nihaorr1”. DO NOT VISIT ANY OF THOSE LINKS! Google search may be filtering the bad sites; they returned only about 48K. Yahoo search returned over 251K entries. Some are discussions about this vuln, but many are sites that have been infected with the malicious javascript.

This one is widespread. Internet Storm Center has info here: http://isc.sans.org/diary.html?storyid=4331. “They have hit city websites, commercial sites and even government websites. This type of injection pretty much null and voids the concept of ‘trusted website’ or ‘safe sites’.”

Corporate types should be watching for traffic to that site. I found a few users at the office that may have been affected (and possibly infected).
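One way to do that watching, as an added example that is not from the post: a small Python script that walks proxy access-log lines (constructed here in the Squid native layout; the .example hosts are made up, and only the “nihaorr1” string comes from the post) and lists which internal clients actually fetched content from a host carrying the indicator. It matches the indicator against the host name only, so a user who merely searched for the term is not reported.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the Squid native access.log layout (assumption:
# your proxy logs look similar). Hosts under .example are made up; only the
# "nihaorr1" string comes from the post.
SAMPLE_LOG = """\
1209000001.123    120 10.0.0.15 TCP_MISS/200 5123 GET http://www.city.example/news.asp - DIRECT/203.0.113.10 text/html
1209000001.456     88 10.0.0.15 TCP_MISS/200 2048 GET http://www.nihaorr1.example/1.js - DIRECT/198.51.100.7 application/x-javascript
1209000002.001     40 10.0.0.22 TCP_HIT/200 12044 GET http://www.shop.example/ - NONE/- text/html
1209000003.777     95 10.0.0.22 TCP_MISS/200 1911 GET http://www.nihaorr1.example/1.js - DIRECT/198.51.100.7 application/x-javascript
1209000004.010     60 10.0.0.31 TCP_MISS/200 9000 GET http://search.example/search?q=nihaorr1+sql+injection - DIRECT/203.0.113.44 text/html
"""

# Match the indicator against the host only: a search-engine query that
# mentions the string (the 10.0.0.31 line) is research, not exposure.
INDICATOR = re.compile(r"nihaorr1", re.IGNORECASE)


def parse_squid_line(line: str):
    """Return (client_ip, url) from a native-format line, or None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    return parts[2], parts[6]


def find_exposed_clients(log_text: str) -> dict:
    """Map each internal client IP to the indicator URLs it fetched."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        client, url = rec
        host = urlsplit(url).hostname or ""
        if INDICATOR.search(host):
            hits[client].append(url)
    return dict(hits)


if __name__ == "__main__":
    for client, urls in sorted(find_exposed_clients(SAMPLE_LOG).items()):
        print(f"{client}: {len(urls)} request(s) -> {sorted(set(urls))}")
```

Clients that show up in the result are the ones to pull for a malware check; the log itself only tells you the page was fetched, not whether the install succeeded.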

Be careful out there!

CNN T-Shirts and Oklahoma Criminals

CNN has a new revenue source: t-shirts with CNN headlines. And the State of Oklahoma was letting you get a pile of personal information due to bad programming.

For the t-shirt, create your own URL that looks like this:

http://www.cnn.com/tshirt/?headline=Information%20Security%20knows%20where%20you%20go!&date=1208742566000&hash=e6019d52c9d91cc8eb4e077d85751edc&return_uri=http://www.cnn.com/video/%23/video/world/2008/04/20/thatcher.prince.william.chopper.itn

Just replace the text between the “headline=” and “&date”. Space characters are the “%20” values. There seems to be a limit to the number of characters. And it doesn’t work without the return_uri value. Paste that new URL into your browser, and you’ll get your own T-shirt.

When you change the URL values, you are doing a cross-site-scripting attack. I never have liked creating links with parameter values in them. Too easy to hack the values.

Like in this story, where the Oklahoma state database of criminals can be easily hacked to add the name of your choosing to their database. I believe it’s been fixed, but one of the stories is here from the guy that found it http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx .

As for the CNN T-Shirt page, I don’t think it would be too difficult for someone to create their own form page that would have an input field for the T-shirt text, then creates the URL for the CNN t-shirt.
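The fix for links that are “too easy to hack” is to bind every parameter to the hash so that swapping the headline while keeping the old hash is rejected. The Python below is an added example, not CNN’s code: the HMAC scheme, the secret key and the function names are assumptions (the real CNN hash is unknown). It builds a signed link, reproduces the headline-swap trick from this post, and shows the server-side check failing it.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Hypothetical server-side secret. The real CNN hash scheme is unknown; this
# is an assumed design in which the hash must cover every other parameter.
SECRET_KEY = b"example-secret-key-for-demo-only"
BASE = "http://www.cnn.com/tshirt/?"


def sign(params: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of all parameters except 'hash'."""
    canonical = urlencode(sorted((k, v) for k, v in params.items() if k != "hash"))
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def build_tshirt_url(headline: str, date: str, return_uri: str) -> str:
    """Server-side link generation: the hash covers headline, date and return_uri."""
    params = {"headline": headline, "date": date, "return_uri": return_uri}
    params["hash"] = sign(params)
    # quote_via=quote keeps spaces as %20, matching the URL shown in the post
    return BASE + urlencode(params, quote_via=quote)


def verify_tshirt_url(url: str) -> bool:
    """What the t-shirt endpoint should do before rendering anything."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    given = params.get("hash")
    if not given or "headline" not in params:
        return False
    # constant-time comparison so the digest cannot be guessed byte by byte
    return hmac.compare_digest(given.encode(), sign(params).encode())


def swap_headline(url: str, new_headline: str) -> str:
    """The trick from the post: replace the text between 'headline=' and
    '&date' and keep everything else, including the original hash."""
    start = url.index("headline=") + len("headline=")
    end = url.index("&date", start)
    return url[:start] + quote(new_headline) + url[end:]


if __name__ == "__main__":
    good = build_tshirt_url("Markets rally", "1208742566000", "http://www.cnn.com/video/")
    bad = swap_headline(good, "Information Security knows where you go!")
    print("original verifies:", verify_tshirt_url(good))   # True
    print("swapped verifies: ", verify_tshirt_url(bad))    # False
```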

Wall Street Journal Provides Link to Malware Drive By Site

We’ve talked before about ‘safe computing’. One of the rules is that you stay away from the darker side of the net, and you keep your software current.

Apparently, the folks at the Wall Street Journal’s Business Technology blog don’t exactly follow those recommendations.

An entry last week had a link to a dark place – a web site where cyber-criminals sell credit card numbers. And they put the entire link there.

Today, they tell us that the site had a ‘drive-by’, which is malicious code that tries to get installed on your computer by just visiting (browsing) to the page. No pop-ups, no ‘install’ prompts. Just get to the page, and get your malware infection.

Symantec (which told the WSJ about the malware’d page that was in their link) says that current updates will protect you from the drive-by. Which is a good plug for ‘safe computing’ practices.

Although the free plug for Symantec’s trial software wasn’t appropriate, IMHO.

You’ll find the whole story here.

But I suspect that there will be more to this story.