March 2007 Archives

Thanks to Greg D. Feezel, CISSP, Founder and Steering Committee Member of the Northeast Ohio Information Security Forum for sending this in.

A new vulnerability affecting animated cursors and icons in Windows has been announced. No patch exists yet for the vulnerability, exploit code has been released, and there are reports of malware already exploiting the problem. Microsoft has acknowledged the issue, and the attention that brings raises the potential for an increase in exploitation.

According to McAfee, IE 6 and IE 7 running on fully patched Windows XP SP2 are vulnerable. Windows 2000 SP4 and Windows Server 2003 (with and without SP1) are also reportedly vulnerable. Vista is also reported to be vulnerable, but so far only a denial of service has been witnessed there.

Computers can be infected simply by visiting a website that serves a malicious .ANI file, or by viewing an HTML e-mail message that embeds one. In the past, malicious websites have used this type of vulnerability to silently install malware onto an unsuspecting visitor's machine. These are also known as "drive-by" installs. Note the vector: the cursor file is loaded and parsed as part of rendering the page or message, so the user never has to download or open anything.

Suggested Actions:

Enable a firewall
Keep receiving software updates from Microsoft
Install anti-virus and anti-spyware software, and ensure they are kept updated.
Use extreme caution when you accept file transfers from both known and unknown sources.

Because the infection happens while a page or message is rendered rather than through a file you choose to accept, the first and last items offer limited protection against this particular problem; up-to-date anti-virus signatures and the patch, once Microsoft releases it, are the controls that actually close the hole.
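An .ANI file is a RIFF container (signature "RIFF", form type "ACON") made of length-prefixed chunks, and its "anih" header chunk is a fixed 36-byte structure. That makes a structural sanity check possible at a mail gateway or proxy: any anih chunk that is not 36 bytes, any second anih chunk, or any chunk whose declared length overruns the file is malformed and worth quarantining for a look. The following scanner is an added example written for this entry, not code from the advisory, McAfee or FaceTime; the sample cursor files are constructed inline and are not real malware. A malformed file is not proof of exploitation, and this check is a stopgap, not a substitute for the patch.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs (a fact of the .ANI format)


def chunk(cid, payload, declared=None):
    """Build a RIFF chunk. 'declared' lets test data lie about the size."""
    size = len(payload) if declared is None else declared
    pad = b"\x00" if len(payload) & 1 else b""  # RIFF pads odd-length chunks to even
    return cid + struct.pack("<I", size) + payload + pad


def walk_chunks(data, start, end, findings, anih_seen):
    """Walk chunks in data[start:end], descending into LIST chunks."""
    off = start
    while off + 8 <= end:
        cid = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        payload = off + 8
        if payload + size > end:
            findings.append(f"{cid.decode('latin-1')} at {off}: declares {size} bytes, "
                            f"{end - payload} available")
            return  # structure is untrustworthy past this point
        if cid == b"LIST":
            walk_chunks(data, payload + 4, payload + size, findings, anih_seen)  # skip list type
        elif cid == b"anih":
            anih_seen.append(off)
            if size != ANIH_SIZE:
                findings.append(f"anih at {off}: size {size}, expected {ANIH_SIZE}")
        off = payload + size + (size & 1)


def scan_ani(data):
    """Return a list of findings; an empty list means structurally well-formed."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings, anih_seen = [], []
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = riff_size + 8
    if end > len(data):
        findings.append(f"RIFF declares {riff_size} bytes, file has {len(data) - 8}")
        end = len(data)
    walk_chunks(data, 12, end, findings, anih_seen)
    if not anih_seen:
        findings.append("no anih chunk")
    elif len(anih_seen) > 1:
        findings.append(f"{len(anih_seen)} anih chunks (expected 1)")
    return findings


# --- constructed sample files (not real cursors, not real malware) ---------------

def build_ani(anih_payload, extra=b""):
    anih = chunk(b"anih", anih_payload)
    icon = chunk(b"icon", b"\x00" * 40)            # placeholder frame, not a real icon
    fram = chunk(b"LIST", b"fram" + icon)
    body = b"ACON" + anih + fram + extra
    return b"RIFF" + struct.pack("<I", len(body)) + body


GOOD_HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 1, 0)
BENIGN_ANI = build_ani(GOOD_HEADER)                               # well-formed
OVERSIZED_ANI = build_ani(b"A" * 200)                             # anih far larger than 36
DOUBLE_ANIH_ANI = build_ani(GOOD_HEADER, extra=chunk(b"anih", b"B" * 200))  # second anih
TRUNCATED_ANI = BENIGN_ANI[:-20]                                  # declared lengths overrun file

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_ANI), ("oversized", OVERSIZED_ANI),
                         ("double-anih", DOUBLE_ANIH_ANI), ("truncated", TRUNCATED_ANI)]:
        print(name, "->", scan_ani(sample) or "OK")
```

The scanner stops walking as soon as a declared length overruns its container, since nothing after that point can be trusted; it still reports everything found up to that point so an analyst sees which chunk broke the structure.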

For More Reading:

See Microsoft Advisory

Avert Labs Blog

The 59 Top Influencers in IT Security

We had the great fortune of having two members of FaceTime's research team named on ITSecurity.com's Top Influencers in IT Security list. It is truly a high point to be recognized on the same page as security influencers like Amrit Williams, Alan Shimel, Richard Stiennon, Dr. Anton Chuvakin, and Bruce Schneier, to name only a few.


The 59 Top Influencers in IT Security
Our list of the most influential security experts of 2007 - from corporate tech officers and government security types, to white hat hackers and bloggers.


You can see the full list here.

The Legendary Paperghost

Our own Chris Boyd, director of malware research, who also pens the "kung-fu style" VitalSecurity.org, is certainly deserving of this honor. Chris contributes not only here but indie style at VitalSecurity.org, putting in countless hours to track down the story, frame it so that others can understand the nature of the threat, and make security interesting for everyone with a flair that is completely unique. That was one of the goals we set when we started blogging many, many months ago: to help communicate the story about online security and greynets in a human fashion, in a "real" fashion that we hoped would resonate, educate and interest people from all walks of life.

Team Honor

I was placed on the list for this blog by name, and being a blog veteran of several years, I help lead the effort. However, it must be clarified that this is a team blog, an ongoing work of collaboration. You may often see my name heading entries or included in research, and more frequently see Mr. Boyd's moniker (Paperghost), but there are many others who contribute in many different ways, often quietly and behind the scenes.

We try to recognize individuals in entries when they wish to be recognized (some actually do not), because it takes the hard work of a concerted team, working in unison, to travel to some of the places we must go and to face off with some of the situations we encounter. Often these people behind the scenes don't receive the public accolades or broad recognition they deserve. These are people who often pursue a lead on their own, run an Ethereal trace, help gather the pieces of a complex puzzle, run extra forensics, or simply ask the right questions.

Sometimes just asking the right questions can lead to big breakthroughs.

With that in mind, I am happy The Greynets Blog is recognized as an influential force in IT security. I am happy we have had the support of our executive staff, who believed the effort was worthwhile and granted us the freedom and trust to message in our own voice and style and from where we chose. It has been exciting, tiring and much like a rollercoaster at times. However, one could not ask for a more dedicated team of individuals and diverse voices. Most importantly, thanks to the readers, volunteers and colleagues who work with us day in, day out, to put the heat on the streets and get the message out...

Be vigilant, be smart, and travel with care.

This coverage from colleague Anne P. Mitchell, Esq., President of the Institute for Spam and Internet Public Policy (ISIPP), on the Melanie McGuire and Google search case caught my eye. It was only a matter of time before search histories came back to haunt someone, and this leaves me further worried about the insecure state of PCs and malware's ability to upload "at will" into infected PCs. Think "extortionware"; we covered the concept at RSA Conference 2007.

Anne writes...


Melanie McGuire is currently on trial for the murder of her husband, William McGuire. And while many people now know that your Google and other search engine searches can be discovered, apparently back in 2004, Melanie McGuire did not. For among the searches that the prosecution has found on her computers, searches which she conducted in the days leading up to the murder, were searches for "instant poisons", "undetectable poisons", and "fatal digoxin doses." And while those alone don't necessarily prove intent, another search, "how to commit murder," is pretty unambiguous.

But the crown search in the state's case against Melanie McGuire may be that Melanie also performed searches about gun laws in New Jersey and Pennsylvania. William McGuire was indeed murdered with a gun which, the state claims, Melanie purchased in Pennsylvania.

OK, so far it doesn't look good for Melanie McGuire. We talk about "greynets" and how different tools, even a simple web browser, carry different degrees of risk depending on how they are used, the user's purpose and intent, the environment in which the software is deployed, and even the security of the hardware and facility. Here, stored Google search queries are being used to help build a criminal case.

It gets more interesting...


Also relevant is the fact that the day before the murder, the state says, Melanie's computer shows that she searched for a Walgreens pharmacy near to her. A pharmacist at that Walgreens has testified that on the day before the murder she filled a prescription for an as yet unidentified woman with a prescription written for "Tiffany Bain", for a rarely ordered but known narcotic. The prescription, for chloral hydrate, was written by Doctor Bradley Miller, a doctor at the office where Melanie McGuire worked at the time. Dr. Bradley Miller, the doctor with whom Melanie was having an affair at the time that William McGuire was murdered.

That is true: chloral hydrate (a Class IV hypnotic) is rarely used these days, but it was still not unheard of during my days in medicine a few years ago. At any rate, the circumstantial evidence is starting to pile up. You can read more at The Internet Patrol, but of particular interest was a comment by a reader, Jack Stock, who pens:

As a writer, I can see myself asking these same questions of Google: how to commit a murder, the most efficient poisons, etc. And that doesn't mean that I was planning a murder, except in a fictional story. Murder, he wrote.

There are a number of factors to consider here. Let's start with just four questions:

- Who physically had access to the computer?

- What other data was found on the PC?

- Was the PC compromised in any way?

- Is there any other evidence beyond stored search queries?

No matter how obvious or open-and-shut a case seems, faulty computer forensic assumptions are dangerous. We certainly don't want to see something like the Julie Amero case happen again. You can read a summary and full transcripts here and decide for yourself.

We are in a new era, where your digital footprints, whether you made them out of innocent research or even if someone else made them for you, can and probably will be used against you.

Our CEO, Kailash Ambwani, talks about the greynets concept and how the majority of Internet traffic has evolved from plain HTTP to communicative application traffic. Ambwani discusses how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enablement and control of these innovations inside the enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users, the forward thinkers and innovators, will bring these applications into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one. I would note to pay particular attention to how anonymizers, like Rodi and/or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (whose development the EFF has sponsored) can be used as anti-censorship tools, especially in countries where censorship is a problem.

However, they can be a disaster, a potential legal nightmare, for large enterprises and IT administrators to manage. Kailash goes on to note how malware is now profit driven. In his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools that allow content like video to propagate across the enterprise. This can also be problematic given attacks like the Windows Metafile (WMF) exploits, or exposure to inappropriate content.

In part two, Kailash goes on to discuss how FaceTime addresses these issues. Once again, the focus is on enablement and control. The Internet is changing and we all must change with it.


About this Archive

This page is an archive of entries written in March 2007.

February 2007 is the previous archive.

April 2007 is the next archive.

Find recent content on the main index or look in the archives to find all content.