Friday, August 13, 2010

Big Time Security for an Apple a Day


For as little as an apple a day, you can take a huge slice out of your internet security exposure. We have launched a very short promotional sale (ends August 31) for you to capture huge savings (beginning at 30%) when you migrate to Easier, More Effective Security (as noted by Microsoft Pinpoint).

If your small business, nonprofit or other organization has ever questioned the value proposition of upgrading your security - now is the time to talk it through. The package includes everything - Instant Cash Savings, Integration Support, Ongoing Live Service, robust hardware and automatically updated and maintained software.

Incredible security has never been so easy, effective or affordable. Check it out for a limited time only.

Tuesday, July 6, 2010

Microsoft Highlights Easier, More Effective Security

Small business owners and IT professionals searching for affordable, manageable and comprehensive security should investigate Microsoft Pinpoint's recent suggestions: Three Steps to Easier, More Effective Security.

Microsoft has highlighted selected technology and service partners that will help you keep your data and IT infrastructure secure. By following these steps, you can overhaul your existing security system into a simpler, more reliable network of defenses that will cost less and protect your company more. Under each step, Microsoft has identified key Microsoft-technology experts who can help you.

Assess risk and develop a comprehensive plan. Start by conducting a thorough risk assessment, then draft a comprehensive security plan. Take the time to identify your unique security needs and to research which technologies can best address them.

Eliminate redundancy and share data. Once you know your needs, you can reduce complexity by eliminating redundant systems, or replacing them with newer versions that perform multiple functions. If getting rid of systems is impractical, consider integrating them. Whenever possible, configure your platforms and applications to share data, thereby reducing the risk created by multiple information stores. Calyptix's AccessEnforcer integrates seamlessly with Active Directory to share valuable information and implement user-level policies.

Outsource for improved efficiency. Especially if you have a small IT staff, outsourcing to a reputable third party can reduce the burden on your company while improving security. Consider outsourcing select functions that a specialist can do faster, better, or cheaper, such as threat detection and vulnerability management.

Monday, June 14, 2010

Microsoft publishes "Fix Its" for Windows XP, Server 2003 zero-day vulnerability

Last week, a security researcher from Google publicized a vulnerability in the Help and Support Center application that is part of Windows XP and Windows Server 2003. An attacker can exploit this vulnerability by enticing a user to click on a malicious hcp:// link, which causes Help and Support Center to run an arbitrary command, and therefore an arbitrary executable, on the machine.

Unfortunately, a patch from Microsoft is not available at this time, so Windows XP and Windows Server 2003 users are at risk. Users of Windows 7, Windows Server 2008, Windows Vista, and Windows 2000 are not affected.

On June 12, Microsoft published a "Fix It" for this vulnerability, which lets users apply a workaround by clicking the "Enable this fix" button on this page. The button downloads and runs a small executable that unregisters the hcp:// protocol handler, so hcp:// links no longer reach Help and Support Center. Note that this also breaks legitimate hcp:// help links, such as some links in Control Panel. We highly recommend that all Windows XP and Windows Server 2003 users do this while waiting for a permanent fix to be available.

This fix can be undone by clicking the "Disable this fix" button on the same page.


Friday, June 11, 2010

FIFA World Cup Ripe for Malware Attacks


World events are perfect phishing and malware opportunities for organized crime to launch attacks. The FIFA World Cup, known throughout the world as "the World's Game", is no exception. This morning we were greeted by an onslaught of malicious email seeking to capitalize on this event. Email with the subject "FIFA World Cup...Bad News" and a small Word file attached started appearing late last night EST. Obviously, do not open these malicious emails or the variants certain to follow, do not click their links, and do not open their attachments. This is not the first such attack and we are certain to see more. For more examples of recent malware attacks on the FIFA World Cup see this ZDNet Article.

Thursday, June 10, 2010

Adobe Flash Player 10.1 released; fixes 32 vulnerabilities

Adobe has released Flash Player 10.1, which fixes the Adobe Flash zero-day vulnerability we blogged about. This release fixes 32 critical vulnerabilities in total, almost all of which could result in code execution.

Get the new Adobe Flash Player 10.1 here

Check your Flash version here

Flash is actively used by malware authors to infect computers, because it is installed alongside nearly every web browser and a single exploit works across all of them. Calyptix encourages everyone to upgrade!

In related news, Adobe Reader and Acrobat are still vulnerable. Adobe is planning to release new versions of these products on June 29, 2010. Mitigation techniques are detailed in their advisory (now includes mitigation techniques for Mac and UNIX).

Saturday, June 5, 2010

Adobe Zero-Day Exploit on Flash Player, Adobe Reader, and Acrobat

Adobe has announced a critical vulnerability in Flash Player, Adobe Reader, and Acrobat for which there is currently no fix. This vulnerability is reported to be actively exploited in the wild. The exploit affects those Adobe products on Windows, Macintosh, Linux, and Solaris.

Adobe's security advisory states that this threat can be mitigated for Adobe Reader and Acrobat on Windows by moving the authplay.dll file out of the way (renaming it, deleting it, or removing access to it). The authplay.dll file is located at:

Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll
Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll

This will cause those programs to show an error message or crash (non-exploitably, per Adobe) if they happen to open a PDF file with SWF content, which should be rare. Please note that this technique works on Adobe Reader and Acrobat on Windows only; there is no word from Adobe on how to mitigate this threat on those products on the affected non-Windows platforms.
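The rename is simple, but a practitioner will want it to be reversible, idempotent, and safe to rehearse before touching a production desktop. The script below is an added example, not code from Adobe or from the original post; it assumes the two default paths quoted above (pass your own list if Reader or Acrobat is installed elsewhere), assumes that Reader and Acrobat load the DLL by its exact name so that any other name takes it "out of the way", and must be run with administrator rights on Windows. The scratch-directory rehearsal uses constructed placeholder files, not real DLLs.

```python
import os
import tempfile

# Default locations quoted in the post (Adobe Reader 9.0 / Acrobat 9.0 on
# 32-bit Windows); pass your own list if your installs live elsewhere.
DEFAULT_AUTHPLAY_PATHS = [
    r"C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll",
    r"C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll",
]
# Assumption: the programs load the DLL by exact name, so any other name
# takes it out of the way while keeping a copy to restore later.
DISABLED_SUFFIX = ".disabled"


def disable_authplay(paths=DEFAULT_AUTHPLAY_PATHS):
    """Rename each authplay.dll to authplay.dll.disabled.

    Returns {path: outcome}, outcome being one of
    'disabled', 'already disabled', 'not installed', 'conflict', 'in use'.
    """
    report = {}
    for dll in paths:
        parked = dll + DISABLED_SUFFIX
        if not os.path.exists(dll):
            report[dll] = "already disabled" if os.path.exists(parked) else "not installed"
        elif os.path.exists(parked):
            # Both exist: never overwrite the parked copy; leave it for a human.
            report[dll] = "conflict"
        else:
            try:
                os.rename(dll, parked)
                report[dll] = "disabled"
            except OSError:
                # On Windows a DLL loaded by a running Reader/Acrobat cannot be
                # renamed; close those programs (and run elevated) and retry.
                report[dll] = "in use"
    return report


def restore_authplay(paths=DEFAULT_AUTHPLAY_PATHS):
    """Undo disable_authplay, e.g. once Adobe's patched version is installed."""
    report = {}
    for dll in paths:
        parked = dll + DISABLED_SUFFIX
        if not os.path.exists(parked):
            report[dll] = "nothing to restore"
        elif os.path.exists(dll):
            # A new authplay.dll (from the vendor update) is already in place:
            # keep it and just drop the parked copy of the vulnerable one.
            os.remove(parked)
            report[dll] = "updated dll kept, old copy removed"
        else:
            os.rename(parked, dll)
            report[dll] = "restored"
    return report


def rehearse_in_scratch_dir():
    """Dry run in a temporary directory that mirrors the two default paths,
    so the procedure can be checked before touching a real machine.
    Returns (first disable, second disable, restore) reports keyed by
    path relative to the drive root."""
    with tempfile.TemporaryDirectory() as root:
        fake = {}
        for real in DEFAULT_AUTHPLAY_PATHS:
            rel = real.replace("C:\\", "").replace("\\", os.sep)
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"MZ placeholder")   # constructed stand-in, not a real DLL
            fake[rel] = path
        paths = list(fake.values())
        first = disable_authplay(paths)
        second = disable_authplay(paths)   # idempotent: 'already disabled'
        undo = restore_authplay(paths)

        def by_rel(rep):
            return {rel: rep[p] for rel, p in fake.items()}

        return by_rel(first), by_rel(second), by_rel(undo)
```

Keeping the parked copy, rather than deleting the DLL, is what makes the undo in the post ("move it back") a one-liner later; the "conflict" and "in use" outcomes are the two cases where blindly renaming would either destroy a copy or silently fail.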

The threat to Flash Player can be mitigated by upgrading to Flash Player 10.1 Release Candidate (available on all platforms).

While a fix is being developed by Adobe, we recommend that everyone apply those mitigation techniques. Even with those techniques applied, we still recommend exercising extreme vigilance when browsing websites with Flash content and when opening PDF attachments.

We recommend using Firefox with the NoScript extension, which prevents Flash content from being loaded unless explicitly allowed. NoScript also protects you from a wide variety of other web threats.

Monday, May 10, 2010

Twitter shows that in-band data is still dangerous

Around 20 years ago, I was using a bulletin board system running the Major BBS software.

One of the primary features was group chat, which was still very novel back in the day. Whatever you typed appeared on the screen to everyone else, modulo some swearing filters, which just seem quaint today. There were no control keys; you skipped from forum to forum by typing certain commands, like "join <topic>", or "x" to exit the chat and go to some other function of the BBS. It was considered a fine jape to ask the crowd, "hey, what is the roman numeral for 10?" and watch people who typed in their answer disappear.

One command in particular was "POST <username>". This would change the status of the given username from whatever it currently was ("paid", "expired", or "guest") to a special user status that could log in only for a limited amount of time but had unlimited posting privileges in that period of time.

The existence of this command was kept secret among the admin and a few trusted wizards, until one evening someone typo'd the command. Another user tried it, found what happened, and spread the word.

For a few hours complete chaos reigned. People would log in, and within a minute find that someone had POSTed them into the new status. For most users it was a downgrade, but for new users and guests it was an upgrade. New accounts were made on the spot because anyone could instantly upgrade them.

The admins had to restore from a backup that was a few days old, which was one of the first lessons I ever received on the importance of backing up your data.

This all happened because, among other problems, the code was using in-band data to determine special actions. The users didn't need to pull up a special menu to do these commands.

There were similar problems with "+++" (the Hayes modem escape sequence, which any data stream containing it could trigger on modems that skipped the guard-time check) and "CONNECTION LOST" in the days of modems.

Proving that there is nothing new under the sun, Twitter apparently uses some in-band forms of control. Typing "accept joeuser" makes joeuser follow you. Hopefully Twitter has backups they can restore from to undo all of this.

There are probably other control words you can use in your twitter feed. Right now I expect someone is sending a dictionary through a Twitter feed and watching to see what magic happens. The next few days should be interesting, unless Twitter is shutting all those commands down now.

I understand the deep-placed desire for an elegant control mechanism, and just being able to type commands right into Twitter must have seemed really cool. But the vulnerabilities of in-band data have been around for a long time (including touch-tone phones), and will continue until we all finally learn the lesson.
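To make the lesson concrete, here is the flaw in miniature as an added example; it is not code from the original post, from Major BBS, or from Twitter, and the class, user and command names are made up. InBandService mirrors both incidents above (a "POST <user>" status change and an "accept <user>" forced follow) by recognising control words inside ordinary message text; OutOfBandService keeps message text as pure data and puts control behind separate calls that check the state they depend on. probe_commands is the "send a dictionary through the feed" attack the post predicts.

```python
# Added example: in-band vs out-of-band control. All names are made up.


class InBandService:
    """Vulnerable: control words are recognised inside the text users post."""

    def __init__(self):
        self.followers = {}   # user -> set of users who follow that user
        self.status = {}      # user -> account status ("paid", "guest", "post", ...)
        self.timeline = []    # (author, text) for ordinary messages
        # The table is "secret", but every message is run through it, so one
        # typo or a dictionary of words is enough to discover the entries.
        self._commands = {
            "accept": self._cmd_accept,   # "accept joeuser": joeuser now follows you
            "post": self._cmd_post,       # "post joeuser": change joeuser's status
        }

    def _cmd_accept(self, author, target):
        self.followers.setdefault(author, set()).add(target)

    def _cmd_post(self, author, target):
        self.status[target] = "post"

    def publish(self, author, text):
        """Store a message, unless it happens to look like a command."""
        words = text.strip().split()
        if len(words) == 2 and words[0].lower() in self._commands:
            self._commands[words[0].lower()](author, words[1])
            return "command"
        self.timeline.append((author, text))
        return "message"


class OutOfBandService:
    """Hardened: message text is only ever data. Control actions are separate
    calls that check the authorization state they depend on."""

    def __init__(self):
        self.followers = {}
        self.status = {}
        self.timeline = []
        self.pending = {}     # user -> set of users who asked to follow that user
        self.admins = set()

    def publish(self, author, text):
        self.timeline.append((author, text))   # no parsing, no surprises
        return "message"

    def request_follow(self, requester, target):
        self.pending.setdefault(target, set()).add(requester)

    def accept_follow(self, user, requester):
        # A follow only appears if the other side actually asked for it.
        if requester not in self.pending.get(user, set()):
            raise PermissionError(f"{requester} never asked to follow {user}")
        self.pending[user].discard(requester)
        self.followers.setdefault(user, set()).add(requester)

    def set_status(self, actor, target, new_status):
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not an admin")
        self.status[target] = new_status


def probe_commands(service, attacker, victim, wordlist):
    """Post '<word> <victim>' for every word in the list and return the words
    that were treated as commands rather than stored as messages."""
    return [w for w in wordlist if service.publish(attacker, f"{w} {victim}") == "command"]


def demo(wordlist=("hello", "accept", "post", "join", "x")):
    """Run the probe against both services; returns a dict of observations."""
    vuln = InBandService()
    vuln_hits = probe_commands(vuln, "mallory", "alice", wordlist)

    safe = OutOfBandService()
    safe_hits = probe_commands(safe, "mallory", "alice", wordlist)
    try:
        safe.accept_follow("mallory", "alice")     # alice never asked
        forged_accept_blocked = False
    except PermissionError:
        forged_accept_blocked = True

    return {
        "in_band_hits": vuln_hits,                                   # ['accept', 'post']
        "in_band_alice_follows_mallory": "alice" in vuln.followers.get("mallory", set()),
        "in_band_alice_status": vuln.status.get("alice"),            # 'post'
        "out_of_band_hits": safe_hits,                               # []
        "out_of_band_alice_follows_mallory": "alice" in safe.followers.get("mallory", set()),
        "out_of_band_forged_accept_blocked": forged_accept_blocked,  # True
        "out_of_band_messages_stored": len(safe.timeline),           # 5, one per probe
    }
```

The difference is not the follow or status logic but the boundary: in InBandService the data path and the control path are the same string, so whoever controls the text controls both, and the victim never has to act. In OutOfBandService a tweet containing "accept alice" is just a tweet, and the accept call fails unless alice's request is actually pending, which is the check the BBS "POST" command and the Twitter "accept" word both lacked.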