I will share with you some experiences from implementing a good SMTP engine to avoid being spammed, being categorized as spam etc. This article is product independent therefore if you run Exchange, Windows SMTP, ScanMail, Notes or whatever, this is something good to consider.
This guide specifically focuses on larger organizations, but of course, large/small is just a definition based on the number of users but you may apply them if you so wish.
1. Always put a dedicated SMTP box in a DMZ or internal network. SMTP is relatively a simple and fast protocol so it doesn't really require a super end machine. Have redundancy if needed by simply doing an internal DNS MX with weights without the need of expensive load balancing hardware. Or, if you run Windows, use NLB.
2. Put Anti-malware and Antispam scanning on both the SMTP gateway and your internal email server. Disable NDRs if possible. Do not cross scan between your host based antimalware engine and your protocol based antimalware engine. This can slow down it's performance tremendeously.
3. Register all your email servers that eventually send emails out with a reverse lookup DNS. Do not send emails out directly from internal email servers unless they are equally protected like your SMTP engine or using these tips.
4. All SMTP talkers (this could be your email server or even your client if they send emails out directly using the SMTP protocol) should use RFC1918 addresses not Live IPs for all internal hosts. This because all SMTP chatter will stamp addresses in their headers and if you use a non RFC1918 number, there's a chance the emails will get checked by your recipient's host email server and perform a reverse lookup and of course, you won't be the owner of that Live IP and you can be categorized as spam.
5. Place email send and receive limits. The last thing you need is an email server retrieving 100MB of attachments. There's always secure file shares for that.
6. Verify internal users sending email using your SMTP with your LDAP or similar. Some form of authentication is a good start. As for external users sending you emails, you cant authenticate ..too bad. If possible disable NDR for non-existent recipients. The NDR should be generated by the sender's email server, not yours!
7. Do not run SMTP engines/filtering on your firewall!. Firewalls do not need this unnecessary burden because your SMTP engine is suppose to clean up messages.
8. Do not use your internal mail server as your secondary MX, you are better of not having a secondary MX. Internal mail servers are where all the "juices" are, so if you get whacked, your data is at risk. Spammers have known this trick and sometimes send emails to secondary MX servers in hopes that there's no antispam/antimalware engine installed on them.
9. Create a SPF record on your DNS. Sender Privacy Framework is very easy to setup and can be implemented in mere minutes.
10. Disable relay on all email servers, both internal, external etc.
11. Test all your SMTP server's implementation by running auditing tools such as Nessus - SMTP/product TCP/IP based auditing, www.dnsreport.com - DNS configuration test, abuse.net/relay.html- relay test,
Any of those terms you don't know or want more info, you can write me or simply Google it up.
Happy hosting!
Friday, March 30, 2007
Thursday, March 29, 2007
How to automatically disable/enable your proxy settings
Tired of turning off your proxy settings when outside the office? Well, yea, me too. For a long time now there's a simple and effective way to do this by using a PAC file or Proxy Automatic Configuration file. This PAC file is a simple text document stored inside your computer and is referred by your browser before connecting to the internet.
The PAC uses javascript language to simply do a IF and THEN and ELSE condition. Here's the script of my file i am using, its named proxy.pac
---code start:don't copy this line---
function FindProxyForURL(url, host)
{ if (isInNet(myIpAddress(), "10.10.0.0", "255.255.0.0"))
return "PROXY proxy.mcsb.com:8080";
else
return "DIRECT";
}
---code end:don't copy this line---
Now, create a file, say, proxy.pac using notepad.exe, copy the above code into the file you just created, then save it.
Next, you will have to "tell" your browser to use this auto configuraiton file. Here's how.
For Internet Explorer Only (will update how-to in Firefox soon, doesn't seem to work with it)
Go to Tools >> Interent Options >> Connections Click on LAN Connections, check the box, "Use automatic configuration script", then place this line into the empty box therein.
file://c:/proxy.pac
The above is true provided you are accessing this file from a local PC, you could also place this file into a server etc (web server).
Say OK several times to close the configuration screen. Now reload your Internet Explorer. So, if you are in your corporate network (mine is 10.10.0.0/255.255.0.0) it will use your corporate proxy (mine is proxy.mcsb.com).
So, here are the variables you MUST change to correspond to your own network:
Network: 10.10.0.0 (change to your network)
Subnet Mask: 255.255.o.0 (change to your subnet)
Proxy: proxy.mcsb.com:8080 (change to your proxy IP or name like the example here, after the colon is the port of your proxy server, if it is port 80, you do not need to specify the colon or the port number)
The proxy.pac file can be a real huge monster to do things like high availability for proxy server, support multiple Networks (my example only support 1 network).
More information can be found at: http://en.wikipedia.org/wiki/Proxy_auto-config
The PAC uses javascript language to simply do a IF and THEN and ELSE condition. Here's the script of my file i am using, its named proxy.pac
---code start:don't copy this line---
function FindProxyForURL(url, host)
{ if (isInNet(myIpAddress(), "10.10.0.0", "255.255.0.0"))
return "PROXY proxy.mcsb.com:8080";
else
return "DIRECT";
}
---code end:don't copy this line---
Now, create a file, say, proxy.pac using notepad.exe, copy the above code into the file you just created, then save it.
Next, you will have to "tell" your browser to use this auto configuraiton file. Here's how.
For Internet Explorer Only (will update how-to in Firefox soon, doesn't seem to work with it)
Go to Tools >> Interent Options >> Connections Click on LAN Connections, check the box, "Use automatic configuration script", then place this line into the empty box therein.
file://c:/proxy.pac
The above is true provided you are accessing this file from a local PC, you could also place this file into a server etc (web server).
Say OK several times to close the configuration screen. Now reload your Internet Explorer. So, if you are in your corporate network (mine is 10.10.0.0/255.255.0.0) it will use your corporate proxy (mine is proxy.mcsb.com).
So, here are the variables you MUST change to correspond to your own network:
Network: 10.10.0.0 (change to your network)
Subnet Mask: 255.255.o.0 (change to your subnet)
Proxy: proxy.mcsb.com:8080 (change to your proxy IP or name like the example here, after the colon is the port of your proxy server, if it is port 80, you do not need to specify the colon or the port number)
The proxy.pac file can be a real huge monster to do things like high availability for proxy server, support multiple Networks (my example only support 1 network).
More information can be found at: http://en.wikipedia.org/wiki/Proxy_auto-config
Tuesday, March 27, 2007
Manage your AD - ADManagerPlus
ManageEngine has a product called ADManager plus. ADManager plus runs a self website and can run on your Windows based OS like XP, 2000(3). The free edition is limited to manage a single AD domain in a forest.
Here's the list of features
- Delegate-able administration - You can give rights to your Help desk and Administrators separately
- It has a dashboard view of users reports, system reports and other customized reports.
- You can quickly search objects and edit them right from your browser.
- Bulk user and group management and operations (e.g. create/edit bulk users etc)
- Can manage certain Exchange related tasks and terminal services attributes.
- Reporting - A list of predefined reports and customizable reports
This tool simplifies management of AD without the need to program scripts. It is secure and runs on any browser and it does not need to reside on your Domain Controller, just configure the connection and have rights to connect.
You can view the demo here: http://demo.admanagerplus.com or download free or trials at http://www.admanagerplus.com
Happy administrating :)
Sunday, March 25, 2007
SHA-1 Is Now Crack-able
Cracking MD5 (Message Digest 5) and now, SHA-1 (Secure Hashing Algorithm), she and her team are a bunch of geniuses. They managed to crack the widely used SHA1 hashing algorithm which supposedly, succeeded MD5 after being scrambled by the same Chinese Associate Prof. Wang Xiaoyun of Tshinghua University and Shangdong University of Technology.
This lines up a series of questions i guess about your current implementation, and of course, what's next. Big software companies should take this seriously. It will be in no time that the reverse engineering techniques are available publicly, till then, scramble for another scrambler.
Source article: http://en.epochtimes.com/tools/printer.asp?id=50336
This lines up a series of questions i guess about your current implementation, and of course, what's next. Big software companies should take this seriously. It will be in no time that the reverse engineering techniques are available publicly, till then, scramble for another scrambler.
Source article: http://en.epochtimes.com/tools/printer.asp?id=50336
Saturday, March 24, 2007
If you use Windows 2000 DNS (for Active Directory ..etc) use only Secure Updates
Windows 2000 and later gives you the option to configure your DNS as Active Directory Integrated Zone (ADIZ). This mode is required for name and service automatic update and its super crucial to a successful Active Directory (and some of other MS products like Exchange) implementation.
When enabled in this mode, clients or servers can send an update request DNS packet to the DNS service in Windows and this will be updated inside the DNS service or name records.
However, administrators and implementors, do remember that you should enable secure updates only in the automatic update configuration. Why? Cause otherwise, it's very easy to send a change DNS record update packet and change, for instance, the web address of an internal or external (if you configure split headed dns) host and redirect requests to a malicious site.
An example would be to change proxy.company.com to your PC IP!!!. Users are challenged and they provide user name and password pair. Unknowingly, they have successfully submitted these credentials to your internal password repository. There's only the mind that can limit what other crazy stuff you can do with these type of attack.
So, please enable secure updates only in your DNS automatic update settings.
DNSFUN source: http://securitydot.net/xpl/exploits/vulnerabilities/articles/1578/exploit.html
When enabled in this mode, clients or servers can send an update request DNS packet to the DNS service in Windows and this will be updated inside the DNS service or name records.
However, administrators and implementors, do remember that you should enable secure updates only in the automatic update configuration. Why? Cause otherwise, it's very easy to send a change DNS record update packet and change, for instance, the web address of an internal or external (if you configure split headed dns) host and redirect requests to a malicious site.
An example would be to change proxy.company.com to your PC IP!!!. Users are challenged and they provide user name and password pair. Unknowingly, they have successfully submitted these credentials to your internal password repository. There's only the mind that can limit what other crazy stuff you can do with these type of attack.
So, please enable secure updates only in your DNS automatic update settings.
DNSFUN source: http://securitydot.net/xpl/exploits/vulnerabilities/articles/1578/exploit.html
Friday, March 23, 2007
Google Analytics
Google Analytics is a cool free Site Tracking tool from, oh, you guessed it, Google. I use it for my blog sites (this) and other sites that i help manage. The best thing of it is that its free. You would need of course a Google account (e.g. Gmail) to start with.
Try it out: www.google.com/analytics
It works by embedding a tag inside your website pages. Just add these few lines of codes and start to gather interesting information about your visitors. It can produce custom or built-in reports in charts and exportable in XML, Excel etc. Select a range of dates in which you would like to generate these reports and its immediately updated in your browser.
You could also add profiles to administer and generate reports, setup goals to your website.
Large organizations to small people like me, use this tool for fun or to generate useful information about trends and make informed decisions about your website and future developments.
Malaysian DVD Pirates Out To Kill Sniffer Dogs?
Funny article. Apparently, some bad-ass Malaysian DVD pirate ring wants to hunt down and kill 2 dogs, Lucky and Flo, apparently, sniffed out their stash of DVDs and caused those pirates RM3mil in losses. As its media worth, Malaysian govt will now beef up security around the two hounds.
My 2cents worth about piracy: Well, for movies, its good to have pirates, cause you get to "preview" entire movies. But, folks, come on, if you like it, buy original la...
Also, i think pirated DVD makers will face another, and even more furious problems, and that's Bitorrent. With the release of Wimax licenses and growing internet facilities, people are gonna' download movies and stuff right out of their Bitorrent client, for free!!
I hope those DVD pirates don't go after Bram Cohen now..
Source: CNET , Malaysian Wimax License
My 2cents worth about piracy: Well, for movies, its good to have pirates, cause you get to "preview" entire movies. But, folks, come on, if you like it, buy original la...
Also, i think pirated DVD makers will face another, and even more furious problems, and that's Bitorrent. With the release of Wimax licenses and growing internet facilities, people are gonna' download movies and stuff right out of their Bitorrent client, for free!!
I hope those DVD pirates don't go after Bram Cohen now..
Source: CNET , Malaysian Wimax License
Monday, March 19, 2007
RSA into AntiTrojan
RSA, famous for its authentication and encryption techniques recently announced a service to protect users from trojans. Called RSAFraudaction, is a service, an end-to-end solution that covers the identification, analysis, blocking, and shutdown of attacks.
RSA will get my vote in their offerings. They have far been quite an authority when it comes to certain aspects in security but only time and trojans will tell...
Would like to check it out more and if there's anything worth the effort, it will be posted :)
Convert stuff for free at Zamzar
Was given this site http://www.zamzar.com. It has the facility to convert stuff like movies, document, images and audio straight from your browser to your email. For free, for real!.
Did try to convert a MOV (Apple Quicktime) and it did quite a wonderful job.
What's even more cool, it can skin Youtube out of its shell and have the video posted into your email. More online video sites supported too.
Check it out and give us a review here.
PS> Erm, one note of caution, i am not too sure of any possible privacy concerns, therefore, i would not use the facilities for confidential and private materials. Perhaps you should read their privacy statement here.
Thursday, March 15, 2007
Windows 2003 Service Pack 2 (and XP Pro 64bit) Released
Without much notice, publicity, hue and cry, Microsoft released Service Pack 2 for Windows 2003. This release introduces significant collection of patches and a couple of new features to the operating system.
From experience, upgrading SP1 of Windows 2003 a while back broke a lot of things including 3rd part applications, so, make you do your homeworks and test in non-production environments before deploying SP2. Please also disable Automatic Updates for SP2 if you wish to do testing first and if Automatic Updates are turned on in your production machines. There's a toolkit available to do this here.
W2K3 SP2: http://www.microsoft.com/technet/windowsserver/sp2.mspx.
From experience, upgrading SP1 of Windows 2003 a while back broke a lot of things including 3rd part applications, so, make you do your homeworks and test in non-production environments before deploying SP2. Please also disable Automatic Updates for SP2 if you wish to do testing first and if Automatic Updates are turned on in your production machines. There's a toolkit available to do this here.
W2K3 SP2: http://www.microsoft.com/technet/windowsserver/sp2.mspx.
Firekeeper - An IPS for Firefox
I came across and installed this tool from mozdev.com that protects Firefox (1.5 or higher) against common browser based attacks on malicious sites. You can create your own rules and block off anomalies if you know how to script the rules out.
The product is currently in Alpha (pre-beta, pre-release), so take all necessary precautions when using in production environments. The rules are taken off and simplified from Snort (http://www.snort.org), the open source Intrusion Detection System.
Check it out: http://firekeeper.mozdev.org
Debug Internet Explorer
When browsing the internet, your browser does a lot to make websites and pages look pretty to you. There's frames, pictures, html, java etc. loaded everywhere in these seemingly simple pages. But, there's more *interesting* information and source codes being loaded in the process of it to while and after your pages appear.
Sometimes, it would be useful to see what component (and their breakdowns) are loading for many reasons including troubleshooting, code debugging & reverse engineering and security snooping!
Download and check out DebugBar (http://www.debugbar.com) for Internet Explorer. Once you've loaded the software, click on View (Tools), Toolbars, click on Debugbar and you'll see a left side frame showing the technical breakdown of the website you loaded in your browser.
NOTE: Although the website doesn't explicitly mention support for Vista and IE7, i've tried and works well.
Sometimes, it would be useful to see what component (and their breakdowns) are loading for many reasons including troubleshooting, code debugging & reverse engineering and security snooping!
Download and check out DebugBar (http://www.debugbar.com) for Internet Explorer. Once you've loaded the software, click on View (Tools), Toolbars, click on Debugbar and you'll see a left side frame showing the technical breakdown of the website you loaded in your browser.
NOTE: Although the website doesn't explicitly mention support for Vista and IE7, i've tried and works well.
Wednesday, March 14, 2007
Microsoft OneCare destroys Outlook PST
If you run OneCare 1.5 and have a malware email sent to your Outlook email client, there's a large potential that the OneCare scheduled scanner will place your entire PST file under quarantine or other actions depending on what the administrator has set (which could include even deleting).
What's really disturbing is that this problem existed in version 1.0 and was fixed and now in version 1.5, the issue crops up again, and with its exposure of its products, it smaked off lots of innocent user's PST file.
There's a patch expected to be released Tuesday (today 13th).
The issue could also affect other email clients including Outlook Express, so do exclude email extension for scheduled scans for now till M$ fixes their boo boo (Again!!!)
What's really disturbing is that this problem existed in version 1.0 and was fixed and now in version 1.5, the issue crops up again, and with its exposure of its products, it smaked off lots of innocent user's PST file.
There's a patch expected to be released Tuesday (today 13th).
The issue could also affect other email clients including Outlook Express, so do exclude email extension for scheduled scans for now till M$ fixes their boo boo (Again!!!)
Tellme Networks - Phone based google?
Imagine, just pickup the phone, dial a few numbers, then simple speak your search criteria and you get information just like how you would get by doing a search on Google, MSN or Yahoo.
Tellme Networks - The phone based google to search for information, people and businesses. Living here in KL, i wouldn't wanna try it but if you want, give it a shot. 1-800-555-TELL (8355).
Also, rumors have it that Microsoft is planning to buy these guys over. I guess the software giants see a potential in a solution of such, perhaps its time to pay a lil' attention,
Tellme....what the future (may) hold.
Link: www.tellme.com
Tellme Networks - The phone based google to search for information, people and businesses. Living here in KL, i wouldn't wanna try it but if you want, give it a shot. 1-800-555-TELL (8355).
Also, rumors have it that Microsoft is planning to buy these guys over. I guess the software giants see a potential in a solution of such, perhaps its time to pay a lil' attention,
Tellme....what the future (may) hold.
Link: www.tellme.com
Google Calendar vs. OpenXchange Calendar
Our CEO recently request me to do a write up, a comparison between the above products. So after about 2 hours of playing around with both calendaring solutions my conclusion in shortest form possible, Google is fancy and OpenXchange is sufficient.
Links:
OX: www.open-xchange.org
Google: www.google.com/calendar
Links:
OX: www.open-xchange.org
Google: www.google.com/calendar
Both Google Calendar (GC) and OpenXchange’s Calendar (OX) has pretty much the same features from a shared calendaring point of view. Both products require an account with the basic email, where other users can share some or parts of the entire calendar. Both products are easy to use from their web consoles but OX offers a connector to use in your native Outlook.
From a business processes and functional point of view, both products can achieve almost similar functionalities but OX is an internal product thus the creation and maintenance of accounts can be managed by our local support and helpdesk
Google Calendaring features that got my eye.
- Calendar sharing – Everyone with a Gmail account is entitled to use this feature through web or GoogleDesktop
- You can create events inside your calendar and then share them by means of invitation, even if they don’t use Google (as Google implements iCal, a standards compliant calendaring which can integrate with popular email clients such as Outlook, Outlook Express and Mozilla Thunderbird.) However, the information in those email clients are static thus changes to the calendar would need another invite.
- Natural language recognition – If you type “Meeting with BNM at 12.30” it will automatically create a related event with the related time/date in that natural sentence (using quick add function)
- Ability to create events and invite guests with reminders, guest comments, RSVPs
- Ability to publish calendars privately (so you can privately view your calendar without logging in) or publicly (so you could share with the world and have people either edit/manage events/entries)
- Ability to create multiple calendars per user
- Ability to search by time, location and natural search
- Calendars are accessible through mobile phones
- Ability to get invitations through SMS and emails.
- Ability to integrate with Google Desktop which means we do not need to login to gmail
- Ability to “take the calendar” to our own domain e.g. mcsb.com
- Import and export existing calendars to Google
OpenXchange Calendaring
- Calendar sharing – Everyone with our email system can use this feature through either web or Outlook (it’s a piece of software has a price to it)
- You can create events inside your calendar and then share them by means of invitation, even if they don’t use Google (as Google implements iCal, a standards compliant calendaring which can integrate with popular email clients such as Outlook, Outlook Express and Mozilla Thunderbird.) However, the information in those email clients are static thus changes to the calendar would need another invite.
- Ability to create events and invite guests with reminders and RSVPs
- Ability to search calendars using natural search
- Import and export existing calendars to OX
- It’s our own email server which means we can do pretty much everything we want
- New version includes RSS feeds
- Ability to integrate with Project Management modules in their Groupware
Tuesday, March 13, 2007
Creative People Are "Crazy" ?
According to a study by Vilayanur Ramachandran, creative people technically have a defect in their brains making them able to cross wire different senses to create and innovate different responses.
So, if someone cuts of his own ear, he's not nuts, he was just creative!!! (but if someone does these days, its called plagiarism)
Checkout this interesting article: http://news.com.com/This+is+your+brain+on+TED/2100-11393_3-6166247.html?tag=st_lh
So, if someone cuts of his own ear, he's not nuts, he was just creative!!! (but if someone does these days, its called plagiarism)
Checkout this interesting article: http://news.com.com/This+is+your+brain+on+TED/2100-11393_3-6166247.html?tag=st_lh
Monday, March 12, 2007
Blackberry 8100 DoS
Blackberry is a hugely implemented secure handheld based email client inside the RIM network. It can retrieve emails for you and notify you when you have new emails straight from your email server.
There's a Denial of Service potential in one of their devices, the 8100 Pearl (v4.2.0.51) which can be easily exploited. A fix is available, so if your organization uses BlackBerry and this particular device/model, please update to a patch.
More info: www.blackberry.com/security/news.jsp
There's a Denial of Service potential in one of their devices, the 8100 Pearl (v4.2.0.51) which can be easily exploited. A fix is available, so if your organization uses BlackBerry and this particular device/model, please update to a patch.
More info: www.blackberry.com/security/news.jsp
Saturday, March 10, 2007
Friday, March 9, 2007
Windows Genuine Advantage (WGA) Contacts Home (even if you click cancel)
Microsoft officially admits that the WGA program will "contact home" even if the user clicks on cancel. Nonetheless, the software giants claim, no private information is transmitted through this, further claiming, this is kind of a survey done for WGA user experience. There's been WGAs and WGA crackers, its a cute lil' battle that promotes newer grounds of security and newer grounds for anarchy :D
Anyway, be genuine..
Read more here: http://www.theregister.co.uk/2007/03/09/ms_wga_phones_home/
Anyway, be genuine..
Read more here: http://www.theregister.co.uk/2007/03/09/ms_wga_phones_home/
Want Faster Streamyx? (Choose a faster streamyx connection)
If you're a Streamyx user like me (Streamyx is the xDSL service by TMNet) and face inconsistent performance with your link then you may want to try this little trick i discovered. This "trick" works with dynamic IP users only like myself. So, whenever you dial, you should get a live IP address from Streamyx. Normally, you would get the IP 60.x.x.x which is part of the IP chunk that TMnet bought. After several tests, i found that the IP 60.x is actually really much slower than the IP 218.x.x.x, also, IP range given to TMNet. You may get the IP 219.x.x.x which is also as slow as the 60.x.x.x IP set, in fact, 219, seem slower than all three!!!.
So, redial until you get 218.x.x.x. and see your streamyx fly :)
NOTE: My tests didn't see improvement in Torrent networks though, it made a huge difference with WWW from America (particularly) and its because the routing path is much lesser than that of the 60.x and 219.x....
So seize the opportunity before even this IP gets "clogged" too.
Happy surfin'
So, redial until you get 218.x.x.x. and see your streamyx fly :)
NOTE: My tests didn't see improvement in Torrent networks though, it made a huge difference with WWW from America (particularly) and its because the routing path is much lesser than that of the 60.x and 219.x....
So seize the opportunity before even this IP gets "clogged" too.
Happy surfin'
Wednesday, March 7, 2007
Default Router Passwords
Most edge devices (like routers) come with a default passwords which normally is found at the quick setup guide or their manual. But if you are like me, people who don't read manuals, a quick place to find your edge devices passwords would be http://www.routerpasswords.com. Check it out for yourself.
Oh, and once you've accessed the device, CHANGE THE PASSWORD to something complex and document it somewhere safe.
Oh, and once you've accessed the device, CHANGE THE PASSWORD to something complex and document it somewhere safe.
Apple QuickTime Player Remote Heap Overflow
Apple QuickTime Player is reported prone to remote heap overflow vulnerability (exploitable via remotely originated content). Only Windows users are currently affected. Please update to latest at http://www.apple.com/quicktime/win.html
Full advisory can be found at:
Full advisory can be found at:
http://www.piotrbania.com/all/adv/quicktime-heap-adv-7.1.txt
Kaspersky UPX vulnerability revealed
Problem processing packed files led to infinite loop.
Details of a flaw in UPX processing in the Kaspersky anti-virus engine have been made available, a month after the release of a patch to fix the problem.
The vulnerability, which was reported by iDefense, could be exploited by a maliciously created file to cause the software to go into an infinite loop, leading to denial of service on email servers running Kaspersky scanning in their filters, to degradation of performance on other servers and possible total loss of processing on desktop machines.
Kaspersky is the second vendor to be hit by a UPX-related vulnerability this year, after a similar issue hit Trend Micro in early February.
The flaw was patched by Kaspersky within a few weeks of the initial report, and all users should be automatically protected via automatic updates. The iDefense alert on the problem is here, and details from Secunia are here.
PC Hardware Can Be A Malicious Rootkit
I guess, in time, you would need to run your Antivirus on hardware too to check for malicious code. I guess it would be an expensive exploit, nonetheless it could be exploiting hardware and storing itself in your hardware's firmware.
A good practice from now is to buy reliable manufacturer's hardware and update your firmware when they become available.
News excerpt from http://news.com.com/PC+hardware+can+pose+rootkit+threat/2100-7349_3-6162924.html
A good practice from now is to buy reliable manufacturer's hardware and update your firmware when they become available.
News excerpt from http://news.com.com/PC+hardware+can+pose+rootkit+threat/2100-7349_3-6162924.html
ARLINGTON, Va.--PC hardware components can provide a way for hackers to sneak malicious code onto a computer, a security researcher warned Wednesday.
Every component in a PC, such as graphics cards, DVD drives and batteries, has some memory space for the software that runs it, called firmware. Miscreants could use this space to hide malicious code that would load the next time the PC boots, John Heasman, research director at NGS Software, said in a presentation at this week's Black Hat DC event here.
Nessus: Be an instant security auditor
I really like those some proclaimed security auditors who come to you and say they can "detect" security flaws in your products and charge you a butt load of money for it. I must say, they did some good work in convincing you.
But seriously speaking, many so called "sec auditors" out there are just a load of scripting kiddies that run tools then Google the findings and look for resolutions, last but not least, they send you their bill. Well, i am not sure if there's a magician's-code like for security auditors not to "reveal" their tricks to the public, i don't really care actually.
So here's a quick trick to become a sufficient auditor (note, by saying sufficient, i mean, basic or enough-for-now level). Try Nessus 3.0, its a vulnerability scanner for almost anything that have an IP (almost).
Its an awesome tool, that i personally use too when performing auditing but, i would provide this type of auditing for free!.
I would suggest to organizations, large or small, to run a basic security audit on all implemented servers, devices, routers or like i said, anything with an IP to see if its secured at least to known security vulnerabilities out there.
Nessus is fast and agentless that runs on many *nix flavors, Windows, Solaris and Macs and even checks for patch levels if configured to do so. Now, try it out for yourself, but first read the how-to-guide then start. Some scans can crash servers so be extremely careful when running on live environment.
And..drum rolls, best part is, its FREE!!! Enjoy!
Brought to you by the good folks at Tenable (http://www.tenablesecurity.com)
Nessus 3.0 download link. http://www.nessus.org/download/
Nessus 3.0 Faq: http://www.nessus.org/plugins/index.php?view=faq
About
The Nessus vulnerability scanner, is the world-leader in active scanners, featuring high speed discovery, asset profiling, and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks.
They can also be made available for ad-hoc scanning, daily scans, and quick-response audits. When managed with the Security Center, vulnerability recommendations can be sent to the responsible parties, remediation can be tracked, and security patches can be audited.
But seriously speaking, many so called "sec auditors" out there are just a load of scripting kiddies that run tools then Google the findings and look for resolutions, last but not least, they send you their bill. Well, i am not sure if there's a magician's-code like for security auditors not to "reveal" their tricks to the public, i don't really care actually.
So here's a quick trick to become a sufficient auditor (note, by saying sufficient, i mean, basic or enough-for-now level). Try Nessus 3.0, its a vulnerability scanner for almost anything that have an IP (almost).
Its an awesome tool, that i personally use too when performing auditing but, i would provide this type of auditing for free!.
I would suggest to organizations, large or small, to run a basic security audit on all implemented servers, devices, routers or like i said, anything with an IP to see if its secured at least to known security vulnerabilities out there.
Nessus is fast and agentless that runs on many *nix flavors, Windows, Solaris and Macs and even checks for patch levels if configured to do so. Now, try it out for yourself, but first read the how-to-guide then start. Some scans can crash servers so be extremely careful when running on live environment.
And..drum rolls, best part is, its FREE!!! Enjoy!
Brought to you by the good folks at Tenable (http://www.tenablesecurity.com)
Nessus 3.0 download link. http://www.nessus.org/download/
Nessus 3.0 Faq: http://www.nessus.org/plugins/index.php?view=faq
About
The Nessus vulnerability scanner, is the world-leader in active scanners, featuring high speed discovery, asset profiling, and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks.
They can also be made available for ad-hoc scanning, daily scans, and quick-response audits. When managed with the Security Center, vulnerability recommendations can be sent to the responsible parties, remediation can be tracked, and security patches can be audited.
Nessus is supported by a world renowned research team and has the largest vulnerability knowledge base, making it suitable for even the most complex environments.
Sunday, March 4, 2007
Best Antivirus & Ratings for 2007
I've summarized some tests performed by Av-comparatives.org, an independent AV research company. The ratings are Advanced+, Advanced, Standard and failed (as of Feb 2007)
Results thanks to: http://www.av-comparatives.org/
Advanced+
========
1. Avira
2. eScan
3. F-Secure (yeah!)
4. Gdata
5. Kaspersky (I use this, proud to have blown 300++ on this baby)
6. TrustPort
Advanced
========
1. Avast
2. AVG
3. Bitdefender
4. Fprot
5. Fortinet
6. NORD32
7. Symantec
8. Norman
Standard
========
1. Dr.Web
2. McAfee (hmm..surprisingly)
Failed
=====
1. Microsoft (not surprising here..)
Results thanks to: http://www.av-comparatives.org/
Advanced+
========
1. Avira
2. eScan
3. F-Secure (yeah!)
4. Gdata
5. Kaspersky (I use this, proud to have blown 300++ on this baby)
6. TrustPort
Advanced
========
1. Avast
2. AVG
3. Bitdefender
4. Fprot
5. Fortinet
6. NORD32
7. Symantec
8. Norman
Standard
========
1. Dr.Web
2. McAfee (hmm..surprisingly)
Failed
=====
1. Microsoft (not surprising here..)
Another reason to not use Microsoft OneCare *YET* (OneCare may fail to "qualify" further evaluations)
Microsoft product found not up to scratch in AV-Comparatives review.
Respected testing organisation AV-Comparatives has released the results of its latest in-depth test of anti-virus products, with a large batch of products tried out over a wide range of malware. Only one product, Microsoft's Windows Live OneCare, failed to detect enough of the test set to qualify for any level of certification.
As part of a thorough regime of testing, AV-Comparatives runs tests of on-demand detection ability twice a year, pitting products in their most in-depth scanning modes against a vast collection of samples. Top of the test tables this time were GData's AntiVirusKit and AEC's TrustPort (reviewed in the latest issue of Virus Bulletin, available to subscribers here), both multi-engine products which spotted over 99% of the samples. Products from Avira, F-Secure, Kaspersky and MicroWorld also made the top 'Advanced+' grade.
The detection level required for certification at the lowest level, 'Standard', was recently raised from 80% to 85%, and the Microsoft product missed this, scoring just 82.4% overall. As this minimum level of detection is a requirement for inclusion in the review, OneCare risks being excluded from further testing.
'It's very disappointing to see a major product not reaching a good enough level of detection,' said Andreas Clementi, who runs the AV-Comparatives testing. 'For the sake of their customers, I hope Microsoft will be working hard to improve things and ensure OneCare offers full protection to its users.'
OneCare came last in the detection tables for both viruses and trojans. In a further test of polymorphic virus samples, OneCare was placed 15th out of the 17 entries, with fully reliable detection of only four of the 12 viruses used. Microsoft's product also failed to achieve VB100 certification in our recent test of products available for the Windows Vista platform.
McAfee and Doctor Web products achieved the AV-Comparatives 'Standard' grading, with several others including Symantec, BitDefender, Alwil, Grisoft, Eset, Norman, Frisk and Fortinet attaining the 'Advanced' level. Full details of the test results and methodologies can be found at the AV-Comparatives.org website, here.
Skype Users Take Note! (Stration & Storm's gonna get ya..)
Source: http://www.virusbtn.com/news/virus_news/2007/03_01.xml?rss
Skype messages, blogs, forum entries and webmails lead to more malware variants.
Two major gangs of malware distributors have turned to new vectors for spreading their wares this week. While the makers of W32/Stration (aka Warezov) have been spamming Skype messages leading to copies of their latest variant, the 'Storm' series of trojan attacks has evolved a method of inserting links to its malware into forum and blog postings and webmails sent from infected machines.
The Skype attack involves a simple text message sent via Skype, urging recipients to check out a URL link. The messages come from known addresses, thanks to machines infected with the worm sending out the links to their address books. The link carries yet another variant of W32/Stration, but few infections are so far reported, perhaps due in part to the suspicious nature of the message, which aside from posting an unusual-looking URL, also closes the connection as soon as the message is left.
A screenshot of a sample message posting can be seen on the F-Secure blog, here.
The 'Storm worm' gang has also branched out into new territory, with a sophisticated piece of code which recognises when an online form is being sent. Text uploads including blog entries, forum messages and emails sent from web-based services such as MSN Hotmail, Yahoo! mail and Google's Gmail are intercepted as they are sent, and a message with a link posing as an interesting video file are appended. The links, of course, lead to copies the of malware hoping for a new victim.
Responsible for the additions to mail and postings is a trojan downloaded as part of an infection by the 'Storm' series of trojans (aka Peacomm, BAI, Dorf, Small etc.). More detailed information can by found in a blog entry from Symantec's Eric Chien, here.
'Security firms regularly warn users about attachments and links sent by unknown sources,' said John Hawes, Technical Consultant at Virus Bulletin. 'Malware writers love finding ways around this, so users should be wary of executable content whatever the source, and should ensure they are running good quality, up-to-date security software to keep themselves safe from these nasties.'
Month of PHP bugs (PHP language security issues)
Researches have found multiple bugs (which are already discovered) and lots more unknown bugs on the famous scripting language, PHP which stands for Personal Home Page. This famous scripting language is used widely in systems from security companies to large corporations, to embedded devices (for management) and more.
People who use and manage websites on PHP should seriously consider reading about the bugs and vulnerabilities.
Here's a link from the source where i got this from http://www.securityfocus.com/news/11436
People who use and manage websites on PHP should seriously consider reading about the bugs and vulnerabilities.
Here's a link from the source where i got this from http://www.securityfocus.com/news/11436
Thursday, March 1, 2007
Star Trek Returns in 2008?
Star Trek fans, check this out, paramount Pictures today officially announced a new motion picture tentatively entitled Star Trek XI on Christmas Day 2008. Alas, their website didn't have much info about the new releases.
Anyway, those into ST (not me!, am a starwars fan), gear up those torrents or watch em' on TV.
Link: www.startrek.com | or choose the better of the two, www.starwars.com
Enjoy.
Anyway, those into ST (not me!, am a starwars fan), gear up those torrents or watch em' on TV.
Link: www.startrek.com | or choose the better of the two, www.starwars.com
Enjoy.
Subscribe to:
Posts (Atom)