UPS_Invoice email trojan variant claims to be from Customs Service

July 24, 2008 — Adam Vero

In the last hour I found in my inbox a variation on the UPS_Invoice trojans of last week. This new email claimed to be from “Customs Service” with the subject “Customs – We have received a parcel for you” and the following text:

Good afternoon,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,

Rolland Hanna

Your Customs Service

This content was so close to the UPS_Invoice one that it seems obvious it originates from the same source.

Read the rest of this entry »

Posted in Security and Malware. Tags: , , , , , , , . 18 Comments »

Follow up post about UPS_Invoice trojan

July 15, 2008 — Adam Vero

I’ve now had a chance to take a slightly closer look at the four copies of this Trojan Agent HFU that I received in the last 24 hours, as discussed in my previous post here. I’ve posted some details of file names and sizes along with MD5 hashes for people to be able to compare their versions against.

Read the rest of this entry »

Posted in Security and Malware. Tags: , , , . 13 Comments »

UPS_Invoice.exe trojan received by email

July 14, 2008 — Adam Vero

This lunchtime I received an email as follows:

From: United Parcel Service [someone@not_ups.com]

Subject: UPS Paket N2410170593

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS

Attachment: UPS_Invoice_317.zip

Of course this was extremely suspicious. I had no recent dealings with UPS, the email clearly did not really come from them anyway (it was not even spoofed to appear to be from their domain), and why on earth would they need to send me a file, let alone a zipped one? The misspelling in the subject also smelled of an automated message (although Paket is the correct spelling for the German word for packet). I smelled malware and wanted to find out more.

Read the rest of this entry »

Posted in Security and Malware. Tags: , , , . 37 Comments »

Why IT design skills are important, and how to measure them

February 29, 2008 — Adam Vero

The comments on my earlier post about the MS Security Design exam 70-298 prompted me to add some more general thoughts.

I agree with the comment made that the design exams do generally seem easier in some respects than the straight technical ones, as you don’t need to know the same level of detail of exactly how to do something in terms of making choices in a dialogue box.

On the other hand, the MS design exams do expect you to be able to take in, digest and interpret a load of business and technical requirements (some of the latter may only be implied from the former, some will be explicitly stated). The breadth of this is where the challenge lies in the real world, although the exam will often lead you in the right direction, rather than a blank sheet of paper on which to write an IT security plan. The nature of a computer-based exam does not lend itself to open questions; it would be very hard to make any kind of meaningful sense out of your answer to “How would you improve the security of the data for this organisation? (answer in no more than 200 words)”.

Read the rest of this entry »

Posted in Security and Malware, Training + certification. Tags: , , , . 3 Comments »

Passed 70-298 "Designing Security for a Windows 2003 Network"

February 22, 2008 — Adam Vero

This morning I took and passed Microsoft exam 70-298 “Designing Security for a Windows 2003 Network”. Having not taken one of these scenario-style design exams before, I was a little cautious even though I was fairly confident of my knowledge of the material.

The first section had 11 questions which was great as I had made loads of notes from the provided fictional case studies, and I sailed through with loads of time to spare. Unfortunately the format of these exams is that the time for each part is independent, so you don’t get to carry any spare time to the next set of questions and use it there. I had a couple of shorter sections where I maybe spent too long reading the materials and answered the last question with seconds to spare.

Overall I found this style of exam to be right up my street; taking in lots of information in a very short time and then applying my technical knowledge to this to come up with solutions to the business issues. Despite the rushed time on a couple of questions I came away with my best score to date on a Microsoft MCP exam, and won’t need to use my second chance to take this.

How do you find these design exams compare to the ‘normal’ technical ones?

Posted in Security and Malware, Training + certification. Tags: , , . 5 Comments »

Windows Server 2008 Security Resource Kit coming very soon

February 15, 2008 — Adam Vero

book cover - Windows Server 2008 Security Resource KitJesper Johansson has put together a great book for Windows Server 2008 focusing on security and providing a load of resources that go beyond the shipped product.

Produced by a group of world-class contributors including several MVPs and members of Microsoft’s server security team, this is likely to be the definitive reference on the subject for some time.

According to Jesper’s blog it has now gone to press.

This official Microsoft Resource Kit delivers the in-depth, technical information and tools you need to help protect your Windows®–based clients, server roles, networks, and Internet services.

Leading security experts explain how to plan and implement comprehensive security with special emphasis on new Windows security tools, security objects, security services, user authentication and access control, network security, application security, Windows Firewall, Active Directory® security, group policy, auditing, and patch management. The kit also provides best practices based on real-world implementations.

You also get must-have tools, scripts, templates, and other key job aids, including an eBook of the entire Resource Kit on CD.

It’s an MS Press title so it should be pretty widely available, I will be pre-ordering my copy from here at The Register book store, as they have really competitive pricing and free delivery for orders over £25 at the moment.

Posted in Reviews, Security and Malware, Windows Server 2008. Tags: . 1 Comment »

Hardening Windows Systems – Roberta Bragg

January 16, 2008 — Adam Vero

Author: Roberta Bragg. CISSP, MCSE: Security, Security+Publisher: McGraw Hill / Osborne

Suggested Publisher Price: $39.99 US / $57.95 CDN / £24.99 UK

ISBN: 0-07-225354-1 Softcover, 504 pages

Hardening Windows Systems book cover

Bulletproof your systems before you are hacked!

Take a proactive approach to network security by hardening your Windows systems against attacks before they occur. Written by security evangelist Roberta Bragg, this hands-on resource provides concrete steps you can take immediately as well as ongoing actions to ensure long-term security. Whether you have one Windows server or one hundred, you’ll get complete details on how to systematically harden your network from the ground up, as well as strategies for getting company-wide support for your security plan. With coverage of Windows 95/98/NT 4.0/2000/XP and Windows Server 2003, this book is an essential security tool for on-the-job IT professionals.

Read the rest of this entry »

Posted in Patching + hotfixes, Reviews, Security and Malware. Tags: , , , . Leave a Comment »

Watch those data entries

October 29, 2007 — Adam Vero

Thought I would share a cartoon I saw:

From http://imgs.xkcd.com/comics/exploits_of_a_mom.png (sorry, I don’t know who the original artist is, if I find out they will of course get credit)

Posted in Security and Malware, Trivia and fun stuff. Tags: , , , . Leave a Comment »

Using anti-virus software to keep the elephants away

October 1, 2007 — Adam Vero

Steve Riley wrote an interesting article recently about why he chooses the trade-off to not run anti-virus (AV) on his own machines, and a follow-up to that after many people asked if this is his general recommendation. His view is very similar to mine, in that if your overall stance is a cautious one and you are taking other suitable precautions against the risk of getting a virus infection (or spyware or some other nasty malware) then you may be just fine running with no AV software. This is how I run my own workstations (both private and business), but in all cases I run as a non-privileged user and will always be aware of the risks anytime I use admin credentials to install something.

As Aaron Margosis points out, running anti-virus software which requires you to be a local administrator to work properly is fairly pointless. You have the rights required to turn off, disable and uninstall your AV, so any malware that gets past your defences can do this too, rendering the AV potentially useless. The same applies of course to running well-written anti-virus which does not require admin rights, but then running as admin anyway.

»Read on to find out why I recommend using anti-virus to keep elephants away»

Posted in IT myths debunked, Security and Malware. Tags: , , , , , , . 1 Comment »

Use Bitlocker drive encryption for all your data volumes on Vista

September 23, 2007 — Adam Vero

Thanks to a comment by Steve Lamb on his blog, I now find out that you can already use Bitlocker to encrypt volumes other than the operating system partition, you just have to do it from the command line.

I was pleasantly surprised to learn this, and it means I don’t have to wait for sp1. »Read the rest of the article to find out how»

Posted in Security and Malware, Windows Vista. Tags: , , , . Leave a Comment »

Industry Insiders article – Don’t Secure Your Documents!

August 16, 2007 — Adam Vero

An article I wrote for Microsoft’s Industry Insiders blog site has just been published.

This week I was asked by the IT support guy who works for one of my clients about how a user could put a password on a document. Since I am both their external consultant and their MS Office trainer, I was the right person to call.

To me this question is always a red flag as it implies that the user does not understand the places which already exist for them to save documents in such a way as to give access to the correct group of colleagues (or just themselves). My answer was therefore “I’ll show you how to do it for the sake of argument, but you should tell the user that they should not do this”.

Read the whole of this article about a proper approach to document security and avoiding mere security theatre.

The Industry Insiders site looks at various topics affecting corporate IT, with a slight lean towards information security, which is unsurprising since it is maintained by IT Pro Evangelist for Security, Steve Lamb (and evangelist manager Eileen Brown)

Posted in Office System, Security and Malware, Work and profile. Leave a Comment »

Whitelisting applications versus Anti-virus

June 28, 2007 — Adam Vero

There was an interesting article in The Register yesterday called “the decline of antivirus and the rise of whitelisting“. It discussed the relative merits of using a whitelist to allow only known good programs to run, versus using traditional anti-virus (AV) to let everything run except things you know are bad. The comments to this article also raised a number of valid points, some academic and some based on real-world experience.

The obvious flaw in the traditional AV approach is the difficulty in keeping up with new malicious software rapidly enough to avoid infection. Whitelisting gives you a little more control but still takes substantial effort in a large environment, and is harder to delegate out to a third party without leaving so many loopholes as to render it pointless.

Read the rest of this entry »

Posted in Patching + hotfixes, Security and Malware. Tags: , , , , , , . 6 Comments »

Users sharing passwords may breach data protection regulations

June 21, 2007 — Adam Vero

The Data Protection Act 1998 (DPA) can be seen as a very straightforward piece of legislation. Properly applied, it protects the rights of individuals to ensure that data about them is processed properly, securely and only for the purposes they originally gave that information.

In a ruling yesterday the Information Commissioner’s Office decided that allowing staff to access data without proper controls (by using each other’s passwords) is not in compliance with the Act. This kind of lax IT management does not ensure that personal information will only be accessed by authorised people who have a good reason to do so. This does not meet the Act’s requirements that a Data Controller should have appropriate “technical and operational measures” to ensure data is processed in line with the Data Protection Principles.

Read the rest of this entry »

Posted in IT legal matters, Security and Malware. Leave a Comment »

Windows Vista more secure after six months than XP

June 21, 2007 — Adam Vero

Some readers may have seen the report which was published by Jeff Jones three months after Vista was finally released in which he showed that the number and severity of flaws in Vista were far less of a risk than XP after an equivalent period.

He has now updated this report to show the vulnerabilities in Vista after 180 days. What is key is not only the distinctly fewer known vulnerabilities overall, but the number of disclosed holes that remain unpatched at the time of writing.

Note that the blog entry is only a summary and the only graph you get to see relates to high severity vulnerabilities. Also, it only looks at those which affect the core systems, not optional components. So, Vista looks like it is doing better than XP at this point with almost no unpatched holes, and many people will go away with that impression because visuals work well in getting messages into the brain.

The full 14 page report (pdf) is also available, in which the discussion is much more detailed (even patch by patch). It is here that it becomes clearer that while it is faring better than XP did, to me it is not doing so much better given how much hype there has been about trustworthy computing and Vista (and Longhorn / 2008) being secure by design, rewritten from the ground up to be more secure, yadayada more secure.

Posted in Patching + hotfixes, Security and Malware, Windows Vista. 1 Comment »

Updated ACL model in Vista improves on XP and 2003

June 5, 2007 — Adam Vero

There are various changes to the ACL model from XP/2003 to Windows Vista. Some are simple changes to defaults such as who has permission to create and modify files in the root of the boot volume, others are more complex regarding implicit permissions granted to the owner of an object and how this can be controlled even further.

Jesper Johansson has written an excellent and detailed Technet magazine article about Vista’s new ACL features  and how these improve security. Some of this is just “useful to know” but effectively just gets on with the job under the hood; other parts are more useful to understand in depth to leverage the new capabilities.

Read the rest of this entry »

Posted in Security and Malware, Windows Vista. Leave a Comment »

Owning Vista from the boot

April 29, 2007 — Adam Vero

An interesting article and interview about a proof-of-concept ‘bootkit’ which provides a means to run arbitrary code with raised privileges in Vista, despite all the protected mode security and inability to change the kernel

Vista Bootkit article on SecurityFocus

Posted in Security and Malware, Windows Vista. Leave a Comment »

Sophos SBE: anti-virus and anti-spam for small businesses

January 14, 2007 — Adam Vero

Sophos Small Business Suite – Engineered for small businesses

  • Includes Sophos Anti-Virus Small Business Edition and Sophos Pure Message Small Business Edition
  • Detects and disinfects viruses at every potential access point, ensuring networks are fully protected
  • Blocks up to 98% of spam, keeping inboxes free of unsolicited bulk emails
  • Updates automatically, providing a complete defence against the latest virus and spam threats

Review

This product is squarely aimed at the small business IT administrator who wants a neat, simple solution to address their concerns about viruses, and the issues caused by the ever-increasing volume of spam email.

Read the rest of this entry »

Posted in Reviews, Security and Malware. Tags: , , , . 1 Comment »

How Opera’s Desktop Team deal with security vulnerabilities

January 11, 2007 — Adam Vero

In an article entitled “Handling Security”, Claudio Santambrogio of the Opera Desktop Team discusses how they handle vulnerability reports, disclosure, patching and upgrades.

Recently, some of our users have asked why we chose to disclose a potential security issue only after the release of Opera 9.10. Let me try to give a short overview on how security issues get reported and disclosed – and not only at Opera, but in most applications: it might help some people to understand how this works.

Posted in Patching + hotfixes, Security and Malware. Leave a Comment »