Microsoft have released an additional Patch to plug some vulnerabilities in Internet Explorer 7.0

I am not sure if this is a slow news day in the Internet Security world but lets assume this is serious and go grab the patch.

Tip: It requires a reboot.

If your Windows PC isn’t set for automatic updates then browse to www.windowsupdate.com to get it.

I am noticing a trend that Spyware/Malware attacks are making a comeback and are getting more sophisticated.

In the good old days Spam e-mail used to be just advertising but increasingly that innocuous looking spam e-mail has other ideas.

It can be one or more of the following:-

Malware: Malicious software designed to get on your PC without your knowledge.

Spyware: They steal your passwords via keystrokes that are sent back to the spyware author.

Virus: Designed to cause harm to your computer.

Phishing: Designed to get you to impart privileged information.

Problem Area’s

Internet Surfing: The number of malicious or infected web sites is in the millions. You can no longer just click, click on every link you see.

Tip: Make sure you have your Phishing Filter on and have up to date Anti-Virus Software running.

Inbox: Even with good Anti-Spam defences Spam e-mail gets through about one third will have a link to something bad.

Tip: Don’t even get curious with suspect e-mails and click links just to see. Delete, Delete and Delete.

Stay Safe online Link: http://news.bbc.co.uk/1/hi/technology/5414992.stm

This is extends to tech reporting.

Check these 597 news articles about UK ISP’s sending out warning letters to music file sharers.

Link: all 579 news articles »

Check out these 299 news articles about a DNS flaw that puts every Internet user at risk.

Link: all 299 news articles »

One of these stories is important…

What is DNS? Link: http://en.wikipedia.org/wiki/Domain_Name_System

It turns names like  www.mysitewhatever.com into an ip address example 111.222.121.12

The DNS exploit allows hackers to divert your web traffic to another site without you knowing.

So you may think your on www.mybank.co.uk but you could be invisibly re-directed to a site the hackers set up to capture your data.

Typically your ISP needs to patch/update their own DNS servers as you use these to route your web traffic around the Internet.

So how do you know if you are vulnerable?

Tech Tip:

There is a DNS checker on this site (http://www.doxpara.com/)

Look for this in the right hand side of the page.

or

On this really useful site  (http://www.dnsstuff.com/)

Look for this at the bottom left:

If you find your are vulnerable send an e-mail to you ISP asking when they will patch their DNS servers to protect you.

In the mean time be extra careful. Oh and stop downloading music.

The mobile phone company O2 had to shut down their web based MMS viewing web site.

If an o2 customer received an MMS (picture or video) and did not have a MMS capable phone O2 would host the content (picture or video) on their web site.

However it would appear for some of this content Google was able to search and index the supposedly private content and it was publicly viewable by doing a Google search.

The viewing  Web site has now been taken offline to protect customers privacy.

To make matters worse the contact details of the sender and recipient were also exposed.

Link: http://news.google.co.uk/nwshp?tab=wn&ned=uk&ncl=1228737394&hl=en&topic=t

Update 24/07/2008 – Nod32 Now Identifies this – See bottom of post.

—

Several clients were targeted with e-mails that contained .zip files.

The contents of which were crafted to look like legitimate e-mails from UPS with invoices attached (see above).

Inside the .zip file was an executable file disguised as a Microsoft Word document (see above). That is a fake icon. The file is really called ups_invoice.exe

You can even scan the .exe file with Anti-Virus software in my case the latest Business Edition of Nod32 and it will not be detected.

I even submitted the .exe file to eset and they said:-

“The file is corrupt and thus non-functional. As such, it should not be detected as it does not pose any risk” [TRACK#4884AA4D0007]

That is a complete load of rubbish, I took the same file and managed to infect my test bed XP machine running the latest version of Nod32.

So you really are at the mercy of the end user doing the right thing and not opening unsolicited attachments.

It would appear to be able to defeat the End Users Anti-Virus by connecting to the Internet to download the payload and sneaking itself onto your computer. The end user is complicit in this, they have to run the infected file. As you can see from the shots above this has been cleverly engineered to be difficult to spot.

With up to date Anti-Virus software not being able to detect the original .exe file it really is open season.

Tech Tip: If you are worried users might get caught out then ban .zip files if you can.

More details here: http://pandalabs.pandasecurity.com/archive/Fake-UPS-Invoice-Email.aspx

Updated 24/07/2008

I just get the impression the AV companies were caught napping on this one.

But the good news is those pesky attachments are now being identified.

Yesterday afternoon about 3pm a number of clients all had Anti-Virus threat detected messages (pictured above).

Some rogue definition updates falsely identified some word documents as being infected with the msword.smtag trojan.

As the first call came in I took it on face value and remotely took over the users PC.

I couldn’t find anything obvious so I quickly installed the SysInternals Process Monitor (Link) to have a good rummage around. Still nothing.

I quarantined the files and submitted them for further investigation with Eset.

Then about 10 minutes later another call comes in from another site with the same problem.

My first thought is false positive, so I quickly call Eset technical support in the UK on 0845 838 0832 and quickly get confirmation of the false positive.

Updated anti-virus definitions would be available shortly so we just had to wait it out.

Link: www.eset.co.uk

Omar Shahine is a Tech Blogger and a Microsoft Employee. I love his blog.

Unfortunately Omar’s is in a bit of a sticky situation at the moment his online identity has been compromised.

Essentially someone has broken into his Hotmail account and he goes into some depth about what he is doing about it.

Now Omar is in a unique position he works for Microsoft. If he cant get to the bottom of this issue then I haven’t clue who could.

So if you keep lots of your life online in the likes of hotmail/google then I suggest you read all about his experience on the link below, just for preparedness if nothing else. Also check the comments for additional info and tips.

Link: http://www.shahine.com/omar/WhatWillYouDoWhenItHappensToYou.aspx

My tips are for your online silos

1) Keep very little online

Example: if you order goods online why not print the receipt to PDF and store the PDF on your local computer and delete the one in your online mailbox.

2) Change your password often.

Example: Use a combination of letters and numbers

3) Check your account frequently for signs of tampering

Example: an email request to reset passwords etc.

4) Be very wary of public access computers like in Internet Cafe’s for example.

If you have other helpful tips please use the comments.

I have seen the above dialogue box twice in the last week and it just creeps me out.

I cant think of any good legitimate reason a Website should have access to my local clipboard.

After doing some reading on this apparently IE7 can sometimes set this off in error and you can turn it off, however I would rather be bothered with false positives than not know what a particular Website is doing to my computer.

There are a number of Websites on the web designed specifically to try install Malware/Spyware on your computer or worse steal confidential information like usernames and passwords.

The number of these sites is growing.

In the bad old days Viruses\Malware\Spyware travelled by e-mail but in 2008 you are more likely to get hit by visiting a Website.

Tip: If you have any doubts about a particular Website, exercise caution move on and try another one.

Things to Avoid: Sites that try and install software.

The above prompt is trying to install an ActiveX Control. An ActiveX Control is like software that installs in your web browser.

Tip: In some cases you may need to install an ActiveX control to access some feature of the site but only accept those you *REALLY* need. Clicking yes  blindly to everything is asking for trouble.

On the link below is a well written but slightly old article on Malware.

Link: http://arstechnica.com/articles/paedia/malware.ars/1

One of the December 2007 security updates from Microsoft can cause IE6 to crash if you are running on Windows XP SP2.

**Update 21/12/2007: A Fix has been issued (<<Click)

From the source:-

After downloading the Internet Explorer Cumulative Security Update for December 2007, some customers using IE6 on Windows XP Service Pack 2 have experienced an unexpected crash or hang upon launching Internet Explorer.

This might occur while navigating to a website hosting considerable media content (for example: http://msn.com) resulting in Internet Explorer displaying a dialogue that states “Internet Explorer has experienced a problem and needs to close”. If you experience this issue, implement the applicable workaround provided in the following knowledge base article:

• Microsoft Knowledge Base article 946627

For your security, we strongly recommend that you deploy the Internet Explorer Cumulative Security Update for December 2007.

Terry McCoy
Program Manager
Internet Explorer Security

Link: post-install-issues-with-ms07-069-ie6-on-xpsp2.aspx

Registry Fix: http://support.microsoft.com/kb/946627

____________________

Dear Microsoft

A few things

1) If one of your updates causes problems, would it not be prudent to remove it, fix it and replace it.

2) Expecting end users to carry out a complex registry modification to fix a problem you created is beyond a joke.

3) I am confused about Terry’s Post. He says “We have known problems with MS07-069, but we recommend you install it”.

Social Comment: The blogs are wild today with how IE8 has passed the acid test

Link: Internet Explorer 8 and Acid2- A Milestone

IE8 has an installed base of zero, IE6 is still used by tens of millions. Go back to the well and fix the plumbing.

Your friend in Tech

Colin

Yesterday Alistair Darling announced that two CD’s containing the details of 25m people on the child benefit database had gone missing in October 2007.

The reason this is headline news is that based on the basic information contained on the CD’s:-

Name, Address, Date of Birth, National Insurance Number, Children’s names, their Date of Birth, Bank details like sort code and account number etc.

A semi-skilled social engineer could probably work out about 25% of the passwords used for things like banking.

Currently no one knows the location of the missing CD’s

So what should you do

1) Review any “passwords” you use based on your child’s name or date of birth.

2) Check your bank account statements regularly.

3) Beware of any communication asking for additional information about any “accounts” you may have.

Tip: There will be a wave of email and web scams on the back of this, example: “After the recent data loss we now need you to confirm x and y with us.

DO NOT GIVE OUT ANY INFORMATION TO ANYONE, PARTICULARLY ONLINE or BY EMAIL.

4) Watch your junk mail for signs on new activity like a flood of offers etc.

Here is a better fleshed out Q and A on this topic.

Link: http://news.bbc.co.uk/1/hi/uk_politics/7103828.stm

Here are some links about this story:-

http://news.google.co.uk/nwshp?oe=UTF-8&hl=en&tab=wn&ncl=1123877007

If you are confused about what identity theft is go here:-

http://www.identitytheft.org.uk/protect-yourself.htm

Stay Safe.