Archive for October, 2011

Update on the Zbot spot!

October 31st, 2011

Hello Internet!

I’m back to update you on our changes to Zbot in the Malicious Software Removal Tool (MSRT). We reviewed the data coming back from MSRT in September and incorporated the findings into October’s MSRT (and beyond), which means we are now in a position to provide additional information.

As I mentioned in the previous blog post, the purpose of our special Zbot September update was to glean an insight into the effectiveness of MSRT against this prolific threat. Couple that with a focus on the Zbot family and, suffice it to say, we’re pretty happy with our findings and results!

And now, onto the numbers!

Historically, and prior to the September 2011 release, MSRT consistently detected about 90% of PWS:Win32/Zbot variants in the wild. For the month of September 2011, we detected and removed PWS:Win32/Zbot from around 185,000 distinct Windows computers, a stark increase over the months beforehand, which we attribute to the additional technology added to MSRT for just such an occasion.

For October so far, we’ve removed Zbot from over 88,000 computers and we expect that number to grow to around 100,000 – again, a very good result from MSRT, illustrated in the chart below that lists October 2011 MSRT data:

MSRT Family    Threat Reports    Machines Detected
Zbot           101385            88765

These increased numbers are also likely a result of new functionality we’ve seen in Zbot recently. It seems that some variants now spread automatically via the Windows autorun functionality; this is very common with other prolific malware families, so it’s not very surprising that we’re seeing it now, although it is surprising that we hadn’t seen it before. Regarding autorun, Microsoft released a security update in February 2011 that changed its default behavior; the result was an overall decline in threats using autorun as a spreading mechanism. There is a Microsoft Knowledge Base article that discusses how to disable autorun in Windows.

October 25th marked the tenth anniversary of the release of Windows XP. And what a difference a decade makes! Consumers should upgrade to the newest operating system version in order to take advantage of the enhanced security features of Windows 7, including AppLocker, User Account Control (UAC), Data Execution Prevention (DEP) and Structured Exception Handling Overwrite Protection (SEHOP). The recently released Microsoft Security Intelligence Report volume 11 shows that the latest Windows 7, 32-bit OS is six times less likely to become infected than the comparable Windows XP SP3.

And finally a reminder, MSRT isn’t a replacement for a full antivirus solution. You’re already infected when MSRT detects malware – using a security application with real-time protection can help prevent you from becoming infected in the first place.


Matt McCormack
MMPC Melbourne

Lessons from the Field and Best Practices for Active Directory Authorization on Unified Access Gateway 2010 (UAG)

October 31st, 2011

An issue that has been experienced by many UAG customers is a situation where the UAG portal becomes unresponsive while users try to access it externally. This can also manifest itself as a slow login.

When the user clicks the ‘Log-on’ button on the portal page, UAG checks all of its ‘Authentication Repository’ settings to obtain the domain controller information and the other settings associated with them, in order to determine whether the user is authenticated. One of those settings is ‘Level of nested groups’. If this setting is not configured correctly, it can cause very slow logons and can make the UAG portal unresponsive.

Let me share a scenario with you, in which a customer reported a similar issue and how we fixed it.

Scenario:

We had an issue where the UAG Portal Page was becoming unresponsive while trying to access it externally. Restarting the UAG services would temporarily resolve it, but it would recur on subsequent logins.

Troubleshooting:

The issue manifested itself as the UserMgrCom.exe process causing a CPU spike of around 100% utilization. When we checked the Authentication Repository settings in the UAG console, we noticed the following setting:

[Screenshot: Authentication Repository settings, with Level of nested groups set to 1000]

As you can see in the above screenshot, the value of Level of nested groups was set to 1000. Ideally, this value should not be configured above 2 or 3. Group nesting relates to group authorization configured on applications on the portal. If the applications are configured to allow all users to be authorized, there is no need for any nesting. On the other hand, if groups are used for granular application authorization, then group nesting is only required if the group(s) selected for authorization are nested in (members of) another group in Active Directory. If the groups are direct user containers and not members of other groups, nesting is also not required. Setting the level of nesting to anything other than its default tells UAG to perform recursive queries on every group a user is a member of until the level of nesting is reached. This set of recursive queries is incredibly resource and time intensive, both for UAG and for the domain controllers being queried.

In this case, because the value was set as high as 1000, UAG was performing unnecessary group membership checks for users, which caused UserMgrCom.exe to spike and the portal to become unresponsive.
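The following is an added illustration, not code from the post or from the UAG product: it models the behaviour described above on a constructed directory, walking a user’s group memberships level by level (revisiting groups it has already seen, which is what makes deep levels expensive when nesting is circular) and counting the lookups issued, next to the check an administrator would run first: the smallest nesting level that actually reaches the authorization group. The Directory type, the group and user names, and the function names are assumptions of the example.

```go
package main

import "fmt"

// Directory is a constructed stand-in for Active Directory: for each user or
// group it lists the groups that object is a direct member of (memberOf).
type Directory struct {
	memberOf map[string][]string
	Queries  int // directory lookups issued so far
}

// lookup models one LDAP query against a domain controller.
func (d *Directory) lookup(obj string) []string {
	d.Queries++
	return d.memberOf[obj]
}

// ExpandGroups models the "Level of nested groups" setting as the post describes
// it: every group the user belongs to is queried for its own parent groups, level
// after level, until the configured level is reached. Groups already seen are
// queried again, so circular nesting keeps generating lookups until the limit.
func ExpandGroups(d *Directory, user string, nestingLevel int) (groups map[string]bool, queries int) {
	d.Queries = 0
	groups = map[string]bool{}
	frontier := d.lookup(user) // level 1: direct memberships
	for _, g := range frontier {
		groups[g] = true
	}
	for level := 2; level <= nestingLevel && len(frontier) > 0; level++ {
		var next []string
		for _, g := range frontier {
			for _, parent := range d.lookup(g) {
				groups[parent] = true
				next = append(next, parent)
			}
		}
		frontier = next
	}
	return groups, d.Queries
}

// RequiredNestingLevel is the check to run before touching the setting: the
// smallest level at which authGroup is reached from user (0 if it never is),
// found by a breadth-first walk that visits each group only once.
func RequiredNestingLevel(d *Directory, user, authGroup string) int {
	seen := map[string]bool{user: true}
	frontier := []string{user}
	for level := 1; len(frontier) > 0; level++ {
		var next []string
		for _, obj := range frontier {
			for _, g := range d.lookup(obj) {
				if g == authGroup {
					return level
				}
				if !seen[g] {
					seen[g] = true
					next = append(next, g)
				}
			}
		}
		frontier = next
	}
	return 0
}

// SampleDirectory is constructed test data, not taken from any real domain.
// Sales-Users and All-Staff are nested in each other, which AD permits.
func SampleDirectory() *Directory {
	return &Directory{memberOf: map[string][]string{
		"alice":       {"Sales-Users"},
		"bob":         {"UAG-Portal-Users"},
		"Sales-Users": {"All-Staff"},
		"All-Staff":   {"UAG-Portal-Users", "Sales-Users"}, // circular nesting
	}}
}

func main() {
	d := SampleDirectory()
	for _, level := range []int{1, 3, 1000} {
		groups, queries := ExpandGroups(d, "alice", level)
		fmt.Printf("level %4d: %4d queries, portal group found: %v\n",
			level, queries, groups["UAG-Portal-Users"])
	}
	fmt.Println("level alice actually needs:", RequiredNestingLevel(d, "alice", "UAG-Portal-Users"))
	fmt.Println("level bob actually needs:  ", RequiredNestingLevel(d, "bob", "UAG-Portal-Users"))
}
```

Level 1 never finds the portal group for alice (authorization would fail), level 3 finds it in three lookups, and level 1000 finds nothing more but issues 1499 lookups for that one logon.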

Author:

Nitin Singh
Security Support Escalation Engineer
Microsoft CSS Forefront Security Edge Team

Technical Reviewers:

Dan Herzog
Security Sr. Support Escalation Engineer
Microsoft CSS Forefront Security Edge Team

Ben Ben Ari
Security Sr. Support Engineer
Microsoft CSS Forefront Security Edge Team


Key Recovery vs Data Recovery Differences

October 28th, 2011

When talking to my customers, I am often asked about the differences between Key Recovery and Data Recovery for encrypted files, and which method to use. As a result, this blog post will focus on both areas, explaining the differences and best practices.

Both methods are easy to understand once you understand the Encrypting File System (EFS) process in a domain environment, including certificate enrollment and file encryption.

EFS Certificate Enrollment:

 When a user attempts to encrypt a file without having an EFS certificate the following process takes place: 

  1. The user’s registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash) is queried for an Encryption Certificate
  2. If there isn’t a default certificate, then the user store is queried for any viable certificate with the Encrypting File System object identifier (OID 1.3.6.1.4.1.311.10.3.4)
  3. If there isn’t a viable encryption certificate, then the user will request an Encrypting File System certificate based on the BasicEFS template from an Enterprise CA, or any other template superseding it.
  4. If the BasicEFS template is not available at any Enterprise CA, and any other template for EFS is not available then the computer will generate a self-signed EFS certificate. 

Note: I am not a big fan of self-signed certificates, especially when there are Enterprise Issuing CAs in a given Active Directory forest. As a result, I recommend disabling the machine’s ability to generate an EFS self-signed certificate using the hotfix for Windows XP or Windows Server 2003.

Windows Server 2008 and Windows 7 have a group policy setting that can disable the generation of an EFS self-signed certificate, simply by unchecking the option “Allow EFS to generate self-signed certificates when a certification authority is not available”.


File Encryption Process:

 Once the user has a valid Encrypting File System (EFS) certificate, then they can encrypt their files and folders following this process:

  1. The user’s computer generates a random symmetric encryption key called File Encryption Key (FEK)
  2. The computer retrieves the user’s Encrypting File System (EFS) certificate in the user store and obtains the user’s Public Key
  3. The FEK created in step one is encrypted by the user’s Public Key in step 2 

For more information about EFS encryption, refer to How EFS Works on TechNet.

Why Should I Implement Any Recovery Method?

An organization’s security policy typically lists the following reasons for allowing data or key recovery: 

  1. A user profile is deleted. When an encryption private key is stored in a user’s profile folder, the private key is lost if anyone deletes that specific profile. Many organizations use profile deletion to fix problems with user logon. For example, if the desktop fails or takes a long time to appear, many organizations prescribe deleting the user’s profile and generating a new profile. This results in deletion of the user’s private key material.
  2. A hard disk is corrupted. The corruption of a hard disk can cause users to lose access to their profiles. This can mean a total loss of access or loss of access to the private key material within the user profile.
  3. The operating system is reinstalled. When the operating system is reinstalled, access to the previous user profiles is lost, including any private keys stored in the user’s profile.
  4. A computer is stolen or lost. When a computer is stolen or lost, access to the private key material in the user profile is lost or compromised.

Note: A difference among the reasons listed, however, is that a computer theft or loss can mean the user’s private key is compromised and, therefore, the certificate associated with the private key should be revoked. There is no reason to revoke the certificate for the other reasons in this list because the user’s private key is not compromised.

Where is the File Recovery Agent role in the File Encryption Process?

If your domain has a designated File Recovery Agent certificate enrolled (also known as the Data Recovery Agent), then the computer retrieves its information from the local computer configuration (deployed through Group Policy), extracts the public key from the recovery agent’s certificate, and encrypts the File Encryption Key (FEK) with it. This is done for every Data Recovery Agent in the domain.

Where is the Key Recovery Agent Role in the File Encryption Process?

This is not a trick question; the Key Recovery Agent (KRA) certificate doesn’t come into play at all when encrypting a file or folder. The Key Recovery Agent (KRA) is enrolled using the Key Recovery Agent certificate template, and then added to the CA configuration. The Key Recovery Agent (KRA) can extract the end user’s Encrypting File System (EFS) private key and certificate from the CA’s database, which in turn can be used by the end user to decrypt their files.

When a certificate template specifies Key Archival, the private key with a certificate request must be securely transmitted from the requesting client computer to the Certification Authority for archival in the CA database. When a client requests a certificate that has Key Archival enabled, the following process takes place:

  1. The client queries the Enrollment Services container in the configuration partition of Active Directory to find an Enterprise CA
  2. The client requests the CA’s CA Exchange Certificate
  3. The client examines the received CA Exchange certificate to ensure it was signed by the CA’s signing certificate, and performs a certificate validation and revocation status check on the CA Exchange certificate
  4. The client encrypts the private key corresponding to the request using the CA Exchange certificate’s public key and sends the request to the Certification Authority
  5. The Certification Authority verifies that the encrypted private key matches the public key, and validates the signature on the request with the public key in the request to ensure the contents were not tampered with.
  6. The Certification Authority encrypts the user’s request with a random symmetric key and then encrypts the symmetric key with one or more Key Recovery Agent (KRA) public keys defined in the Certification Authority’s properties
  7. The Certification Authority saves the encrypted key BLOB, which contains the encrypted private key and the symmetric key encrypted with one or more Key Recovery Agent (KRA) public keys
  8. Lastly, the Certification Authority processes the request and issues a certificate to the requestor.  
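The following added example is not code from the post or from Windows; it is a Go model built on AES-GCM and RSA-OAEP rather than the real EFS or CA formats. It ties together the file encryption process, the Data Recovery Agent fields and the key archival steps above: the FEK is wrapped once for the owner and once for each DRA, while the KRA only ever recovers the user’s private key and never touches a file. The names EncryptFile, DecryptFile, ArchivePrivateKey, RecoverPrivateKey and the sample data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// EncryptedFile is a constructed model of an EFS-protected file (key relationships only, not the NTFS layout).
type EncryptedFile struct {
	Data []byte            // AES-256-GCM nonce || ciphertext under the per-file FEK
	DDF  map[string][]byte // Data Decryption Field: owner -> FEK wrapped with the owner's public key
	DRF  map[string][]byte // Data Recovery Fields: DRA -> FEK wrapped with that DRA's public key
}

// must turns failures that cannot happen with valid inputs into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey generates an RSA key pair for the example's user, DRA or KRA.
func NewKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// sealFresh encrypts data under a new random 256-bit key; returns key and nonce || ciphertext.
func sealFresh(data []byte) (key, blob []byte) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	must(rand.Read(key))
	must(rand.Read(nonce))
	return key, gcm(key).Seal(nonce, nonce, data, nil)
}

// unwrapAndOpen recovers the symmetric key with priv (RSA-OAEP) and opens blob; a non-matching priv fails.
func unwrapAndOpen(priv *rsa.PrivateKey, wrapped, blob []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

// EncryptFile follows the post's process: random FEK, data sealed with it, FEK
// wrapped for the owner and for every DRA currently delivered by Group Policy.
func EncryptFile(plain []byte, owner string, ownerPub *rsa.PublicKey, dras map[string]*rsa.PublicKey) *EncryptedFile {
	fek, data := sealFresh(plain)
	f := &EncryptedFile{Data: data, DDF: map[string][]byte{}, DRF: map[string][]byte{}}
	f.DDF[owner] = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, ownerPub, fek, nil))
	for name, pub := range dras {
		f.DRF[name] = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil))
	}
	return f
}

// DecryptFile works for any holder of a private key matching a wrapped FEK: the
// owner through the DDF, or a DRA through its DRF (this is data recovery).
func DecryptFile(f *EncryptedFile, holder string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := f.DDF[holder]
	if !ok {
		if wrapped, ok = f.DRF[holder]; !ok {
			return nil, fmt.Errorf("no FEK wrapped for %q", holder)
		}
	}
	return unwrapAndOpen(priv, wrapped, f.Data)
}

// ArchivePrivateKey models the CA's archival BLOB (steps 6 and 7 above): the user's
// private key sealed under a random symmetric key that is wrapped with the KRA public key.
func ArchivePrivateKey(userPriv *rsa.PrivateKey, kraPub *rsa.PublicKey) (wrappedSym, encPriv []byte) {
	sym, enc := sealFresh(x509.MarshalPKCS1PrivateKey(userPriv))
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, kraPub, sym, nil)), enc
}

// RecoverPrivateKey is key recovery: the KRA unwraps the symmetric key and the user's
// original private key comes back, so the user's normal DDF path works again.
func RecoverPrivateKey(kraPriv *rsa.PrivateKey, wrappedSym, encPriv []byte) (*rsa.PrivateKey, error) {
	der, err := unwrapAndOpen(kraPriv, wrappedSym, encPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

func main() {
	user, dra, kra := NewKey(), NewKey(), NewKey()
	wrappedSym, encPriv := ArchivePrivateKey(user, &kra.PublicKey) // at enrollment time
	f := EncryptFile([]byte("constructed sample data"), "alice", &user.PublicKey, map[string]*rsa.PublicKey{"DRA1": &dra.PublicKey})
	restored := must(RecoverPrivateKey(kra, wrappedSym, encPriv)) // key recovery
	viaKey := must(DecryptFile(f, "alice", restored))             // owner with the restored key
	viaDRA := must(DecryptFile(f, "DRA1", dra))                   // data recovery
	_, kraErr := DecryptFile(f, "KRA", kra)                       // the KRA alone holds no FEK
	fmt.Printf("key recovery: %q\ndata recovery: %q\nKRA on file: %v\n", viaKey, viaDRA, kraErr)
}
```

Note that a DRA enrolled after the file was encrypted has no DRF entry in it: as the post says below, the FEK has to be re-wrapped for the new agent by someone who can already unwrap it.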

Which Method Should I Use?

There isn’t a correct answer for this question. It all depends on your company’s policies and procedures. It is also important to note that the person or group performing Key Recovery or File Recovery should be trustworthy and held to the highest levels of scrutiny. Understanding the difference between Key Recovery and File Recovery Procedures can help you determine the correct answer to your infrastructure’s requirements.

With Key Recovery, the user’s original certificate and private key are recovered from the CA database and restored to the user’s profile. Recovery of the user’s certificate and private key allows the user to access the FEK stored in the EFS-encrypted file, returning access to the file to the user.

The major advantages for Key Recovery are: 

  1. Quick EFS decryption resolution by restoring the user’s Private Key and Certificate
  2. The data doesn’t leave the end user’s computer

The major disadvantages of Key Recovery are: 

  1. The CA has to be prepared for Key Archival and requires the enrollment of Key Recovery Agents before rolling out EFS
  2. The restore of the Private Keys might be a little complicated if the user has multiple Encrypting File System (EFS) certificates.
  3. The Certification Authority must be installed on the Enterprise or Data Center SKU of the Operating System

Data Recovery, on the other hand, allows a designated EFS Recovery Agent to decrypt all EFS-encrypted files on a computer. By default, decryption takes place wherever the private key associated with the EFS Recovery Agent certificate exists, which can be a designated recovery computer or the end user’s computer.

The major advantages of Data Recovery are: 

  1. Data Recovery Agents can be added to the File Encryption Key (FEK) after a user has already encrypted their files. This means a new Data Recovery Agent can be enrolled and added to the domain group policy, which allows the new Data Recovery Agent to recover encrypted files
  2. The Data Recovery Agent can decrypt the files for the end user
  3. Data Recovery Agents can decrypt files and folders encrypted using self-signed encryption certificates or an encryption certificate issued by an enterprise issuing CA.
  4. It doesn’t have any Certification Authority operating system pre-requisites 

The major disadvantage of Data Recovery is the recovery method itself, because the Data Recovery Agent has to decrypt the end user’s files either on premise or remotely. This can have a significant impact on data transfers from remote sites to hub sites, or vice versa because the encrypted/decrypted data has to be copied twice.

Common Misconception:

A common misconception is that the Administrator account is the Data Recovery Agent (DRA) or the Key Recovery Agent (KRA). Both recovery methods rely on the certificates (Private and Public Key Pairs) of the KRA and DRA, which means anyone who has possession of them can recover keys.  If an end user manages to possess the Data Recovery keys as an example, then they can decrypt any encrypted file in the organization. As a result, you should protect these keys, and establish a chain of custody anytime the key is used. 

Conclusion:

Encrypting File System (EFS) shouldn’t be implemented without proper planning because of the complexities of Data and Key Recovery. Make sure to understand both recovery methods before enrolling the first EFS certificate, and test recovery multiple times in a lab environment. Lastly, consider implementing both methods for extra recovery protection.

Amer F Kamal

Senior Premier Field Engineer


Share the responsibility: Microsoft on National Cyber Security Awareness Month

October 27th, 2011

Microsoft supports the efforts of the National Cyber Security Alliance (NCSA) with free resources and research about how each of us—individuals, families, schools, organizations, industry, and government—can do our part to help create a safer digital world.

Some of the resources:

Get more information about National Cyber Security Awareness Month, plus six foundational steps that you can take to help protect your information, family, devices, and online safety.

Summary for September 2010 – Version: 6.1

Revision Note: V6.1 (October 26, 2011): For MS10-070, corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
Summary: This bulletin summary lists security bulletins released for September 2010.


MS10-070 – Important : Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) – Version: 4.2

Severity Rating: Important
Revision Note: V4.2 (October 26, 2011): Corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
Summary: This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.


Summary for October 2010 – Version: 4.1

Revision Note: V4.1 (October 26, 2011): For MS10-077, corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
Summary: This bulletin summary lists security bulletins released for October 2010.


MS10-077 – Critical : Vulnerability in .NET Framework Could Allow Remote Code Execution (2160841) – Version: 3.1

Severity Rating: Critical
Revision Note: V3.1 (October 26, 2011): Corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
Summary: This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario.


Summary for October 2011 – Version: 1.1

Revision Note: V1.1 (October 26, 2011): For MS11-078, corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
Summary: This bulletin summary lists security bulletins released for October 2011.


MS11-039 – Critical : Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2514842) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (October 26, 2011): Corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
Summary: This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.


MS11-066 – Important : Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (October 26, 2011): Corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
Summary: This security update resolves a privately reported vulnerability in ASP.NET Chart controls. The vulnerability could allow information disclosure if an attacker sent a specially crafted GET request to an affected server hosting the Chart controls. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker’s user rights directly, but it could be used to retrieve information that could be used to further compromise the affected system. Only web applications using Microsoft Chart Control are affected by this issue. Default installations of the .NET Framework are not affected. This security update is rated Important for Microsoft .NET Framework 4 on all supported releases of Microsoft Windows and for Chart Control for Microsoft .NET Framework 3.5 Service Pack 1. For more information, see the subsection, Affected and Non-Affected Software, in this section.


Summary for April 2011 – Version: 6.1

Revision Note: V6.1 (October 26, 2011): For MS11-028, corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
Summary: This bulletin summary lists security bulletins released for April 2011.


Summary for August 2011 – Version: 1.2

Revision Note: V1.2 (October 26, 2011): For MS11-066 and MS11-069, corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
Summary: This bulletin summary lists security bulletins released for August 2011.


MS11-069 – Moderate : Vulnerability in .NET Framework Could Allow Information Disclosure (2567951) – Version: 1.2

Severity Rating: Moderate
Revision Note: V1.2 (October 26, 2011): Corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.
Summary: This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.


Get gamed and rue the day…

October 26th, 2011

As we discussed last week, socially engineered threats are specially crafted threats designed to lure the eye and trick the mind: they look legitimate or benign and, in the worst case, may take advantage of a trusted relationship by utilizing a compromised account or familiar website. Social engineering techniques may be used in isolation, but are often used by attackers in tandem with other types of exploit in order to achieve the attacker’s real purpose: delivering the payload. What follows is a typical example that illustrates how attackers attempt to exploit both people and systems in order to achieve their goals.

Last month, Worm:Win32/Gamarue, a bot-controlled worm, was discovered as the payload of a series of browser-hijacks and traffic redirects to malicious servers hosting and performing multiple browser-based exploit attacks.
The initial trigger event was identified as shared content, commented on a social networking site.


When users clicked on a link in a comment from a contact in order to see more information, they were first directed to another profile and then encouraged to click on another link. 


However, this second link directed affected users to malicious content that loaded a hidden iframe (detected as Exploit:JS/BlacoleRef.D, SHA1 8da25114758b2e3f454af0346ce7e716ac91c829). This iframe referenced an exploit server hosting a version of the ‘BlackHole’ exploit kit (detected as Exploit:JS/Mult.DJ, SHA1 4cba7b2385b7ee7a84992ddaf77aa6d85b72b5ce). The exploit server attempted to exploit multiple known vulnerabilities in the affected user’s browser until a successful compromise was achieved. In our example, a malicious Java applet stored within a Java Archive (.JAR) (detected as Exploit:Java/CVE-2010-0840.FK, SHA1 87800737BF703002263E3DBA680E4EE9FE9CA5B0) was observed being loaded in browsers with vulnerable versions of the Java plugin enabled. This Java vulnerability allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to the host system outside its “sandbox” environment. The final result? The installation of Worm:Win32/Gamarue.A (SHA1 427fa7d7aa1e4ee8a57516979711e11e59e51559). When it first appeared, this threat did not appear to be detected by any known scanners.


Figure 1 – Method of delivery for Worm:Win32/Gamarue.A

A code fragment of this threat suggests that it may be a new bot called “Andromeda”. Similar to known bots such as Zeus and SpyEye, Andromeda is a modularized program whose functionality can be extended and supported using plug-ins. It is also sold via an underground forum, where pricing varies depending on the version of the bot, the number of domains utilized, and the purchaser’s plug-in development requirements.

The elaborate methods used to distribute this threat suggest that, along with being mindful of illegitimate attempts to convince you to perform particular actions and keeping your software updated, your choice of browser really matters. Microsoft recently launched a new website, YourBrowserMatters.org, which ranks your browser security from 0-4 and provides information on the risks involved in continuing to use older versions.

As always, we encourage you to stay safe online.

Methusela Cebrian Ferrer

MMPC

Free answers to your security questions

October 25th, 2011

We get lots of questions about hacked email accounts, telephone scams, spyware, and viruses.

The community at Microsoft Answers might have already asked and answered your questions.

Microsoft Answers is a free forum where Microsoft engineers and security experts from all over the world answer technical and not-so-technical questions from people like you.

If you have a security or privacy question:

  1. Go to Microsoft Answers.
  2. Select Find answers in the search area and type your question, or a keyword (like an error number) in the text box.
  3. Click Search and then look through the results for your answer.


MS11-075 – Important : Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699) – Version: 1.2

Severity Rating: Important
Revision Note: V1.2 (October 25, 2011): Revised the update file names for 32-bit and x64-based editions of Windows XP and Windows Server 2003, in accordance with the schema documented in Microsoft Knowledgebase Article KB816915. This is a change to file names only. There were no changes to the detection logic or update content. Customers who have already successfully installed this update do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in the Microsoft Active Accessibility component. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, the Microsoft Active Accessibility component could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.


MS11-058 – Critical : Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) – Version: 1.2

Severity Rating: Critical
Revision Note: V1.2 (October 25, 2011): Announced a change to detection logic and corrected bulletin replacement information for some affected configurations. There were no changes to the security update files. See the Update FAQ for details.
Summary: This security update resolves two privately reported vulnerabilities in Windows DNS server. The more severe of these vulnerabilities could allow remote code execution if an attacker registers a domain, creates an NAPTR DNS resource record, and then sends a specially crafted NAPTR query to the target DNS server. Servers that do not have the DNS role enabled are not at risk.


There’s more than one way to skin an orange…

October 21st, 2011

When it comes to attacking a system, and compromising its data and/or resources, there are several different methods that an attacker can choose. One of the more effective ways to make a successful compromise is to take advantage of perceived vulnerabilities in the targeted system. A vulnerability refers to a characteristic of a system that renders it susceptible to some form of attack. Kind of like a weakness, but a weakness that does not necessarily indicate a problem with the system’s design.

Vulnerabilities may be present in any component of the targeted system. You can have vulnerabilities in the hardware that supports the system, or vulnerabilities in the software that runs on the system, but you can also have vulnerabilities that occur as people use the system, or in the people themselves. People, both literally and figuratively, can be soft targets, and attackers often try to compromise systems by attempting to exploit how people behave.

This type of attack is known as social engineering. Essentially, in social engineering, attackers attempt to exploit vulnerabilities in human behavior in order to make the victim being targeted act in a manner of the attacker’s choosing, even though that is unlikely to be in the victim’s best interest. So rather than exploiting vulnerabilities in hardware or software, social engineering attempts to exploit vulnerabilities in the ‘wetware’ (i.e. the people).

Examples of social engineering techniques used by malware for distribution or other purposes can range from the simple yet effective ("Install this codec in order to watch this amusing video"), to the elaborate and complex (most Rogue security software), to the targeted (by taking advantage of existing trust relationships using specially compromised accounts or services).

So, you can upgrade your hardware and update your software (and we absolutely recommend that you do), but how do you upgrade/update people to make them less vulnerable to attack? It’s a classic question in computer security but there are measures you can take that will make the people in your organization less likely to be compromised in this manner.

The latest issue of the Microsoft Security Intelligence Report (SIRv11) contains detailed advice for IT professionals and organizations on how to limit exposure to social engineering attacks. The section ‘Advice to IT Professionals on Social Engineering’ (p42) provides a number of tangible steps that can be taken to protect an organization from this most nefarious of attacks.

Highly recommended reading for any organizations that contain people…

Heather Goudey
MMPC Melbourne

Find your lost or stolen Windows Phone

October 20th, 2011

You probably already know how to help keep your personal information safe on the Internet. But what about everything that’s stored on your smart phone?

If your Windows Phone is stolen or if you lose it, you can make your phone ring, you can lock it, erase the contents, or show your phone on a map from any Internet-connected computer. This feature can help you recover the phone or at least prevent someone from accessing the personal information on it.

More information about the Windows Phone Find My Phone feature.

Learn other ways to secure your smart phone.