Tuesday Fun With Microsoft

Windows, the software of perpetual patching. This installment is fairly large.

Microsoft Fixes Internet Explorer, Windows Flaws in October Patch Tuesday

Microsoft fixed 23 vulnerabilities across eight security bulletins as part of its October Patch Tuesday release.

October’s Patch Tuesday release resolved issues in Internet Explorer versions 6 through 9, all versions of Microsoft Windows from XP through 7, .NET and Silverlight, Microsoft Forefront Unified Access Gateway and Host Integration Server, Microsoft said Oct. 11. Two of the patches are rated “critical,” and six are rated “important,” Microsoft said.

See also:
Microsoft Security Bulletin MS11-082 – Important
Microsoft Security Bulletin MS11-081 – Critical
Microsoft Security Bulletin MS11-080 – Important
Microsoft Security Bulletin MS11-079 – Important
Microsoft Security Bulletin MS11-078 – Critical
Microsoft Security Bulletin MS11-077 – Important
Microsoft Security Bulletin MS11-076 – Important
Microsoft Security Bulletin MS11-075 – Important
Microsoft’s October 2011 Patch Tuesday fixes 23 flaws, releases SIRv11
MS wipes out 23 flaws in October’s Patch Tuesday
Patch Internet Explorer Now
23 vulnerabilities squashed by Microsoft’s Patch Tuesday effort
Microsoft Update

So, get busy and happy patching!

/until the next time Microsoft releases patches to make its software suck less . . .

Super Bot

This sure looks like a nasty piece of work.

Massive botnet ‘indestructible,’ say researchers

A new and improved botnet that has infected more than four million PCs is “practically indestructible,” security researchers say.

“TDL-4,” the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is “the most sophisticated threat today,” said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.

“[TDL-4] is practically indestructible,” Golovanov said.

. . .

TDL-4 infects the MBR, or master boot record, of the PC with a rootkit — malware that hides by subverting the operating system. The master boot record is the first sector — sector 0 — of the hard drive, where code is stored to bootstrap the operating system after the computer’s BIOS does its start-up checks.

Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code.

But that’s not TDL-4’s secret weapon.

What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

See also:
TDL4 – Top Bot
Sophisticated TDL-4 Botnet Has 4.5 Million Infected Zombies
‘Indestructible’ rootkit enslaves 4.5m PCs in 3 months
TDL-4 creates 4.5 million PC ‘indestructible’ botnet
Security Researchers Discover the Mother of All Botnets
TDL-4: The ‘indestructible’ botnet?
There’s a Botnet Called TDL-4 That’s Virtually Indestructable
‘Indestructible’ Botnet Enslaves 4.5 Million PCs
‘Indestructible’ Zombie PC Botnet Borrows Exploit From Israeli, U.S. Cyberweapon
Have cybercriminals created the perfect botnet — undetectable and indestructible?
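Because the article above hinges on sector 0 being modified beneath the operating system, here is an added defender-side example (not from the article or from Kaspersky) that parses a 512-byte MBR image, validates the 0x55AA signature and partition table, and compares the 446-byte bootstrap code against a known-good SHA-256 baseline; the sample sector and its tampered copy are constructed inline, and on a real machine the sector would be read from the raw disk device from trusted boot media, since a rootkit active in the running OS can hide its own changes from disk reads.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a sector-0 image into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }

def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; partition edits do not change it."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from known-good baseline")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code plus one bootable NTFS partition."""
    boot_code = b"\xEB\x3C\x90" + b"\x90" * (BOOT_CODE_LEN - 3)  # jmp + NOP stand-in
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * 48  # remaining three slots unused
    return boot_code + table + BOOT_SIGNATURE

CLEAN_MBR = build_sample_mbr()
BASELINE = boot_code_digest(CLEAN_MBR)  # recorded when the disk was known clean

# Simulated modification of the bootstrap code (arbitrary bytes, not real bootkit code).
_tampered = bytearray(CLEAN_MBR)
_tampered[0x10:0x14] = b"\xDE\xAD\xBE\xEF"
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # boot code differs
```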

If you ever needed a reason and reminder to keep your operating system, anti-virus, and anti-spyware software patched and up to date, this would be a good one.

/remember, if you’re not part of the solution, you’re potentially part of the problem

Aid And Comfort To The Enemy

Let’s see, China launches cyberattacks and conducts internet espionage against the United States 24/7/365 and our U.S. Department of Homeland Security is warning China about their vulnerabilities? WTF?

China’s Infrastructure Vulnerable to Cyber Attack

Software widely used in China to help run weapons systems, utilities and chemical plants has bugs that hackers could exploit to damage public infrastructure, according to the Department of Homeland Security.

The department issued an advisory on Thursday warning of vulnerabilities in software applications from Beijing-based Sunway ForceControl Technology Co that hackers could exploit to launch attacks on critical infrastructure.

See also:
SCADA Vulnerabilities Patched in Two Industrial Control Software from China
Chinese Weapon Systems Vulnerable To SCADA Hack
US warns China software risk to public infrastructure
US Warns of Problems in Chinese SCADA Software
Software bugs discovered in Chinese-made applications
China’s weapons systems have exploitable software bugs
Department Of Homeland Security Cites China Vulnerability
Exclusive: China software bug makes infrastructure vulnerable
US reveals Stuxnet-style vuln in Chinese SCADA ‘ware
Critical vulnerability in industrial control software

China is not our friend; why are we feeding the hand that bites us? Why aren’t we keeping these discovered Chinese vulnerabilities to ourselves in case we might actually need to use them in the event of escalated hostilities with China?

/and just when did the DHS become the CDHS, Chinese Department of Homeland Security, protecting the homeland of a hostile country?

Life, Liberty, And The Pursuit Of Free Internet Porn

Are you kidding me, internet access is a basic human right? Of course, as long as you have a basic human right to internet access, it follows that you also have a basic human right to a computer, modem, internet service, and hey, you’re going to need a place to plug in and the electricity to make it all work. Can’t afford all that? No problem, it’s a basic human right, demand it all free from your government and, if they can’t or won’t provide it, drag them before the U.N. Human Rights Council for human rights violations!

UN report: Internet access is a basic human right

Access to the Internet, especially during times of political unrest, is a basic human right, says a report released by the United Nations today.

“Facilitating access to the Internet for all individuals, with as little restriction to online content as possible, should be a priority for all States,” says the report, published on May 16 by Frank La Rue, a “special rapporteur” for the UN’s Human Rights Council.

. . .

The report urges states to avoid or amend any laws that “permit users to be disconnected from Internet access.”

. . .

The UN report defines Internet access to include both free information flow as well as access to infrastructure, “such as cables, modems, computers and software, to access the Internet in the first place.”

Read the report:

Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue

See also:
Internet should remain as open as possible – UN expert on freedom of expression
United Nations report: Internet access is a human right
UN Declares Internet Access As A Human Right
UN Report: Internet access a human right
United Nations Declares Internet Access a Basic Human Right
United Nations Claims Internet Blackouts Violate Human Rights
UN: Disconnecting File-Sharers Breaches Human Rights
Filesharing laws ‘breach human rights’
United Nations High Commissioner for Human Rights (OHCHR)

And make no mistake, when the report mentions “with as little restriction to online content as possible”, that’s a direct shot at copyright holders and any governmental efforts to protect copyright or otherwise filter internet content. You see, no matter how prurient, vile, subversive, inflammatory, inaccurate, untruthful, or proprietary it is, information and intellectual property just want to be free! It’s a basic human right, damn it!

/so remember boys and girls, if you don’t have access to free internet porn, demand it, along with all the equipment and infrastructure needed to enjoy yourself, it’s your basic human right!

The New Laptop Is Here!

The laptop itself is awesome! Wrangling the software into submission is another awful matter entirely; Windows 7 64-bit does not play very nicely with my familiar, well-broken-in, just-the-way-I-like-it, optimized XP world.

/this is going to be a long, hard slog, loud, intense, and sustained swearing is expected to ensue, hopefully I’ll be able to physically restrain myself from striking or otherwise damaging expensive computer hardware

Do You Know Who Your Facebook Friends Are?

How creepy is this?

Army of fake social media friends to promote propaganda

It’s recently been revealed that the U.S. government contracted HBGary Federal for the development of software which could create multiple fake social media profiles to manipulate and sway public opinion on controversial issues by promoting propaganda. It could also be used as surveillance to find public opinions with points of view the powers-that-be didn’t like. It could then potentially have their “fake” people run smear campaigns against those “real” people. As disturbing as this is, it’s not really new for U.S. intelligence or private intelligence firms to do the dirty work behind closed doors.

See also:
Persona Management Software
Gaming Social Networks for Influence and Propaganda
U.S. Gov’t Software Creates ‘Fake People’ to Spread Message via Social Networking
US Gov. Software Creates ‘Fake People’ on Social Networks to Promote Propaganda
So, Why Does the Air Force Want Hundreds of Fake Online Identities on Social Media? [Update]
Revealed: Air Force ordered software to manage army of fake virtual people
More HBGary Federal Fallout: The Government Wants To Buy Software To Fake Online Grassroots Social Media Campaigns
Why Is the Military Creating an Army of Fake People on the Internet?
HBGary :: Detect. Diagnose. Respond
hbgaryfederal.com is offline

Well, at least now we know where all the “supposed” support for the malignant travesty that is Obamacare is coming from, fake people with fake opinions.

/seriously, do you trust the Obama administration and Democrats in general with software like this?

New Year, More Patches

Same as it ever was, what fun would Tuesdays be without Microsoft issuing software patches?

Microsoft Fixes Windows Security Vulnerabilities in Light Patch Tuesday

Microsoft issued two security bulletins to fix three Windows vulnerabilities, getting Patch Tuesday off to a slow start in 2011.

Only one of the bulletins is rated “critical.” That bulletin, MS11-002, covers two vulnerabilities affecting Microsoft Data Access Components. The first of the bugs exists in the way MDAC (Microsoft Data Access Components) validates third-party API usage. The second is due to the way MDAC validates memory allocation. According to Microsoft, both vulnerabilities could be exploited via a specially crafted Web page to allow an attacker to remotely execute code.

See also:
Microsoft Security Bulletin Summary for January 2011
It’s Microsoft Patch Tuesday: January 2011
Microsoft Patches 3 Windows Vulnerabilities
Microsoft patches critical Windows drive-by bug
Patch Tuesday: Microsoft plugs ‘drive-by download’ security holes
Microsoft’s January Patch Tuesday: 3 fixes but 5 holes unpatched
Two bulletins from Microsoft on its first Patch Tuesday of 2011 but Internet Explorer zero-day remains uncovered
Microsoft ‘Patch Tuesday’ Doesn’t Address Problem
Microsoft Patch Tuesday Update – 11th January 2011
Microsoft Patch Tuesday Hits One Critical Bug
Windows Update

And, once again, Microsoft patches some holes but leaves others uncovered.

/so, I guess we’ll be doing this again in the near future

It Must Be Tuesday Again

Because Microsoft comes bearing gifts.

Patch Tuesday: Critical security holes in Microsoft Office

Microsoft has shipped a patch to fix several critical security holes affecting its Office productivity suite and warned that hackers can use RTF (Rich Text Format) e-mails to launch code execution attacks.

The MS10-087 bulletin, which is considered a high-priority update, patches a total of 5 documented vulnerabilities affecting all currently supported Microsoft Office products.

It is rated critical for Office 2007 and Office 2010 because of a preview pane vector in Microsoft Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF file, the company explained.

The update also patches the DLL load hijacking attack vector that haunted multiple Windows applications, including Microsoft’s own Office software.

Microsoft urges Office users to consider this a “top priority bulletin” and warned that reliable exploit code is likely within the next 30 days.

As part of the November Patch Tuesday release, the company also patched a pair of security flaws in Microsoft PowerPoint and four documented flaws in Unified Access Gateway (UAG), which is a component of Microsoft Forefront.

See also:
Microsoft Security Bulletin MS10-087 – Critical
Microsoft Office Takes Center Stage for Patch Tuesday
Small, But Serious Patch Tuesday
Microsoft Patch Tuesday: Updates for Office and Forefront
Microsoft patches critical Outlook drive-by bug
Microsoft plugs hole related to Word-launched e-mails
Microsoft Patch Tuesday Update Will Not Fix IE Flaw
IE zero-day vulnerability not part of light Patch Tuesday
Microsoft tiny Patch Tuesday has no IE fix
Microsoft’s Patch Tuesday for November does not include a fix for a zero-day flaw in Internet Explorer
Windows Update

Well, apparently Microsoft didn’t quite get to fixing everything that’s wrong with their software this time around, but you had better install the patch anyway.

/so, until next time, and you know there will be a next time . . .

Typical Government Efficiency

And remember, this is the FBI, they’re on our first line of defense against terrorism.

Audit Cites FBI Technology Problems

The Federal Bureau of Investigation’s struggles with technology are expected to continue to eat up millions of dollars and still leave agents and analysts wanting for a seamless electronic system to manage investigations, according to a federal audit released Wednesday.

Justice Department Inspector General Glenn Fine said the FBI has already spent $405 million of the $451 million budgeted for its new Sentinel case-management system, but the system, as of September, was two years behind schedule and $100 million over budget.

Thomas Harrington, FBI associate deputy director, said the audit uses an outdated and “inflated cost estimate” that is “based on a worst-case scenario for a plan that we are no longer using.”

The FBI’s technology problems aren’t new, but they have potential consequences for the bureau’s efforts to prevent terrorist attacks, particularly at a time when the domestic terrorist threat is growing.

The Sept. 11, 2001, attacks exposed the FBI’s troubles with information sharing, and the bureau accelerated plans to replace its unwieldy case-management system with new software.

That technology project was called Trilogy and was supposed to deliver software called Virtual Case File that was to help FBI agents share investigative documents electronically. The inspector general called the project a fiasco and said the FBI and its contractors wasted $170 million and three years.

FBI Director Robert Mueller canceled Virtual Case File in 2005 and started a new project called Sentinel to be completed in 2009.

The system is supposed to provide agents and analysts with a secure Web-based system to search and manage evidence and get approvals for documents.

According to Mr. Fine’s audit, the system is still far from completion.

In July 2010, the FBI issued a stop-work order to contractor Lockheed Martin Corp. and decided to take over management of the completion of Sentinel.

FBI officials now say they can complete the system by September 2011, with additional spending of $20 million, according to the audit.

Mr. Fine found cause to doubt those estimates. He cited a review conducted by Mitre, a research group that is funded by the federal government, that estimates it will cost another $351 million to complete the system.

Read the report:

Status of the Federal Bureau of Investigation’s Implementation of the Sentinel Project, Audit Report 11-01, October 2010

See also:
FBI Sentinel project is over budget and behind schedule, say IG auditors
FBI behind schedule, over budget on computer system
Report sharply critical of delays, costs of FBI case management system
IG report hits FBI Sentinel program
FBI Computer System Behind Schedule, Over Budget After $405 Million Spent
FBI computer system years late and way over budget
More Computer Woes at FBI, New System Late Over Budget
IG: FBI’s Sentinel program still off-track, over budget
FBI’s computer woes continue, auditors say
Report: FBI case management system still falls short
FBI’s Sentinel project $100 million over budget, 2 years behind schedule
Report Finds FBI Computer System Over Budget, Behind Schedule

Are you telling me that it takes more than five years and over a half billion dollars to design a case management system and it’s still not finished? And why is Lockheed Martin designing the software, when did they become known as software designers? Even Microsoft, as crappy as they are, could have probably put out a product that works in less time and for less money.

/if this FBI computer system disaster is an example of how the U.S. government operates in this arena, I can only shudder to think what will happen and how much it’ll cost when they decide to upgrade the homeland security and military computer networks

Let’s Play ATM Or Slot Machine?

Barnaby Jack is at it again.

Researcher Demonstrates ATM ‘Jackpotting’ at Black Hat Conference

In a city filled with slot machines spilling jackpots, it was a “jackpotted” ATM machine that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that allowed him to program them to spew out dozens of crisp bills.

The demonstration was greeted with hoots and applause.

In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required he open the front panel and plug in a USB stick loaded with malware.

Jack, director of security research at IOActive Labs, focused his hack research on standalone and hole-in-the-wall ATMs — the kind installed in retail outlets and restaurants. He did not rule out that bank ATMs could have similar vulnerabilities, though he hasn’t yet examined them.

The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system’s remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.

Tranax’s remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.

To conduct the remote hack, an attacker would need to know an ATM’s Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.

The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.

Both the Triton and Tranax ATMs run on Windows CE.

Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax’s remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.

Scrooge lurks on the ATM quietly in the background until someone wakes it up in person. It can be initiated in two ways — either through a touch-sequence entered on the ATM’s keypad or by inserting a special control card. Both methods activate a hidden menu that allows the attacker to spew out money from the machine or print receipts. Scrooge will also capture track data embedded in bank cards inserted into the ATM by other users.

To demonstrate, Jack punched the keys on the keypad to call up the menu, then instructed the machine to spit out 50 bills from one of four cassettes. The screen lit up with the word “Jackpot!” as the bills came flying out the front.

To hack the Triton, he used a key to open the machine’s front panel, then connected a USB stick containing his malware. The ATM uses a uniform lock on all of its systems — the kind used on filing cabinets — that can be opened with a $10 key available on the web. The same key opens every Triton ATM.

Two Triton representatives said at a press conference after the presentation that its customers preferred a single lock on systems so they could easily manage fleets of machines without requiring numerous keys. But they said Triton offers a lock upgrade kit to customers who request it — the upgraded lock is a Medeco pick-resistant, high-security lock.

. . .

Jack said that so far he’s examined ATMs made by four manufacturers and all of them have vulnerabilities. “Every ATM I’ve looked at allows that ‘game over.’ I’m four for four,” he said at the press conference. He wouldn’t discuss the vulnerabilities in the two ATMs not attacked on Wednesday because he said his previous employer, Juniper Networks, owns that research.

Jack said his aim in demonstrating the hacks is to get people to look more closely at the security of systems that are presumed to be locked down and impenetrable.

See also:
Bunker-busting ATM attacks show security holes
Hacker breaks into ATMs, dispenses cash remotely
Security researcher demonstrates ATM hacking
Black Hat: Hacker Tricks ATMs Into Raining Cash
Researcher shows how to hack ATMs with “Dillinger” tool
Armed with exploits, ATM hacker hits the jackpot
Powered By Microsoft Windows
IOActive Labs
Tranax Technologies
Triton Systems

All your ATMs are belong to Barnaby Jack!

/I’ll bet Barnaby is really well paid and gets plenty of job offers from the Black Hats as well as the White Hats