Pac IT Pro Members: I’m sure you will find this interesting.

Security researchers found they could remotely gain access to a vehicle’s computer using the Tire Pressure Monitoring System (TPMS). (This is the system that monitors the pressure in all the tires on your car. TPMS was optional on vehicles prior to 2008 and mandatory on vehicles from 2008 and newer.)

It turns out the TPMS data is sent to the vehicle’s computer unencrypted, and the car’s computer will accept input from any device, including ones claiming to be the TPMS pressure sensors. When the researchers rapidly sent a large number of readings, or sent nonsensical values, they found they could crash the vehicle’s computer, requiring a reboot or, in some cases, hard-crash it, requiring replacement.

The researchers found they could pick up TPMS transmissions from moving vehicles at 40 meters. Thus it would be possible to track the movement or location of a specific vehicle over a short range. It’s theoretically possible for a cyber-attacker to transmit a false low tire pressure value, resulting in the driver pulling over thinking there’s a flat, or to send values that crash the car’s computer. Taking this to extremes, a cyber-attacker could drive around the parking lot at a football/baseball game and disable thousands of cars’ computers in a matter of minutes.

The summary for this paper can be found at
http://www.usenix.org/events/sec10/tech/techAbstracts.html#Rouf
and the full paper describing how they did it can be found at
http://www.usenix.org/events/sec10/tech/full_papers/Rouf.pdf

Picture is of a speedometer/odometer hacked through the vehicle’s OBD (On-Board Diagnostic) port.

Doug

Pac IT Pros members:

A fellow member sent me info about an NPR story called “Tracking The Companies That Track You Online”. You can either read about it or download the MP3 and listen to it. Remember these are legitimate companies who are bidding for information about you. As you listen/read the story, remember there are other “companies” out there collecting personal information about you and auctioning off your personal information the same way the advertisers do.

http://www.npr.org/templates/story/story.php?storyId=129298003

What I never really thought about was how polluted our machines become with the software advertisers install on our machines to track us. And I’m sure the cyber-criminals are figuring out ways to exploit the advertisers’ tracking software to “own” your machines.

If you use IE 8, I believe (not sure) that InPrivate Browsing will prevent the advertisers from installing their tracking software on your computer. (Browsing in a VM would do the same if you don’t save the settings.)

If any of you are privacy advocates, you’re going to have a heart attack hearing this story. (But wait! Don’t have your heart attack until you read about Apple’s patent for spyware, being called “traitorware”, that they want to install on iDevices to record your picture, voice, and “heartbeat.”) As Americans we value our freedoms, including the freedom to visit Yahoo, Google, eBay and porn sites now and then without being tracked. The laws about these freedoms seem to come out only after the freedom has been lost, or don’t apply because many of these companies are outside the US and do not have to abide by American laws.

I have no answers other than to make you aware of what’s happening. The only organization I know of that’s working on “our” behalf is the Electronic Frontier Foundation, http://www.eff.org/ I know they are working on Apple’s “traitorware” patent and hopefully they are working on others.

http://www.eff.org/deeplinks/2010/08/steve-jobs-watching-you-apple-seeking-patent-0

Even if you are not concerned about our browsing freedoms, just remember there are people outside the US who are using this same technology to steal identities, confidential documents and financial information from us and the companies we do business with.

Stay informed and protect yourself and the company you work for.

Doug

Pac IT Pros members: Microsoft is offering Pac IT Pros members a 25% discount on new one-year TechNet Professional subscriptions. Use promo code TNITQ413. The offer code expires October 31, 2010.

Members with a TechNet annual subscription have access to, and can evaluate, more than 70 full versions of Microsoft software, including all versions of Windows 7 and Office 2010, without time or feature limits.

If you are an IT Pro you should have a TechNet annual subscription.

http://technet.microsoft.com/en-us/subscriptions/buy.aspx?pm=Lv:103%7Cnp:TNITQ413

Pac IT Pros members: It’s vulnerability Wednesday. Last night Microsoft released 14 bulletins covering 34 serious security vulnerabilities in Internet Explorer, Microsoft Windows, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block. Make sure you update your servers/workstations. You also might want to take a look at a security advisory warning of a new elevation-of-privilege issue in the Windows Service Isolation feature.

iPad/iPhone owners, you have a vulnerability too. At this time Apple has not released a patch. Right now the only way to patch your iDevice is to jailbreak it: the jailbreaking code uses this very vulnerability to jailbreak the phone. Once jailbroken, you can apply the non-Apple patch to secure your device. Warning: once you secure your device with the non-Apple patch you won’t be able to use the same vulnerability to jailbreak your iDevice again.

Pac IT Pros members:
Black Hat and Defcon are a few weeks away, but there’s a Windows 0-day vulnerability that I’m just getting news of that should be of interest to all of you. This 0-day has been out there for at least 10 years and may go all the way back to NT. It turns out there is a subtle error in the way the Windows shell (which displays icons, the Start bar, menus, shortcuts, etc.) parses the icons of .LNK files, or shortcuts. A researcher in Belarus found code in the wild that makes use of this exploit and is targeting Siemens SCADA (supervisory control and data acquisition) systems. While most of you do not have SCADA systems, you are indirectly affected, as these systems are used to control the power grid, oil production, nuclear power plants, wastewater treatment, fabrication and many other industrial processes.

Siemens programmers made it very easy for the malware creators to install a rootkit and take control of the SCADA systems as (are you ready for this?) they only used one hard-coded password for all customers. In Vista Microsoft did something that was supposed to make it more difficult for malware creators to install altered drivers: they required driver signing. (Remember all those Apple ads making fun of Windows for requiring approval before continuing?) Driver signing is something I’m sure you’ve complained about with Vista and Windows 7. Well, that was a good thing, as it prevents unsigned driver (.sys) files from being installed.

This would have prevented this rootkit from being installed had it not been for the fact that the drivers were signed. (This is the James Bond part.) It turns out these malware writers are not dumb. They signed their drivers using a stolen PRIVATE key from Realtek. (Oops.) Once this was discovered, Microsoft and Realtek contacted VeriSign (the issuer of Realtek’s certificates) and revoked them immediately. Microsoft has added one or more certificates to Microsoft’s Certificate Revocation List (CRL). If you’ve done Windows Update in the past week or so you should find a new CRL file has been installed.

THIS IS WHY YOU WANT TO KEEP ALL OF YOUR MACHINES PATCHED AND UP TO DATE. YOU ALWAYS WANT THE LATEST UP-TO-DATE CRL FILE.

But wait, there’s more – someone recently found almost the same exploit using a cert from JMicron Technology Group. An ESET researcher realized that JMicron and Realtek are both in the same building complex in Hsinchu, Taiwan. It has now been found that both companies’ private keys have been used to sign malware carrying the exploit. Coincidence?

This is a true zero-day exploit. (For more info, see Metasploit.) The cyber-criminals know how to use this exploit, and are. (Microsoft’s security report acknowledges this exploit.)

But wait, I have even more for you.

This exploit is being propagated by USB thumb drives, in a way reminiscent of the early Mac floppy-disk viruses, which spread just by inserting the floppy disk. Well, these guys have found they can do the same with USB thumb drives even if AutoRun is disabled. You can’t see the files because they are hidden and will not be presented by the Windows shell. (You would be able to see the code with a disk sector editor, as Sam and I showed you last meeting.) Just the act of displaying the icon of the USB key executes the malicious code and spreads the malware. This malware (worm) is spreading on the order of 9,000 machines per day, or over a quarter of a million machines per month.

Microsoft has also acknowledged that the malware can spread/infect not only by displaying .LNK files, but also through Office documents. That’s ANY Office document, including Outlook. So receiving an infected email containing one of these can compromise your system. And they also acknowledge that websites can do it too: you can now have a malicious website that will display and leverage the vulnerability in the shell. It might be ALL browsers (don’t know yet), but IE has been confirmed by Microsoft. We will know more in the weeks to come.

For now there is NOT a fix. Microsoft has posted a Fix it which makes some changes to the registry and shows some manual changes that can be made. The problem is the “FIX” will no longer display your icons and instead will display generic white rectangles, leaving you iconless. There are some registry changes and other “fixes” that can be applied, but nothing that’s a real fix.

What OSs are affected? It looks like every version of Windows going back to NT, but Microsoft is not saying; they are only commenting on supported versions, XP SP3 and newer. (Remember Windows XP SP2 is no longer a supported product, same with Windows 2000 and older.)

I’ll try to keep you posted as I get more information.

To wipe a disk all you need to do is use Microsoft’s Diskpart (included with XP and later).

Select the disk and use the command clean all. Works on all hard drives and USB sticks. This is all that is needed to wipe the disk.

http://support.microsoft.com/kb/300415
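The procedure above wrapped in a script, as an added example that is not from the original post: it refuses the disk Windows booted from, shows what is about to be erased, and then feeds select disk / clean all to diskpart from a script file. Run it from an elevated PowerShell prompt with the disk number shown by list disk; the boot-disk guard assumes Win32_DiskPartition’s BootPartition flag marks that disk.

```powershell
# Added example (not from the original post): wipe one disk with diskpart "clean all".
# Usage (elevated prompt):  .\Wipe-Disk.ps1 -DiskNumber 2
param([Parameter(Mandatory = $true)][int]$DiskNumber)

# Guard: never wipe the disk holding the partition Windows booted from.
# (Assumption: Win32_DiskPartition.BootPartition identifies that disk.)
$bootDisks = Get-WmiObject Win32_DiskPartition |
    Where-Object { $_.BootPartition } |
    ForEach-Object { $_.DiskIndex }
if ($bootDisks -contains $DiskNumber) {
    throw "Disk $DiskNumber holds the boot partition; refusing to wipe it."
}

# Show exactly what is about to be erased and require an explicit confirmation.
$target = Get-WmiObject Win32_DiskDrive | Where-Object { $_.Index -eq $DiskNumber }
if (-not $target) { throw "No disk with index $DiskNumber was found." }
Write-Host ("Disk {0}: {1} ({2:N1} GB)" -f $DiskNumber, $target.Model, ($target.Size / 1GB))
if ((Read-Host 'Type WIPE to overwrite every sector of this disk') -ne 'WIPE') { return }

# diskpart reads its commands from a script file. "clean all" zeroes every sector;
# plain "clean" would only remove the partition table and leave the data recoverable.
$scriptFile = Join-Path $env:TEMP "wipe-disk-$DiskNumber.txt"
@"
select disk $DiskNumber
clean all
"@ | Set-Content -Path $scriptFile -Encoding ASCII

try {
    diskpart.exe /s $scriptFile
    if ($LASTEXITCODE -ne 0) { throw "diskpart exited with code $LASTEXITCODE" }
    Write-Host "Disk $DiskNumber wiped."
} finally {
    Remove-Item $scriptFile -ErrorAction SilentlyContinue
}
```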

RAM – It appears MS loads the contents of the swap file into RAM, which litters the RAM with previously used data. We’ve confirmed it can contain data from 45 days ago. So a login ID used 45 days previously was found in RAM even though the computer had been in regular use. We were able to do the same with a machine Ghosted 2 years previously. We are still investigating the details.

Doug Spindler

Pac IT Pros members:

Support (including new security updates) ended July 13, 2010 for Windows XP Service Pack 2 (SP2) and Windows 2000 Server and Professional. Support ended April 13, 2010 for Windows Vista Release to Manufacturing (RTM).
I would suggest migrating to Windows 7 or to XP SP3. Just trying to keep you employed.

Pac IT Pros members: You should be aware of a zero-day exploit that affects Server 2003 and XP. (Server 2008 and Vista/Win 7 are not affected.) The fix is to disable the HCP protocol used by Help and Support Center.

The exploit allows remote code execution. The attack makes use of links on web pages or in email messages that use the hcp:// prefix rather than the normal http://. Web links are normally HTTP, but HCP links are used by the Help and Support Center (helpctr.exe) and are not as well known.

This vulnerability could allow hackers to take remote control of affected systems.

Microsoft labels this one as CRITICAL – so run Mr. Fix it today.

http://www.microsoft.com/technet/security/advisory/2219475.mspx
http://support.microsoft.com/kb/2219475
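If you would rather see what the Fix it does than run it blind, here is the same workaround as an added example, not Microsoft’s own tool: it backs up and then deletes the registry key that registers the hcp:// handler (assumed, per the advisory’s manual workaround, to be HKEY_CLASSES_ROOT\HCP), and -Restore imports the backup once a real patch is installed. Run it from an elevated prompt on XP or Server 2003.

```powershell
# Added example (not Microsoft's Fix it): unregister the hcp:// protocol handler.
# Usage:  .\Disable-Hcp.ps1          (remove handler, keep a .reg backup)
#         .\Disable-Hcp.ps1 -Restore (re-import the backup after patching)
param([switch]$Restore)

# Assumption: the hcp:// handler is registered under HKEY_CLASSES_ROOT\HCP.
$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'
$backup = Join-Path $env:SystemDrive 'hcp-protocol-backup.reg'

if ($Restore) {
    if (-not (Test-Path $backup)) { throw "No backup found at $backup" }
    reg.exe import $backup
    if (Test-Path $hcpKey) { Write-Host 'hcp:// handler restored.' }
    return
}

if (-not (Test-Path $hcpKey)) {
    Write-Host 'hcp:// handler is not registered; nothing to do.'
    return
}

# Show what the handler currently launches (typically helpctr.exe on an unpatched box).
$cmd = Get-ItemProperty -Path "$hcpKey\shell\open\command" -ErrorAction SilentlyContinue
if ($cmd) { Write-Host "Current hcp:// command: $($cmd.'(default)')" }

# Export first so the change is reversible, then delete the whole key.
reg.exe export HKCR\HCP $backup /y | Out-Null
if (-not (Test-Path $backup)) { throw 'Backup export failed; aborting before any change.' }
Remove-Item -Path $hcpKey -Recurse -Force

# Verify: hcp:// links must no longer resolve to a handler.
if (Test-Path $hcpKey) { throw 'HKCR\HCP is still present; removal failed.' }
Write-Host "hcp:// handler removed. Backup saved to $backup"
```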

Doug

Pac IT Pros members: You should be aware of an Adobe Flash zero-day exploit. This vulnerability was discovered in the wild and includes a keystroke logger. What this means is that if one of your users plays an infected Flash video/PDF, the cyber-criminal can (and has) record keystrokes for bank account logins and more. This is a huge vulnerability. It affects ALL versions of Adobe’s Flash player on ALL operating systems.

Link to Adobe’s advisory on this issue.

http://www.adobe.com/support/security/advisories/apsa10-01.html

Adobe has NOT released a fix. The best you can do is install the beta for the next version of Flash, http://labs.adobe.com/technologies/flashplayer10/

or on Windows disable the Flash player DLL by renaming it.

Just rename authplay.dll to authplay.xxx. The DLL is typically found at:

C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

When Adobe releases the fix, just install it and the new authplay.dll will be installed.
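The rename workaround as a script, added here and not Adobe’s own: it disables authplay.dll at the two paths listed above (assumed default install locations) for Reader and Acrobat 9, checks that nothing is left behind, and -Restore undoes the rename. Close Reader/Acrobat and run from an elevated prompt.

```powershell
# Added example (not Adobe's): rename authplay.dll to authplay.xxx so Reader/Acrobat 9
# cannot load the vulnerable Flash component.  -Restore reverses the change.
param([switch]$Restore)

# Assumption: default install paths from the post above.
$dlls = @(
    'C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll',
    'C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll'
)

foreach ($dll in $dlls) {
    $disabled = [System.IO.Path]::ChangeExtension($dll, '.xxx')
    if ($Restore) {
        if (Test-Path $disabled) {
            Rename-Item -Path $disabled -NewName (Split-Path $dll -Leaf)
            Write-Host "Restored: $dll"
        }
    } elseif (Test-Path $dll) {
        # Reader/Acrobat must be closed, or the rename fails with a sharing violation.
        Rename-Item -Path $dll -NewName (Split-Path $disabled -Leaf)
        Write-Host "Disabled: $dll -> $(Split-Path $disabled -Leaf)"
    } else {
        Write-Host "Not found (product not installed or already renamed): $dll"
    }
}

# Verify: after disabling, no authplay.dll may remain at either location.
if (-not $Restore) {
    $left = $dlls | Where-Object { Test-Path $_ }
    if ($left) { Write-Warning "Still present: $($left -join ', ')" }
    else { Write-Host 'authplay.dll is disabled for Reader and Acrobat 9.' }
}
```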

Other items of interest.

I picked up an Evo phone from Sprint on Friday; if you are looking at smart phones, take a look. Unlike AT&T, which is implementing a cap on data, Sprint, when on 4G, removed the cap. The phone (in my opinion) is great and I found all the apps I had on my iPhone. If you defect you can use DoubleTwist, which is free, as a replacement for iTunes.

Apple is making an announcement today at 10. It’s either going to be the new iPhone (with minor enhancements) or that iPhones will be available on Verizon. (Before buying your next iPhone, I encourage you to take a look at the Evo or other smart phones running the Android operating system.)

I’m at Microsoft’s TechEd this week; I’ll keep you posted with news from Microsoft.

Doug

Pac IT Pros members: Have you heard of KHOBE – the 8.0 earthquake for Windows? This is an update to an attack on Windows security products from several years ago. The new attack can bypass every Windows security product tested and allow malicious code to make its way onto your system. The KHOBE attack (Kernel HOok Bypassing Engine) leverages a Windows kernel structure called the System Service Descriptor Table, or SSDT, which security products hook into the Windows kernel. Unfortunately, SSDT hooking is exactly what antivirus software relies on. This attack does NOT need admin privileges. If you are running as a standard user you are susceptible.

Below is a list of software known (at this time) to be susceptible to the KHOBE attack.

  • 3D EQSecure Professional Edition 4.2
  • avast! Internet Security 5.0.462
  • AVG Internet Security 9.0.791
  • Avira Premium Security Suite 10.0.0.536
  • BitDefender Total Security 2010 13.0.20.347
  • Blink Professional 4.6.1
  • CA Internet Security Suite Plus 2010 6.0.0.272
  • Comodo Internet Security Free 4.0.138377.779
  • DefenseWall Personal Firewall 3.00
  • Dr.Web Security Space Pro 6.0.0.03100
  • ESET Smart Security 4.2.35.3
  • F-Secure Internet Security 2010 10.00 build 246
  • G DATA TotalCare 2010
  • Kaspersky Internet Security 2010 9.0.0.736
  • KingSoft Personal Firewall 9 Plus 2009.05.07.70
  • Malware Defender 2.6.0
  • McAfee Total Protection 2010 10.0.580
  • Norman Security Suite PRO 8.0
  • Norton Internet Security 2010 17.5.0.127
  • Online Armor Premium 4.0.0.35
  • Online Solutions Security Suite 1.5.14905.0
  • Outpost Security Suite Pro 6.7.3.3063.452.0726
  • Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
  • Panda Internet Security 2010 15.01.00
  • PC Tools Firewall Plus 6.0.0.88
  • PrivateFirewall 7.0.20.37
  • Security Shield 2010 13.0.16.313
  • Sophos Endpoint Security and Control 9.0.5
  • ThreatFire 4.7.0.17
  • Trend Micro Internet Security Pro 2010 17.50.1647.0000
  • Vba32 Personal 3.12.12.4
  • VIPRE Antivirus Premium 4.0.3272
  • VirusBuster Internet Security Suite 3.2
  • Webroot Internet Security Essentials 6.1.0.145

Doug Spindler