Fatma Bazargan’s blog


Long live the union of our Emirates
November 30, 2008, 8:02 pm
Filed under: Blogging


We extend our highest congratulations and blessings to

His Highness Sheikh
Khalifa bin Zayed Al Nahyan
President of the United Arab Emirates – may God protect and preserve him

and to His Highness Sheikh
Mohammed bin Rashid Al Maktoum
Vice President – Prime Minister – Ruler of Dubai – may God protect and preserve him

and to their brothers, Their Highnesses the Sheikhs,
Members of the Supreme Council of the Union, Rulers of the Emirates – may God protect and preserve them

and to the people of the United Arab Emirates
on the occasion of the 37th National Day.

May God always bring it back to the United Arab Emirates, government and people, with blessings, goodness and prosperity.

And many happy returns..

Regards,
Fatma Bazargan


This week’s interesting reads!
November 25, 2008, 8:50 pm
Filed under: Security

This week I enjoyed reading some infosec articles that were very thoughtful, and I thought I would share them with you.

Incident Response (IR) Preparedness by Keydet89 (24th Nov): the entire article gives great insight, but the way he describes due diligence, the cost of incident unpreparedness and the overall selling of the IR concept to management is thoughtful enough for every organization to act upon now. He states:

“Take for example the reason of “due diligence”. It occurs to me that if someone were really interested in performing due diligence, they would’ve called me before the incident occurred, to ensure that they were prepared to handle an incident. Closing the barn door and shutting the stall doors after the horse has left is not “due diligence”.”

“Something very important to remember about regulatory requirements is that in many cases, unless you’re able to definitively identify the data that was exposed, you may have to notify on ALL data that could potentially have been exposed. So, if the database containing 6 million records was compromised, and you were not prepared for an incident, and you think that only 23,000 records were exposed…but you don’t know for sure…guess how many people you’re going to have to notify? You get three guesses, and the first two don’t count.”

“Benefits of Incident Preparedness
Compliance – with legislative and regulatory requirements
Lower overall cost – the upfront cost of doing nothing is…nothing; in the long run, however, costs mount.
Confidence – from your Board of Directors and the consumer (b/c you’re demonstrating “due diligence”)

As long as we use IT assets to conduct business, and as long as people are part of the process, there will always be a need for incident response. Incidents are always going to occur, without question. The difference today (and tomorrow) is if you’re going to be prepared for an incident…or not.”

One of my daily blogroll reads is the SANS Forensics, Investigations and Response blog – for those who are interested in Cisco Router Forensics, you can find more insight here.

Last one for the day is a security book review that I read just today on RaDaJo; the book is by Johnny Long and is called “Google Hacking for Penetration Testers – VOLUME 2”, and the review is by Raul Siles. I have gone through vol. 1 of the same and it’s a book to have, but till my vol. 2 gets shipped, all I have to do is wait.

Enjoy the read.

Fatma



Autorun-Based Malware: Detection, Prevention and Cure
November 24, 2008, 10:15 am
Filed under: Security

I’m sure most of the InfoSec folks are aware of the autorun.inf malware that was so popular in late 2007, when it was noticed that many of the removable data storage devices being purchased, such as pen drives, CDs, USB sticks, iPods, etc., were shipped with the autorun.inf malware already on them.

In a recent news article the US Strategic Commander banned the use of removable data storage devices within the military, ranging from USB sticks to floppy disks, in order to stop the propagation of the autorun.inf malware within the network. Although I think we would all agree that taking the right steps to prevent this kind of infection is better than banning the use of a whole technology!

I simply see the autorun.inf malware as an interestingly smart piece of malware, as it has some of the most interesting characteristics:

  • First of all, the person who crafted it is completely aware that removable drives are widely used, so the malware will infect as much of the user community as possible.
  • One of its many characteristics is that the autorun.inf malware spreads by copying itself into the root directory of all the hard drives on your local computer and onto removable data storage devices such as thumb drives and the cables that connect to your mobile, iPod, etc.
  • It then creates an autorun.inf file in the root directory of all the hard drives and the removable data storage devices.
  • Interestingly enough, if the computer infected with the autorun.inf malware has a shared network drive, “guess what!”, the autorun.inf malware infects the shared network drive and propagates from there to the rest of the computers on the network. “I actually love this part! – Try it in the Lab, you’ll see wonders of propagation!” :)
  • More to come: it not only has the functionality of spreading, but it also helps in propagating malicious payloads such as a backdoor or a password stealer. “Nasty!”

So.. how can you detect and prevent the autorun.inf malware?

  • On a technical note, you can prevent it by disabling the AutoRun feature in Windows on your personal workstation through the Registry Editor: copy and paste the lines below into Notepad, save the file as NoAutoRun.reg on the desktop, then right-click it and select Merge. (The key is under “Windows NT”, with a space, and a .reg file needs the version header on its first line to merge.)

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

  • or disable it through the Domain Policy Editor in Active Directory for your organization.
  • alternatively, you can simply create a folder named autorun.inf in each of the root directories, so the malware cannot drop its own file there. How?
    • WinKey + R → CMD → CD\ → MD C:\autorun.inf → do the same for all your drives, and don’t forget all the connected media such as USB sticks, etc. Now the interesting part: if you fail to create the autorun.inf folder on any of the drives, then most probably you are already infected. :(
  • on a more educational and awareness note of prevention: be an InfoSec Awareness Agent and spread the word to your family, friends, colleagues and workmates about the best way to use removable drives and the safe steps to secure your personal workstation from being infected with the autorun.inf malware.

So.. how can you clean the infection from the autorun.inf malware? (This will not fully work for all the different autorun.inf malware variants, but the below is a fairly generic procedure.)

  • Restart your computer into Safe Mode with Command Prompt (F8), then type
  • CD\ → dir /ah → type autorun.inf (here you will see the .exe carrier that the autorun.inf file points at – note it down)
  • then type → ATTRIB -H -R -S autorun.inf → DEL autorun.inf (this unhides the file and then lets you delete it)
  • Repeat this for all the other connected drives.
  • Now, to make sure the carrier of the autorun.inf file will not run when you start up again, you need to disable it: go to
  • the command prompt and type → MSCONFIG → you will see the System Configuration Utility
  • Once you spot the suspected .exe carrier, UNCHECK it → this disables it so it will not run again at startup;
  • Finally, when recovering from such “devastative-propagative-nasty-malware” I usually reinstall the antivirus program from scratch and update it; you never know what effect the nasty malware had on the poor anti-virus!
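To give the detection and clean-up steps above a checkable form, here is an added Python example (mine, not the post’s): it parses the [autorun] section of an autorun.inf to read off the carrier executable named by open=, shellexecute= or shell\...\command= (what “type autorun.inf” lets you see by eye), and classifies a drive root as clean, vaccinated (autorun.inf is a folder, as the MD trick creates) or carrying a live autorun.inf. The sample autorun.inf and the throwaway “drive roots” are constructed for the demo.

```python
import os
import re
import tempfile

# [autorun] keys that name a program: open, shellexecute, shell\<verb>\command.
EXEC_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Constructed sample of a worm-dropped autorun.inf (not a real capture).
SAMPLE = """[AutoRun]
open=RECYCLER\\setup.exe
shell\\open\\Command=RECYCLER\\setup.exe
shellexecute="RECYCLER\\setup.exe" /autorun
"""

def parse_autorun(text):
    """Distinct programs the [autorun] section asks Windows to launch."""
    carriers, in_autorun = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (s.strip() for s in line.split("=", 1))
            if EXEC_KEY_RE.match(key):
                # First token of the command line: a quoted path or the first word.
                prog = value[1:value.find('"', 1)] if value.startswith('"') else (value.split() or [""])[0]
                if prog and prog.lower() not in (c.lower() for c in carriers):
                    carriers.append(prog)
    return carriers

def drive_root_status(root):
    """'absent', 'vaccinated' (autorun.inf is a folder) or 'file' plus its carriers."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "vaccinated", []   # what the MD X:\autorun.inf trick creates
    if not os.path.isfile(path):
        return "absent", []
    with open(path, encoding="latin-1") as fh:
        return "file", parse_autorun(fh.read())

def demo_statuses():
    """Classify three throwaway 'drive roots' (clean, vaccinated, infected)."""
    out = {}
    with tempfile.TemporaryDirectory() as base:
        for name in ("clean", "vaccinated", "infected"):
            root = os.path.join(base, name)
            os.makedirs(os.path.join(root, "autorun.inf") if name == "vaccinated" else root)
            if name == "infected":
                with open(os.path.join(root, "autorun.inf"), "w", encoding="latin-1") as fh:
                    fh.write(SAMPLE)
            out[name] = drive_root_status(root)
    return out
```

On a real machine you would call drive_root_status on each drive root (C:\, the USB stick, the mapped share) and note the carrier it returns before running ATTRIB and DEL.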

Safe USB’ng;

Fatma Bazargan



Hackers penetrate the IMF Computer Systems
November 16, 2008, 7:14 pm
Filed under: Security

Fox News reported that in October a bunch of hackers penetrated the International Monetary Fund (IMF) based in Washington, DC – an institution that offers emergency financial aid to countries faced with balance-of-payments problems. The hackers forced a shutdown of IMF computers that lasted several days!

Although an intrusion took place, the IMF denies that any critical financial information was affected or leaked.

What the IMF intrusion shows is that the physical wiring of the world’s financial systems is increasingly vulnerable and getting worse, and that the financial sector as such is heavily targeted by intruders.

IMF officials fixed their computer systems early this month, after they discovered spyware that was quickly spreading through the institution’s high-security computer system!

Despite the Chinese denials, “everyone in the intelligence community knows that China is the biggest player in cyber espionage,” says John Tkacik, a former head of China intelligence for the US State Department.

British Intelligence believes that China uses the information it finds for geopolitical awareness about the current global financial crisis…

“What the Chinese are particularly interested in at the IMF is what loans the IMF is likely to give to other countries,” says Nick Day, a former British intelligence officer who runs Diligence, a private investigative firm that does extensive work for many international corporations and institutions. “The geopolitics of this is that essentially you’ve got a few countries in the world that are stacked on huge foreign capital reserves — Russia, China, Japan, the Middle East — and the rest of us are pretty much borrowers to those lenders.”

Read the complete story


Rogue Anti-Virus Programs – Win32/FakeSecSen
November 13, 2008, 9:48 am
Filed under: Security

I’m sure lately most of you have heard about Win32/FakeSecSen; it’s a nasty program that claims to scan for malware and displays fake warnings of malicious programs, viruses and Trojans. After the so-called scan, which never actually took place, it uses FUD (Fear, Uncertainty and Doubt) to pressure the victim into paying in order to clean an infection by threats that do not exist!

The different forms of Win32/FakeSecSen programs are: Micro AV 2009, MS Antivirus, Spyware Preventer, Vista Antivirus 2008, Advanced Antivirus, System Antivirus 2008, Ultimate Antivirus 2008, Windows Antivirus, XPert Antivirus, Power Antivirus and Ultra Antivirus 2009, among others. (Note: get familiar with these names.)

Win32/FakeSecSen installs six different files. So for example if you use the ‘Micro AV’ program, FakeSecSen installs these files:

  1. Microav.exe: the actual executable file, which consists of the interface, an icon in the system tray and the infection pop-up warnings;
  2. Microav.cpl: the control panel applet, which adds an entry to the control panel; if you run it, it launches the actual executable file (i.e. microav.exe). (Note: it looks exactly like the Microsoft Security Center icon.)
  3. Microav0.dat and Microav1.dat: the files that contain the “malware” information to report to the user. (Note: bear in mind that there is no actual scanning happening, as all the entries that are reported are fetched from these DAT files.)
  4. Microav.ooo: a harmless file; and
  5. Microantivirus.lnk: the fancy desktop shortcut pointing to the actual executable file.

Users can notice these files under their Program Files directory, and there are some registry entries added to start the program at system start.

Pass on the word: always use a real anti-malware program, and to check whether one is legitimate visit Virus Bulletin or AV-Test.

Check out the latest AV-Test release results. Interesting stats.

be safe online..

Fatma



SecureDubai presented by (ISC)2 on 4 Dec 2008
November 13, 2008, 9:41 am
Filed under: Security

For the first time ever (ISC)2 is bringing its expertise to Dubai at SecureDubai on 4 Dec 2008. This one-day conference will be themed around Emerging Threats.

It will start with a keynote from Lance Spitzner, CEO of HoneyTech, and will then cover topics such as SCADA security incidents, available standards and SCADA security best practices. An insight will be given into the risks and vulnerabilities of IP-enabled ATMs as well as their supporting infrastructure, with a focus on security best practices, configuration and operation of ATM architecture. Sessions will cover emerging threats in the UAE and their impact on businesses and users, Web 2.0 security, botnets and their effect on our web activity, and the best ways of protecting ourselves against this phenomenon.

Date:   4 December 2008
Venue:  Etisalat Academy, P.O.Box 99100, Dubai, United Arab Emirates
Time:   9:00am – 6:00pm

P.S: This conference is complimentary for all (ISC)2 members. A 10% discount is also offered for ISSA/ISACA/ALIG members, and an additional 10% discount is offered to RSA attendees. For more information, please contact trustem(at)isc2.org.

Register now as the seats are limited!

See you there.

Fatma Bazargan