Microsoft Releases Out of Band Update for Internet Explorer

If you haven’t heard this already, there was an incident where Google and about 20 other companies were hacked last month.  It is allegedly tied to the Chinese government.  Because of this, a few things have taken place.

Google is threatening to pull their Search engine out of China (at the very least they are threatening to stop censoring search results at the request of the Government) and they threatened to delay the release of their new phone in China.

People were throwing blame around at different companies and different applications for this hack.  It turned out that the attack went through Internet Explorer 6.x, via a previously undisclosed vulnerability.

Microsoft is reported to be releasing an out-of-band update today for this vulnerability.  They also recommend the following steps to mitigate it:

  • If you are running Internet Explorer 6, it’s time to upgrade.
  • Regardless of whether you are planning on upgrading, you should set your Internet Zone security level to “High”.
  • Internet Explorer 7 and 8 users (on Vista or Windows 7) should enable “Protected Mode”.
  • All users should enable Data Execution Prevention (DEP) on their computers.  DEP stops the processor from running code that sits in memory regions marked as data only (such as the stack and heap), which is where an exploit typically plants its payload.
  • You should be running in non-Administrative accounts (or have UAC enabled) so that malware running under your account inherits only limited rights.  This is something that everyone has been preaching since the dawn of Windows XP.

There are people who are trying to tweak this vulnerability to work in Internet Explorer 7 and 8 on Vista and Windows 7.  One of the people claims that DEP won’t mitigate this if the application doesn’t “opt in” to it.  I’m not sure if he is referring to Internet Explorer (which you will opt in by enabling DEP) or the malicious code.  Also I’ve read that some systems (namely netbooks and older CPUs) do not have “Hardware DEP”, so enabling it doesn’t actually work. ***I can’t verify this***

So, what should you do???

First and foremost you need to get updates.  This is regardless of whether you use Internet Explorer or not.  Better safe than sorry, especially since some programs do not follow the rules about default browsers and embed the Internet Explorer engine anyway.

This is a good time to try out Firefox with the NoScript add-on, and also Google Chrome.  I would even suggest Apple Safari, but I haven’t used it enough to know what its limitations are.

Some people would say this is the time to remove Windows, and switch to another Operating System (namely Linux) or buy a Macintosh.  While I love Linux, I don’t think that is the best solution in this case (although I would encourage people to try a Live CD out).  And I definitely cannot recommend spending $1,000+ on a new computer—just to get a Macintosh.

The bottom line is this.  Update your computer after 10:00 am PST today.  I would recommend an alternative browser.  However, since this potentially affects Outlook, Outlook Express, Windows Mail, Windows Live Mail, and anything else that uses the Internet Explorer rendering engine, you NEED to update the computer.

On a side note, Microsoft is also releasing an advisory about a Kernel vulnerability.  This one requires the attacker to already be able to log on to your computer locally (meaning it cannot be exploited directly from the Internet).  It remains to be seen if they will have a patch for this today or not.

Have a great day:)
Patrick.

How to protect yourself against the Chinese Google hack – Computerworld Blogs

By now you probably have heard about the “Google Hack”.  If not, here’s a recap.  Earlier in the week, Google announced on their blog that they were hacked in November (along with other companies in the Financial, Technology, and utility sectors).  They posted that the hacking came from China, and in their case was limited to the Gmail accounts of Chinese bloggers and Chinese activists.

Google also announced that due to this attack, along with their feelings on censorship and freedom, they are no longer going to censor results in China—in other words, no more Google in China. 

A lot of speculation was floating around about how the hackers were able to get the information.  People were blaming Adobe (because of the flaws in their products).  Well, it turns out that it’s Internet Explorer that’s being exploited.

This article goes into detail about how to limit your chances of being hacked through this vulnerability, and is especially important because the exploit is being “sold” in hacking toolkits.

One idea that wasn’t mentioned is using Firefox or Chrome to surf the web.  Also, if you’re running Vista or Windows 7, you need to have UAC enabled (as much as it sucks in Vista).  If you’re running XP or 2000 then you need to have a non-administrator account, and be using that for your daily activities.  Only use your “Computer Administrator” or “Administrator” accounts when YOU are intentionally installing something.
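The two posts above list the same set of mitigations (DEP, a “High” Internet Zone, Protected Mode, UAC, and a non-administrator account) but not how to confirm they are actually in effect. The script below is an added example, not code from either post or from Microsoft: a read-only PowerShell check that reports each setting and what to change if it is off. It reads documented Windows locations (the DEP properties of `Win32_OperatingSystem`, the IE `Zones\3` registry key with its `CurrentLevel` and `2500` values, and the `EnableLUA` policy value); the OK/advice wording is my own. It also answers the hardware DEP question from the first post, because `DataExecutionPrevention_Available` is false when the CPU or BIOS does not expose the NX/XD bit, and it distinguishes the “OptIn” DEP policy (only programs that ask for DEP are covered) from “OptOut” (everything is covered unless excluded).

```powershell
# Added example (not from the original posts or from Microsoft): read-only check
# of the mitigations recommended above. Written for Windows PowerShell 2.0+ so it
# runs on XP SP3 / Vista / 7; Get-WmiObject is absent from PowerShell 7, where
# Get-CimInstance replaces it. Nothing here changes any setting.

$results = @()
function Add-Result($Check, $Value, [bool]$Ok, $Advice) {
    $script:results += New-Object PSObject -Property @{
        Check = $Check; Value = $Value; OK = $Ok
        Advice = $(if ($Ok) { '' } else { $Advice })
    }
}

# --- 1. Data Execution Prevention -------------------------------------------
# DataExecutionPrevention_Available is true only when the CPU/BIOS exposes NX/XD.
# SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (client default), 3 OptOut.
# OptIn protects only programs that request DEP; OptOut protects every program
# unless it has been explicitly excluded.
$os = Get-WmiObject -Class Win32_OperatingSystem
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy
$hwDep = [bool]$os.DataExecutionPrevention_Available
Add-Result 'Hardware DEP (NX/XD) available' $hwDep $hwDep `
    'CPU or BIOS does not expose NX/XD; enabling DEP cannot protect this machine.'
Add-Result 'DEP policy' $depNames[$depPolicy] ($depPolicy -eq 1 -or $depPolicy -eq 3) `
    'Switch to OptOut: "bcdedit /set nx OptOut" (Vista/7) or /noexecute=optout in boot.ini (XP), then reboot.'

# --- 2. Internet Explorer: Internet Zone level and Protected Mode -----------
# Zone 3 is the Internet Zone. CurrentLevel: 0x10000 Low, 0x10500 Medium-low,
# 0x11000 Medium, 0x11500 Medium-high, 0x12000 High. Value "2500" is Protected
# Mode: 0 = on, 3 = off (Vista/7 only). If Group Policy sets these, the copy under
# HKLM\...\Policies\Microsoft\Windows\CurrentVersion\Internet Settings wins instead.
$zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zoneProps = Get-ItemProperty -Path $zone3 -ErrorAction SilentlyContinue
$level = [int]$zoneProps.CurrentLevel
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
                 0x11500 = 'Medium-high'; 0x12000 = 'High' }
$levelName = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { '0x{0:X}' -f $level }
Add-Result 'Internet Zone level' $levelName ($level -ge 0x12000) `
    'Internet Options > Security > Internet > move the slider to High.'
$isVistaOrLater = [Environment]::OSVersion.Version.Major -ge 6
if ($isVistaOrLater) {
    $pm = $zoneProps.'2500'
    $pmText = if ($pm -eq $null) { 'not set' } elseif ($pm -eq 0) { 'on' } else { 'off' }
    Add-Result 'IE Protected Mode' $pmText ($pm -eq 0) `
        'Internet Options > Security > Internet > tick "Enable Protected Mode", then restart IE.'
}

# --- 3. UAC and the account you are running as ------------------------------
# EnableLUA = 1 means UAC is on (Vista/7). XP has no such value, so there the
# non-administrator account check below is the one that matters.
$sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($isVistaOrLater) {
    Add-Result 'UAC (EnableLUA)' $sys.EnableLUA ($sys.EnableLUA -eq 1) `
        'Control Panel > User Accounts > turn User Account Control on, then reboot.'
}
# With UAC on, an administrator who is not elevated runs with a filtered token, so
# IsInRole reports $false here: that is exactly the state you want for daily use.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Result 'Running with administrator rights' $isAdmin (-not $isAdmin) `
    'Use a standard (non-administrator) account for daily work; elevate only to install software.'

$results | Select-Object Check, Value, OK, Advice | Format-Table -AutoSize -Wrap
```

Run it from an ordinary (un-elevated) PowerShell prompt, because the last check is meant to tell you whether your everyday session carries administrator rights. A “High” zone level will break sites that need scripting, which is why the posts pair that setting with a fully patched browser rather than relying on it alone.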

You NEED to read the linked blog post, as the author goes into great detail about how to check to see if you’re protected, and enable it if not.

Have a great day:)
Patrick.

An inside look at how Spyware works

This embedded video gives you a little behind-the-scenes look at how the cyber criminals steal your information.  The gentleman being interviewed is an ex-hacker who works with the Government now.  The video was originally part of the History Channel’s “Modern Marvels” series, and all Copyrights belong to them.

As always, this is not meant to scare people away from the Internet or computers.  It’s simply meant to show you how important it is to protect yourself with updates, antivirus, antispyware, firewalls, and good practices while on the computer.  And it’s meant to emphasize one important fact:

YOUR INFORMATION IS IMPORTANT TO A CRIMINAL—REGARDLESS OF HOW IMPORTANT YOU THINK IT IS.

Have a great day:)
Patrick.

What is Hacking: an Overview

“Hacking”—it’s the catchphrase of the media and the Information Security field nowadays.  But is all hacking bad? And was hacking originally a criminal activity?  This article looks at both of these questions and more.

There’s a lot more to hacking than what the media makes it out to be. I have a feeling that you may be surprised by some of what you read.

Have a great day:)
Patrick.

Virginia Won’t Pay Hacker’s Ransom Demand – InsideTech.com

Recently a “cyber-criminal” (please note that I’m not using the overhyped and irresponsibly used term “hacker”) broke into the Virginia Department of Health’s database and stole a bunch of records.  The criminal claimed that they also deleted the backups of the records (which was false) and demanded a ransom of $10 million.

Instead of paying, Virginia is working with the FBI to apprehend the criminals.  Are they doing the right thing here?  I would say “yes” and “no”.  Understand that I am basing this upon the same information that you have—I don’t have any secret information about the case.

Yes, they are doing the right thing by refusing to pay the ransom, and by working with the appropriate law enforcement agencies to track down the criminal(s) responsible.  It would be foolish and useless to give in to the demands, as the criminal will either a) not give you the records or b) give you something more like a virus with them.

Based on the articles that I’ve read, there is a possibility that the information that was stolen includes identifiable information such as your Social Security number (this is only in the case of Virginia residents who have had prescriptions filled).  The articles do not specify if the state is working with credit reporting agencies to prevent identity theft.

This would be where I have to say “No.”  If your bank is breached, or a store that you’ve used a credit card at is breached (or the credit card processing agency), they typically offer those affected a year’s worth of credit monitoring.  And they typically bear the cost of the monitoring.  It’s a small price for them to pay in order to regain your trust.

The articles don’t specify if Virginia is doing any of this.  If they are, then I say they’re doing everything right (as far as things I’ve looked at). But if they aren’t doing anything to prevent the identity theft, then they are putting their residents at an unnecessary risk.

These articles also emphasize the need for stronger security and the need to maintain backups off-site.  The criminal claims that the backups were still attached to the system, and that he/she deleted them.  If that’s the case, then the state failed right there.

This is an issue that everyone can follow and learn from, especially when it comes to maintaining backups and protecting your information.  You may not be able to control it once you put it on someone’s server, but you definitely can control it on your computer.

If you’re a resident of Virginia and were affected by this (or know someone who is), please drop me a note and let me know if the state is doing anything to help you safeguard your personal information in this matter.

Have a great day:)

Patrick.