Jan-4-2009

Russian Roulette with your Network

First of all, before I really start, I hope that you all had a great start in 2009. Mine was actually pretty mixed. The good side was how my year really started and what I saw when I looked out the window on January 1st (yes, I was on vacation skiing and this was how the view was almost each and every morning):

But honestly, this is not the only reason why I wrote this post. There is another one which is much, much more serious:

Unfortunately there are still plenty of customers playing Russian Roulette with their network. This term was actually used by one of our security engineers – who was kind of upset, to say the least – who had to work December 31st and January 1st because of customers still not having rolled out MS08-067 – and not just one! We hit our limits with regards to support capacity in EMEA.

Just to remind you: This is the Out of Band security update we released back on October 23rd, which was then pretty soon attacked by Conficker.A. But it seems that a lot of customers did not care back then – they were not attacked, so why bother? In the last days of 2008 Conficker.B broke out and even though it did not spread too widely, the customers who were hit (or still are hit) are hit very, very badly. Account lockouts all over the place, admin passwords that were grabbed (often the Domain Admins) etc. – and we had some really upset engineers as they had to work instead of having time off because some customers were not up to their duty (and this is what it is for me!).

And this is not the end of the story:

  • For quite a while, our Anti-Malware solution was the only one that was able to remove the thing. And without an Anti-Malware solution it is close to impossible to actually get rid of it. As always, all the information about the malware was shared amongst VIA (Virus Information Alliance) with all the partners.
  • NT got infected as well and the calls came: What shall we do now? Well, there is not too much you can do. As you might know, Windows NT has been out of support for a long time (since December 31st, 2004 – see our Lifecycle Page if you need more information). Isolate your Windows NT boxes (as you should have done a long time ago) and migrate away from it. I know that there are still a lot of machines with NT embedded – isolate them and work with the vendors to get to an up-to-date version of the OS.

Let me add a final comment: The story above is not a Microsoft-only story. The same processes and technologies around patch management have to be applied to each and every component of your environment. Back in the Blaster days, we started telling consumers to apply three things to their PC to protect it:

  1. Switch on your Firewall
  2. Keep your Software Updated
  3. Run an Anti-Malware software and keep it updated

Guess what: If you had applied 2 and 3 to your network, you would not have been hit by this problem.

Roger


Dec-22-2008

SQL Injection – again?

This week I had – again – a longer mail thread on SQL Injection attacks. Probably it caught me at the wrong moment, as it was a very long week preparing for the IE Out of Band making sure everybody knows what they have to do. And then…

I was actually pinged by our office in Ireland about a blogger who is working heavily with our technology and seems to be a pretty experienced developer – this to set the stage.

So, the title of the post was (freely summarized): I was attacked by a SQL Injection, what is Microsoft doing against that? I then commented on his blog but unfortunately he decided not to publish my comment but to get in touch with me directly. The interesting thing was (and this is the reason why I decided to blog myself about it) that I was asking him what he was expecting from us, as we published quite a bunch of guidance on how to protect against SQL Injection back in May and there is not much more we can do, as SQL Injection is not a DB but an application problem: the app does not properly verify the input. I have seen some cases recently (and from the mail exchange we had over the weekend I guess that he is one of them) where a cookie was used to do the SQL Injection. So the application is saving some data in a cookie and loads the content from there, directly generating the SQL query. So if an attacker changes the content of the cookie he/she could run different SQL Injections and inject a script into the DB. This blogger was actually hit pretty hard by a script called jpdog.3322. If you search for it in a search engine (you would never use Google, would you?) you find a whole lot of sites being infected. Scary!
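To make the cookie case concrete, here is an added example (not code from the original post or from the blogger's site) in Python with an in-memory SQLite table standing in for the real database: the first lookup pastes the cookie value straight into the SQL text, exactly the pattern described above, while the second sends the same value as a bound parameter so the database never interprets it as SQL. The table, column names and cookie name are all constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prefs (user TEXT, theme TEXT)")
    conn.executemany(
        "INSERT INTO prefs VALUES (?, ?)",
        [("alice", "dark"), ("bob", "light"), ("carol", "dark")],
    )
    return conn


def cookie_value(cookie_header, name):
    """Minimal Cookie-header parser: 'a=1; b=2' -> value of `name` or None."""
    pairs = (part.strip().split("=", 1) for part in cookie_header.split(";"))
    jar = {k: v for k, v in (p for p in pairs if len(p) == 2)}
    return jar.get(name)


def lookup_vulnerable(conn, cookie_header):
    """The pattern the post describes: cookie content is concatenated into
    the query, so whoever controls the cookie controls the SQL."""
    user = cookie_value(cookie_header, "user")
    sql = "SELECT theme FROM prefs WHERE user = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, cookie_header):
    """Same lookup with a parameterized query: the cookie value is bound as
    data, so quotes or keywords inside it cannot change the statement."""
    user = cookie_value(cookie_header, "user")
    rows = conn.execute("SELECT theme FROM prefs WHERE user = ?", (user,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    honest = "user=alice"
    tampered = "user=alice' OR '1'='1"   # constructed tampered cookie
    print(lookup_vulnerable(db, honest), lookup_hardened(db, honest))
    # the tampered cookie turns the first query into "match every row"
    print(lookup_vulnerable(db, tampered), lookup_hardened(db, tampered))
```

The fix belongs in the application, as the post argues: no database-side patch can tell the concatenated query apart from one the developer meant to write.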

Now, back to our blogger. I asked several times (and this goes to you as well): What else can we do to help protect the ecosystem besides publishing the advice we already gave? I summarized the different sites back in May in posts called The latest SQL Injection Attacks and New Guidance on the SQL Injection Attacks.

Additionally we made a new version of the Security Development Lifecycle available to help you write more secure code. See my post about that: Videos about the Security Development Lifecycle

So, his ask finally was: a patch. He is expecting us to issue a patch to solve this problem. To me, this is on the same level as asking us to issue a patch for buffer overflows. Let me be clear once again: SQL Injection is about the app, not the DB!

I think in the end he felt stupid (he got some pretty direct comments on his blog as well), which would be bad. We have been defaced based on a SQL Injection as well and I am convinced that it could happen to anybody. The key is to make sure that you look for a solution at the root of the problem, which is the app.

Roger


Published: Dec-22-08
Tagged as: Incidents, Processes, Security

Dec-18-2008

Stealing the Empire State Building in 90 Minutes

You do not trust e-Business? Why do you trust “normal” business then? Read this: Newspaper 'Steals' Empire State Building in Just 90 Minutes

Roger


Dec-7-2008

Is there a Botnet building on MS08-067 exploits?

There are a lot of reports on a Botnet building on the back of exploits targeting MS08-067:

I would be very interested to see what your experience is with this exploit. What do you see? I just created a very short survey (three yes/no questions). If I get enough feedback, I will publish this (statistically not relevant) data here. The survey can be found here – it takes you 20 seconds.

Roger