Saturday, June 09, 2007

Short Security Bits

Here are some security related links that might interest you.

Nothing earth-shattering, but good to file away for reference.

Analyzing Flash files for Malicious Behavior.

There are lots of relatively simple ways to get the average Windows PC whacked in a browser drive-by. That happens when you land on a website and, because of your browser and/or its settings, a file or some code is allowed to execute; unknown to you, an executable file gets put on your system and then the bad games begin.

However, in a recent post over at the SANS-ISC Handler's Diary, Analyzing (malicious) SWF file actions, the offending vector was a SWF (Macromedia/Adobe Flash) file.

Interesting. These can be a bit of a challenge to examine. However, being the clever guys they are, the handlers point out two tools that can be used to take a closer peek inside a SWF file. One is a set of Linux command-line tools called SWFTools, which might be only for the pros. The other, however, might just be approachable enough for those of us who are more comfortable in Windows: Command Line JSwiff.

Download that version and unpack. Then run the investigator.bat file to launch the GUI viewer tool.

JSwiff is actually a Java tool for SWF file creation and manipulation. Since it is Java-based, it can run on any platform! It displays the SWF headers and tags in an easy-to-read GUI interface.

Worth keeping this one handy.
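As an added example (not from the SANS post, JSwiff, or Flare), here is a small Python parser that reads the SWF header and walks the tag list the way an inspector GUI does, flagging the tags that carry ActionScript bytecode (DoAction, DoInitAction, DoABC), since those are the ones worth decompiling when triaging a suspicious file. The sample SWF it parses is constructed inline.

```python
import struct
import zlib
# Tag codes from the SWF specification; the script-bearing ones get flagged during triage.
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
             39: "DefineSprite", 59: "DoInitAction", 69: "FileAttributes", 82: "DoABC"}
SCRIPT_TAGS = {12, 59, 82}   # DoAction, DoInitAction, DoABC carry ActionScript bytecode

def parse_swf(data):
    """Return (header dict, [(code, name, length), ...]) for a SWF blob."""
    sig, version, length = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"CWS":          # zlib-compressed body (SWF 6+); the 8-byte header stays plain
        body = zlib.decompress(data[8:])
    elif sig == b"FWS":
        body = data[8:]
    else:
        raise ValueError("unsupported SWF signature: %r" % sig)
    # Frame size is a RECT: a 5-bit Nbits field, then four Nbits-wide fields, byte-padded.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0   # UI16 in 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4
    header = {"signature": sig.decode(), "version": version, "length": length,
              "frame_rate": frame_rate, "frame_count": frame_count}
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]   # RECORDHEADER: 10-bit code, 6-bit length
        code, tag_len = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if tag_len == 0x3F:    # long form: a 32-bit length follows the record header
            tag_len = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, TAG_NAMES.get(code, "Unknown"), tag_len))
        pos += tag_len
        if code == 0:          # the End tag closes the file; ignore anything after it
            break
    return header, tags

def script_tags(tags):
    return [t for t in tags if t[0] in SCRIPT_TAGS]

def build_sample_swf(compressed):
    """Constructed sample file: empty RECT, 12 fps, one frame, one 1-byte DoAction tag."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)               # RECT with Nbits=0, rate, count
    body += struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"      # SetBackgroundColor, 3 bytes
    body += struct.pack("<H", (12 << 6) | 1) + b"\x00"             # DoAction holding an End action
    body += struct.pack("<H", 1 << 6) + struct.pack("<H", 0)       # ShowFrame, then End
    hdr = (b"CWS" if compressed else b"FWS") + b"\x06" + struct.pack("<I", 8 + len(body))
    return hdr + (zlib.compress(body) if compressed else body)
```

On a real file, `script_tags(parse_swf(open(path, "rb").read())[1])` lists the tags whose ActionScript is worth decompiling with a tool like Flare.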

Also linked to in the post is a SWF tool called Flare. It comes in various versions, including a Windows Explorer extension which will decompile SWF files into a simple text file. Also nice to keep in mind.

So, while Flash files are cool and add some zip and zing to web pages, there might be some nasties lurking in some of them. Be careful, and if in doubt, dive in and take a look at what they are really doing!

The Mysterious Autostart file

Mark Russinovich found a strange entry in his autostart group back in May.

Mark's Blog : The Case of the Unknown Autostart

He provides a great tutorial overview on how to pick an unknown file apart using the Sysinternals tools.

Worth reading to polish up your malware hunting techniques.

Two New and Interesting XP Vulnerabilities

heise Security posted notice on their blog of Two vulnerabilities in Windows XP.

The first takes advantage of a malformed ico (icon) file that is related to the GDI+ component. If called, it can cause a crash of an application that uses the graphics library. Probably not common, but the second one is fascinating.

Seems that someone figured out that if two shortcut files (*.lnk) that reference each other are placed in the same folder and then opened with Windows Explorer, Windows Explorer will crash. AND if they are kept on the desktop (which is actually just a fancy folder), the crash will occur soon after bootup. I don't know how common a vector of attack this would be, but I can see a user somehow doing this accidentally. I guess you could set the files up, pack 'em together, and then send a user the file in a zip file. If the files were later unpacked and the user browsed into the unpacked folder that contained them, maybe they would be hit.

The fix is easy enough...just boot into Safe Mode and use the command prompt to delete the files or rename their extensions.

Probably worth remembering...

WiFi and Home Networking

The Daily Cup of Tech site always has some great posts.

One this week provides instructions for users on how to create A More Secure Home WiFi Design.

One of the reasons why I haven't bothered to set up a wireless network in our home for both our laptops (which have built-in wireless) is that I haven't wanted to take the time to set up a really secure wireless network. I'm just more comfortable (and it is much easier) sticking with the CAT-5 cables.

This DCOT post covers why the common WiFi configuration most users set up is not very secure, and then walks, step by step, through how to reconfigure a WiFi network for better security.

I'm sure that by the end of the year I will cave and go Wireless.

Articles like this are helping me grow comfortable with the idea (with home WiFi at least...public WiFi is a whole different subject...).

New Anti-Malware Software Versions Released

This should be my last reminder that Ad-Aware 2007 Free - Lavasoft has been released.

Ad-Aware SE, the previous version, still works and still downloads in most cases: Ad-Aware SE Update Problem - Simply Fixed x2

My only gripe with the new version is that they are now running a required service for it to work. So it looks like the days of running Ad-Aware in a "standalone" mode are gone with the 2007 version.

EMSI Software has released version 3.0 of its a-squared line. This includes the freeware version of their malware system scanner, a-squared Free, as well as their multi-purpose utility a-squared HiJackFree, which helps with autoruns, browser plugins, processes, services, ports, LSPs and quick on-line analysis of elements. It's a handy tool.

Foundstone (a McAfee Division) Security Tools Page URL Updated

I've been a longtime user of the free and fantastic Foundstone tools for some system forensics as well as network scanning tools. They don't usually have "sexy" GUI interfaces, but they still work damn well. Good enough for me!

However, I noticed that some of the links to them in my older blog posts were giving "page not found" errors now.

Tracked it down to some site updates they made.

Foundstone - A division of McAfee

Foundstone Network Security | Risk Management :: Free Tools

There you go.

So, what's the protocol for bloggers? Am I now obligated to go back and correct all those bad URLs in my older posts? I really wouldn't mind doing that, but the (new) Blogger will toss all those updated posts to the top of my RSS feed list and I really don't want to have to clean that mess up as well.

What do you think? Worth worrying about or not?

Stay secure!


1 comment:

Michael said...

I wouldn't go back and correct all the links that have changed in old posts. Most people realize we are in a dynamic environment on the web and lucky if yesterday's links are still good! Besides, I prefer you use your time to continue to wow us with fantastic new posts and links. Thanks for all you do!

Harmon's $.02