FYI

May 01 2006

SANS has just released their updated list of the Top 20 vulnerabilities.
It’s always an interesting read.

http://www.sans.org/top20/2005/spring_2006_detail.php

 

Yesterday afternoon Microsoft released 5 security bulletins. The first 4 of these bulletins are primarily workstation risks. I recommend deploying MS06-013 and MS06-015 as soon as possible.

MS06-013 is especially urgent since the details of this exploit are public and attackers are already using it. You may consider the published workaround for MS06-014 and a workaround I developed for MS06-016 rather than deploying the updates for these 2 bulletins.

The final bulletin, MS06-017, impacts IIS servers running FrontPage Server Extensions or Sharepoint Team Services.

Although Microsoft rates the severity of this bulletin as only moderate, I recommend loading this update on all affected servers as soon as possible.

MS06-013 – Cumulative Security Update for Internet Explorer (912812)

This update contains fixes for a slew of newly discovered critical IE vulnerabilities affecting all supported versions of Windows. These vulnerabilities include eight remote code exploits, some of which are public and already being exploited. Most organizations will want to deploy this update to all workstations as soon as possible. Be aware that this update includes the change to ActiveX handling in IE released last month (MSKB 917425). If you need more time to prepare for the ActiveX change you can install the “compatibility patch” which delays activation of the ActiveX change until next month. Be sure to read MSKB 917425 before deciding what to do about this update and test this update in a limited rollout.

MS06-014 – Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

This update fixes a critical remote code vulnerability in Remote Data Services that can be exploited by malicious HTML content in a web page or e-mail, and most organizations will want to deploy this update to all workstations and end-user accessible Terminal Services servers as soon as possible or use the workaround provided in the bulletin, which disables use of the RDS.Dataspace ActiveX control by Internet Explorer. This workaround will disable web based applications that directly access ODBC databases from the client web browser. Most web based applications perform all database access from the server in ASP, but some intranet applications such as data access pages created through Access use client side scripts to access databases. If you choose to use the workaround you should test it against all web based applications that are important to your users.

MS06-015 – Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)

This critical update addresses a remote code vulnerability in Windows Explorer in which an attacker, who successfully directs Windows Explorer to access a rogue or compromised file server, succeeds in getting Windows Explorer to execute arbitrary code under the authority of the current user. The file server could be on the local network or on the Internet. The attacker would probably attempt this attack through a link to the rogue file server embedded in an email or web page. The workarounds and mitigating factors on this bulletin are confusing and/or incomplete but I believe you could prevent this vulnerability from being exploited by remote file servers on the Internet by disabling the Web Client service on desktop workstations and blocking outgoing connections to TCP ports 139 and 445 at the firewall. Disabling the Web Client disables WebDAV functionality which is used by some Sharepoint sites. Blocking outgoing connections to TCP ports 139 and 445 will only protect computers when they are behind your firewall. Most home, hot spot or other Internet accessible networks where your laptop users may connect will not be blocking any type of outgoing connections.

Most organizations will want to take steps to protect against this exploit as soon as possible.

MS06-016 – Cumulative Security Update for Outlook Express (911567)

This important update fixes a remote code vulnerability in Outlook Express and should be deployed to all systems using Outlook Express. It would be preferable to simply disable Outlook Express for the typical environment that uses Outlook instead. However Outlook 2000 and Outlook 2002 both require Outlook Express. Outlook 2003 does not appear to share this requirement and I have verified basic Outlook 2003 functionality after adding a Deny Everyone Full Control permission entry to c:\program files\outlook express. Most organizations will want to deploy this update or test my workaround as soon as possible for workstations and user accessible Terminal Services computers.

MS06-017 – Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (917627)

This is a weird vulnerability. I expect to receive clarifying information on this which I will pass on to you in a special update. For now my understanding is this: This vulnerability allows an attacker to execute arbitrary client-side script against an IIS server with FrontPage Server Extensions or Sharepoint Team Services. Microsoft rates this as a moderate risk but for vulnerable servers I rate it critical. If you have run servers with FPSE or SPTS, load this patch.
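The workarounds described above for MS06-015 (disable the Web Client service, block outgoing TCP 139 and 445) and MS06-016 (a Deny Everyone Full Control entry on the Outlook Express folder) can be checked per workstation. The script below is an added example, not part of the original bulletin summary; it assumes an elevated Windows PowerShell 5.1 session with `Test-NetConnection` available (newer than the systems the bulletins cover), and `egress-test.example.net` is a hypothetical host you operate outside the firewall.

```powershell
# Added example: audit the MS06-015 / MS06-016 workarounds (-Apply sets the local ones).
param(
    [switch]$Apply,
    # Hypothetical host you operate outside the perimeter firewall.
    [string]$EgressTestHost = 'egress-test.example.net',
    [string]$OePath = (Join-Path $env:ProgramFiles 'Outlook Express')
)

function Test-WebClientDisabled {
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { return $true }          # service absent: nothing to disable
    return ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped')
}

function Test-DenyEveryoneFullControl([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $true }   # folder absent
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $aces = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $aces) {
        if ($ace.IdentityReference.Value -eq 'S-1-1-0' -and   # Everyone
            $ace.AccessControlType -eq 'Deny' -and
            ($ace.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

function Test-EgressBlocked([string]$Target, [int[]]$Ports) {
    # An unreachable or unresolvable target also reads as blocked; verify the host first.
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) { return $false }   # connection left the network
    }
    return $true
}

if ($Apply) {
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
    if (Test-Path -LiteralPath $OePath) {
        $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $everyone, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
        $acl = Get-Acl -LiteralPath $OePath
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $OePath -AclObject $acl
    }
}

[pscustomobject]@{
    WebClientDisabled      = (Test-WebClientDisabled)
    OutlookExpressDenied   = (Test-DenyEveryoneFullControl $OePath)
    Egress139And445Blocked = (Test-EgressBlocked $EgressTestHost 139, 445)
}
```

Running the egress check again from a laptop on a home or hot spot network shows the limitation noted for MS06-015: the port block only holds while the machine is behind your firewall.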


Keeping kids from succumbing to ‘the dark side’
By Anne Saita, News Director
19 May 2005 | SearchSecurity.com

Edward Ajaeb got his first taste of steganography in sixth grade, when
he set up a Web site for his teacher’s husband to showcase his master’s
thesis on the subject. By then the Utica, N.Y., youth had designed Web
sites for a couple of years, a side business he’d developed in the
fourth grade.

This spring, the 16-year-old sophomore got even more involved in sending
hidden, encrypted messages by using a tool he downloaded off the
Internet. He also tried to break into a wireless network and learned
what computer cops look for during a forensics investigation. All under
the watchful eye of the U.S. Air Force, which helped host what some say
is the nation’s first residential cybersecurity camp for high school
students.

“I wanted to learn different kinds of career options, and it turns out I
did learn there are a whole lot of choices,” Ajaeb said of the first
Cyber Security Program for High School Students held this spring at
Mohawk Valley Community College.

That’s just what organizers wanted to hear following the weeklong,
federally funded camp that exposed 28 talented teens from central New
York to a field with unique staffing challenges.

“To one degree, this whole program is about antihacking,” explained
Ronald Cantor, dean of the community college, which is a satellite
campus of the State University of New York and is located next to a
technology business park and Griffiss Air Force Base’s cybersecurity
research laboratory. “During part of the course, we talk about legal and
societal structures and the ethics of computer hacking.”

Students said the dean did indeed stress using what they learned to
benefit “the good side” and not the bad. “In reality, after talking to
some of the students, they were more interested in the ‘bad’ things that
they could do,” admitted one student, “but [they] understood that they’d
be arrested if they ever got caught, so I believe that they decided
against it.”

Another student backed up that statement, saying some students told of
being able to manipulate servers but quickly learned the consequences if
they carried out that activity. “I don’t see any of the kids ending up
on the news for being a hacker or anything like that,” he said.

The program, which also plans summer sessions, arose from an open
challenge made by a local congressman, Rep. Sherwood Boehlert [R-New
Hartford]. “We are not producing fast enough the intellectual capital
needed to maintain our preeminent position in worldwide markets,” said
the chairman of the House science committee. “This is the Information
Age and just about everything depends on our ability to address the
challenges of cybersecurity.”

The camp was designed by Dr. Kamal Jabbour, a civilian who created the
curriculum for the Air Force’s Advanced Course in Engineering, a
cybersecurity boot camp for cadets. Students, who were recommended by
their guidance counselors and teachers based on academics and interest,
lived in an ACE student dormitory and spent four hours daily in lectures
and labs on a variety of subjects: legal and ethical issues; policy
making; computer forensics; wireless security; steganography; and
next-generation network security.

Campers admit the legal lectures were a snooze and the wireless attacks
and steganography exercises were a highlight. “The whole week was
phenomenal,” said Justin Monroe, a junior from Rome, N.Y. “It really
gave me an idea of what the computer science and engineering fields are
really like.”

This was, of course, camp and so students also devoted time to
team-building, swimming, volleyball and field trips. Chess was huge,
with some students calling home to request extra chess sets for ad hoc
tournaments. And some needed to be coaxed outdoors to play Frisbee.

But there also were signs this was no ordinary camp. The military
presence was inescapable. Students watched patriotic movies, such as
“Patton” and “Apollo 13” and ate breakfast between 6 and 6:30 a.m.
daily.

“For a lot of us, waking up that early in the morning was a physical
challenge,” Ajaeb said.

But everyone involved in the program says it was a big success and should
spawn similar camps nationwide. That, Boehlert said, is good for the
country. And just in time, given the pervasiveness of data crimes and
identity theft. “We’re maturing in this whole industry. You had
reluctance from people to acknowledge there was a problem. They didn’t
want to admit it publicly, for obvious reasons,” he said.

“At this time, one of the most promising career fields for any young
person to consider is in cybersecurity,” the politician added. “It’s
exciting to see the enthusiasm these students had… it’s almost a
little frightening to see how bright these kids are.”

You can see these PS3 specifications here:

http://www.1up.com/do/newsStory?cId=3140590

And the ones for Xbox360 here:

http://www.planetxbox360.com/xbox_360_specifications.php

PS3

CPU:
Cell Processor
-PowerPC-base Core @3.2GHz
1 VMX vector unit per core
512KB L2 cache
7 x SPE @3.2GHz
7 x 128b 128 SIMD GPRs
7 x 256KB SRAM for SPE
* 1 of 8 SPEs reserved – redundancy
Total FP performance: 218 GFLOPS

GPU:
RSX @550MHz
1.8 TFLOPS FP performance
Full HD (up to 1080p) x 2 channels
Multi-way programmable parallel
floating point shader pipelines

Sound:
Dolby 5.1ch, DTS, LPCM, etc.
(Cell-base processing)

Memory:
256MB XDR Main RAM @3.2GHz
256MB GDDR3 VRAM @700MHz

System Bandwidth:
Main RAM: 25.6GB/s
VRAM: 22.4GB/s
RSX: 20GB/s (write) + 15GB/s (read)
SB: 2.5GB/s (write) +2.5GB/s (read)

System Floating Point Performance:
2 TFLOPS

Storage:
HDD: Detachable 2.5″ HDD slot x 1

I/O:
USB: Front x 4, Rear x 2 (USB2.0)
Memory Stick: Standard/Duo, PRO x 1
SD: standard/mini x 1
CompactFlash (Type I, II) x 1

Communication:
Ethernet: (10T, 100TX, 1000T) x 3
(input x 1 + output x 2)
Wi-Fi: IEEE 802.11 b/g
Bluetooth: Bluetooth 2.0 (EDR)

Controller:
Bluetooth (up to 7)
USB2.0 (wired)
Wi-Fi (PSP(R))
Network (over IP)

AV Output:
Screen size: 480i, 480p, 720p, 1080i, 1080p
HDMI: HDMI out x 2
Analog: AV MULTI OUT x 1
Digital audio: DIGITAL OUT (OPTICAL) x 1

Disc media (read only):
CD: PlayStation(R) CD-ROM; PlayStation(R)2 CD-ROM
CD-DA: CD-DA (ROM); CD-R; CD-RW
SACD: SACD Hybrid (CD layer); SACD HD
DualDisc: DualDisc (audio side); DualDisc (DVD side)
DVD: PlayStation(R)2 DVD-ROM; PLAYSTATION(R)3 DVD-ROM
DVD-Video: DVD-ROM; DVD-R; DVD-RW; DVD+R; DVD+RW
Blu-ray Disc: PLAYSTATION(R)3 BD-ROM
BD-Video: BD-ROM; BD-R ;BD-RE

XBOX360:

360 HW:
1. Support for: DVD-video, DVD-Rom, DVD-R/RW, CD-DA, CD-Rom, CD-R, CD-RW, WMA CD, MP3 CD, JPEG photo CD
2. All games supported at 16:9, 720p and 1080i, anti-aliasing
3. Customizable face plates to change appearance
4. 3 USB 2.0 ports
5. Support for 4 wireless controllers
6. Detachable 20GB drive
7. Wi-Fi ready

Custom IBM PowerPC-based CPU
- 3 symmetrical cores at 3.2 GHz each
- 2 hardware threads per core
- 1 VMX-128 vector unit per core
- 1 MB L2 cache

CPU Game Math Performance
- 9 billion dots per second

Custom ATI Graphics Processor
- 500 MHz
- 10 MB embedded DRAM
- 48-way parallel floating-point shader pipelines
- unified shader architecture

Memory
- 512 MB GDDR3 RAM
- 700 MHz DDR

Memory Bandwidth
- 22.4 GB/s memory interface bus bandwidth
- 256 GB/s memory bandwidth to EDRAM
- 21.6 GB/s frontside bus

Audio
- Multichannel surround sound output
- Supports 48 kHz 16-bit audio
- 320 independent decompression channels
- 32 bit processing
- 256+ audio channels

PC Mag just wrote up a review of the technology at the new Wynn hotel
you’ve been hearing so much about. Long but slightly interesting. http://www.pcmag.com/article2/0,1759,1813217,00.asp

The next Sea-Tug meeting will be held Wednesday, May 11th.

–> PLEASE NOTE MEETING LOCATION <–

Time: 6:15 – 8:30+/- pm

Where: Redhook Brewery Tasting Gallery (1st Floor) – Pease Tradeport,
Portsmouth, NH

Who: Thirsty System Engineers, Hungry Network Engineers, Network
Administrators, Help Desk Professionals, etc

Meeting Agenda:

6:15 – Introduction & User Group Business & Ordering Food

6:30 – Presentation

8:00 – Questions and Answers

8:15 – Post meeting socializing

This month’s topic:

————————————

Remote Desktop Control

————————————

How do you support your end users? If you’re like most people you find that
being on someone’s desktop is easier than walking a user through the myriad of
screens and control panels that they need to navigate to resolve an issue.

If you’re inside a corporate network the solution is simple: add remote
desktop protocol or something like VNC, pcAnywhere, etc. to the desktops and
manage any machine when you want to.

But what do you do for users across the Internet? Webex? I recently looked
into using Webex for remote support and the cheapest option was $300/month
per named technician.

Then I found Venti Solutions. These guys have a product very similar to
Webex, but at a fraction of the cost. I’ll do a demo of the product and hold
a discussion on remote access issues.

If you have a new tool or software package that you’ve been using over the
last month, join in the discussion and share with the group.

About SEA-TUG:

SEA-TUG is a technical user group (i.e. for System Admins, not home users)
meeting once a month on topics relating to IT Infrastructure, Hardware,
Networks, Software, Security, Infrastructure, Deployment, etc. Visit http://www.sea-tug.com for more information.

I am currently reviewing the Toshiba M200 and the R15. These boxes are night and day: one is small, one is big; one is lightweight (4.4 lbs) and one is heavy (6.1 lbs). One has a big screen resolution (SXGA 1400×1050) with a tiny screen (12.1″), one has a big screen (14.1″) with tiny resolution (1024×800). One has all the extras (CD, CDRW, DVD, etc) as add-ons and the other has them built in. So I sit here perplexed wondering which direction to go in and voila!!!

It’s as if Toshiba has heard the voices of the huddled masses and a lightbulb has gone on in their collected product development departments.

Several sources – TechSage and TabletPCCorner.net (it’s a link in English) are showing that the new Toshiba (which could be named Tecra M4) will merge the best of the M2xx and the R15 into a single wonderful device. Rumored features are a 14.1″ SXGA screen, 533 FSB, optical drives built in, NVIDIA 6600 graphics and dual WiFi – due out in mid-May, so if you can hold on, then hold on tight because ladies and gentlemen this is the box that could bring tablet PC computing to the masses!! Can I get an amen!

Fortune is reporting on Sharp’s new AL 3D hardware which features:

Light from the images on the screen is divided so that different patterns reach your right and left eyes; each eye sees a different image. The brain processes each image so that they appear to leap out from the flat screen, with no need for those geeky 3-D glasses.

The next Sea-Tug meeting will be held Wednesday, April 13th.

–> PLEASE NOTE NEW MEETING LOCATION <–

Time: 6:15 – 8:30+/- pm
Where: Redhook Brewery Tasting Gallery (1st Floor) – Pease Tradeport,
Portsmouth, NH
Who: Thirsty System Engineers, Hungry Network Engineers, Network
Administrators, Help Desk Professionals, etc

Meeting Agenda:
6:15 – Introduction & User Group Business & Ordering Food (Redhook Menu)
6:30 – Presentation
8:00 – Questions and Answers
8:15 – Post meeting socializing

This month’s topic:
————————————–
Agentless Server Monitoring
————————————–

We’ve had several discussions regarding how to best monitor your server
environment; we’ve talked about MOM, Openview, Big Brother, and others.
This month we take a look at Heroix Longitude, and their “Agentless” solution
to monitor and report on OS Metrics such as Network, Disk, Ram, and CPU as
well as database, web, and messaging applications. The product provides both
alerting and reporting (including trending) for your core OS and several
applications.

The Heroix solution requires no client footprint, is cross-platform
(Windows, AIX, Linux, HP-UX, Solaris), and is web-enabled.

In addition to the traditional Powerpoint and Demo, we’ll also discuss
best practices and real-world monitoring strategies. This month’s
guest speaker is Ken Leoni, Regional Manager from Heroix out of Newton, Mass.

About SEA-TUG:
SEA-TUG is a technical user group (i.e. for System Admins, not home users)
meeting once a month on topics relating to IT Infrastructure, Hardware,
Networks, Software, Security, Infrastructure, Deployment, etc. Visit
http://www.sea-tug.com for more information.
