You have successfully updated your password


Today I received a phishing email with a ZIP file attached (called 'updated-password.zip'). Our Exchange server is protected by Ninja and it will normally block these from the end user if they have a virus payload. So I was a bit stunned to see it. Here is the original email. You can easily tell that this is not a valid email.

 

From: service@psu.edu [mailto:service@psu.edu]
Sent: Monday, April 06, 2009 9:56 PM
To: Vince Verbeke
Subject: You have successfully updated your password


Dear user vcv1,

You have successfully updated the password of your Psu account.

If you did not authorize this change or if you need assistance with your account, please contact Psu customer service at: service@psu.edu

Thank you for using Psu!
The Psu Support Team

+++ Attachment: No Virus (Clean)
+++ Psu Antivirus - www.psu.edu

 

Being the curious type, I wanted to see (safely) the contents of the ZIP file. I have a program called Sandboxie that allows you to run programs in a Sandbox. I then downloaded and ran the 'updated-password.zip' file to see what emerged.

All I received was a text file that said the following:

 

The file "updated-password.htm                                                                      .exe" was found to be infected with W32/Mytob.PR@mm (exact) by Authentium and has been quarantined.

 

Another email engine, protected by Authentium, had already cleaned the virus before our Ninja software was able to see it.

 

What is COOL though is the file name. Note how it would have just looked like 'updated-password.htm' to a cursory glance.

But there are 70 SPACES in the file name to mask the .EXE at the end. So they intended for me to double click on a 'safe' file that ended in .HTM when instead I would have been launching a malware EXE installer.
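
The padded-name trick described above can be caught by inspecting archive entry names before anything is extracted. This is an added example, not part of the original post; the extension list, the function names and the sample archive are constructed for illustration, and the check also flags padded names that have no decoy extension.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# <visible part> <two or more whitespace characters> <real extension at the very end>
PADDED = re.compile(r"^(?P<visible>.*?\S)(?P<pad>\s{2,})(?P<real>\.\w{1,5})$")


def check_name(name):
    """Return a finding if whitespace padding hides an executable extension."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any folder part
    m = PADDED.match(base)
    if not m or m.group("real").lower() not in EXECUTABLE_EXTS:
        return None
    return {
        "shown_as": m.group("visible"),   # what a cursory glance sees
        "padding": len(m.group("pad")),   # number of hidden whitespace characters
        "real_ext": m.group("real").lower(),
    }


def scan_zip(data):
    """Check every entry name in a ZIP (given as bytes) without extracting it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hit = check_name(info.filename)
            if hit:
                findings.append(hit)
    return findings


def build_sample():
    """Constructed sample: harmless bytes stored under the padded name from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("updated-password.htm" + " " * 70 + ".exe", b"placeholder text")
        zf.writestr("readme.txt", b"benign entry")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(finding)
```
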

 

Add Yakety Sax to anything


Cool mashup for Benny Hill fans.

 

http://james.nerdiphythesoul.com/bennyhillifier/

 

You can paste in the YouTube Video Id (ex: AtJDcYtb8co) from this one.

 

http://www.youtube.com/watch?v=AtJDcYtb8co

 

and then send that link out

 

http://james.nerdiphythesoul.com/bennyhillifier/?id=AtJDcYtb8co

Hug

Hug.jpg

Tech Ed 2008 Security Videos


Today I was finally able to take the time to look at the Tech Ed 2008 (Tech·Ed North America 2008 IT Pros) sessions from back in June. Lots of good stuff here on security. There are 3 links below. The first requires that you have a Windows Live ID login. The second should just open in your video player.

 

You can browse or download more of the sessions from here:

http://technet.microsoft.com/en-us/events/teched/cc561184.aspx

 

 

Windows Security Boundaries

In this session, learn what constitutes a security boundary; get a tour through core Windows technologies, including user sessions, Code Integrity, PatchGuard, Service Security Hardening, and User Account Control, to learn where Windows currently defines such boundaries; and gain insight into why application compatibility and user experience make defining boundaries much more difficult than it might seem. Speaker: Mark Russinovich (session SEC372).

 

At 55:25, he starts discussing Vista's UAC.

 

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=993

 

http://mfile.akamai.com/14853/wmv/microsofttec.download.akamai.com/14853/TechEdOnline/Videos/0993_b.asx

 

 

A Hackers Diary: How I Can Hack Your Vulnerable Services and How You Can Stop Me

This live session demonstrates how a hacker will try to exploit vulnerable applications in order to compromise remote systems and how you can defend yourself from such attacks. Marcus Murray of the TrueSec Security Team exposes the latest and greatest in exploitation frameworks using live demonstrations and at the same time demonstrates and talks about countermeasures that are effective in the real world. The countermeasures discussion includes a step-by-step-approach using the latest technology from Microsoft, as well as the processes needed for a successful security implementation. Speaker: Marcus Murray (session SEC354).

 

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=989

 

http://mfile.akamai.com/14853/wmv/microsofttec.download.akamai.com/14853/TechEdOnline/Videos/0989_b.asx

 

His notes from the session are on his blog. From 42:00 to 45:00 you get a chilling warning of why hackers hack and why we should be upgrading to up-to-date software. It is inherently more secure than old software.

 

Windows Logins Revealed

Every day we log into our Windows systems. But what really happens when we do? How DO our workstations and our domain controllers exchange logon information without revealing our passwords? Security hardening guides talk about how scary old-style LM, NTLM and NTLMv2 logons are, but why EXACTLY do they say that--particularly when it's practically impossible to keep all of the old-style logins from happening even in the most modern network? How DOES AD's favorite logon protocol, Kerberos, work? Join expert Windows explainer and security geek Mark Minasi in an in-depth look at how Windows logins work, how they can not work (and how you can fix them) as well as how to better secure them. After seeing this talk, you will have NO excuses for not tweaking those group policy security settings! Speaker: Mark Minasi (session SEC450).

 

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=995

 

http://mfile.akamai.com/14853/wmv/microsofttec.download.akamai.com/14853/TechEdOnline/Videos/0995_b.asx

 

 

I was tagged


Back on July 1, John Dorner tagged me. Here are my lists of 5 in response.

 

Five snacks I enjoy:

1.       Bread and (anything to put inside) to make a sandwich.

2.      Dove dark chocolate

3.      Chips

4.      Apples

5.      Gum

 

Five Things on My To-Do list today:

1.       Enter my "I'm tagged" blog entry

2.      Attend meetings

3.      Play v-ball at lunch

4.      Call Carla at the York office

5.      Kiss my wife when I see her tonight

Five Things I would do if I were a billionaire:

1.       Start a fund for my nieces and nephews for College (to attend PSU)

2.      Give money to Penn State DuBois

3.      Give money to the Alpha Zeta Fraternity

4.      Give the rest of the money to Laurie so she can do whatever she wants

5.   Go back to work on Monday

 

Five jobs I have had:

1.       Dairy farmer

2.      Produce clerk at grocery store

3.      Vo Ag teacher

4.      Taught electricity at Voc Ed retraining center

5.      Database Specialist

 

Five of my bad habits:

1.       Procrastination (thus this post after being tagged on July 1)

2.      The "Vince Look" when I get frustrated by myself

3.      Talk too loud

4.      Bull forward without considering others (I am a Taurus)

5.      Smile mysteriously at meetings causing people to question what I'm thinking

 

Five places I have lived:

1.       Hormtown PA

2.      State College PA

3.      Ephrata PA

4.      DuBois PA

5.      Clearfield PA

 

Five people that I've tagged: I tried to check your blogs to see if you've been tagged already.

1.       Peg Shuffstall

2.      Peter Fleck

3.      Mitch Owen

4.      Kevin Gamble

5.      Rich Phelps

 

Five Random Things:

 

1.    One of my favorite games as a small boy was to build a dam across a drainage ditch in our cow pasture after a heavy rain. Looking back, that may not have been a great idea. Of course, we didn't know about anti-bacterial hand sanitizers back in the 1960's. We just went out, in essence "ate dirt" and became desensitized to all the "bad" things in the environment.

2.    My step-daughters Lana and Lynn are 32 and 27 years old.

3.    I was on the task force that started Penn State's student alumni corps, the Lion Ambassadors, in 1981. The Task Force meetings were held at 8am, very early for students, then as now I bet. But this was never an issue for me. 8am after all is halfway through the morning. And the fact that they provided coffee and donuts for us was a double plus.

4.    I've played soccer for 29 years now. My position of choice for the past 15 is goalkeeper. This works since I don't need to run around very much. I'm also dumb enough to not worry about getting slammed into by the other players or the ball.

5.    I've lost 2 college friends to cancer. They were taken way too early. The world's light is dimmer because Peggy Frost Barrett and Donald Gephart Jr. are no longer with us.

 

 

There are many parts of my youth that I'm not proud of... there were loose threads . . . untidy parts of me that I would like to remove. But when I pulled on one of those threads . . . it had unraveled the tapestry of my life.

 

- Jean-Luc Picard, Tapestry

 

Worst Job

WorstJob.gif

Unconquered - Master of your own fate


 

"Invictus is a short poem by the British poet William Ernest Henley. The title is Latin for "Unconquered". It was first published in 1875."

 

 

INVICTUS

 

Out of the night that covers me

black as the pit from pole to pole,

I thank whatever gods may be

for my unconquerable soul.

 

In the fell clutch of circumstance,

I have not winced nor cried aloud.

Under the bludgeonings of chance

my head is bloody, but unbowed.

 

Beyond this place of wrath and tears

looms but the horror of the shade,

and yet the menace of the years

finds-and shall find me-unafraid.

 

It matters not how strait the gate,

how charged with punishment the scroll,

I am the master of my fate,

I am the captain of my soul.

 

 

---William Ernest Henley

Sysinternals tools site


The free Sysinternals tools, http://technet.microsoft.com/en-us/sysinternals/default.aspx, are great diagnostic and troubleshooting utilities. You had to download and unzip them before.

 

No more. Here's their 5/28 announcement.

 

What's New (May 28th, 2008)

  • Sysinternals Live
    We’re excited to announce the beta of Sysinternals Live, a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as \\live.sysinternals.com\tools\<toolname> or view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.

 

http://live.sysinternals.com/

A basic doctrine of information security is to use a strong password. Your password should be at least 8 characters in length and contain a mix of letters, numbers and other special characters. See Password Best Practices from PSU ITS.

 

One way to determine if your password is strong is to type it into a password checker.

 

Microsoft’s online Password Checker reviews your password for sufficient length and complexity. As you enter your password the strength bar will move from Weak to Medium to Strong to Best.

 

http://www.microsoft.com/protect/yourself/password/checker.mspx

 

This check takes a few seconds. Try it out and see how your password rates.

How many fixes are in Windows XP SP3?


The Tuesday, May 20, 2008 Kim Komando Show Daily Tip newsletter states that "XP SP3 includes a whopping 1,174 updates."

Ummm, that's a lot. MS Technet has a list of the fixes.
