Posts Tagged ‘Conficker Worm’

TITSSN leverages the Twitter network for critical alerting, notification and network happenings (meetings and events) as of April 1st 2009

April 2nd, 2009 Brett A. Scudder No comments

Good day to you,

 

Over the past year I have been looking for a service that would allow us to create a centralized alerting system for critical security related news, alerts, notices and inter-network happenings (meetings, events, workshops). I have been studying the Twitter network and its growth, usability and service capabilities, and I must say that I am very impressed by its sheer simplicity combined with its extensive use and features. As the fastest growing social network today, Twitter makes it easy to sign up, connect to other Twitter members, activate SMS device notifications and send short text based updates.

 

This presents a number of possibilities that we can use to build a global alerting system that aggregates all the various places where threat notifications and alerts are being disseminated and channels them into our own system through Twitter. As a network of professionals, business executives and people of influence with high responsibility for critical infrastructures, we need a system that allows instant opting in and out of alerts and activation of the mobile alerting system. It also needs to allow two way communication between the system and those who subscribe to it, so that in the event of something critical happening we can have up-to-the-minute updates coming in from anyone, anywhere.

 

For these reasons we have decided to use the Twitter network as our alerting and notification system for IT Security related outbreaks, threats and notices. It will also serve as a notification system for our events, meetings and happenings. Two separate accounts have been created to manage these alerts/notices.

 

Effective April 1st 2009, TITSSN’s ITSecureAlerts and TITSSNHappening have been activated as a part of the TITSSN v.2010 network upgrade.

 

Over the past few days we have experienced a heightened sense of alert and awareness from the Conficker worm and its pending effects on the target date of April 1st. As the target day drew nearer, and even on the day itself, the need for pertinent development info and updates was such that people were reaching out from all over for any kind of heads up they could get. Now we're able to capture these and have them sent out in a prudent, managed fashion. All future alerts and updates on such issues will be handled by the IT Security Alerts (ITSecureAlerts) notification system, which will monitor the development and progress of these kinds of threats and post pertinent info for its followers.

 

TITSSNHappening will broadcast our event updates and happenings and will always maintain the current info for whatever is coming next from the network.

 

Please follow accordingly and help to spread the word to anyone who wants to be kept in the know in the event of such critical IT Security issues. We may not always have the luxury of time on our hands but we can have the luxury of a working system of alerts and collaboration in times of need.

 

Thank you very much and have a great day. We apprecilove your business and support and look forward to serving you more.

 

~Brett A. Scudder~

The IT Security Attaché | http://theitsecurityattache.com  | Blogs http://theitsecurityattache.com/blogs

President/CEO/Chairman/Founder/Security Architect

~TITSSN ~The IT Security Suite Network~ | http://titssn.net | TITSSN’s Blogs http://titssn.net/blogs

Brett.Scudder@titssn.net (877) 539-8614 / (718) 928-6516

We are Security – your Security – our Security – IT Security. Our Security is Safe and Secure.

A Managed Security Services/Value Added Resellers Provider (MSS/VAR-P)

My LinkedIn profile – http://www.linkedin.com/in/titssn | TITSSN’s IT Security Forum Board http://titssn.net/forum

Follow me on Twitter http://twitter.com/TITSSN | Facebook http://www.facebook.com/people/Brett-A-Scudder/1161704997


Conficker’s cure? So what happens now? Is this the end, NO.

March 31st, 2009 Brett A. Scudder No comments

FYI…

Original URL: http://www.channelregister.co.uk/2009/03/30/conficker_signature_discovery/

Busted! Conficker’s tell-tale heart uncovered

Researchers find super worm cure, just in time

My thoughts, feedback and input.

You have a few hours to work on this and I know you’re going to be vigilant about it. Let’s save what and who we can with our best efforts. Time is of the essence so get to it. I will be a bit busy for the next few hours checking on new vendor signature releases and info about this, dealing with my internal network and doing some last minute checking and changes so please pardon any delays in my responses for a while.

So now that signatures are being released for it, is it over?

 

No it's not. This is a staged effort. The signatures will be created and disseminated throughout the various security scanners, anti-virus and anti-malware vendor products, but then comes the updating and patching of the systems.

 

If you are running an older version of a vendor product, I strongly suggest you upgrade it now.

If your anti-virus and anti-malware definitions are dated earlier than March 31st 2009, you're not fully protected yet.

If you are still missing Microsoft Windows patches (any and all of them), there's still some level of risk for you.

If you're running vulnerable applications like Adobe Reader, Acrobat, Firefox, iTunes, QuickTime, web browsers, media players and other applications, check to make sure you're not missing any vendor patches. The vendors have released patched versions recently.

 

I still stick to my original take on this, which is: if you are already infected, just wipe and start over. There's no real guarantee that you will fully get rid of the infection and the various pieces it comes with. If you are not infected, the steps above give you a good set of protective layers to work with.

 

Keep in mind that a signature based solution detects only what matches a known signature; it does not detect threats by anomaly. As Conficker is a blended threat, I expect to see some aspects of it still evading some security solutions if they are not configured properly for effective use. Some people run their solutions with out-of-the-box settings, which may not be optimally configured for a critical threat like this with such a rapid rate of change.

 

I know this is short notice, but it is good timing to get the word out and get people to act quickly. Be kind and help to spread the word to your family, friends, partners, associates, peers and anyone you converse with. This is critical info that needs to be shared.

 

Let’s get to it people. I’ve been up since Saturday helping people with their systems and talking about this and I plan to get some sleep over the next day or two.

 

Good luck and please keep me posted on any new developments and happenings around this once April 1st kicks in.

 

~Brett A. Scudder~

The IT Security Attaché


The Conficker Worm – my review

March 29th, 2009 Brett A. Scudder 5 comments

The Conficker Worm – my review

 

There have been many articles, reviews, information and postings about the Conf*ker, as many people have started calling it. Depending on who you talk with, you can replace the * with anything that suits your feelings towards it. The most interesting thing about this threat is not that it is a new one or a new attack form; it's the same old attackers doing the nefarious things they do, but with a bit more sophistication. For me as an IT guy looking at all this, I'm getting the wow factor from some of the new developments and traits of the threat. So my take today will not be to overwhelm you with all the techno jargon and high level breakdown of the threat, but just to speak on it in the most basic form so that even those who are non-technical can grasp the severity of it.

 

So here goes.

 

If you get infected with the Conficker worm you’re screwed. Bottom line.

 

If this is a system on a business network, it must be removed, quarantined and disinfected by any means necessary. Take no chances with this threat.

Get my drift?

Is this basic enough to understand?

 

Ok, let’s take it from another angle.

 

This worm is a blended threat (virus, worm, rootkit, botnet, adware, malware and the "what else" factor) with blended characteristics. It's like catching a cold and getting a headache, ear ache, stomach ache, backache and chest pains all in one. It starts with a simple cold but quickly spreads to other critical areas of the body, causing serious effects and harm. This threat is in a class by itself, as it deploys various additional agents around the system that make it unclear whether removal has been complete and successful.

 

If you have been infected with the worm, your only real option is to completely wipe the system. Unplug, power down, and drain power so that every storage component of the system loses power completely. This is a very serious threat.

 

As for those who have been asking which anti-virus solution is best to protect against this: there isn't one. Anti-Virus alone is not going to protect you from this threat and its blended effects. It will take a number of things to make this happen, and here's my list.

 

1. The system must be fully patched from all angles: the operating system, the applications, services, devices and drivers. When patching the Microsoft Windows operating system, many people have auto update enabled but with different settings. Some have it set to "alert me of new updates" but never apply the new updates. Some have it set to "download and wait for my approval" and they never approve the installation of the updates. Some have it set to "download and install all updates"; this is the good option to have. When patching the OS one must be prudent and apply not only critical patches but all software, severe and high updates as well. So if you're using the built-in auto update, please use "download and apply all". If doing it manually, do a custom update, which will reveal all the patches and updates needed.

2. Anti-Virus alone will not protect you from this worm or from most of the new threats in the IT Security threat landscape today and tomorrow. An anti-malware solution is critical to combine the protective layers of web/content filtering, IDS/IPS, anomaly/heuristics based detection, network and proactive threat protections. This is a backup to the patching already performed on the system: a fully patched system can still be compromised if targeted malicious code is allowed to reach it.

3. Common sense is the name of the game and the winner of all security practices. On top of patching the system and having the needed security solution comes the best practice of all: the user's common sense in using the system effectively. As the person using the system, one needs to pay very close attention to detail in their messaging, web browsing and IM practices. Opening emails from known and unknown sources requires due diligence in thinking about the nature of the message, its contents and its relevance to you. A message from a known source may not have been sent by them but could be the result of an infection on their system(s). This applies to both email and IMs. There are many IM worms that will hijack your IM client and send out messages to everyone in your contact list pointing them to a website that serves a drive-by download. Many people think very little of web based attacks, yet they are the fastest growing today because of the ease of infection and delivery of the payload.

4. User education and awareness. This is a very critical issue, as many seem to think that these issues are a corporate or industry problem. When a threat like Conficker goes into the wild it is not targeting specific systems in specific industries only; it is doing a general attack across all systems within its path. IT Security is a people problem and we are all in its path whether we like it or not, no matter what OS vendor platform you're running.

5. Enable your built-in firewall, or get a third party one, to put up some form of perimeter defense.

6. There are security suite solutions that bundle multiple security technologies and features in one suite. That may be a more viable option for you because of the integration and management options.
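One way to audit items 1 and 5 of the list above (and the "missing Windows patches" check from the March 31st post) on a Windows machine, as an added example that is not from the original post: it reads the Automatic Updates setting, enumerates every update the Windows Update Agent still reports as not installed, and checks whether the built-in firewall is on. The COM interfaces used are standard Windows ones; the level-name table and the output layout are my own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on the machine being checked; it only reads state and changes nothing.

# 1. Automatic Updates configuration. NotificationLevel values correspond
#    to the settings described in item 1: 2 = alert only, 3 = download and
#    wait for approval, 4 = download and install automatically.
$au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$levelNames = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Alert of new updates only (nothing is downloaded or applied)'
    3 = 'Download, then wait for approval'
    4 = 'Download and install automatically'
}
$level = [int]$au.Settings.NotificationLevel
Write-Host ("Automatic Updates: {0}" -f $levelNames[$level])
if ($level -lt 4) {
    Write-Warning 'Automatic Updates is not set to download and install; patches may sit unapplied.'
}

# 2. Equivalent of a manual "custom" scan: ask the Windows Update Agent for
#    everything not yet installed, including non-critical and optional items.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
$missing  = $result.Updates

if ($missing.Count -eq 0) {
    Write-Host 'No missing updates reported by the Windows Update Agent.'
} else {
    Write-Host ("{0} update(s) missing:" -f $missing.Count)
    foreach ($u in $missing) {
        # MsrcSeverity is empty for non-security updates, so label those n/a
        $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Write-Host ("  [{0,-9}] {1} {2}" -f $sev, $kbs, $u.Title)
    }
}

# 3. Built-in firewall state for the profile currently in use (item 5).
$fw = New-Object -ComObject 'HNetCfg.FwMgr'
if ($fw.LocalPolicy.CurrentProfile.FirewallEnabled) {
    Write-Host 'Windows Firewall: enabled for the current profile.'
} else {
    Write-Warning 'Windows Firewall is disabled for the current profile.'
}
```

Each missing update is listed with its MSRC severity so that the "severe and high" updates the post insists on are as visible as the critical ones.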

 

The fact of the matter is, we now have these issues at the level they should have been at years ago: in the media and across all industries, treated as a people problem, not an industry one. I take the same approach to Conficker as I do to the rogue Anti-Virus 2008/9 threat: if detected, wipe, clean, rebuild, reimage.

 

This isn't something to play around with, guessing what was cleaned or whether it was cleaned at all. The only way to be sure is to wipe it all out.

 

Thank you and have a great day,

 

~Brett A. Scudder~

The IT Security Attaché


State Security Breach Notification Laws as of December 16, 2008 and the Conficker worm

March 29th, 2009 Brett A. Scudder No comments

This is from an email I sent out to my network distribution list today at 12 noon.

 

Good day to you,

 

This is a critical issue that has been highly overlooked and is a bigger problem than most people care to think. For those of us consultants who are responsible for our clients' infrastructure, please help them to understand where these laws apply and how they affect them. I'm bringing in someone from the attorney general's office to do a presentation on this for us in the coming month. I'm trying to work with their schedule, so stay tuned for the date of the meeting.

 

There are some serious new threats on the loose, and the more I look at them, the more clearly I see the rate of success in what they deliver. Our organization speaks to these issues, and we must understand what they mean for those we're helping to understand them. This new variant of the Conficker worm has some nasty new tricks to it, and while following its development and path I'm more convinced that this is a new level of sophistication, way above the rogue Anti-Virus/Anti-Spyware 2008/2009 threat we encountered last year, which is still a major pain point for IT today. Whether this is an April Fools' Day joke or not, as you can see, the financial ramifications of negligence will be heavy.

 

Get those system patches (OS, applications, devices) updated and current. Most people tend to patch the OS and leave vulnerable applications running with system-level access, so that even a fully patched OS is still vulnerable. Patching is an all-round process that applies to the OS, the applications running on it and the devices connected to it. Even device drivers are a point of entry to a system today, so patch them if needed. Check on those security policies and rules and ensure they are up and running. We have a few days before April 1st, so talk with your people about this and help them understand the need to be prudent about it.

 

Make no mistake people, this is a new age where technology rules and the threats are more real than ever before. This is not someone physically walking in and taking your data; this is someone sitting anywhere in the world and having access to it (if allowed).

 

I posted this on LinkedIn here http://www.linkedin.com/answers/using-linkedIn/ULI/447971-3071950 for broader visibility within the business professionals' community. More feedback and input will be found there as well. Spread the word.

 

Thank you and have a great day,

 

~Brett A. Scudder~

 

State Security Breach Notification Laws

As of December 16, 2008

http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm
