Tuesday, January 22, 2008

Did you (ever) patch your Oracle...??

Shocked to see 26 patches? (CJ7)
Dozens of security patches are issued every quarter by Oracle. Last week they released 26 security fixes across their product line, including nine that address remotely exploitable flaws.
Five of the six vulnerabilities in Oracle Application Server can be exploited over the network without the need for a username or password.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply the fixes as soon as possible.

-Don't be shocked, only 26 patches
Don't be shocked to see 26 patches in the latest patch update (compared with Microsoft's 2 patches this month): there were 51 fixes in October's update. Furthermore, Oracle's is a quarterly update (instead of monthly like Microsoft's), so each one carries three months' worth of fixes.

-Don't be surprised, two-thirds did not patch
But to my surprise, according to survey results from Sentrigo Inc., a vendor of database security products, two-thirds of Oracle DBAs had never applied Oracle's security patches at all (no matter how critical the vulnerabilities). The survey covered 305 Oracle database administrators from 14 Oracle user groups between August 2007 and January 2008.

Some might take the result with a pinch of salt, since the vendor is using it to sell a patching solution. But from my experience managing critical servers, I think the survey result is quite credible. There are many concerns when applying patches to enterprise servers, where the databases and the applications are tightly inter-related.

Here are some common concerns faced by DBAs:
"You change the database behavior in some ways that may affect application performance."
Typically, before applying the patches, you have to test them against every application that feeds off the database. "This is a very long and very hard process to do, especially if you are in enterprises with a large number of databases and applications." It can require months of labour and sometimes significant downtime, which most companies can't afford.
Some application vendors do not certify Oracle patches to run with their applications, making companies unwilling to apply the patches.

Hopefully, after reading this blog, you can make your management understand the concerns around patching the server, and get them to accept the risk explicitly if they decide not to patch. At least you will not be seeing surprised faces (like Stephen Chow above) from the management when the system crashes (during patching) or gets hacked (because it was not patched).

Related Reports:
- Oracle Critical Patch Update Advisory - January 2008

- Two-thirds of Oracle DBAs don't apply security patches (ComputerWorld)

Saturday, January 19, 2008

Anti Spammer sued by "Spammer"

David Ritz, a veteran American spam-fighter, was sued by Sierra Corporate Design, a North Dakota business run by alleged former spammer Jerry Reynolds, for hacking and trespass offences.

The court ordered Ritz to pay $53,000 in damages, a $10,000 fine for contempt for breaching an injunction, and lawyers' fees, which could run into tens of thousands.

Can you believe it? An anti-spammer like David was trying to stop spammers by gathering domain information on the "possible" spamming systems and publishing it for the anti-spam community, and he was the one punished. Furthermore, he only used the DNS host command and the whois command, which system administrators commonly use to troubleshoot problems, administer their systems, and track spammers.

Spammer "scores"..!! Spammer WON!! Hopefully there will be a "re-match" where David (with the help of the "Spam-Fighters Legal Defense Fund") goes for an appeal.

BTW, I don't like SPAM; I prefer fried Chinese luncheon meat. :P

Related Report:
- Anti-spammer fined $60K for DNS lookup 'hack' (The Register)

Friday, January 18, 2008

Any new patches for your windows...

Friends and readers have asked me why I do not feature the monthly Microsoft security updates in my blog. The majority of computer users are using Microsoft products, and they should be informed of those updates.

But I think it would not be productive for me to highlight their monthly security updates. Even my granny knows that the security updates come out on the second Tuesday of each month, and there are many websites and blogs commenting on them. Anyone who surfs the web will definitely be informed of those updates.

But I think highlighting Microsoft "out of band" updates or zero-day vulnerability advisories (like the one I wrote yesterday, "Vulnerability in Microsoft Excel") is worthwhile, as these are critical vulnerabilities that everyone needs to know about, often before a patch exists. So you will be seeing more of these advisories in my blog.

If you need to check on the latest Microsoft security updates, you can go to this official link: http://www.microsoft.com/protect/computer/updates/bulletins/default.mspx. You can also sign up for security update alerts via MSN Messenger, e-mail, or mobile phone from this link. Users with an RSS reader can also get the latest updates from this RSS feed.

Wondering why the picture above shows a cute little penguin (Tux) sucking on his "drink"? Make a guess... or you can email me for the answer.

Thursday, January 17, 2008

Vulnerability in Microsoft Excel....

A vulnerability has been reported in Microsoft Excel that lets a remote attacker execute arbitrary code on the target user's system.

A remote attacker can create an Excel file with a specially crafted header that, when opened by the target user, triggers a memory corruption error and executes arbitrary code on the target system. The code runs with the privileges of the logged-on user, so a user who works as an administrator hands the attacker the whole machine.

All versions of Excel are affected except Microsoft Office Excel 2007, Microsoft Excel 2008 for Mac, and Microsoft Office Excel 2003 Service Pack 3.

Currently there is no patch available (at the time of this entry).

While a patch is pending, hackers and malware writers will be actively targeting IM and e-mail during this period. I would advise users running older versions of Excel to avoid opening unfamiliar or unexpected e-mail/IM attachments, and, since Excel 2003 Service Pack 3 is not affected, to get that service pack installed if they have not already done so.
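As an added example (not code from the original post or from Microsoft's advisory), here is how a mail gateway could enforce the "don't open unexpected attachments" advice while the patch is pending: it decides by file signature rather than by filename, because the sender chooses the name and a renamed .xls still opens in Excel. The gateway policy, the sample message and the minimal .xlsx container are all constructed for this example.

```python
"""Triage e-mail attachments by file signature, not by filename.

Added example (not code from the original post or from Microsoft's advisory).
Assumption: a gateway policy that quarantines every legacy OLE2 (Office 97-2003
binary) container from outside while Advisory 947563 has no patch.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# File signatures (magic bytes) of the two containers Excel uses.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # .xls/.doc/.ppt compound file
ZIP_MAGIC = b"PK\x03\x04"                       # .xlsx/.docx (Office 2007 OOXML)


def classify(data):
    """Coarse content type decided from the bytes, never from the name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        if "xl/workbook.xml" in names:
            return "ooxml-excel"
        if "[Content_Types].xml" in names:
            return "ooxml-other"
        return "zip"
    return "other"


def decide(kind):
    """Hypothetical gateway policy for the unpatched window."""
    # The advisory concerns the binary workbook format; Excel 2007's OOXML
    # format is listed as not affected, so only OLE2 containers are held back.
    return "quarantine" if kind == "ole2" else "deliver"


def triage_message(raw):
    """Parse a raw RFC 822 message; return (filename, kind, action) per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        kind = classify(payload)
        results.append((name, kind, decide(kind)))
    return results


def build_sample_message():
    """Constructed sample: a legacy workbook renamed to .txt plus a real text file."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "dba@example.com"
    m["Subject"] = "Q4 figures"
    m.set_content("See attached.")
    fake_xls = OLE2_MAGIC + b"\x00" * 504  # header only; a real workbook is longer
    m.add_attachment(fake_xls, maintype="application", subtype="octet-stream",
                     filename="figures.txt")
    m.add_attachment("just notes\n", filename="notes.txt")
    return m.as_bytes()


def build_sample_xlsx():
    """Constructed minimal OOXML container, enough for classify() to recognise."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, action in triage_message(build_sample_message()):
        print(f"{name:<12} {kind:<12} {action}")
    print("sample.xlsx  ", classify(build_sample_xlsx()))
```

Run as-is and the renamed workbook "figures.txt" is quarantined while "notes.txt" is delivered; the point is that an extension allow-list alone would have let the first one through.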

Related Reports:
- Microsoft Security Advisory (947563), Vulnerability in Microsoft Excel Could Allow Remote Code Execution

- Hackers go after Excel (The Register)

Wednesday, January 16, 2008

SANS Threat List 2008

SANS Institute has recently released its "Top Threat List" for 2008 at the SANS Security 2008 conference in New Orleans. The predictions for this year are quite wide-ranging, from web attacks to botnets, to insider attacks and even social engineering. You can find the list below.

1. Increasingly sophisticated website attacks that exploit browser vulnerabilities - especially on trusted websites.

2. Increasing sophistication and effectiveness in botnets

3. Cyber espionage efforts by well resourced organisations looking to extract large amounts of data – particularly using targeted phishing.

4. An increase in mobile phone threats, especially against iPhones and Android-based phones.

5. Insider attacks

6. Advanced identity theft from persistent bots. Malicious agents that stay on compromised machines for months will be able to gather enough data to enable extortion attempts (against people who surf child porn sites, for example) and advanced identity theft attempts where criminals have enough data to pass basic security checks.

7. Increasingly malicious spyware

8. Web application security exploits

9. Increasingly sophisticated social engineering, including blending phishing with VoIP and event phishing. For example, a blended attack may include an inbound email, apparently sent by a credit card company, asking recipients to "re-authorise" their credit cards by calling a 1-800 number. The number leads them (via VoIP) to an automated system in a foreign country that, quite convincingly, asks them to key in their credit card number, CVV, and expiration date.

10. Supply chain attacks infecting consumer devices (USB thumb drives, GPS systems, photo frames, etc.). Retail outlets are increasingly becoming unwitting distributors of malware-infected devices, the experts warn.


Related Report:
- Browser vulns and botnets head threat list (The Register)

Monday, January 14, 2008

Battery not included ... but Malware is...

Over the past months, there have been several reports of digital devices shipping with malware. The devices affected were digital photo frames, portable music players and portable storage.

According to the Internet Storm Center, a network-threat monitoring group, some end users reported that their digital photo frames contained malware that attempted to install malicious code on their systems.

In October last year, password-stealing malware was discovered on Seagate's Maxtor Basics Personal Storage 3200 hard disks. The affected drives were infected and shipped from the factory in China.

In earlier years, some Apple iPods were shipped with a virus, and several music CDs from Sony BMG came with a draconian copy-protection system that qualified as malicious software.

So the next time you buy a digital device (or even receive a present from Santa), remember to scan the device thoroughly with a reputable and up-to-date anti-virus before you plug it into your main system. You never know what free "gift" it comes with.
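An added example (not from the original post) of what "scan the device thoroughly" can mean beyond running the anti-virus: inventory the volume of a freshly unboxed device, hash every file for lookup against a known-bad list, and flag the things a photo frame or music player has no reason to carry. The sample volume, the known-bad hash and the autorun.inf check (the auto-execution hook removable media relied on at the time) are constructed assumptions for this example.

```python
"""Inventory a removable device before trusting it.

Added example, not from the original post. The known-bad hash list and the
sample volume are constructed here; in practice the hashes come from your AV
vendor or a threat feed, and you would mount the device read-only first.
"""
import hashlib
import os
import tempfile

MZ_MAGIC = b"MZ"                       # DOS/PE executable header
IMAGE_MAGICS = {                       # what a file with this extension should start with
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
EXEC_EXTS = {".exe", ".scr", ".com", ".dll", ".pif", ".bat", ".vbs"}

SAMPLE_PE = b"MZ" + b"\x00" * 64       # constructed stand-in for a known-bad binary


def sha256_file(path):
    """Stream-hash a file so large media files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_volume(root, known_bad):
    """Walk a mounted volume; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(full, "rb") as f:
                head = f.read(16)
            digest = sha256_file(full)
            if digest in known_bad:
                findings.append((rel, "known-bad hash " + digest[:12]))
            if name.lower() == "autorun.inf":
                findings.append((rel, "autorun.inf present (auto-execution hook)"))
            if ext in EXEC_EXTS:
                findings.append((rel, "executable on a media device"))
            if ext in IMAGE_MAGICS and not head.startswith(IMAGE_MAGICS[ext]):
                if head.startswith(MZ_MAGIC):
                    findings.append((rel, "PE executable disguised as image"))
                else:
                    findings.append((rel, "extension/content mismatch"))
    return sorted(findings)


def sample_known_bad():
    """Constructed known-bad list: just the hash of SAMPLE_PE."""
    return {hashlib.sha256(SAMPLE_PE).hexdigest()}


def build_sample_volume():
    """Constructed 'photo frame' volume: one real photo, one fake, autorun, a binary."""
    root = tempfile.mkdtemp(prefix="frame_")
    os.makedirs(os.path.join(root, "DCIM"))
    with open(os.path.join(root, "DCIM", "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)      # genuine JPEG header
    with open(os.path.join(root, "DCIM", "family.jpg"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 64)                     # PE header under a .jpg name
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=setup.exe\n")
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(SAMPLE_PE)
    return root


if __name__ == "__main__":
    for path, reason in triage_volume(build_sample_volume(), sample_known_bad()):
        print(f"{path:<20} {reason}")
```

The clean photo produces no finding; the disguised one, the autorun hook and the binary each do, and the binary is reported twice (by type and by hash) so that a single missed signal does not hide it.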

Related Reports:
- Malware hitches a ride on digital devices (Security Focus)
- Seagate Support Announcement - Maxtor Basics Personal Storage 3200
- Apple ships virus on some video iPods (Security Focus)

Sunday, January 13, 2008

Teen hack tram network

A 14-year-old Polish teenager modified a TV remote control to change the track points of the tram system in the city of Lodz (Poland's second-largest city), derailing four vehicles and injuring more than twelve people.

Besides the technical knowledge to build the device, the boy showed social engineering skills: he trespassed into the tram depots to gather the information needed to build it. It may have been a prank to modify the tram settings, but kids with these skills could one day bring down a nation's infrastructure for their own benefit.

In the movie "Die Hard 4.0", which I watched several months ago, the hackers sabotage the nation's network of traffic signals, rail transport and air traffic control, causing chaos on the roads. They even hack into the federal building systems and force the evacuation of numerous buildings with a false anthrax alarm. They also sabotage the nation's financial systems (the stock exchange), causing panic across the whole nation. It may be just a movie, but it is possible, especially with information technology so heavily integrated into a country's infrastructure nowadays.

I think educating the young in the right values will be more effective against hacking than blindly banning hacking tools (see my related post, "Banned "Hacking Tools"..."), which some countries are doing.

Related Report:
- Polish teen derails tram after hacking train network (The Register)

Wednesday, January 9, 2008

Banned "Hacking Tools" ....

Germany banned "hacking" tools such as Nmap and Wireshark last year, drawing a lot of criticism from the security industry and professionals.
Following Germany, the UK is amending its Computer Misuse Act to ban the development, ownership and distribution of such tools. There has been much criticism of this, as many system administrators and security consultants use those tools legitimately to probe for vulnerabilities and troubleshoot problems in their corporate environments.

With this ban, I personally feel that legitimate users (i.e. IT professionals) will not be able to properly assess and secure their corporate environments without those useful tools, while the actual hackers will find it easier to break into systems.

We will be seeing more countries follow suit in the near future, especially Singapore, which always follows behind the "big boys". So be careful about bringing "hacking" software across borders, especially when entering Germany or the UK.

BTW, how many "hacking tools" can you recognise from the picture above?

Related report:
- UK gov sets rules for hacker tool ban (The Register)
- Germany enacts 'anti-hacker' law (The Register)

Tuesday, January 8, 2008

Keylogger.... on Sale

I saw this interesting hardware keylogger in an online shop. Unlike a software keylogger (which will normally be caught by anti-virus), this device is connected inline between the system and the keyboard. It records all keystrokes and stores them in non-volatile memory (which retains the information even when power is lost).

To access the recorded data, you simply type your password in a text editor and a menu is displayed with options to erase data, view data, search the data for keywords, change the password, or disable the device.

As this is a hardware keylogger, no software installation is required. It works with any operating system and comes in PS/2 and USB versions. The device is small and portable (it can be as small as a penny).

Many of you might be thinking that this is nothing new, as hardware keyloggers have been around for years. But the thing I want to highlight is that it is easily available from an online store, selling for between USD$39.99 and $159.99.

You can have the best anti-virus, firewall and intrusion detection on your system, but with this device in hand, an attacker can steal passwords and data effortlessly, and nothing on the host will notice. Who says physical security is not important? Make sure all your server racks are properly locked, and get into the habit of looking at the back of the machine for anything sitting between the keyboard plug and the port.

Friday, January 4, 2008

Mobile Warrior Part 3 - Chain it up or Hide it out


In this part of the MW series, I try to address two simple yet effective ways of loss prevention: chain it up or hide it out.

Chain it up: Like the picture shown, a laptop security cable can be purchased at any good IT shop and is not too expensive. It comes with a key lock or a numeric combination lock. The idea is to avoid being an easy meal.

Hide it out: Yes, you carry your bag around (that is why you are mobile), and like any bag containing valuable items, should you not hide it if you cannot keep an eye on it?

Keep it in the boot of the car instead of the car cabin, and do it before you set off. Moving it to the boot at the destination, or leaving it in the cabin, is a sure-fire way of shouting: "Free laptop, come and get it".

If not, just carry it around with you. Sounds like a lot of effort?

Wait until it gets stolen. With your car window smashed, the laptop lost, an angry customer shouting and more people getting dragged into the damage recovery, you will wish you had read this blog earlier.
I know someone who wishes he had, so it is not too late for you. Cheers.