Michael Corey's Database Virtualization/Database Administration as a Service® Blog
Posted on Fri, Jan 22, 2010 @ 02:00 PM
Posted on Sun, Feb 15, 2009 @ 10:35 PM
A very old saying, Caveat Emptor, or in English "Buyer Beware"; in the case of Facebook, should I say to all 175 Million users in over 30 languages "Facebook User Beware"? They just changed their terms of service agreement, and they own your content. Yes, I said that correctly: if you put something on Facebook, you are giving Facebook rights to it forever.
This is a scary thought. The lawyers will have a field day with this, and rightly so. Think of all the people who use Facebook, from celebrities all the way to the average Joe. I am not sure this is a reasonable stance for Facebook to take.
It used to be that once you removed something from Facebook, their rights to the information expired. With this most recent change, they own rights to the pictures and comments forever. My hat goes off to The Consumerist, who discovered this and is publishing this fact out to the world.
Here is a portion of that article...

By Chris Walters, 6:14 PM on Sun Feb 15 2009

Facebook's terms of service (TOS) used to say that when you closed an account on their network, any rights they claimed to the original content you uploaded would expire. Not anymore.

Now, anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later. Want to close your account? Good for you, but Facebook still has the right to do whatever it wants with your old content. They can even sublicense it if they want.

"You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof."

That language is the same as in the old TOS, but there was an important couple of lines at the end of that section that have been removed:

"You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content."

To read the entire article....
The Consumerist Facebook New Terms of Service
I will end this blog as I started it... A very old saying, Caveat Emptor, or in English "Buyer Beware"; in the case of Facebook, should I say to all 175 Million users in over 30 languages "Facebook User Beware"? After this blog came out, Facebook commented on this recent change to the terms of service....

Posted by Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Twitter: Michael_Corey
Twitter: Ntirety
Posted on Tue, Feb 03, 2009 @ 10:39 PM
Firefox just released a new version that addresses several security issues. Here is an excerpt from the article I saw in PCWORLD.

New Firefox Release Fixes Critical Security Bugs
Robert McMillan, IDG News Service
Feb 3, 2009 7:40 pm
Posted on Mon, Dec 22, 2008 @ 10:50 PM
Microsoft Security Advisory (961040)
Vulnerability in SQL Server Could Allow Remote Code Execution
Published: December 22, 2008

Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time. In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Customers who believe that they have been attacked can obtain security support at Get security support and should contact the national law enforcement agency in their country. Customers in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at Internet Crime Complaint Center.

Mitigating Factors:

• This issue does not affect supported editions of Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008.
• This vulnerability is not exposed anonymously. An attacker would need to either authenticate to exploit the vulnerability or take advantage of a SQL injection vulnerability in a Web application that is able to authenticate.
• By default, MSDE 2000 and SQL Server 2005 Express do not allow remote connections. An authenticated attacker would need to initiate the attack locally to exploit the vulnerability.

To read the original security alert from Microsoft......
Microsoft Security Advisory (961040)
Posted by Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Thu, Dec 18, 2008 @ 11:06 AM
This is a pretty important security bulletin. If you use Internet Explorer and go to a specially crafted web page you could be at real risk.....

Microsoft Security Bulletin MS08-078 - Critical
Security Update for Internet Explorer (960714)

Executive Summary

This security update resolves a publicly disclosed vulnerability. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, and Internet Explorer 7. For information about Internet Explorer 8 Beta 2, please see the section, Frequently Asked Questions (FAQ) Related to This Security Update. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection under the next section, Vulnerability Information. This security update also addresses the vulnerability first described in Microsoft Security Advisory 961051.

Recommendation. Microsoft recommends that customers apply the update immediately.

Affected and Non-Affected Software

The software listed here has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Note For information about Internet Explorer 8 Beta 2, please see the section, Frequently Asked Questions (FAQ) Related to This Security Update.
Affected Software | Maximum Security Impact | Aggregate Severity Rating
Internet Explorer 5.01 Service Pack 4 when installed on Microsoft Windows 2000 Service Pack 4 | Critical Remote Code Execution | Critical
Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4 | Critical Remote Code Execution | Critical
Internet Explorer 6 for Windows XP Service Pack 2 and Windows XP Service Pack 3 | Critical Remote Code Execution | Critical
Internet Explorer 6 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 6 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 6 for Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 6 for Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Critical Remote Code Execution | Critical
Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3 | Critical Remote Code Execution | Critical
Internet Explorer 7 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 7 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 7 for Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical
Internet Explorer 7 for Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Critical Remote Code Execution | Critical
Internet Explorer 7 in Windows Vista and Internet Explorer 7 in Windows Vista Service Pack 1 | Critical Remote Code Execution | Critical
Internet Explorer 7 in Windows Vista x64 Edition and Internet Explorer 7 in Windows Vista x64 Edition Service Pack 1 | Critical Remote Code Execution | Critical
Internet Explorer 7 in Windows Server 2008 for 32-bit Systems | Critical Remote Code Execution | Critical
Internet Explorer 7 in Windows Server 2008 for x64-based Systems | Critical Remote Code Execution | Critical
Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems | Critical Remote Code Execution | Critical
A remote code execution vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-4844.
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• By default, Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista and later helps protect users and their systems from malicious downloads by restricting requests to start another program or requests to save files without the user's consent. This includes user or system files and settings.
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones

You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High. To raise the browsing security level in Internet Explorer, follow these steps:

1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone. To do this, follow these steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

You can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.

Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

Impact of workaround. There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone. To do this, follow these steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.
• Disable XML Island functionality

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Create a backup copy of the registry keys by using the following command from an elevated command prompt:

    Regedit.exe /e Disable_XML_Island_backup.reg HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}

For Windows Vista and Windows Server 2008 only, take ownership of [HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}], as follows:

1. As an administrator, click Start, click Run, type Regedit in the Open box, and then click OK
2. Go to [HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}]
3. Click Permission, then Advanced, then Owner
4. Change Owner to Administrator
5. Click Grant Full Control to Administrator
6. Then iterate for all subkeys

Next, save the following to a file with a .REG extension, such as Disable_XML_Island.reg:

    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}]

Run Disable_XML_Island.reg with the following command from an elevated command prompt:

    Regedit.exe /s Disable_XML_Island.reg

Impact of workaround: Embedded XML in HTML may not render correctly.

How to undo the workaround Restore the original state by running the following command from an elevated command prompt:

    Regedit.exe /s Disable_XML_Island_backup.reg
• Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL

This workaround applies only to Windows Vista and newer operating systems and requires that UAC prompting and Protected Mode be enabled, which are the default settings. Save the following text to a temporary directory:

For 32-bit systems, save to a text file called "BlockAccess_x86.inf":

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [File Security]
    "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"

For 64-bit systems, save to a text file called "BlockAccess_x64.inf":

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [File Security]
    "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"
    "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"

Run the following command from the temporary directory as an Administrator:

    SecEdit /configure /db BlockAccess.sdb /cfg <inf file>

After the command completes, you should see the following messages:

    The task has completed successfully.
    See log %windir%\security\logs\scesrv.log for detail info.

Validating the workaround

To validate that the workaround was successfully applied, run the following commands at a command prompt:

For 32-bit systems:

    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

For 64-bit systems:

    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    icacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll"

Each time you run icacls, search through the output for the following line.

    Mandatory Label\Medium Mandatory Level:(NW,NR,NX)

Impact of workaround: Any ADO/OLE DB applications running in Internet Explorer, which is not common, will stop functioning. The impact is minimal since all other processes running in Medium or higher integrity level would still be able to load the dll and use it.

How to undo the workaround Save the following text to a temporary directory:

For 32-bit systems, save to a text file called "unBlockAccess_x86.inf":

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [File Security]
    "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"

For 64-bit systems, save to a text file called "unBlockAccess_x64.inf":

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [File Security]
    "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"
    "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"

Run the following command from the temporary directory as an Administrator:

    SecEdit /configure /db UnblockAccess.sdb /cfg <inf file>

After the command completes, you should see the following messages:

    The task has completed successfully.
    See log %windir%\security\logs\scesrv.log for detail info.
• Disable Row Position functionality of OLEDB32.dll

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Create a backup copy of the registry keys by using the following command from an elevated command prompt:

    Regedit.exe /e Disable_Row_Position_backup.reg HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}

For Windows Vista and Windows Server 2008 only, take ownership of [HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}], as follows:

1. As an administrator, click Start, click Run, type Regedit in the Open box, and then click OK
2. Go to [HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}]
3. Click Permission, then Advanced, then Owner
4. Change Owner to Administrator
5. Click Grant Full Control to Administrator
6. Then iterate for all subkeys

Next, save the following to a file with a .REG extension, such as Disable_Row_Position.reg:

    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}]

Run Disable_Row_Position.reg with the following command from an elevated command prompt:

    Regedit.exe /s Disable_Row_Position.reg

Impact of workaround: All ADO applications using the RowPosition property and related information will stop functioning. All OLE DB applications using the OLE DB Row Position Library will stop functioning.

How to undo the workaround Restore the original state by running the following command from an elevated command prompt:

    Regedit.exe /s Disable_Row_Position_backup.reg
• Unregister OLEDB32.DLL

Run the following commands from a command prompt as an administrator:

• For supported versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 for 32-bit Systems:

    Regsvr32.exe /u "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

• For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems:

    Regsvr32.exe /u "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    Regsvr32.exe /u "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll"

Impact of workaround: All OLE DB and ADO applications will stop functioning. This includes all ASP/ADO implementations, SQL Server linked services, .Net applications using the System.Data.OLEDB namespace, and some Office functionality that accesses external data.

How to undo the workaround Run the following commands from a command prompt as an administrator:

• For supported versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 for 32-bit Systems:

    Regsvr32.exe "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

• For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems:

    Regsvr32.exe "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    Regsvr32.exe "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll"
• Use ACL to disable OLEDB32.DLL

Run the following commands from a command prompt as an administrator:

• For supported versions of Windows 2000, Windows XP, and Windows Server 2003:

    cacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N

• For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, and Windows Server 2003 for Itanium-based Systems:

    cacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N
    cacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N

• For supported versions of Windows Vista and Windows Server 2008 for 32-bit Systems:

    takeown /f "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.32.dll.TXT
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)

• For supported versions of Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems:

    takeown /f "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.64.dll.TXT
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)
    takeown /f "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll"
    icacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.32.dll.TXT
    icacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)

Impact of workaround: All OLE DB and ADO applications will stop functioning. This includes all ASP/ADO implementations, SQL Server linked services, .Net applications using the System.Data.OLEDB namespace, and some Office functionality that accesses external data.

How to undo the workaround Run the following commands from a command prompt as an administrator:

• For supported versions of Windows 2000, Windows XP, and Windows Server 2003:

    cacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /E /R everyone

• For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, and Windows Server 2003 for Itanium-based Systems:

    cacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /E /R everyone
    cacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll" /E /R everyone

• For supported versions of Windows Vista and Windows Server 2008 for 32-bit Systems:

    icacls "%ProgramFiles%\Common Files\System\Ole DB" /restore %TEMP%\oledb32.32.dll.TXT

• For supported versions of Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems:

    icacls "%ProgramFiles%\Common Files\System\Ole DB" /restore %TEMP%\oledb32.32.dll.TXT
    icacls "%ProgramFiles(x86)%\Common Files\System\Ole DB" /restore %TEMP%\oledb32.64.dll.TXT
• Enable DEP for Internet Explorer 7 on Windows Vista and on Windows Server 2008

Local Administrators can control DEP/NX by running Internet Explorer as an Administrator. To enable DEP, perform the following steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click Advanced.
2. Click Enable memory protection to help mitigate online attacks.

Impact of workaround: Some browser extensions may not be compatible with DEP and may exit unexpectedly. If this occurs, you can disable the add-on, or revert the DEP setting using the Internet Control Panel. This is also accessible using the System Control panel.
• Disable Data Binding support in Internet Explorer 8 Beta 2
Perform the following steps:
1. Set Internet and Local Intranet security zone settings to High.
2. Save the following to a file with a .REG extension, such as Disable_Data_Binding.reg, to add the feature control key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DATABINDING_SUPPORT]
"iexplore.exe"=dword:00000000
3. Run Disable_Data_Binding.reg with the following command from an elevated command prompt:
Regedit.exe /s Disable_Data_Binding.reg
Impact of workaround:
This workaround turns off data binding for all security zones. Any accessed Web sites that use data binding will no longer render properly.
How to undo the workaround
Use the following registry file to remove the feature control key:
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DATABINDING_SUPPORT]
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable. As a result, memory may be corrupted in such a way that an attacker could execute arbitrary code in the context of the logged-on user.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited the remote code execution vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user is logged on and reading e-mail messages or is visiting Web sites for any malicious action to occur. Therefore, any systems where e-mail messages are read or where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to browse and read e-mail on servers. However, best practices strongly discourage allowing this.

Which of the workarounds should I apply to my system in order to be protected?
Based on our investigation, setting the Internet zone security setting to High will protect users from known attacks. However, for the most effective protection, customers should evaluate a combination of using the High security setting in conjunction with one of the following workarounds:
• Disable XML Island functionality
• Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL
• Disable Row Position functionality of OLEDB32.dll
• Unregister OLEDB32.dll
• Use ACL to disable OLEDB32.dll
For additional workaround details, please see the following post: .
Each of these workarounds is equally effective in protecting customers; however, each workaround has a different impact depending on the environment in which it is applied. We encourage customers to evaluate which of the workarounds would be least impactful to their environment, based on the impact statements included with each workaround.

How does configuring the Internet zone security setting to High protect me from this vulnerability?
Setting the Internet zone security setting to High protects against all currently known exploits of this vulnerability by disabling scripting, disabling less secure features in Internet Explorer, and blocking known techniques used to bypass Data Execution Prevention (DEP). It is important to note that the vulnerable code may still be reached with these protections in place; however, current attacks would not be successful with these workarounds applied. In other words, the High setting blocks the delivery of the known attacks, it does not remove the bug.

How does Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 on Windows Vista and later protect me from this vulnerability?
Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista run in Protected Mode by default in the Internet security zone. (Protected Mode is off by default in the Intranet zone.) Protected Mode significantly reduces the ability of an attacker to write, alter, or destroy data on the user’s machine or to install malicious code. This is accomplished by using the integrity mechanisms of Windows Vista, which restrict access to processes, files, and registry keys with higher integrity levels. Protected Mode does not stop the exploit itself; the attacker's code still runs, but at low integrity, which limits what it can reach.

What is Data Execution Prevention (DEP)?
Data Execution Prevention (DEP) is included in Internet Explorer; it is disabled by default in Internet Explorer 7, and enabled by default in Internet Explorer 8 Beta 2. DEP is designed to help foil attacks by preventing code from running in memory that is marked non-executable. For more information about DEP in Internet Explorer, please see the following post: http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx.
Recently, proof of concept code was published that demonstrates methods to bypass DEP. However, the workarounds included in this bulletin, of setting the security slider to High as well as applying one of the OLEDB32.dll workarounds, are still effective in blocking current attacks.

What does the update do?
The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2008-4844.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.
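The workarounds above and the FAQ's advice on the High zone setting and Protected Mode are all registry or ACL state on the client, so they can be verified rather than assumed. The script below is added here as an example (it is not part of the MS08-078 bulletin and not a Microsoft tool): it reports whether the FEATURE_DATABINDING_SUPPORT key is set for iexplore.exe, whether oledb32.dll carries the Deny/Everyone ACE from the "Use ACL to disable OLEDB32.dll" workaround, and what the Internet and Local intranet zones are set to. The function name is invented; the Wow6432Node path is this example's assumption about where the 32-bit IE process reads the key on x64 Windows (the bulletin lists only the native path); the zone value encodings in the comments are the documented IE registry values.

```powershell
# Added example (not from the MS08-078 bulletin): audit which of the
# bulletin's workarounds are in effect on this host. Run from an elevated
# PowerShell 3.0+ prompt (reads HKLM and the oledb32.dll ACLs).
function Get-MS08078WorkaroundState {
    $state = [ordered]@{}

    # 1. "Disable Data Binding": FEATURE_DATABINDING_SUPPORT = 0 for iexplore.exe.
    #    Assumption: on x64 Windows the 32-bit iexplore.exe reads the Wow6432Node
    #    view of HKLM\SOFTWARE, so both views are inspected.
    $fcKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DATABINDING_SUPPORT',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DATABINDING_SUPPORT'
    )
    foreach ($key in $fcKeys) {
        $item = Get-ItemProperty -Path $key -Name 'iexplore.exe' -ErrorAction SilentlyContinue
        $state["DataBindingDisabled[$key]"] = ($null -ne $item -and $item.'iexplore.exe' -eq 0)
    }

    # 2. "Use ACL to disable OLEDB32.dll": a Deny / Everyone / Full control ACE on the DLL.
    $dlls = @("$env:ProgramFiles\Common Files\System\Ole DB\oledb32.dll")
    if (${env:ProgramFiles(x86)}) {
        $dlls += "${env:ProgramFiles(x86)}\Common Files\System\Ole DB\oledb32.dll"
    }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($dll in $dlls) {
        if (-not (Test-Path -LiteralPath $dll)) {
            $state["OleDbDenied[$dll]"] = 'file not present'
            continue
        }
        $acl  = Get-Acl -LiteralPath $dll
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        $state["OleDbDenied[$dll]"] = [bool]$deny
        # takeown changes the owner and icacls /restore does not change it back,
        # so the owner is reported to help verify the undo step as well.
        $state["OleDbOwner[$dll]"] = $acl.Owner
    }

    # 3. Zone settings for the current user: zone 1 = Local intranet, zone 3 = Internet.
    #    CurrentLevel: 0x10000 Low, 0x10500 Medium-Low, 0x11000 Medium,
    #    0x11500 Medium-High, 0x12000 High (the bulletin's recommendation).
    #    Value "2500" is Protected Mode: 0 = on, 3 = off (Windows Vista and later).
    foreach ($zone in 1, 3) {
        $zk = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $zp = Get-ItemProperty -Path $zk -ErrorAction SilentlyContinue
        $level = if ($zp) { $zp.CurrentLevel } else { $null }
        $state["ZoneHigh[$zone]"]      = ($level -eq 0x12000)
        $state["ProtectedMode[$zone]"] = ($zp -and $zp.'2500' -eq 0)
    }
    return $state
}

$result = Get-MS08078WorkaroundState
$result.GetEnumerator() | ForEach-Object { '{0,-90} {1}' -f $_.Key, $_.Value }
```

The zone values are read from HKCU, so the result describes the user running the script; to audit another user's profile, load that user's hive or run the script in their session. The oledb32.dll checks need no elevation to read, but the function is written to be run elevated so that the Wow6432Node key and both Program Files trees are reachable on every supported platform.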
Manage
the software and security updates you need to deploy to the servers,
desktop, and mobile computers in your organization. For more
information see the TechNet Update Management Center. The Microsoft TechNet Security Web site provides additional information about security in Microsoft products. Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available at the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update." Finally, security updates can be downloaded from the Microsoft Update Catalog.
The Microsoft Update Catalog provides a searchable catalog of content
made available through Windows Update and Microsoft Update, including
security updates, drivers and service packs. By searching using the
security bulletin number (such as, “MS08-010”), you can add all of the
applicable updates to your basket (including different languages for an
update), and download to the folder of your choosing. For more
information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

Detection and Deployment Guidance
Microsoft has provided detection and deployment guidance for this month’s
security updates. This guidance will also help IT professionals
understand how they can use various tools to help deploy the security
update, such as Windows Update, Microsoft Update, Office Update, the
Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool,
Microsoft Systems Management Server (SMS), and the Extended Security
Update Inventory Tool. For more information, see Microsoft Knowledge Base Article 910723.

Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer. The following table provides the MBSA detection summary for this security update.

Software | MBSA 2.1
Microsoft Windows 2000 Service Pack 4 | Yes
Windows XP Service Pack 2 and Windows XP Service Pack 3 | Yes
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Yes
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Yes
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Yes
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Yes
Windows Vista and Windows Vista Service Pack 1 | Yes
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 | Yes
Windows Server 2008 for 32-bit Systems | Yes
Windows Server 2008 for x64-based Systems | Yes
Windows Server 2008 for Itanium-based Systems | Yes

For more information about MBSA 2.1, see MBSA 2.1 Frequently Asked Questions.

Windows Server Update Services
By
using Windows Server Update Services (WSUS), administrators can deploy
the latest critical updates and security updates for Windows 2000
operating systems and later, Office XP and later, Exchange Server 2003,
and SQL Server 2000 to Windows 2000 and later operating systems. For
more information about how to deploy this security update using Windows
Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server
The following table provides the SMS detection and deployment summary for this security update (the four columns are the SMS versions described in the notes that follow the table).

Software | SMS 2.0 | SMS 2003 with SUSFP | SMS 2003 with ITMU | Configuration Manager 2007
Microsoft Windows 2000 Service Pack 4 | Yes | Yes | Yes | Yes
Windows XP Service Pack 2 and Windows XP Service Pack 3 | Yes* | Yes* | Yes | Yes
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | No | No | Yes | Yes
Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 Service Pack 2 | Yes* | Yes* | Yes | Yes
Windows Server 2003 x64 Edition and Microsoft Windows Server 2003 x64 Edition Service Pack 2 | No | No | Yes | Yes
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | No | No | Yes | Yes
Windows Vista and Windows Vista Service Pack 1 | No | No | See Note for Windows Vista and Windows Server 2008 below | Yes
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 | No | No | See Note for Windows Vista and Windows Server 2008 below | Yes
Windows Server 2008 for 32-bit Systems | No | No | See Note for Windows Vista and Windows Server 2008 below | Yes
Windows Server 2008 for x64-based Systems | No | No | See Note for Windows Vista and Windows Server 2008 below | Yes
Windows Server 2008 for Itanium-based Systems | No | No | See Note for Windows Vista and Windows Server 2008 below | Yes
*SMS
2.0 and SMS 2003 with SUSFP support all affected versions of Internet
Explorer except for Internet Explorer 7. For more information, see Microsoft Knowledge Base Article 924178. For
SMS 2.0 and SMS 2003, the SMS SUS Feature Pack (SUSFP), which includes
the Security Update Inventory Tool (SUIT), can be used by SMS to detect
security updates. See also Downloads for Systems Management Server 2.0. For
SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can
be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, see SMS 2003 Inventory Tool for Microsoft Updates.
SMS 2003 can also use the Microsoft Office Inventory Tool to detect
required updates for Microsoft Office applications. For more
information about the Office Inventory Tool and other scanning tools,
see SMS 2003 Software Update Scanning Tools. See also Downloads for Systems Management Server 2003.

System Center Configuration Manager 2007 uses WSUS 3.0 for detection of updates. For more information about Configuration Manager 2007 Software Update Management, visit System Center Configuration Manager 2007.

Note for Windows Vista and Windows Server 2008
Microsoft Systems Management Server 2003 with Service Pack 3 includes support for Windows Vista and Windows Server 2008 manageability. For more information about SMS, visit the SMS Web site. For more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.

Update Compatibility Evaluator and Application Compatibility Toolkit
Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit 5.0. The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment.
Microsoft Security Bulletin MS08-078 - Critical
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Thu, Nov 20, 2008 @ 01:25 PM
Minimum Standard for protection of personal information
In the Commonwealth of Massachusetts we have a new (law) regulation that establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. It's my understanding this affects all businesses. It has been postponed till May 2009, but it is the law.
For your light reading late at night, here is a copy of the law....

201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth
Section:
17.01: Purpose and Scope
17.02: Definitions
17.03: Duty to Protect and Standards for Protecting Personal Information
17.04: Computer System Security Requirements

17.01 Purpose and Scope
(a) Purpose
This
regulation implements the provisions of M.G.L. c. 93H relative to the
standards to be met by persons who own, license, store or maintain
personal information about a resident of the Commonwealth of
Massachusetts. This regulation establishes minimum standards to be met
in connection with the safeguarding of personal information contained
in both paper and electronic records. Further purposes are to (i)
ensure the security and confidentiality of such information in a manner
consistent with industry standards, (ii) protect against anticipated
threats or hazards to the security or integrity of such information,
and (iii) protect against unauthorized access to or use of such
information in a manner that creates a substantial risk of identity
theft or fraud against such residents.
(b) Scope
The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.

17.02: Definitions
The following words as used herein shall, unless the context requires otherwise, have the following meanings:
"Breach
of security", the unauthorized acquisition or unauthorized use of
unencrypted data or, encrypted electronic data and the confidential
process or key that is capable of compromising the security,
confidentiality, or integrity of personal information, maintained by a
person or agency that creates a substantial risk of identity theft or
fraud against a resident of the commonwealth. A good faith but
unauthorized acquisition of personal information by a person or agency,
or employee or agent thereof, for the lawful purposes of such person or
agency, is not a breach of security unless the personal information is
used in an unauthorized manner or subject to further unauthorized
disclosure. “Electronic,” relating to technology having
electrical, digital, magnetic, wireless, optical, electromagnetic or
similar capabilities. "Encrypted," the transformation of data
through the use of an algorithmic process, or an alternative method at
least as secure, into a form in which meaning cannot be assigned
without the use of a confidential process or key, unless further
defined by regulation by the office of consumer affairs and business
regulation. “Person,” a natural person, corporation, association,
partnership or other legal entity, other than an agency, executive
office, department, board, commission, bureau, division or authority of
the Commonwealth, or any of its branches, or any political subdivision
thereof. "Personal information," a Massachusetts resident's
first name and last name or first initial and last name in combination
with any one or more of the following data elements that relate to such
resident: (a) Social Security number; (b) driver's license number or
state-issued identification card number; or (c) financial account
number, or credit or debit card number, with or without any required
security code, access code, personal identification number or password,
that would permit access to a resident’s financial account; provided,
however, that “Personal information” shall not include information that
is lawfully obtained from publicly available information, or from
federal, state or local government records lawfully made available to
the general public. “Record” or “Records,” any material upon
which written, drawn, spoken, visual, or electromagnetic information or
images are recorded or preserved, regardless of physical form or
characteristics.

17.03: Duty to Protect and Standards for Protecting Personal Information
Every
person that owns, licenses, stores or maintains personal information
about a resident of the Commonwealth shall develop, implement, maintain
and monitor a comprehensive, written information security program
applicable to any records containing such personal information. Such
comprehensive information security program shall be reasonably
consistent with industry standards, and shall contain administrative,
technical, and physical safeguards to ensure the security and
confidentiality of such records. Moreover, the safeguards contained in
such program must be consistent with the safeguards for protection of
personal information and information of a similar character set forth
in any state or federal regulations by which the person who owns,
licenses, stores or maintains such information may be regulated. Whether
the comprehensive information security program is in compliance with
these regulations for the protection of personal information, whether
pursuant to section 17.03 or 17.04 hereof, shall be evaluated taking
into account (i) the size, scope and type of business of the person
obligated to safeguard the personal information under such
comprehensive information security program, (ii) the amount of
resources available to such person, (iii) the amount of stored data,
and (iv) the need for security and confidentiality of both consumer and
employee information. Without limiting the generality of the
foregoing, every comprehensive information security program shall
include, but shall not be limited to: (a) Designating one or more employees to maintain the comprehensive information security program; (b)
Identifying and assessing reasonably foreseeable internal and external
risks to the security, confidentiality, and/or integrity of any
electronic, paper or other records containing personal information, and
evaluating and improving, where necessary, the effectiveness of the
current safeguards for limiting such risks, including but not limited
to: (i) ongoing employee (including temporary and contract employee)
training; (ii) employee compliance with policies and procedures; and
(iii) means for detecting and preventing security system failures. (c)
Developing security policies for employees that take into account
whether and how employees should be allowed to keep, access and
transport records containing personal information outside of business
premises. (d) Imposing disciplinary measures for violations of the comprehensive information security program rules. (e)
Preventing terminated employees from accessing records containing
personal information by immediately terminating their physical and
electronic access to such records, including deactivating their
passwords and user names. (f) Taking reasonable steps to
verify that third-party service providers with access to personal
information have the capacity to protect such personal information,
including (i) selecting and retaining service providers that are
capable of maintaining safeguards for personal information; and (ii)
contractually requiring service providers to maintain such safeguards.
Prior to permitting third-party service providers access to personal
information, the person permitting such access shall obtain from the
third-party service provider a written certification that such service
provider has a written, comprehensive information security program that
is in compliance with the provisions of these regulations. (g)
Limiting the amount of personal information collected to that
reasonably necessary to accomplish the legitimate purpose for which it
is collected; limiting the time such information is retained to that
reasonably necessary to accomplish such purpose; and limiting access to
those persons who are reasonably required to know such information in
order to accomplish such purpose or to comply with state or federal
record retention requirements. (h) Identifying paper,
electronic and other records, computing systems, and storage media,
including laptops and portable devices used to store personal
information, to determine which records contain personal information,
except where the comprehensive information security program provides
for the handling of all records as if they all contained personal
information. (i) Reasonable restrictions upon physical
access to records containing personal information, including a written
procedure that sets forth the manner in which physical access to such
records is restricted; and storage of such records and data in locked
facilities, storage areas or containers. (j) Regular
monitoring to ensure that the comprehensive information security
program is operating in a manner reasonably calculated to prevent
unauthorized access to or unauthorized use of personal information; and
upgrading information safeguards as necessary to limit risks. (k) Reviewing
the scope of the security measures at least annually or whenever there
is a material change in business practices that may reasonably
implicate the security or integrity of records containing personal
information. (l) Documenting responsive actions taken in
connection with any incident involving a breach of security, and
mandatory post-incident review of events and actions taken, if any, to
make changes in business practices relating to protection of personal
information.

17.04: Computer System Security Requirements
Every
person that owns, licenses, stores or maintains personal information
about a resident of the Commonwealth and electronically stores or
transmits such information shall include in its written, comprehensive
information security program the establishment and maintenance of a
security system covering its computers, including any wireless system,
that, at a minimum, shall have the following elements: (1) Secure user authentication protocols including: (i) control of user IDs and other identifiers; (ii)
a reasonably secure method of assigning and selecting passwords, or use
of unique identifier technologies, such as biometrics or token devices; (iii)
control of data security passwords to ensure that such passwords are
kept in a location and/or format that does not compromise the security
of the data they protect; (iv) restricting access to active users and active user accounts only; and (v)
blocking access to user identification after multiple unsuccessful
attempts to gain access or the limitation placed on access for the
particular system;
(2) Secure access control measures that: (i) restrict
access to records and files containing personal information to those
who need such information to perform their job duties; and (ii) assign
unique identifications plus passwords, which are not vendor supplied
default passwords, to each person with computer access, that are
reasonably designed to maintain the integrity of the security of the
access controls;
(3) To the extent
technically feasible, encryption of all transmitted records and files
containing personal information that will travel across public
networks, and encryption of all data to be transmitted wirelessly. (4) Reasonable monitoring of systems, for unauthorized use of or access to personal information; (5) Encryption of all personal information stored on laptops or other portable devices; (6) For
files containing personal information on a system that is connected to
the Internet, there must be reasonably up-to-date firewall protection
and operating system security patches, reasonably designed to maintain
the integrity of the personal information. (7) Reasonably
up-to-date versions of system security agent software which must
include malware protection and reasonably up-to-date patches and virus
definitions, or a version of such software that can still be supported
with up-to-date patches and virus definitions, and is set to receive
the most current security updates on a regular basis. (8)
Education and training of employees on the proper use of the computer security system and the importance of personal information security.

17.05: Effective Date
These regulations shall take effect on January 1, 2009.
REGULATORY AUTHORITY: 201 CMR 17.00: M.G.L. c. 93H

It is my understanding this will not go into effect now till May 2009. You should go to the actual state law for the most current information.
Posted Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Mon, Nov 10, 2008 @ 09:35 PM
I became acutely aware first hand how important it is to protect oneself online when my 20-year-old son's identity was stolen. It hit home so hard that I have written a number of blog entries on it. Ntirety also has launched a practice that specializes in Database Security. Here are some of my past blogs....

You thought you had to worry about your identity being stolen; what about that of your PC? Identity theft is a real problem and keeps growing. On January 30th, 2008, I talked about how my son, who is attending college, had his identity stolen. Who would have thought they would steal the credit identity of a 20-year-old? Click here to read the blog entry.. Identity Theft Hits Home - Lessons Learned. In that blog I give you many helpful hints on what to do when your credit identity is stolen. It's loaded with a lot of useful tips.

On August 14th, 2008, I posted a video of someone using a SQL Injection attack to break into an Oracle Linux database. Seeing how easy it was is quite a shock. Face it, there's big money in stealing the information stored in an Oracle Database, SQL Server Database and any other database that contains credit card information, etc. Click here to see the video of a SQL Injection attack.. SQL Injection Attack Oracle LINUX Database

What is clear to me is that you have to be very careful. The latest blog is on Nigerian scammers who recently infiltrated Facebook. It comes to me via the
Sydney Morning Herald: Cyber criminals target Facebook users
Asher Moses, November 10, 2008 - 2:27PM
Facebook has been infiltrated by Nigerian scammers and other
cyber criminals who use compromised accounts to con users out of
cash.
Now that even non-tech savvy internet users know not to respond
to, or click on links in, emails from strangers, online thieves
have turned to social networks and are finding it is easier to
trick people when posing as their friends.
On Friday, Sydneysider Karina Wells received a Facebook message
from one of her friends, Adrian, saying he was stranded in Lagos,
Nigeria, and needed her to lend him $500 for a ticket home.
Adrian used relatively good English but, after chatting further,
words such as "cell" instead of "mobile phone" tipped Wells off
that she was not talking to her friend but someone who had taken
over his account.
Using sites such as Facebook allows scammers to research and
target victims more effectively and avoid having their messages
blocked by spam filters, said Paul Ducklin, head of technology at
Sophos Asia Pacific.
It is likely the scammer obtained Adrian's Facebook login
details after he was infected with a virus delivered by email or in
an infected web page.
There are a number of viruses which, once installed on a
computer, send back to the hacker a detailed log of everything
entered using the keyboard, including online banking details and
passwords for services such as Facebook.
Wells played along with the scammer, who asked her to transfer
the money into a Western Union account.
"Naturally I was concerned as, to all intents and purposes, this
seemed to be legitimate," she said.
"I pretended that I would help, obtained all the details of
where he was and forwarded them to both Facebook and the relevant
authorities."
But while the Nigerian scammer used the compromised Facebook
account coupled with social engineering tactics to try to convince
Wells to hand over money, many are using compromised accounts to
spread malware.
Typically, the victim receives a Facebook message from a friend
with a subject such as "LOL. You've been catched on hidden cam, yo"
or "Nice dancing! Shouldn't you be ashamed?"
The body of the message contains a video clip link that appears
to go to a legitimate site such as Facebook or YouTube but, when
clicked on, it takes the user to a bogus web page.
Before the users can play the video they are told they need to
download a video player upgrade, which is in fact a
password-stealing virus.
The next time the victim logs into Facebook the malware-laden
message is sent to all of their friends and the infected link is
automatically added in comments on friends' pages.
Other less sophisticated attacks on Facebook members use spam
emails, some appearing to come from Facebook itself, to spread
viruses.
In September security firm WebSense reported on spam emails,
purportedly sent from an @facebookmail.com address, that tell the
victim they have received an invitation from Facebook to add a
friend.
"The spammers included a zip attachment that purports to contain
a picture in order to entice the recipient to double-click on it.
The attached file is actually a Trojan horse," WebSense said.
To read the original article: Cyber criminals target Facebook Users
Posted by Michael Corey, Founder & CEO, Ntirety www.ntirety.com
Posted on Fri, Oct 24, 2008 @ 03:14 PM
As you are well aware if you read my previous blog entry, Microsoft has just released a new critical patch, Microsoft Security Bulletin MS08-067. Here are some FAQs:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability over RPC without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. If successfully exploited, an attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.
What causes the vulnerability?
The vulnerability is caused by the Windows Server service not properly handling specially crafted RPC requests.
What is the Server service?
The Server service provides RPC support, file and print support, and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.
What is RPC?
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by sending a specially crafted message to an affected system. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, any anonymous user with access to the target network could deliver a specially crafted network packet to the affected system in order to exploit this vulnerability. On Windows Vista and Windows Server 2008 systems, however, only an authenticated user with access to the target network could deliver a specially crafted network packet to the affected system in order to exploit this vulnerability.
What systems are primarily at risk from the vulnerability?
While all workstations and servers are at risk regarding this issue, systems running Microsoft Windows 2000, Windows XP, or Windows Server 2003 are primarily at risk due to the unique characteristics of the vulnerability and affected code path.
What does the update do?
The update addresses the vulnerability by correcting the manner in which the Server service handles RPC requests.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability. However, when the security bulletin was released, Microsoft had not seen any examples of proof of concept code published.
Does applying this security update help protect customers from the code that attempts to exploit this vulnerability?
Yes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2008-4250.
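The bulletin's answer to "what does the update do" is the whole remediation story: the fix is the update itself, so the check a DBA acting as de facto security officer wants is whether the MS08-067 fix (Knowledge Base article 958644) is actually present on each Windows host, and whether the Server service that hosts the affected RPC code path is running there. The PowerShell script below is an added example, not code from this post or from Microsoft; it assumes Windows PowerShell 2.0 or later (Get-HotFix did not exist in 1.0) and that LanmanServer is the service name behind the display name "Server".

```powershell
# Added example (not from the original post or from Microsoft's bulletin).
# Reports whether KB958644, the file-information article cited for MS08-067,
# is installed and whether the Server service (LanmanServer) is running.
# Requires Windows PowerShell 2.0 or later; run from an elevated prompt so
# the installed-update list and service state are readable.

$KB = 'KB958644'   # hotfix id from the post; change for another bulletin

function Test-MS08067Status {
    # Get-HotFix enumerates installed updates (Win32_QuickFixEngineering).
    $fix = Get-HotFix -ErrorAction SilentlyContinue |
           Where-Object { $_.HotFixID -eq $KB }

    # 'LanmanServer' is the service name of the "Server" service the FAQ describes.
    $srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue

    # Return a plain object so the result can be piped to Export-Csv for a fleet.
    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = [Environment]::OSVersion.Version.ToString()
        PatchInstalled = [bool]$fix
        InstalledOn    = $(if ($fix) { $fix.InstalledOn } else { $null })
        ServerService  = $(if ($srv) { $srv.Status.ToString() } else { 'not present' })
    }
}

$status = Test-MS08067Status
$status | Format-List ComputerName, OSVersion, PatchInstalled, InstalledOn, ServerService

# Unpatched host with the Server service up: the RPC path from the FAQ is reachable.
if (-not $status.PatchInstalled -and $status.ServerService -eq 'Running') {
    Write-Warning "$KB is missing and the Server service is running on $($status.ComputerName): apply the MS08-067 update from Windows Update or Microsoft Update."
}
```

Get-HotFix only knows about updates recorded in the installed-updates list, so a host whose update history was wiped can show as unpatched when it is not; the Microsoft Baseline Security Analyzer named below does a file-version comparison and is the better authority when the two disagree.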
Here are some additional resources you should be aware of:
- The full bulletin for MS08-067
- File information details can be found in Microsoft Knowledge Base Article 958644
Security updates are available from:
- Office Update
- Microsoft Update
- Windows Update
- Microsoft TechNet Security TechCenter, as a source of security information: http://technet.microsoft.com/security
Security updates are also available from the Microsoft Download Center and the Microsoft Baseline Security Analyzer.
Note: this was updated from the original post.
Posted by Michael Corey, Founder & CEO www.ntirety.com
Posted on Thu, Oct 16, 2008 @ 10:02 PM
Many a company did not take security seriously enough and has paid the price. The problem is not only that they paid the price, but so did their customers. Too many times in the past few years, I have had to request new credit cards to protect myself.
My oldest child who was attending college even had his identity stolen. I wrote a blog entry with lots of useful information....
Identity Theft Hits Home - Lessons Learned
One of the most important jobs of a DBA is the protection of your corporate data from internal and external threats. As if the job of a DBA was not hard enough, they now have the added burden of dealing with security. In many small companies the DBA is your de facto security officer. Many of Ntirety's clients ask us what their options are in terms of protecting the database from external and internal threats. The correct answer to that question depends on a lot of factors specific to your situation and budget.
A good friend of mine, Paresh Amin, has agreed to do a webinar on the value of database penetration and vulnerability testing. I have known Paresh since he worked at State Street Bank. Paresh is a CISSP and former Director of Information Security with Experian. Paresh is very articulate and very knowledgeable about all the options open to you when securing your database. Paresh is also very knowledgeable on the whole suite of software and hardware options. Anyone interested in learning more on the topic of database security should attend this webinar. Here is the description of the webinar:
Ntirety, The Database Administration Experts, To Discuss The Value of Database Penetration & Vulnerability Testing
Ntirety invites Paresh Amin, a CISSP and former Director of Information Security with Experian and Tizor Systems, to discuss some of the best practices to maintain a high level of database security. His presentation will focus on the importance of database penetration and vulnerability testing in today's highly sensitive information security world. During this webinar, Mr. Amin will discuss:
- Why backend database testing is just as vital as front end testing
- How to avoid backend database malfunctions that cause things like: system deadlock, data corruption, poor database performance, and data loss
- An overview of backend database testing (functional vs. structural)
- An overview of high profile database attacks in the past few years
By attending this event you will walk away with an understanding of the overall benefits of a database vulnerability assessment (or database penetration test) and some basic ideas on how to structure your own database security testing policies.
To learn more and sign up to attend the webinar: Ntirety, The Database Administration Experts To Discuss The Value of Database Penetration & Vulnerability Testing
Posted by Michael Corey, Ntirety www.ntirety.com
Posted on Sat, Sep 13, 2008 @ 03:55 PM