The online security forum CastleCops has ceased operations after more than 5 years of support to malware victims through out the world. Going to the site today, http://www.castlecops.com/, I was meet with this page:

Greetings Folks,

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

With respect to the server marathon, by March 17 2009 CastleCops will refund contributions made through PayPal that were specifically designated for servers. Unfortunately, server donations made via check cannot be returned because we do not have the addresses for the donating entity. Unless instructed otherwise, CastleCops will re-allocate these funds as a donation to the Internet Systems Consortium (ISC.org). This organization sponsored our hosting environment for approximately the past 2 years. Please contact us [cc at laudanski dot com] before March 17, 2009, if you would like a return of your server marathon donation. Otherwise, we would like to thank the ISC for their unfettered support.

We thank everyone in creating our unique footprint and memories in time.

Love, Best Wishes and Happy Holidays, CastleCops
PST 23 Dec 2008

CastleCops was home to many unique communities that aided in the fight against the spread of malware software and sites. Communities such as the Malware Incident Response Team, Phishing Incident Response Team, and the Malware Digest. CastleCops was at the forefront of the battle for quite some time, and many of the malware removal experts could be found hanging out at CastleCops at any givien time of the day or night. CastleCops has been a victim of numerous DDoS attacks over the past 2 years; and with Paul and Robin Laudanski having transfered ownership of CastleCops, after Paul took a job with MicroSoft, in steady decline.

CastleCops will be missed.

Normally Microsoft does not push out updates until the 2nd Tuesday of the Month. They deemed this one critical enough to make it available right now from Windows Update.

Windows Update Site

Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008

Version: 1.0

MS08-067: Vulnerability in Server service could allow remote code execution

Recommendation is to update and install this fix as soon as possible.

Over that past few months Castle Cops has been experiencing technical difficulties that often cause connection issues.  Frustrating many and leading me to wonder about the health and future of this great asset to the online security community at large.  A great many of us rely on the information contained in the various lists, maintained at Castle Cops, to determine the legitimacy of an entry in a HijackThis log.  Those lists have a new home, http://www.systemlookup.com/.

In a message by javacool:

I’m happy to announce a new, dedicated home for the CLSID + other helper lists: http://www.systemlookup.com

The list maintainers, contributors and I have been working on this site non-stop, and enough features are up and running to get it in the hands of the people that need it.

Although global search of all lists isn’t yet up, you can browse and search by list: http://www.systemlookup.com/lists.php
The following lists are currently available, with more (the O4s and others) coming soon:

* CLSID List - BHOs, Toolbars, SHs, Explorer Bars
* O9 List - Internet Explorer Buttons
* O10 List - Layered Service Providers
* O18 List - Extra protocols
* O20 List - AppInit_DLLs & Winlogon Notify
* O21 List - ShellServiceObjectDelayLoad
* O22 List - Shared Task Scheduler
* O23 List - Services

We look forward to continuing to improve the site and building some great new features to make things even easier.

But for now - Enjoy!

Best regards,

Javacool & the List Maintainers and Contributors:

TonyKlein
miekiemoes
Metallica
random/random
nasdaq
teacup61
Marckie
Zupe

Looks fantastic!  Congratulations on your new home.

think you can tell if you have a virus without av? think you’re smart enough to avoid viruses? you might need to think again

read more | digg story

Posted today by Chris Keroack [MSFT] at 21 Apr 2008 5:04 PM UTC on TechNet Forums

Today we are happy to announce that Windows XP Service Pack 3 (SP3) has released to manufacturing (RTM). Windows XP SP3 bits are now working their way through our manufacturing channels to be available to OEM and Enterprise customers.

We are also in the final stages of preparing for release to the web (i.e. you!) on April 29th, via Windows Update and the Microsoft Download Center. Online documentation for Windows XP SP3, such as Microsoft Knowledge Base articles and the Microsoft TechNet Windows XP TechCenter, will be updated then. For customers who use Windows XP at home, Windows XP SP3 Automatic Update distribution for users at home will begin in early summer.

Thanks to everyone here who installed the public betas – you not only gave us detailed feedback but also helped each other out with timely troubleshooting. Through the beta program we found several important issues and were able to confirm some essential fixes. We couldn’t have done this without you.

We will still be monitoring this forum during the next few weeks in case you have more feedback about the release of Windows XP SP3.

On behalf of myself, Shashank Bansal and Windows Serviceability, many thanks.

Chris Keroack
Release Manager, Windows XP Service Pack 3
Windows Serviceability

Microsoft Security Advisory (951306)

Vulnerability in Windows Could Allow Elevation of Privilege

Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

General Information

Purpose of Advisory: To provide customers with the initial notification and provide additional information regarding the impact to Windows service accounts. For more information, see the Workarounds and Suggested Actions sections of the security advisory.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

This advisory discusses the following software.

Frequently Asked Questions

Originally posted at Photo Matt

Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire” and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team is sifting through things to see what’s valid or not.  [More ...]

I’ve come the conclusion, that the writer’s for main stream technical publications; are just as over-the-top, as any other journalist.

Very recently, some one discovered the Microsoft article, Strong passwords: How to create and use them, published 22 March, 2006. It’s 2 years old. The article as you can imagine is about creating strong passwords. About two-thirds down the page, you encounter this: The “blank password” option.

The author of the article goes on to say at this point, “A blank password (no password at all) on your account is more secure than a weak password such as “1234″.” Whoa, wait-a-minute, what the… Then he/she clarifies that statement, be explaining what he/she means.

What’s so special about a blank password? On a computer with Windows XP or newer installed, an account without a password cannot be accessed remotely by means such as a network or the Internet.

If the default settings have not been altered by the system user.

Under very specific conditions, and somewhat rare, the use of a blank password is just fine.

• You only have one computer or you have several computers but you do not need to access information on one computer from another one
• The computer is physically secure (you trust everyone who has physical access to the computer)

The second bullet is the most difficult condition to meet.

So, this passage of the MS article has been translated into “Blank Passwords Are More Secure” by the technical media. Have you lost your minds? Get real! The average non-technical reader is going to take that as gospel, and switch to using no password at all. Which, I have no doubt that many are doing so or using something like “password1″ or “1234″.

Now here comes my thoughts of the subject:

The sheer lunacy of even suggesting using a blank password for local log-on. That’s the first thing a hacker will try, when sitting in front of a terminal.

Forcing local log-in using a strong password is meant to prevent unauthorized access to the local system; and if the system is configured properly, you’ll be locked out after x number of failed attempts. Which, means reboot and start over. Brute force attacks aren’t effective when the system in configured correctly; and a hacker won’t spend that much time trying to get into the system.

If the system is connected to a network, then Network log-on should be required, and if that is configured properly; not only are you locked out of the system after x number of failed attempts, you are locked out of the network. Until the Network Administrator resets your account and issues you a new password.

There’s been a lot of articles talking about password strength, password security, password cracking of late. None of them, absolutely none of them, with the exception of the MS article, talk about the use of pass phrases of 15 character or greater in length. Why a pass phrase 15 characters or longer? They can not be broken by existing methods. They can be captured by keyloggers.

If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.

These articles also fail to point out that the hacker must have access, either remotely or locally, to crack a password. If they have access to the system, then they don’t need to crack the password. There are far more reliable (quicker) methods of compromising a system, Social Engineering attacks leading the way.

The rest of the Microsoft article, Strong passwords: How to create and use them, gives very sound advice on creating strong passwords. You should read it, following the advice given on that page will go a long ways to making your online experience a safer one.

Creating strong passwords and keeping them private, is just one piece of the security puzzle; a very critical piece, but still just one piece.

Products:
VMware ACE
VMware Player
VMware Workstation

Details:
Summary
On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host’s complete file system and create or modify executable files in sensitive locations.

Relevant Releases
Windows hosted versions of:

• VMware Workstation 6.0.2 and earlier
• VMware Workstation 5.5.4 and earlier
• VMware Player 2.0.2 and earlier
• VMware Player 1.0.4 and earlier
• VMware ACE 2.0.2 and earlier
• VMware ACE 1.0.2 and earlier

Note: The following VMware products are not affected:

• VMware Server is not affected because it does not use shared folders.
• No versions of ESX Server, including ESX Server 3i, are affected by this vulnerability. Because ESX Server is based on a bare-metal hypervisor architecture, not a hosted architecture, it does not include any shared folder abilities.
• VMware Fusion and Linux-hosted VMware products are unaffected.

Problem Description
The following description is from the Core Security Technologies advisory at http://www.coresecurity.com/?action=item&id=2129:
To improve user inter-operation with virtualized systems VMware’s software implements a number of inter-system communication features. The Shared Folder mechanism is one of such feature.

VMware’s shared folders allow users to transfer data between a virtualized system (Guest) and the non-virtualized Host system that contains it. This form of data transfer is available to users of the Guest system through read and write access to filesystem folders shared by both Guest and Host systems. To maintain effective isolation between Guest and Host systems, this mechanism should limit access from the Guest only to the Host system’s folders that are selected for sharing with the virtualized guests.

A vulnerability was found in VMware’s shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host’s file system including the system folder and other security-sensitive files. Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it.

Solution:
Response
By default, the shared folders feature is disabled in Workstation 6, Player 2, and ACE 2. In order to exploit this vulnerability, the virtual machine must have the shared folders feature manually enabled and at least one folder configured for sharing between the host and guest. Given the requirements of the vulnerability, it cannot be exploited by default in Workstation 6, Player 2, and ACE 2.

Workstation 5, Player 1, and ACE 1 enable the shared folders feature by default, but exploiting this vulnerability still requires at least one folder to be configured as shared between the host and guest. Given the requirements of the vulnerability, it cannot be exploited by default in Workstation 5, Player 1, and ACE 1.

The issue affects all currently supported Windows-hosted versions of VMware Workstation, ACE, and Player. The issue does not affect VMware ESX Server or VMware Desktop Infrastructure products. There have been no reports of this issue occurring in customer environments.
Workaround
Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders.

To disable shared folders in the Global settings:

1. From the VMware product’s menu, choose Edit > Preferences.
2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.

To disable shared folders for the individual virtual machine settings:

1. From the VMware product’s menu, choose VM > Settings.
2. In the Options tab, select Shared Folders and Disable.

References

• http://www.coresecurity.com/?action=item&id=2129
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1744
• http://www.securityfocus.com/bid/27944
• http://www.vmware.com/security/alerts/

Note: Some links might not be available until 2/25/2008.

Product Versions:
VMware ACE 1.0.x
VMware ACE 2.0.x
VMware Player 1.0.x (Windows Hosts)
VMware Player 2.0.x (Windows Hosts)
VMware Workstation 5.0.x (Windows hosts)
VMware Workstation 5.5.x (Windows hosts)
VMware Workstation 6.0.x (Windows Hosts)

Check your security applications before installing

According to Microsoft certain security applications are blocked from running, knowledge base article, due to “reliability” issues with Vista SP1.

The following security applications are blocked from running, if installed, after install SP1 for Vista:
BitDefender AntiVirus or Internet Security 10
Jiangmin KV Antivirus 10
Trend Micro Internet Security 2008
Zone Alarm Security Suite 7.1.078

If you have any of the above applications installed, see the vendor for a supported version; before installing SP1 for Vista.