Wednesday, May 13, 2009

Security update MS09-017 addresses the PowerPoint (PPT) zero-day vulnerability

From MSRC Engineering:

Security update MS09-017 addresses the PowerPoint (PPT) zero-day vulnerability that has recently been used in targeted attacks. We issued security advisory 969136 with workarounds on April 2nd after we first saw the exploits in-the-wild abusing this vulnerability. We also published an SRD blog entry describing how to analyze exploits and an MMPC blog entry with more details about the exploits we had seen. Now the security update is ready for you to install. This update has a few differences compared to previous Office security updates that we’d like to make sure you understand.

Microsoft Security Bulletin MS09-017 - Critical

Tuesday, May 12, 2009

When recruiters lie II

Rules of thumb when dealing with recruiters:

  • Stay away from anything that has the word “contract”.
  • Don’t trust the recruiter (internal company recruiters can be trusted a little more but still be careful).
  • If they don’t speak good English when calling you about a job hang up.
  • Don’t waste your time interviewing with a recruiter at a physical location. They often ask for this so they can see that you look presentable to the client. It has nothing to do with your skills and is a waste of your time. If they insist on this then move on... unless you want to waste your time.
  • If the job description is vague insist on getting details. Be persistent they will hide as much from you as possible.
  • When you interview with the company confirm it is a permanent position (recruiters will say it is perm just to get you to the interview where you find out it is really a contract).
  • Ask to see the benefits package before accepting the position.
  • Ask the recruiter how they are paid by the company seeking the contractor. Knowing the type of arrangement they have will help determine your standing. If they are a new recruiter to the company you might have a little more leverage.
  • Ask the recruiter how much they are charging the company for you. I doubt they will tell you, but that puts them on notice that you know what they are up to and not to play games with you.
  • Often the recruiter is stupid and does not know about the industry you work in or your skills (most of the time they don’t care and just want a warm body), so ask lots of questions and be persistent.
  • Stick to your guns when negotiating. Ask for way more than you think you are worth (trust me, you are worth more than you think). If they say you are too high, what they are really saying is that they can’t make any profit off of you. Ask them what the margin is. Remember you are bargaining with the recruiter, not the company, and the company does not care how much you make from the recruiter. They have worked out a separate deal with the recruiter. The recruiter sends the most profitable candidate for them to the company, not the most qualified for the job. The company does not care who is most qualified because it is just a temp job to them.

When recruiters lie

The phrases “contract to hire” or “temp to hire” seem at first to be tempting offers if you trust the recruiter you are working with. Keep in mind most recruiters don’t care about your well-being and will say anything or do anything to get you into the position they are pushing. Think of them as car salesmen. It is their commission that matters most to them. They will say the job is contract to hire when in fact it is only a contract and you will be out of a job in 30 or 90 days once the project is finished.

The reasoning they use is that the employer wants the opportunity to evaluate you before they make you permanent. This is a lie. If the company actually wanted a permanent employee they would hire one and would not use a recruiter. The company does not want to spend money on finding temporary employees, so they use recruiters. Recruiters know that most people won’t take an outright contract, so they have to fudge the truth and say it will turn into a permanent job. The truth is there is no such thing as a contract to hire. There are only contracts (temp jobs). Recruiters spin it to make it look better than it is. Don’t be fooled.

Companies play the game as well and may also say it will turn into a permanent position just to get you on board for the project. Once the project is finished, however, they get rid of you because to them you were nothing more than a temp worker. This setup works out great for the company because most of the work they have is project based and they need highly skilled workers for only a short time. They don’t have to worry about benefits or taxes; all they have to do is use a recruiter who is good at lying to people who think they are getting an opportunity to prove themselves when in fact it is all a lie.

If you decide to take a contract anyway, remember when negotiating pay that YOU have to pay your benefits. That means you pay for healthcare and retirement, and you get no time off. No sick time, no vacation time, no family leave time... nothing. If you have to miss work you simply lose pay, because as a contract worker you are paid hourly, not a salary. There are no raises and no bonuses. It may seem like they pay you a lot hourly, but remember they are not paying taxes for you and no benefits. They actually save money on you when you are a contractor. If they paid you the hourly rate that factored in all the benefits, lost wages for being sick, vacation, whatever, they could not afford you and they would not be able to make money off of you. A lot of people forget about this and realize (after they become a contractor) they are making less than if they were a perm employee. Think about it. How are recruiters able to stay in business? Why do companies do it? It’s not because they love paying high hourly wages. There are hidden costs to having a perm employee. Contractors are a cheap work force and it is all based on the lies of the company and the recruiters. The business of contracting is based on taking advantage of people who simply don’t know any better. Recruiters may even try to offer you benefits, but guess what, the benefits are only available to you while you are on the contract and typically are not very good to begin with. They will try to keep you on the contract by extending it and telling you more lies, like you’re doing a good job and just to wait a little longer and you will be perm. Don’t believe them. It is a lie. They are profiting more and more the longer you are on the contract. Don’t fall for this; it is an effort to keep you from leaving and finding perm work.

The only time a contracting position should be considered is if you are unemployed and you need to make ends meet. Even then, you must understand it should be a temporary situation until you can find permanent employment. No one regulates this industry and it is kept hush because businesses benefit greatly from this type of arrangement. Recruiters benefit. You do not.

Friday, May 1, 2009

Why people quit Linux... it's the user's fault.

Keir Thomas wrote an article for PC World discussing his "Top 7 Reasons People Quit Linux". At first I thought it might be an insightful essay on why Linux is unable to make inroads into the desktop OS market Microsoft still dominates. Instead I was treated to the same arrogant single-mindedness so common among Linux fanboys. To make it worse, Mr. Thomas gloats that he writes Linux guidebooks for Windows users. Wow! No wonder Linux can't make the cut as a mainstream desktop OS and server OS.

The tone of this article is astounding.

Under reason No. 2, "I installed Linux but some element of my hardware didn't work!"

Thomas states:

Some people expand this complaint to point out that Linux can sap their precious time as they work through getting it setup the way they like. Again, this is as true of Linux as it is of Windows. It's just the way PCs are.

Mr Thomas, maybe you have lots of free time and maybe you enjoy endless frustration but most people just want things to work. You don't have to berate them for wanting that.

Under reason No. 3, "I tried Linux but I had to type commands!"

Thomas goes off:

OMG!!! Really?

But seriously. So what? Are you scared of the keyboard? This is usually related to point #2 above, and it's usually a one-off manoeuvre designed to get something working.

and

But typing a few strange words won't kill you.

and

Why do we always assume that other people can't possibly be as smart as we are?

Good question Mr Thomas, perhaps you should heed your own words.

And this beauty under No. 4:

Again, so what? Nobody said Linux was a clone of Windows. Things are going to be different now you're using Linux. Not necessarily better, not necessarily worse. Just different. You're over the rainbow, Dorothy! Rather than griping about your troubles, why don't you get used to it? If you're unable to adapt, it says more about you than it does about Linux.

I see, so it is the user and not the OS that is the problem.

Another under No. 6:

But what people with this complaint always do is make a spurious argument about usability – that wonderfully nebulous term that means different things to different people. “Linux just isn't as usable as Windows or OS X,” they'll say. When asked to backup their complaint with evidence, they don't bother to reply.

How about the fact that Linux has barely 1% of the market? If Linux were truly so great, then why is there not wider acceptance? I could go on but you get the picture. Unfortunately, this is the typical condescending attitude you find in Linux land. The simple truth is Windows is easier to use than Linux. Period.

Perhaps if Linux people were nicer there would be broader appeal of the OS but I won't hold my breath.

But hey keep writing your books Mr. Thomas someone might buy them.


Tuesday, April 28, 2009

Track the Swine Flu in your reader

http://maps.google.com/maps/ms?ie=UTF8&hl=en&t=p&source=embed&msa=0&output=georss&msid=106484775090296685271.0004681a37b713f6b5950

Update: Also see the WHO (World Health Organization) rss feed. Get a Global view at Healthmap.org. You can also jump directly into the panic on twitter.

Centers for Disease Control (CDC): Swine Flu


Verizon and Apple working it out

Lots and lots of rumors on the net about iPhone coming to Verizon in 2010.

SlashGear actually has some interesting details about the potential offering. There are more details from Businessweek and they suggest that all the rumor talk is really leverage by Apple to sweeten their part of a new deal with AT&T.

For me, I like the idea of a Kindle-like Media Pad from Apple. Maybe that is how Apple will sell to AT&T (iPhone) but still be able to sell a device to Verizon (Media Pad). Not sure I want to carry around an iPhone and a Media Pad though. Maybe we will find out this summer!

Wednesday, April 22, 2009

Payback

Funny little payback story about the Nigerian Craigslist scams. Since I dealt with this a few months ago I had done some digging.

What is Advance-fee fraud?

Also a nice Nigerian 419 scam FAQ.

Common Fraud Schemes from the FBI.

Educate yourself before using auction sites like Craigslist and eBay; the fraud is rampant and those companies do very little to protect you.


The Kindle Costs

Why get a Kindle?

According to PC World, the Kindle costs a consumer $359 but it only costs Amazon $185 to build. So $174 profit. You still have to buy the ebooks, which are supposed to be $9.99 but most are not, if you read about the ebook boycott going on.

If you can stomach the cost of the ebooks why not just use your iPhone for ebook reading. Oddly, even Amazon seems to be pushing this. See Further thoughts on the Kindle iPhone experience for a review.

What is Whispersync?

Kindle for iPhone comes with Whispersync, which means you can sync your reading locations and annotations between your Kindle and your iPhone. In addition, any book that you buy for your Kindle can be accessed on your iPhone as well. And let’s not forget that you get the same Kindle book discounts on your iPhone.

Monday, April 20, 2009

This is my iPod.....

Newsweek has a cool article about how our soldiers are using new technology to defeat the enemy. Some of the uses Newsweek notes are pretty interesting.

  • iPhone software that would enable a soldier to snap a picture of a street sign and, in a few moments, receive intelligence uploaded by other soldiers (the information would be linked by the words on the street sign).
  • The U.S. Marine Corps is funding an application for Apple devices that would allow soldiers to upload photographs of detained suspects, along with written reports, into a biometric database. The software could match faces, making it easier to track suspects after they're released.
  • Software developers and the U.S. Department of Defense are developing military software for iPods that enables soldiers to display aerial video from drones and have teleconferences with intelligence agents halfway across the globe.
  • Snipers in Iraq and Afghanistan now use a "ballistics calculator" called BulletFlight, made by the Florida firm Knight's Armament for the iPod Touch and iPhone.
  • Army researchers are developing applications to turn an iPod into a remote control for a bomb-disposal robot (tilting the iPod steers the robot).
  • In Sudan, American military observers are using iPods to learn the appropriate etiquette for interacting with tribal leaders.
  • A new program, Vcommunicator, is now being issued to soldiers in Iraq and Afghanistan. It produces spoken and written translations of Arabic, Kurdish and two Afghan languages. It also shows animated graphics of accompanying gestures and body language, and displays pictures of garments, weapons and other objects.

I’m sure our boys are being pretty creative and are using it for a lot more. I’m surprised the Pentagon allows the use, but I guess they understand they can’t prevent the soldiers from using them anyway, so might as well use it as another weapon against the bad guys. This is a great example of how consumer products are used first by consumers and then brought into business, in this case the military. It used to be the military would develop a product for use in war and then uses would be found in civilian life, like with the Hummer. In this case the reverse is true.

Thursday, April 16, 2009

SANS: Some Conficker lessons learned

Good Conficker lessons learned from SANS

"The outbreak was not due to a lack of patching. The vast majority of the machines that were compromised via the worm were managed machines and were in fact patched up to date - including the patch for MS08-067 - and have actively maintained anti-virus software installed."

  1. Ensure that when an average user logs in it does not allow them to mount via RPC resources on other workstations in the domain. (i.e. When Alice logs into her workstation she cannot mount the Admin$ share on Bob's machine without being prompted for credentials.) Using the GPO [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network] to limit RPC logins to workstations can be very helpful in this regard. see: <http://technet.microsoft.com/en-us/library/cc740196.aspx>
  2. Disable Auto-Run on all machines. This can also be accomplished via GPO.
  3. Ensure that all anti-virus software is very up-to-date and is enabled to "On-Access" scan for both the reading and writing of files.
  4. Ensure that all machines are patched for MS08-067, including vendor managed machines.
  5. Ensure that all privileged accounts have strong passwords. Apparently conficker is smart enough to enumerate accounts with elevated privileges such as Domain Admins. We observed conficker attempting to brute-force unique domain admin accounts.
  6. Monitor for 445/TCP scanning, particularly off-subnet scanning.
  7. Force all users to utilize a proxy to access the web.
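The SANS list above is a set of controls rather than code. As an added example that is not part of the SANS post or this blog, here is how lesson 6, watching for 445/TCP scanning and especially off-subnet scanning, could be checked against firewall logs. The log lines are constructed for the example, and the line format (timestamp, source, destination, destination port, protocol) and the thresholds are assumptions; a real deployment would map them onto whatever the perimeter or host firewall actually emits.

```python
"""Added example: flag hosts fanning out on 445/TCP, especially off their own subnet.

Not code from SANS or the blog. Parses constructed firewall log lines, counts the
distinct 445/TCP destinations per source and how many of those fall outside the
source's own /24, and reports sources above a threshold. This is the scanning
pattern Conficker produced while spreading over MS08-067.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not real traffic). Assumed format:
# <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
SAMPLE_LOG = """\
2009-04-16T10:00:01 10.1.1.20 10.1.1.5 445 tcp
2009-04-16T10:00:02 10.1.1.20 10.1.1.6 445 tcp
2009-04-16T10:00:02 10.1.1.20 10.1.2.7 445 tcp
2009-04-16T10:00:03 10.1.1.20 10.1.2.8 445 tcp
2009-04-16T10:00:03 10.1.1.20 10.1.3.9 445 tcp
2009-04-16T10:00:04 10.1.1.20 10.1.3.10 445 tcp
2009-04-16T10:00:05 10.1.1.20 10.1.4.11 445 tcp
2009-04-16T10:00:06 10.1.1.21 10.1.1.5 445 tcp
2009-04-16T10:00:07 10.1.1.21 10.1.1.5 445 tcp
2009-04-16T10:00:08 10.1.1.22 10.1.1.9 80 tcp
2009-04-16T10:00:09 10.1.1.22 10.1.5.3 445 udp
"""

SMB_PORT = 445


def parse_line(line):
    """Parse one log line into (src, dst, dport, proto); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, dport, proto = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())
    except ValueError:
        return None


def smb_fanout(log_text, subnet_prefix=24):
    """Return {src: (distinct 445/TCP destinations, of which off-subnet)}.

    "Off-subnet" means the destination lies outside the source's own
    /subnet_prefix, the pattern lesson 6 says to watch for.
    """
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, proto = rec
        if proto != "tcp" or dport != SMB_PORT:
            continue  # only SMB over TCP is of interest here
        dsts[src].add(dst)
    result = {}
    for src, targets in dsts.items():
        home = ipaddress.ip_network(f"{src}/{subnet_prefix}", strict=False)
        off_subnet = {d for d in targets if d not in home}
        result[str(src)] = (len(targets), len(off_subnet))
    return result


def suspicious_scanners(log_text, min_hosts=5, min_off_subnet=3):
    """Sources whose 445/TCP fan-out exceeds both thresholds, busiest first."""
    hits = [(src, total, off)
            for src, (total, off) in smb_fanout(log_text).items()
            if total >= min_hosts and off >= min_off_subnet]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for src, total, off in suspicious_scanners(SAMPLE_LOG):
        print(f"{src}: {total} distinct 445/TCP targets, {off} off-subnet")
```

A single workstation legitimately touching a few file servers on 445 stays under the thresholds; a host walking through neighbouring /24s is what surfaces. Pair this with the RPC-login restriction in lesson 1, which limits what such a host can reach even when it does scan.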

Interesting VMware Critical Vulnerability

iTWire has an interesting tidbit about a VMware vulnerability that breaks the isolation between virtual machines on the same host. The advisories of note are VMSA-2009-005 and VMSA-2009-006.

David Heath notes:

"Now we find that any one of those virtual machines can influence the base OS, and by implication have dire effects upon other virtual environments on the same system."

I created a custom feed for VMware's Security Advisories for those with RSS addiction like me.

There had to be a chink in the armor somewhere right?


Trade in your old cell phone

I have not used this but it looked interesting, and I do have a lot of cell phones lying around.

http://www.flipswap.com/

Dilemma

I was recently involved in a situation where a server’s hard drive failed. During research on the issue it was discovered that the server’s firmware and drivers were out of date. In fact they were never updated. Now my philosophy is, if it is not broke don’t fix it when it comes to firmware. OS security updates are different and should be applied (after testing) immediately. But firmware is normally not a security fix but an enhancement to the hardware. If the hardware is working fine, why tempt fate?

In my view, the time to update drivers and firmware is at the request of vendor support, and that usually happens when you are trying to fix a server. Most of the time support won’t even talk to you until you are on the latest version of firmware and software. So the question is: do you make firmware and driver updates part of the regular server maintenance even if the server is in fine working condition? I know the answer would be yes if you are able to test the updates, but how many IT shops have a test server for every model of server they have? I have seen firmware and driver updates go bad more often than not. Is it worth the risk on a production server that is working? Just food for thought.

Monday, April 13, 2009

Nessus version 4 released

Tenable released the latest version of Nessus last Thursday. There are some performance enhancements, and now all Nessus Unix command-line tools are available on Windows. Plus 64-bit support. There is more at the Tenable blog.

The fuss about Netbooks

For some time now I have been thinking about which would be more useful, an iPhone or a Netbook. Each has its advantages and disadvantages, some obvious, some not so obvious. But on the go, as an IT professional, which would you rather have: the small, compact but versatile iPhone, or something a little more robust yet more difficult to carry around like the HP Mini 2140? Erica Sadun wrote an article about Netbooks that does a slight comparison between Netbooks and the iPhone, although she focuses on the data plans. I liked the article though because it finally defined for me what a Netbook is really designed for. She states:

"In the real world, laptops let you perform serious work and let you do so without a lot of compromise. In the portable world, netbooks just aren't meant for that standard of computing. The screen is small; the keyboard is compromised; the chip runs slow. So consider them in the light of the activities that people use netbooks for: sending e-mail, browsing the net, enjoying multimedia, and chatting on the go."

Email, browsing, multimedia and chat. I'm not sure about the multimedia (unless she means just limited to music) but I will go along with the rest. Light activities, not hardcore computing like video editing, gaming, or something database intensive.

For the mobile IT pros though, might a Netbook be a possibility? They are cheaper than a laptop and they would be great for RDP sessions to servers, which is what you use from your PC at work anyway. Now if I can just justify the required data plan. Of course you can RDP from the iPhone too.

RDP from your iPhone

I am more than a little intrigued by some of the iPhone apps I have seen lately. One is called Jaadu RDP. This product seems geared towards the consumer rather than the IT professional, but if you're off site a lot this could be pretty handy. Here is a review from Macworld magazine. It seems pretty favorable. There is a video demo of the product here. You can purchase and download it from Apptism for $24.99. That seems a bit pricey to me but perhaps it could be worth it. The latest version is 2.0.1.

More and more reasons for me to get an iPhone. Verizon really blew it!

Friday, April 10, 2009

Google Latitude... the stalker's choice

Decent article over at Geek.com about the uses of Google Latitude. Personally I think this will be a stalker's software of choice. But there could be good uses too, like tracking the elderly who have Alzheimer's or making sure children make it to school ok. I'll say this for Google: they innovate.


Trojan Time

I’m supposed to know better.

All the classic signs were there. PC slowness. Programs acting strange. Pop-ups galore for great security programs! What a coincidence. Just click me and I will save you, they promise. Yeah right, I thought. I trust a popup about as much as a car salesman. At first McAfee seemed to have everything under control, but it only saw innocuous tmp files and every reboot they would reappear. After I checked that my DAT files were up to date I did a McAfee scan that found nothing but took forever. Then I noticed Windows Defender was missing from the system tray and Ad-Aware would not start. Hmmm…

No problem, I can handle this. I’m an IT professional! McAfee put me on the trail but that is about it. Vundo!grb. What is Vundo? The next day, NQ-Host84 appeared, then another Vundo variant. Things were starting to snowball. I had Spybot installed so I tried that to clean things. It found some stuff but I still had popups and the PC was still slow. I downloaded HijackThis and looked at the logs and tried to fix any problems. No change, but the logs showed an unusual dll file named wenijalu.dll. I didn’t want to go delete files without knowing what they are first, so I kept digging. I had Process Explorer installed, so using that I checked the properties of Winlogon.exe under the Threads tab and I saw that strange dll file listed along with two other dll files, tikiwki.dll and bowiki.dll. I checked the McAfee process Mcshield.exe and sure enough they were there. I checked the rest of my running processes and all of them had these strange dll files.

I searched Google and sure enough these dlls were linked to adware and Trojans. I was really concerned at this point. Every running process seemed to be infected and my anti-virus and anti-spyware were either crippled or disabled. I killed all strange dlls that were attached to a process. I then checked my Automatic Updates and it was disabled! No way I would have done that! I was fully patched though. I checked my firewall and it seemed ok. These dlls had to go. I made backups of all my important files and put them on a USB drive. I found the creepy dll files in the Windows\system32 directory and they were set to be hidden (unusual compared to normal dlls). I renamed the dlls by changing the extension to .bad, and it let me do that, surprisingly. I rebooted and things seemed better. The popups went away and the pc was a little faster... but not much.

The problem with cleaning things manually is that you are never 100% sure you got everything. My mind wandered: could there still be a rootkit on there? Did I get everything? If my security programs missed it, so could I. What did I miss in the registry? I checked my running processes in Process Explorer and saw no sign of the dlls, but I worried about the registry. I ran Spybot again and it found some registry items related to Vundo. I ran a scan with McAfee, HijackThis, and Spybot again to find anything and things seemed clean. Still my paranoia, which had saved me before, was screaming at me now. Wipe it, wipe it clean and start all over. So that is what I did.

During my research I saw some tools that claim to get rid of certain Trojans like Vundo, such as VundoFix, ComboFix, and Malwarebytes. I have mixed feelings about these types of programs. I don’t trust them. They may work or they may not. They all claim they just want to help you but most just want to sell you their software. And no one can guarantee you they cleaned your pc 100% unless they completely format it, which defeats the purpose of their use.

The lesson here: even if you think you can handle a Trojan or virus, think again. The bad guys are ahead of the security companies, so we are always one step behind as well. Do yourself a favor and prepare for your own personal PC disaster.
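The manual check in this story, opening each process in Process Explorer and noticing the same odd DLLs loaded everywhere and marked hidden in system32, is a correlation that can be scripted. As an added example, not the author's code or a tool from the post, the script below runs that correlation over a constructed module inventory (process name to list of module path and hidden-attribute pairs, the kind of data `tasklist /m` or a Process Explorer export gives you). The inventory, the baseline set and the 50% threshold are assumptions for the example; a real baseline would be taken from a known-clean machine of the same Windows build.

```python
"""Added example: cross-process DLL correlation, as a defender's triage step.

Not from the post. A module is flagged if it is loaded by at least half of the
processes yet is absent from a known baseline (the "same DLL in every process"
sign the author spotted by hand), or if it lives under system32 with the
hidden attribute set. The inventory below is constructed; the DLL names are
the ones the post mentions.
"""
from collections import defaultdict

# Constructed inventory (not from a real machine):
# process name -> list of (module path, file has hidden attribute)
INVENTORY = {
    "winlogon.exe": [
        (r"C:\Windows\system32\ntdll.dll", False),
        (r"C:\Windows\system32\kernel32.dll", False),
        (r"C:\Windows\system32\wenijalu.dll", True),
        (r"C:\Windows\system32\tikiwki.dll", True),
    ],
    "mcshield.exe": [
        (r"C:\Windows\system32\ntdll.dll", False),
        (r"C:\Windows\system32\kernel32.dll", False),
        (r"C:\Windows\system32\wenijalu.dll", True),
        (r"C:\Windows\system32\bowiki.dll", True),
    ],
    "explorer.exe": [
        (r"C:\Windows\system32\ntdll.dll", False),
        (r"C:\Windows\system32\kernel32.dll", False),
        (r"C:\Windows\system32\shell32.dll", False),
        (r"C:\Windows\system32\wenijalu.dll", True),
    ],
    "notepad.exe": [
        (r"C:\Windows\system32\ntdll.dll", False),
        (r"C:\Windows\system32\kernel32.dll", False),
        (r"C:\Program Files\Vendor\vendorhook.dll", False),  # benign third-party hook
    ],
}

# Assumed baseline of modules expected in many processes (hypothetical;
# generate a real one from a clean machine of the same build).
BASELINE = {"ntdll.dll", "kernel32.dll", "shell32.dll", "user32.dll"}


def module_name(path):
    """File name component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(inventory, baseline, min_share=0.5):
    """Return {module name: set of reasons} for modules worth a closer look."""
    loaders = defaultdict(set)   # module name -> processes that load it
    hidden_sys32 = set()         # modules whose file is hidden under system32
    for proc, modules in inventory.items():
        for path, hidden in modules:
            name = module_name(path)
            loaders[name].add(proc)
            if hidden and in_system32(path):
                hidden_sys32.add(name)

    findings = defaultdict(set)
    total = len(inventory)
    for name, procs in loaders.items():
        if name not in baseline and len(procs) / total >= min_share:
            findings[name].add(
                "loaded by %d of %d processes, not in baseline" % (len(procs), total))
        if name in hidden_sys32:
            findings[name].add("hidden file under system32")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in sorted(triage(INVENTORY, BASELINE).items()):
        print(name, "->", "; ".join(sorted(reasons)))
```

The point of splitting the two signals is that each alone has false positives: a vendor hook DLL legitimately loads into many processes, and some hidden files are harmless. A module that trips both, as wenijalu.dll does here, is the one to research before renaming or deleting anything, which matches the caution the author showed.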