important security info for your IT department from USSS/FBI

Hi,

For those of you with computer networks/systems, in case your IT department isn’t aware. (attached)

Bill
*** Joint USSS/FBI Advisory ***
PREVENTIVE MEASURES
Over the past year, there has been a considerable spike in cyber attacks against the financial services and the online retail industry. There are a number of actions a firm can take in order to prevent or thwart the specific attacks and techniques used by these intruders. The following steps can be taken to reduce the likelihood of a similar compromise while improving an organization’s ability to detect and respond to similar incidents quickly and thoroughly.
Attacker Methodology:
In general, the attackers perform the following activities on the networks they compromise:

1. They identify Web sites that are vulnerable to SQL injection. They appear to target MSSQL only.

2. They use “xp_cmdshell”, an extended procedure installed by default on MSSQL, to download their hacker tools to the compromised MSSQL server.

3. They obtain valid Windows credentials by using fgdump or a similar tool.

4. They install network “sniffers” to identify card data and systems involved in processing credit card transactions.

5. They install backdoors that “beacon” periodically to their command and control servers, allowing surreptitious access to the compromised networks.

6. They target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs.

7. They use WinRAR to compress the information they pilfer from the compromised networks.

We are providing the following preventive measures. Performing these steps may not prevent the intruders from gaining access, but they will severely impact their effectiveness based on current attack methods.
Recommendation 1: Disable potentially harmful SQL stored procedure calls.
The xp_cmdshell, OPENROWSET, and OPENDATASOURCE stored procedures should be disabled on all databases unless they are explicitly serving a business need within the network.
The xp_cmdshell procedure allows someone to execute commands on a local system from the database, with the permissions of the service account used for the database. The OPENROWSET and OPENDATASOURCE procedures allow one to cause the database to transfer data from the local database to a remote database and vice versa.
The following two steps should be taken to remove the potentially harmful stored procedure calls.

1. Disable access to the xp_cmdshell function within Microsoft SQL Server.

Microsoft SQL Server 2000:
EXEC sp_dropextendedproc 'xp_cmdshell'

Microsoft SQL Server 2005 (xp_cmdshell is an advanced option, so it must be exposed before it can be changed, and RECONFIGURE applies the change):
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 0
RECONFIGURE

2. Remove the “xplog70.dll” file (the library that implements xp_cmdshell) from the server, so the procedure cannot simply be re-registered.

If it is necessary to use the potentially harmful stored procedure calls, limit the exposure by applying IP filters on the SQL servers. Assign explicit ALLOW rules to the interfaces for the application the SQL server is supporting. Disallow communication between SQL Server hosts unless an application necessitates otherwise.
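The following T-SQL script is an added example, not part of the advisory, for auditing and applying Recommendation 1 on SQL Server 2005 or later. OPENROWSET and OPENDATASOURCE are controlled by the “Ad Hoc Distributed Queries” option rather than being dropped individually; the script assumes it is run by a sysadmin login.

```sql
-- Added example (not from the advisory): audit and disable the calls
-- named in Recommendation 1 on SQL Server 2005+.
-- Assumes a sysadmin connection (SSMS or sqlcmd).

-- 1. Record the current state before changing anything.
--    xp_cmdshell                -> OS command execution from T-SQL
--    Ad Hoc Distributed Queries -> OPENROWSET / OPENDATASOURCE
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries', 'show advanced options');

-- 2. Both are "advanced" options: they can only be changed while
--    'show advanced options' is on, and RECONFIGURE makes each change live.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;

-- 3. Hide the advanced options again so the server is left as it was found.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Verify: both rows should now report value_in_use = 0.
--    Re-run this query periodically (or from a monitoring job); an attacker
--    with sysadmin rights can turn xp_cmdshell back on with the same commands,
--    so a non-zero value here is itself a detection signal.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries');
```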
Recommendation 2: Deny extended URLs.
Excessively long URLs can be sent to Microsoft IIS servers, causing the server to fail to log the complete request. Unless specific applications require long URLs, set a limit of 2048 characters. Microsoft IIS will process requests over 4096 bytes long, but will not place the contents of the request in the log files. This has become an effective means to evade detection while performing attacks.

1. Modify “%windir%\system32\inetsrv\urlscan\urlscan.ini” (the UrlScan configuration file):

In the [RequestLimits] section, ensure “MaxQueryString=2048” is present.

In the [Options] section, ensure “LogLongUrls=1” is present, so that long requests are written to the log in full.

Recommendation 3: Implement specific approaches to secure dynamic web site content.
Certain measures can be taken to mitigate the risk of these types of attacks by developing a secure code base. The steps below are a few of the best practices for secure coding that will help prevent the attack associated with this incident. Additional information can be found at http://msdn2.microsoft.com/en-us/library/ms998271.aspx.

1. Replace escape sequences

private string SafeSqlLiteral(string inputSQL)
{
    // Double every single quote so user input cannot terminate a SQL string literal.
    return inputSQL.Replace("'", "''");
}

2. Use parameters with stored procedures

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    // The query text is fixed; the user-supplied value is bound to @au_id
    // as data, so it can never be interpreted as SQL.
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
        connection);
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myCommand.Fill(userDataset);
}

3. Constrain input in ASP.NET web pages

using System.Text.RegularExpressions;

// Allow only letters, apostrophes, periods and whitespace, 1 to 40 characters.
if (!Regex.IsMatch(userIDTxt.Text, @"^[a-zA-Z'.\s]{1,40}$"))
    throw new FormatException("Invalid name format");

Recommendation 4: Install and run authorized Microsoft SQL Server and IIS services under a non-privileged account.
Unless a specific application requires system or administrative level permissions, all instances of Microsoft SQL Server and IIS should run under accounts with restricted user permissions.
Recommendation 5: Apply the principle of ‘least privilege’ on all SQL machine accounts.
The attackers generally create tables into which they store malware or data collected from the enterprise. Unless specific applications dictate otherwise, restrict the capabilities of the accounts used to modify databases on the servers. In particular, remove the ability to create new tables, denying the attackers a means of transporting malware and stolen data.
Recommendation 6: Require the use of a password on Microsoft SQL Server administrator, user, and machine accounts.
Several SQL servers examined had an empty password on the “sa” SQL account. All accounts with access to resources should be protected with passwords or certificates.
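The following T-SQL is an added example, not part of the advisory, covering Recommendations 5 and 6 together: it finds SQL logins with a blank password, secures “sa”, and removes the application account’s ability to create tables. The database name AppDb and the user app_user are placeholders.

```sql
-- Added example (not from the advisory) for Recommendations 5 and 6.
-- Assumes SQL Server 2005+; AppDb and app_user are placeholder names.

-- Recommendation 6: list SQL logins whose password is blank.
-- PWDCOMPARE returns 1 when the clear-text password matches the stored hash.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- Give sa a strong password, then disable it; applications should use
-- their own least-privilege logins rather than sa.
ALTER LOGIN sa WITH PASSWORD = '<strong-password-placeholder>';
ALTER LOGIN sa DISABLE;

-- Recommendation 5: the application account may read and write its tables
-- but must not be able to create new ones.
USE AppDb;
DENY CREATE TABLE TO app_user;

-- DENY does not restrain members of db_owner (they bypass permission checks),
-- so confirm app_user holds no role that grants CREATE TABLE implicitly.
-- Any row naming db_owner or db_ddladmin here needs to be removed.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = 'app_user';

-- Verify from the application account's point of view: expect 0.
EXECUTE AS USER = 'app_user';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE') AS can_create_table;
REVERT;
```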
Recommendation 7: Lock out accounts on the mainframes after several unsuccessful logon attempts.
Locking accounts and requiring IT support to restore service helps protect against brute-force attacks, and the lockouts themselves can serve as an early indicator of potential security problems.
Recommendation 8: Run the minimum required applications and services on servers necessary to perform their intended function.
Several servers, including Active Directory master servers, had unnecessary software installed (e.g. Microsoft Office). In addition, ensure that no unnecessary services are running. This includes SQL Server and SQL Server Express on support and other workstations. Should these services be necessary, restrict access through IP filters on Microsoft Windows or through third-party firewall software.
Recommendation 9: Deny access to the Internet except through proxies for Store and Enterprise servers and workstations.
Attacks on victim networks make extensive use of HTTP, HTTPS, and DNS network ports. Denying direct access to the Internet will frustrate and mislead an attacker.
Recommendation 10: Implement firewall rules to block or restrict Internet and intranet access for database systems.
Disallow all traffic outbound from servers harboring sensitive data. Communication to the SQL servers and data warehousing servers should be tightly controlled. Restrict traffic between data centers and stores to essential ports and services only.
Recommendation 11: Implement firewall rules to block known malicious IP addresses.
Firewall rule sets designed to block all ingress (incoming) and egress (outgoing) traffic to the known malicious IP addresses have been put in place. Note that traffic violating the rules should be logged and observed in near-real time.
Recommendation 12: Ensure your HSM systems are not responsive to any commands which generate encrypted pin blocks. More specifically, HSMs should not accept commands that allow plain text PINs as an argument and respond with encrypted PIN blocks.
HSMs are normally used to verify Personal Identification Numbers (PINs), generate PINs used with bank accounts and credit cards, generate encrypted Card Verification Values (CVVs), generate keys for Electronic Funds Transfer Point of Sale (EFTPOS) systems, and generate and verify Message Authentication Codes (MACs). These systems, if accessed by an unauthorized intruder, can give the attacker the ability to discover the PIN for a corresponding credit or debit card. Therefore, to prevent this, HSMs should be configured to refuse “in the clear” PINs as an argument for any of their operations.

great advice for issuing refunds

Chargeback Advice – Merchant Returns

Due to the holiday season and a number of refunds being issued, please keep the following information in mind to help protect your merchants.

– If a cardholder is being issued a credit back, the merchant MUST issue the credit to the card originally used.

– If the cardholder says the card is closed, the merchant should still attempt the credit. The system will record a credit attempt was sent to the cardholder to protect them from a potential chargeback.

– If a reject occurs, a credit reversal will be issued and the credit amount will be refunded back to the merchant. They can then go back to the cardholder for an alternate card of the same card type (i.e. if the original card was a Visa, use another Visa; if MasterCard, use another MasterCard; and so on).

– If they do not have another card to use of the same type, the merchant should get them to sign off on a form that they are accepting a check refund in place of a credit card refund. The cardholder should sign the form prior to the merchant issuing the check.

– If the cardholder is not able to collect their refund in person, the merchant will need to fax or mail the form. Upon receiving the signed form back, the merchant should then issue the check via signature required mail. Without a signature proof, the cardholder can still issue a chargeback for “refund not issued”.
– Under no circumstances is a cash refund to be issued regardless of what type of card is used.


Bill Hoidas
Consultant Manager Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
http://chicago.citysearch.com/review/44659273
John 3:16 For God so loved the world, that he gave his only begotten
Son, that whosoever believeth in him should not perish, but have everlasting life.

Bill Hoidas of Matrix wins Best of Barrington award

Press Release

FOR IMMEDIATE RELEASE

Matrix Payment Systems Receives 2008 Best of Barrington Award

U.S. Local Business Association’s Award Plaque Honors the Achievement

WASHINGTON D.C., December 14, 2008 — Matrix Payment Systems has been selected for the 2008 Best of Barrington Award in the Credit Card & Other Credit Plans category by the U.S. Local Business Association (USLBA).

The USLBA “Best of Local Business” Award Program recognizes outstanding local businesses throughout the country. Each year, the USLBA identifies companies that they believe have achieved exceptional marketing success in their local community and business category. These are local companies that enhance the positive image of small business through service to their customers and community.

Various sources of information were gathered and analyzed to choose the winners in each category. The 2008 USLBA Award Program focused on quality, not quantity. Winners are determined based on the information gathered both internally by the USLBA and data provided by third parties.

About U.S. Local Business Association (USLBA)

U.S. Local Business Association (USLBA) is a Washington D.C. based organization funded by local businesses operating in towns, large and small, across America. The purpose of USLBA is to promote local business through public relations, marketing and advertising.

The USLBA was established to recognize the best of local businesses in their community. Our organization works exclusively with local business owners, trade groups, professional associations, chambers of commerce and other business advertising and marketing groups. Our mission is to be an advocate for small and medium size businesses and business entrepreneurs across America.

SOURCE: U.S. Local Business Association

CONTACT:
U.S. Local Business Association
Email: PublicRelations@USLBA.net
URL: http://www.USLBA.net



12 people you need to fire!

Article printed from SiteProNews: http://www.sitepronews.com

HTML version available at: http://www.sitepronews.com/archives.html

The Campaign Killers: 12 People You Need To Fire
By Jerry Bader (c) 2008

Sometimes it seems like the hardest thing to do in business is
to get things done: so little time, so many obstacles. And when
it comes to marketing it gets even worse, after all there are
all those administrative details that need to be dealt with,
emails, inquiries, suppliers, and on and on. Finding the time to
devote to creating a sustained, focused marketing effort seems
like it’s near impossible. But the biggest obstacles of all are
some of your trusted colleagues and advisors; you know the ones
I’m talking about, the ones that are a royal pain-in-the-ass.
So let’s just call them on the proverbial carpet and fire their
butts; but first let’s check the files and find out who they
are.

File One: Mr. Inertia
Everybody knows this guy. He’s the one who hasn’t had a new
idea in five years. This is the fellow who thinks everything is
just fine the way it is, so let’s not rock-the-boat, everything
is just hunky-dory, thank you very much.

You have to treat your business like it’s a shark: no standing
still, if you don’t keep moving forward, you won’t survive.

It’s a competitive world out there, and in the Web-centric
marketing environment, you’re not only competing with the shop
down the street, you’re competing with the whole world, so
standing still is not an option. Mr. Inertia, you’re fired!

File Two: Mr. Know-It-All
I love this guy, he knows everything, he’s done everything, and
if you ask him he’ll tell you he invented it. It doesn’t
matter what it is or even if it relates to your business, he’s
done it all and seen it all, or so he says. This is Mr.
Know-It-All; he stopped learning, stopped improving, and stopped
listening years ago.

Despite all his self-proclaimed knowledge and insight, this guy
hasn’t contributed anything meaningful to the marketing effort
since a Blackberry was something you ate. Mr. Know-It-All,
you’re fired!

File Three: Mr. My-Business-Is-Unique
We all like to feel that we have created something unique,
something different, something that no one else does. The fact
is business is business; it’s very dangerous to think that your
company is so unusual that it’s irreplaceable, so different
that you don’t need to market, so special that branding isn’t
required, and so singular that positioning is a waste of time.

Don’t be fooled, finding your ‘mark of differentiation’ is
just as much an exercise in marketing as it is an exercise in
product development. Mr. My-Business-Is-Unique, you’re fired!

File Four: Mr. We-Always-Do-It-This-Way
At one point in my career I ran a company that manufactured
photo albums. We had a large competitor who always undercut our
price no matter what we sold our product for. In an effort to
find out how they were gaining this advantage, we cut open one
of their new albums and found that they were using cheap
corrugated cardboard as a stiffener instead of the more
expensive traditional 80-point board everybody in the industry
used.

Our sales manager made an appointment with a major photo chain
known for only buying quality. He made a dramatic presentation
by cutting open our competition’s product illustrating the
superior nature of our product and demonstrating how they were
being duped into buying the inferior junk our competitor was
selling them. The buyer, who was also one of the owners, looked
at the products on his desk, uttered an expletive-deleted and
laughed, “Yea,” he said, “but they are cheaper.”

Just because things were done the same way forever, doesn’t
mean that you can keep doing it that way. Keep innovating,
experimenting, challenging the status quo. Mr.
We-Always-Do-It-This-Way, you’re fired.

File Five: Mr. Everybody-Is-Stupid (But Me)
This clown’s a real buzz-kill. In brainstorming sessions this
is the guy who shoots down every idea that comes up without
offering any alternatives. If some idea is actually adopted he
immediately begins to try and change it. You’ll usually find
him with a coffee in one hand and a donut in the other, standing
over someone who is actually trying to work, telling them to
move it a pixel to the right or add a little blue or saying
stuff like, “I think it needs a pony, ya add a pony.” This
jerk is like a dog going from hydrant to fencepost depositing
his mark without any purpose or validity other than leaving his
scent. Not only is this guy unproductive, he makes everybody
around him less productive. Mr. Everybody-Is-Stupid (But Me),
you’re fired!

File Six: Mr. I-Know-All-The-Customers-Worth-Knowing
Hard to believe but this guy does exist. I once called on a
potential client who told me he didn’t need a website because
he knew all the customers worth knowing, all six of them. He was
a manufacturer and he did sell to the six largest retail buyers
of his merchandise but one thing I’ve learned over the years,
you never have enough customers, and as soon as you think
you’ve got them all sewed up, watch out, because every
competitor is out to take them away from you. And as good as you
are or as good as you think you are clients will eventually be
pursued by a competitor offering something better or cheaper.

Never stop prospecting, never stop looking for new business, and
never be satisfied. Mr. I-Know-All-The-Customers-Worth-Knowing,
you’re fired.

File Seven: Mr. I-Know-All-The-Benefits
We all could be guilty of this marketing sin if we’re not
careful. Thinking you know everything that people do with your
product or service is a risky mindset and speaks to a lack of
vision. This guy goes to the appropriate conventions, listens to
all his industry’s experts and reads only stuff about his own
established market. If it’s about something else, he’s just
not interested, and he doesn’t see or understand the
relevance.

The fact is all your customers are people who have lives outside
of business; they all have problems, insecurities, hobbies, and
interests that have nothing to do with business. And they may
have a totally different point-of-view as to what you offer and
how they can use it. You must pay attention to what’s going on
in the world and how people think and react to events and
situations. The market is an emotional and psychological
minefield and you must pay attention to outside forces because
if you don’t you’re limiting your potential. Mr.
I-Know-All-The-Benefits, I’m sorry but you’re fired!

File Eight: Mr. Everything-Is-Bulls@%t
This employee is not just useless, he’s downright destructive;
no matter what marketing plan you’re considering implementing
this guy thinks it’s bull. He doesn’t believe in branding,
positioning, or any form of sophisticated marketing. He doesn’t
believe that psychology or emotion plays any part in the sales
process and is probably the master of wining and dining clients
resulting in the biggest expense account in the company but not
much else. His clients were customers before he arrived and will
probably be there after he leaves unless he pisses them off.
This guy still doesn’t see the benefit of a website and keeps
repeating, ‘it’s just an electronic brochure.’ His answer to
a dip in sales is always the same, to cut prices. Mr.
Everything-Is-Bulls@%t, you’re fired!

File Nine: Mr. I’ll-Get-Around-To-It
Nobody really knows what this guy does. He is pleasant, tells
good jokes, and he most likely is the guy who brings coffee and
cookies to the office for everybody once a week. His desk is
always piled high with papers, files, and binders, and when you
ask him for something he invariably starts to rummage through
this heap of junk ultimately telling you that he’ll bring it
along as soon as he finds it, he’s just been ‘sooo’ busy. It
takes him three days to answer an email, a week to return a
phone call, and at least two weeks to respond to a request for
a quotation. This guy just has to go. Mr. I’ll-Get-Around-To-It,
you’re fired!

File Ten: Mr. Automatic Pilot
This chap believes that the great benefit of having a Web-based
business is that he doesn’t have to work. This guy spent a
considerable sum of money having a bunch of programmers,
probably from one of those offshore sweatshops, develop a
website system that automatically answers emails, fills orders,
and processes inquiries. The only problem is that it doesn’t
matter if a customer has a question or complaint they all get
the same email-response that says they can order even more stuff
they can’t figure out how to use. Mr. Automatic Pilot, you’re
fired!

File Eleven: Mr. I-Don’t-Need-No-Stinking-Creativity
This guy doesn’t believe in any kind of creativity, he thinks
everything is based on rational dollar-and-cents
decision-making. His website lists as many features and benefits
in 48 point red Times Roman as he can think of; he highlights
each point in yellow and underlines them in green with a big
purple checkmark beside each one. He adds several royalty-free
photographs of fake customers with quotations he made-up while
sitting on the john. And just to enhance his special offer page,
he tacks-on a bunch of extra bonus gifts like a useless free
e-book. This guy’s idea of marketing got stuck in the fifties;
so Mr. I-Don’t-Need-No-Stinking-Creativity, you’re fired.

File Twelve: Mr. Get-Me-the-Coast
You run across these types every now and again. I once went to a
meeting with this guy who was the Vice President of Whatever
Mega Corporation. At first glance, he was very impressive,
handsome and tall with a big office and lots of hair, and a
voice made for AM radio. He talked faster than anyone I ever
met. As we made our presentation, he slammed his hand down on
the intercom and bellowed to his secretary to “Get me Johnny on
the coast!” Before I knew what hit me, he’s talking to his guy
in California who’s on his way to his dry cleaner to pick up
his laundry. He asked him a couple of questions as fast as I
ever heard without much reference to anything we were discussing
and slammed down the phone with a thud. I had no idea what we
were talking about or if this guy heard a single word we said.
This guy was the master of taking meetings and impressing
people, but with what I am still not sure. Mr. Get-Me-the-Coast,
you’re fired!

A Final Thought

The single most important thing about managing good staff or
contractors is that they will only be as good as you let them.
So now that you’ve laid-waste to a staff of deadweight, what’s
next? You need to hire or outsource the right people; people who
are creative, innovative, and talented; people who are
interested in getting things done, whether it’s filing or
creating your next marketing campaign.

================================================================
Jerry Bader is Senior Partner at MRPwebmedia, a website design
firm that specializes in Web-audio and Web-video. Visit
http://www.mrpwebmedia.com/ads, http://www.136words.com, and
http://www.sonicpersonality.com. Contact at info@mrpwebmedia.com
or telephone (905) 764-1246.
================================================================

Copyright © 2008 Jayde Online, Inc. All Rights Reserved.

SiteProNews is a registered service mark of Jayde Online, Inc.



There is money available if bank credit line is unavailable to you because of our mortgage banking excesses

Hi,

Lately I have been doing advance funding using credit card future sales. I have now found three sources that I feel comfortable with and feel are the best. Each one has its own specialty that I can match my clients up with. While you often can qualify for more money, as a rule of thumb figure that you can receive an advance equal to your average one-month volume of MC/Visa sales. In other words, if you do about $25,000 monthly in MC/Visa, you can receive funding of $25,000.00 in a few days.

I want all of my merchants to use utmost caution when borrowing money. Make sure you have exhausted your conventional sources first, because the rates are higher for cc advance funding. The rates will vary according to your credit. However, it can make sense for the right situation. I just had a merchant use the funding to buy almost-new equipment for a fraction of what it is worth. He will be able to turn a nice profit on his purchase. In this situation it makes sense.

For more info go to

http://paymentconsulting.net/2006/09/advance-funding-for-credit-card-sales.html

http://paymentconsulting.net/2008/03/accelerating-cash-advance.html

http://paymentconsulting.net/2008/02/there-is-money-available-if-your-bank.html

