BCS Cybercrime Forensics SG Briefing: 20th September 2011

Not sure if I am allowed to blog these, but let's try this and see.

  • Opinion: Evolution of Incident Response (Computer Weekly, 19th September 2011)
  • Security Firms’ Plan Targets Cyberthreats (UPI, 19th September 2011)
  • The All-Seeing Eye of the Camera: New TV Series Person of Interest Set in a Not-Too-Distant Future of Crime ’Prediction’ (Canada.com, 19th September 2011)
  • Chinese Hackers Pledge to Reject Cybercrime (Computer World, 19th September 2011)
  • Navy War-Room Leak: Case Falling Apart (Zee News, India, 19th September 2011)
  • Counter What? (Family Security Matters, USA, 19th September 2011)
  • Clarke: Outdated Cyber Defence Leaves US Open to Attack (GCN, USA, 19th September 2011)
  • Feds: Wi-Fi Hacking Burglars Targeted Dozens of Seattle-Area Businesses (Seattle Pi, USA, 19th September 2011)
  • Hackers Breach Japan’s Missile, Nuclear Plants (Mobileda, 19th September 2011)
  • No Set-Back in Naval War Room Leak Accused Extradition: CBI (The Hindustan Times, India, 20th September 2011)
  • US Matrix-Style Cyberwar Firing Range Moves Forward (The Register, 20th September 2011)
  • ComodoHacker Declares Private Cyber-War (eWeek, 20th September 2011)
  • Integralis Takes a Proportional Approach to Cybercrime (Source Wire, 20th September 2011)
  • Cyber Attacks Coincide With 80th Anniversary of Manchurian Incident (The Telegraph, 20th September 2011)
  • Cyber Attacks on South Korea (Foreign Policy Journal, 20th September 2011)
  • Japan Defence Firm Mitsubishi Heavy in Cyber Attack (BBC News, 20th September 2011)
  • Complaints relating to Spam Text Messages Increase (BBC News, 20th September 2011)
  • UK Firm Denies ’Cyber-Spy’ Deal With Egypt (BBC News, 20th September 2011)
  • Cybercrime: Ugly Face of Social Media (The National, 20th September 2011)
  • Last Line of Defence: Why is ANZUS Prepping for a Cyber War? (The Conversation, Australia, 20th September 2011)

Microsoft Security Advisory 2607712 Revised

Microsoft Security Advisory 2607712 – Fraudulent Digital Certificates Could Allow Spoofing: http://www.microsoft.com/technet/security/advisory/2607712.mspx

Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store. A fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.
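The practical question after reading the advisory is whether a given Windows box still trusts DigiNotar. The PowerShell below is an added example, not part of the advisory: it walks the machine and user certificate stores through the Windows Cert: provider, lists anything issued by or to DigiNotar, and flags entries that sit anywhere other than the Disallowed (Untrusted Certificates) store, which is where the 2607712 update moves the DigiNotar roots. The store list and the function name are my own choices.

```powershell
# Added example, not from Microsoft's advisory. Lists DigiNotar certificates in the
# machine and user stores and flags any that are still in a trusted store.
function Get-DigiNotarCertStatus {
    $stores = @(
        'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\LocalMachine\CA',
        'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\Disallowed'
    )
    foreach ($store in $stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match 'DigiNotar' -or $_.Issuer -match 'DigiNotar' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Store        = $store
                    Subject      = $_.Subject
                    Thumbprint   = $_.Thumbprint
                    NotAfter     = $_.NotAfter
                    # Anything outside the Disallowed store is still trusted by this machine.
                    StillTrusted = ($store -notmatch '\\Disallowed$')
                }
            }
    }
}

$results = @(Get-DigiNotarCertStatus)
if ($results.Count -eq 0) {
    Write-Host 'No DigiNotar certificates found in any of the checked stores.'
} else {
    $results | Format-Table Store, StillTrusted, Thumbprint, NotAfter -AutoSize
    $trusted = @($results | Where-Object { $_.StillTrusted })
    if ($trusted.Count -gt 0) {
        Write-Warning "$($trusted.Count) DigiNotar certificate(s) remain in a trusted store; apply the 2607712 update."
    }
}
```

Run it elevated so the LocalMachine stores are readable in full. Note that this only answers for the Windows certificate store; browsers that carry their own root store (Firefox, for instance) need to be checked separately.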

MS Security Bulletin MS10-106: Vulnerability in Exchange 2007 SP2 Could Allow Denial of Service


Just seen this: http://www.microsoft.com/technet/security/bulletin/MS10-106.mspx

This security update resolves a privately reported vulnerability in Microsoft Exchange Server. The vulnerability could allow denial of service if an authenticated attacker sent a specially crafted network message to a computer running the Exchange service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

This security update is rated Moderate for Microsoft Exchange Server 2007 Service Pack 2 for x64-based Systems.

Non-Affected Software

  • Microsoft Exchange Server 2000 Service Pack 3
  • Microsoft Exchange Server 2003 Service Pack 2
  • Microsoft Exchange Server 2007 Service Pack 3
  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2010 Service Pack 1
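Since only Exchange 2007 SP2 is affected, the first thing to know is which servers are actually at SP2. The service pack is visible in the AdminDisplayVersion string that Get-ExchangeServer returns (Exchange 2007 is major version 8 and the minor version tracks the service pack). The PowerShell below is an added example, not from the bulletin: it parses that string into product and service pack and flags the servers MS10-106 applies to. It runs here against constructed sample records so it can be tried outside the Exchange Management Shell; in a real run replace the sample array with Get-ExchangeServer.

```powershell
# Added example. Maps Exchange AdminDisplayVersion strings to a service pack and flags
# servers at Exchange 2007 SP2, the release MS10-106 applies to. Sample records are constructed.
$ExchangeServers = @(
    (New-Object PSObject -Property @{ Name = 'EX01'; AdminDisplayVersion = 'Version 8.2 (Build 176.2)' }),
    (New-Object PSObject -Property @{ Name = 'EX02'; AdminDisplayVersion = 'Version 8.3 (Build 83.6)' }),
    (New-Object PSObject -Property @{ Name = 'EX03'; AdminDisplayVersion = 'Version 14.1 (Build 218.15)' })
)
# In the Exchange Management Shell use the real inventory instead:
# $ExchangeServers = Get-ExchangeServer

function Get-ExchangeServicePack {
    param([string]$AdminDisplayVersion)
    # Exchange 2007 is major version 8, Exchange 2010 is 14; the minor version is the service pack.
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build ([\d.]+)\)') {
        $major = [int]$Matches[1]; $minor = [int]$Matches[2]
        $product = switch ($major) { 8 { 'Exchange 2007' } 14 { 'Exchange 2010' } default { "Unknown ($major)" } }
        $sp = if ($minor -eq 0) { 'RTM' } else { "SP$minor" }
        return New-Object PSObject -Property @{ Product = $product; ServicePack = $sp; Build = $Matches[3] }
    }
    throw "Unrecognised AdminDisplayVersion: '$AdminDisplayVersion'"
}

$report = foreach ($srv in $ExchangeServers) {
    $v = Get-ExchangeServicePack $srv.AdminDisplayVersion
    New-Object PSObject -Property @{
        Name        = $srv.Name
        Product     = $v.Product
        ServicePack = $v.ServicePack
        # MS10-106 affects Exchange 2007 SP2 only; SP3 and Exchange 2010 are listed as not affected.
        MS10_106    = if ($v.Product -eq 'Exchange 2007' -and $v.ServicePack -eq 'SP2') { 'AFFECTED' } else { 'not affected' }
    }
}
$report | Format-Table Name, Product, ServicePack, MS10_106 -AutoSize
```

One caveat: AdminDisplayVersion reflects the service pack but not update rollups, so it can tell you a server is SP2 and therefore in scope, not whether the MS10-106 update itself has been installed. Also keep the bulletin's wording in mind: the attacker has to be authenticated, so the exposure is internal users and compromised accounts rather than only the Internet edge.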

Upgrade Your Hotmail Live Account.

If you get an email like this in your Hotmail account, DO NOT reply to it, and I really mean DO NOT reply to it. Microsoft NEVER sends email like this out!

Check these out:




From: Windows Live Hotmail Member Services [mailto:member–services@live.com]
Sent: 03 October 2009 10:12
Subject: Upgrade Your Hotmail Live Account.

Welcome to Hotmail.

Attention: Hotmail.com Account holder,

This message is from the Database Information Technology service messaging center, to all our e-mail account holders. All Mail hub systems will undergo regularly scheduled maintenance. Access to your mailbox via our mail portal will be unavailable for some period of time during this maintenance period. We shall be carrying out service maintenance on our database and e- mail account center for better online services. We are deleting all unused-mail accounts to create more space for new accounts.

Coming Soon!

Find out what else is new or coming soon to Hotmail.

In order to ensure you do not experience service interruptions/possible deactivation Please you must reply to this email immediately confirming your Hotmail.com email account details below for confirmation/identification.You may get this message in your inbox or junk.

1. First Name & Last Name:

2. Full Login Email Address:

3. Username & Password:

4. Confirm your Current Password:


Failure to complete the above process within the shortest possible time will result in both inbound and outbound failures on your email. This will prevent you from sending or receiving email messages. Make sure the details above are correct to enable us restore your account details; this will help prevent your account from suspending or closing. Users have often told us that the more they use Hotmail.com Service, the more they discover its benefits. We’ll keep working on making Hotmail.com the best email service around, and we appreciate your joining us for the ride.

We are sorry for any inconvenience we might have cause you, Expect our new mail features. Please do help spread this important information by forwarding it to other users. You will be sent a confirmation letter from our customer service after our upgrading.Plan your next event, write a blog, create a discussion group, even get updates from other websites you use. –

“Your Life, Your Stuff, All Together at Windows Live.”

Thanks for understanding our plight.

Engr. Festus English

Windows Live Hotmail ®

For more information or for general questions regarding your e-mail account, please visit Windows Live Hotmail Help. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA © 2008 Microsoft Corporation. All rights reserved.
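The message above asks the recipient to reply with a username and password, threatens deactivation, pushes for an immediate response and asks that it be forwarded on, all of which can be matched mechanically. The PowerShell below is an added example, not something Microsoft or the original post provides: it scores a message body against a handful of credential-harvesting indicators and runs against a constructed excerpt of the message above. The indicator patterns, weights and thresholds are my own illustrative choices, not a vendor rule set.

```powershell
# Added example: crude credential-phishing indicator scoring. Patterns and weights are
# illustrative choices, not a vendor rule set.
$Indicators = @(
    @{ Name = 'asks for password';          Pattern = 'password';                                                     Weight = 3 },
    @{ Name = 'asks to reply with details'; Pattern = 'reply to this (e-?mail|message)';                              Weight = 2 },
    @{ Name = 'threatens deactivation';     Pattern = 'deactivat|suspend|clos(ing|ed)|inbound and outbound failures'; Weight = 2 },
    @{ Name = 'urgency';                    Pattern = 'immediately|shortest possible time|within \d+ (hours|days)';   Weight = 1 },
    @{ Name = 'asks to forward';            Pattern = 'forward(ing)? it to other users';                              Weight = 1 },
    @{ Name = 'generic salutation';         Pattern = 'account holder';                                               Weight = 1 }
)

function Get-PhishScore {
    param([string]$Body, [string]$From)
    $hits = @(foreach ($i in $Indicators) {
        if ($Body -imatch $i.Pattern) { New-Object PSObject -Property @{ Indicator = $i.Name; Weight = $i.Weight } }
    })
    # A "member services" display name over a consumer mailbox domain is itself a flag:
    # a provider's account team does not write from a free mailbox on its own service.
    if ($From -imatch 'member.?services' -and $From -imatch '@(live|hotmail|outlook)\.com') {
        $hits += New-Object PSObject -Property @{ Indicator = 'service sender on public mailbox domain'; Weight = 2 }
    }
    $score = [int]($hits | Measure-Object Weight -Sum).Sum
    New-Object PSObject -Property @{
        Score   = $score
        Verdict = if ($score -ge 5) { 'PHISH' } elseif ($score -ge 3) { 'SUSPICIOUS' } else { 'ok' }
        Hits    = @($hits | ForEach-Object { $_.Indicator })
    }
}

# Constructed excerpt of the message quoted above.
$sample = @'
Attention: Hotmail.com Account holder,
In order to ensure you do not experience service interruptions/possible deactivation Please you must reply to this email immediately confirming your Hotmail.com email account details below.
3. Username & Password:
Failure to complete the above process within the shortest possible time will result in both inbound and outbound failures on your email.
Please do help spread this important information by forwarding it to other users.
'@
$result = Get-PhishScore -Body $sample -From 'Windows Live Hotmail Member Services <member-services@live.com>'
"Score: $($result.Score)  Verdict: $($result.Verdict)"
$result.Hits | ForEach-Object { "  - $_" }
```

The password request alone should be enough to discard a message like this; the scoring is only there to show that the rest of the tells (urgency, threat, forwarding request, generic salutation) stack up independently, so a filter that misses one still catches the message.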

Forefront Unified Access Gateway (UAG) RC0

Sweet http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=a3f5729a-3989-4f60-980f-1b87dd198988

Microsoft Forefront Unified Access Gateway (UAG) is a secure application gateway, to manage, control, and optimize remote access for managed and non-managed endpoints, to corporate applications and resources. Forefront UAG RC0 provides a number of new features, including support for migration from Forefront UAG Beta 2.

Forefront UAG provides the following:

  • Remote access: Using Forefront UAG you can allow and control access to internal resources and applications from a range of managed and unmanaged client endpoints.
  • Application support: Forefront UAG provides broad application support for a wide range of Microsoft and third-party applications. Application optimizers, consisting of predefined settings and values, provide optimum settings for accessing a specific application via Forefront UAG.
  • Access control: Forefront UAG provides granular access control, to ensure that only client endpoints complying with corporate health guidelines can access internal applications and resources.
  • Authentication: Forefront UAG provides frontend and backend authentication mechanisms. Frontend authentication allows you to pre-authenticate users using a wide range of authentication mechanisms, ensuring that only authenticated traffic reaches published application servers. In addition, Forefront UAG provides a single sign-on experience for authentication to backend applications.

If you want to migrate a Forefront UAG Beta 2 configuration to RC0, ensure that you run the UAG_RC0_4_0981_2.msp file after running Forefront UAG Setup.

Forefront Security 2010 for Exchange Server Release Candidate


Source: http://www.microsoft.com/downloads/details.aspx?FamilyID=b8a7d36f-cc8d-4335-ae60-8f27c48f3a37&displayLang=en

Microsoft Forefront Security 2010 for Exchange Server provides fast and effective protection against malware and spam by including multiple scanning engines from industry-leading security partners. It also integrates with Forefront Online Security for Exchange to provide the defense-in-depth benefits of hosted and on-premise filtering in a single solution.

Powershell Cmdlets for Forefront Security 2010 for Exchange Server Beta 2

Just install Forefront, and here are the new cmdlets:

  • Adds items to an existing filter list.
  • Resets a report about FSE activities.
  • Clears a filter list. The filter list may still be associated with scan jobs.
  • Saves quarantined items to disk.
  • Exports the configuration settings.
  • Retrieves the advanced options.
  • Retrieves records from the incident database.
  • Gets the incident database options.
  • Retrieves logging options.
  • Retrieves settings for e-mail notifications.
  • Retrieves the configuration of all filter lists of a particular type enabled for the on-demand scan.
  • Retrieves the configuration for the on-demand scan.
  • Retrieves server and product information.
  • Retrieves records from the quarantine database.
  • Retrieves the quarantine options.
  • Retrieves the configuration of all filter lists of a particular type enabled for the realtime scan.
  • Retrieves configuration settings for the realtime scan.
  • Retrieves statistical reports about FSE activities.
  • Retrieves the configuration of all filter lists of a particular type enabled for the scheduled scan.
  • Retrieves the configuration for the scheduled scan.
  • Retrieves configuration options for the Forefront DNS Block List (DNSBL).
  • Retrieves the settings for the spam content filter.
  • Retrieves the status of spam filtering.
  • Retrieves a spam blocking report.
  • Retrieves the configuration of all filter lists of a particular type enabled for the transport scan.
  • Retrieves configuration options for the transport scan.
  • Gets an extended option.
  • Retrieves filter lists.
  • Retrieves engine definition update settings.
  • Retrieves the schedules for updating engine definitions.
  • Retrieves trace settings.
  • Imports the configuration settings.
  • Creates an extended option.
  • Creates a new filter list.
  • Removes an item from the incident database.
  • Removes an item from quarantine.
  • Removes an extended option.
  • Deletes a filter list.
  • Removes one or more items from a filter list.
  • Resumes a suspended on-demand scan.
  • Delivers an item that has been quarantined to the specified recipients.
  • Sets advanced scan options.
  • Sets the incident database options.
  • Sets logging options.
  • Configures settings for e-mail notifications.
  • Configures a filter list for use with the on-demand scan.
  • Sets configuration options for the on-demand scan.
  • Sets the quarantine options.
  • Configures a realtime filter list.
  • Configures the realtime scan.
  • Associates a filter list with the scheduled scan and enables it.
  • Configures the scheduled scan.
  • Sets configuration options for the Forefront DNS Block List (DNSBL).
  • Sets the configuration options for the spam content filter.
  • Enables or disables Forefront antispam filtering.
  • Configures a filter list for use with the transport scan.
  • Configures the transport scan.
  • Sets an extended option.
  • Replaces all the values in a filter list.
  • Sets engine and definition updating options.
  • Sets the schedule for updating engine definitions.
  • Sets trace settings.
  • Starts the on-demand scan.
  • Starts a background scan.
  • Starts engine updating.
  • Stops the on-demand scan.
  • Stops a currently running scheduled scan.
  • Suspends the on-demand scan.

Forefront Security for Exchange Server SP1 Capacity Planning Tool

Source: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=522da65d-5263-4f5d-b929-8428a394b9af

The new Forefront Security for Exchange Server SP1 capacity planning tool helps customers understand what hardware, architecture, and configuration settings will produce recommended system performance and message throughput results for comprehensive protection of their Exchange Servers. This tool, an excel spreadsheet with built in workflow, applies to the Forefront Security for Exchange Server SP1 product. The user will be able to plan the details for a new deployment or understand the impact of adding security protection to an existing deployment. In short, the user will choose their CPU and memory tolerances for deployment, their target reference architecture, their desired protection settings, and their targeted supported user load. Once this is defined, the tool will either recommend scaling up or out on the base recommended hardware for each server role.

For additional details, please read the “Directions” and “Readme” tabs. A “Resource” tab is also provided with links to obtain additional data to help make an informed decision during the planning stage.

This tool has a specific purpose and a limited scope. Please carefully read this entire page to understand the data output by this tool and how to use it properly.

Description: The Microsoft Forefront Security for Exchange Server (FSE) capacity planning tool acts as a complement to a Microsoft Exchange Server capacity plan to help you understand the additional computing power required to add Forefront Security for Exchange Server to an Exchange Server environment. Whether you are planning an Exchange deployment or you are adding Forefront Security for Exchange Server to your existing Exchange environment, you can use this tool to estimate the total hardware required to run Forefront Security for Exchange Server on your Microsoft Exchange Server infrastructure. Based on knowledge of your unique environment and requirements, you can use the information from this tool to help make decisions about scaling your infrastructure to maximize performance without over-allocating server hardware when you deploy Forefront Security for Exchange Server.

NOTE: This capacity planning tool is not a replacement for thorough Exchange capacity planning. It should not be used to create an Exchange capacity plan, nor should you base hardware purchase decisions exclusively on the information gleaned from this tool. Rather, this tool should be used to help further inform a detailed Exchange capacity plan.


The Capacity Planning Tool is designed to help you estimate your Microsoft Exchange capacity needs, and is intended to assist but not replace your complete Microsoft Exchange capacity planning. Network configurations vary, so you may need more software and/or hardware than that which the Capacity Planning Tool estimates in order to effectively deploy Microsoft Exchange Server and/or Microsoft Forefront Security for Exchange Server on your network.

You may use the Capacity Planning Tool only to estimate the Microsoft Exchange Server capacity needs for your network and not for any other purpose.

All organizations are unique, and they have requirements, policies, behaviors, and cultures that guide the specification of requirements and inform hardware purchase decisions. The output from this tool gives you an idea of the additional load created by Forefront Security for Exchange Server on sample server environments created for each of the reference architectures. You can use the data we collected from the sample environments to understand how Forefront Security for Exchange Server impacts utilization and performance, and that understanding can be combined with the Exchange capacity plan and your knowledge about the organization and its IT landscape to help guide decisions.

Background: It is not logistically feasible to test every possible combination of deployment scenario, application configuration, and user load profile. Therefore, Microsoft established a baseline for each reference architecture using FSE Service Pack 1 (SP1) and then identified a total of 80 different test scenarios to run the reference architectures, plus an additional 30 scenarios to run specifically against the edge. Details about baseline settings and hardware specifications are below. The data collected from the test environments enabled us to predict the additional computing resources consumed based on the various settings, message rates, and so forth.

FSE Settings: Forefront Security for Exchange Server (FSE) is highly configurable and has many settings. In this tool, you are using settings that have a practical impact on performance. There are a number of other settings that have minimal or no performance impact and are not included in the tool.

This tool refers to user load profiles, which characterize the e-mail usage patterns across an organization. The profiles correspond to specific data as follows:

User Load Profile   Send/Receive Messages per day   Database cache/user   Estimated IOPS/user   Logs Generated / mailbox
Light               5 sent/20 received              2 MB
Average             10 sent/40 received             3.5 MB
Heavy               20 sent/80 received             5 MB
Very Heavy          30 sent/120 received            5 MB

Note these values, and then select the user load profile that corresponds most closely to the e-mail usage patterns in your organization.

Reference Architectures:  The results used to create this capacity planning tool were derived from two reference architectures for Forefront Security for Exchange Server: Standard and Enterprise.

Standard Reference Architecture (SRA): The SRA combines the hub and mailbox roles on a multi-role server. 

In our environment, the SRA was deployed with 1,600 users with an “average” user load profile.


Enterprise Reference Architecture (ERA): The ERA breaks out roles for the hub and mailbox servers.

In our environment, the ERA was deployed with two mailbox servers. Each mailbox server had 1,000 users with a “heavy” user load profile.


Recommended Hardware: In line with Microsoft Exchange Server 2007 hardware recommendations, we recommend that you use an enterprise-class server device with:

  • Processor – 4 cores
  • Memory – 4 GB RAM

Hardware recommendations output by the tool use this as the baseline.

Hardware Utilized:

In this study, servers were configured as follows:

  • Edge and hub servers – HP DL380G4, 2 Intel Xeon 3-GHz hyper-threaded processors, 4 GB RAM, connected to an HP Storage Area Network (SAN) via Fibre Channel
  • Multi-role server – HP DL380G4, 2 Intel Xeon 3-GHz hyper-threaded processors, 10 GB RAM, connected to a HP SAN via Fibre
  • Mailbox servers – HP DL380G4, 2 Intel Xeon 3-GHz hyper-threaded processors, 8 GB RAM, connected to a HP SAN via Fibre
  • Domain Controller (DC), clients – Hyper-V virtual machines running on a HP DL380G5 with 2 Intel Xeon 3-GHz quad-core processors and 14 GB RAM. Each virtual machine was allocated 100% of 1 processor core and 2 GB RAM.

959241 : Description of Update Rollup 6 for Microsoft Exchange Server 2007 Service Pack 1

So we all know RU6 is out, but have you checked out what it fixes? http://support.microsoft.com/kb/959241/en-us

Version 2.0 says:

You use Microsoft Outlook Web Access (OWA) 2007 to access a mailbox on a computer that is running Microsoft Exchange Server 2007 Service Pack 1. When you download an .xls file attachment and then try to open the file, the downloaded file is empty.

This problem occurs if the .xls file contains XML data. In Exchange Server 2007, if a file that contains XML data is attached to a message, the XML content in files is removed when you open or save the attachment by using OWA.


In a Microsoft Exchange Server 2003 and Exchange Server 2007 coexisting environment, some free/busy messages are not successfully replicated from Exchange 2007 servers to Exchange 2003 servers after some mailboxes are migrated from an Exchange 2003 server to an Exchange 2007 server. Therefore, the updated free/busy messages of those migrated users are not available on the Exchange 2003 server. Additionally, the following error is logged in the application event log on the Exchange 2003 server:

Event Type: Error
Event Source: MSExchangeFBPublish
Event Category: General
Event ID: 8207
Description: Error updating public folder with free-busy information on virtual machine . The error number is 0x80070057.

  • 956536 (http://support.microsoft.com/kb/956536/) The Microsoft Exchange File Distribution service uses lots of memory and processor time when Exchange Server 2007 processes many OABs

On a Microsoft Exchange Server 2007 server, you create many Offline Address Books (OABs). After that, you may notice that the Microsoft Exchange File Distribution service uses a lot of memory and processor time on a computer that has the Microsoft Exchange Server 2007 Client Access Server (CAS) role installed. When this occurs, the Exchange 2007 CAS computer responds slowly and does not perform as expected.

When Exchange Server 2007 processes OABs, the Exchange 2007 server uses temporary objects. However, those temporary objects are not controlled well. This may cause the size of the temporary objects to grow larger than expected on the computer.

  • 956624 (http://support.microsoft.com/kb/956624/) The Microsoft Exchange Transport service crashes continuously after you enable a journal rule or deploy an antivirus application on an Exchange Server 2007 server

After you enable a journal rule or deploy an antivirus application on Exchange Server 2007, the Microsoft Exchange Transport service crashes continuously. When Exchange Server 2007 processes the filename of the attachments of certain digitally signed messages, an error causes a stack overflow.

  • 957748 (http://support.microsoft.com/kb/957748/) The custom message class of a contact object is overwritten by the normal IPM.Contact class when an Exchange 2007 server replicates the contact object to any other public store

When a Microsoft Exchange 2007 server replicates a Contact object that is using a custom form, the custom message class is overwritten by the normal IPM.Contact class during content conversion. This issue occurs when a public store is replicated from an Exchange 2007 server to any other public store that is hosted on an Exchange 2007 server or on an Exchange 2003 server. As a result, Exchange users cannot use the custom message class of the contact object in the public folders in an Exchange 2007 related environment.

  • 959239 (http://support.microsoft.com/kb/959239/) MS09-003: Vulnerabilities in Microsoft Exchange could allow remote code execution

MS09-003 is interesting (http://www.microsoft.com/technet/security/bulletin/MS09-003.mspx):

This security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges.

The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.

I wonder if this affects Blackberry?
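A check that goes with the rollup list above: Get-ExchangeServer's AdminDisplayVersion only reports the service pack, so it cannot tell you whether Update Rollup 6 (and with it the MS09-003 fix) is on a server. The rollup level is reflected in the file version of ExSetup.exe in the Exchange bin directory. The PowerShell below is an added example, not from the KB article. The build that corresponds to RU6 is not given on this page, so pass it in from KB959241 as -RequiredVersion; the offline demonstration at the end uses constructed version numbers. $exbin is the Exchange 2007 Management Shell's variable for the bin directory; the ExchangeInstallPath fallback is an assumption about how the server was installed.

```powershell
# Added example: compare the installed Exchange 2007 build (ExSetup.exe file version,
# which does track update rollups) against the build that a rollup ships.
function Get-ExchangeFileBuild {
    # $exbin is set by the Exchange 2007 Management Shell; fall back to the install path variable (assumed).
    $bin = if ($exbin) { $exbin } elseif ($env:ExchangeInstallPath) { Join-Path $env:ExchangeInstallPath 'bin' } else { $null }
    if (-not $bin) { throw 'Cannot locate the Exchange bin directory; run this from the Exchange Management Shell.' }
    $exsetup = Join-Path $bin 'ExSetup.exe'
    [version](Get-Item $exsetup).VersionInfo.FileVersion
}

function Test-ExchangeRollupLevel {
    param(
        [Parameter(Mandatory = $true)][version]$RequiredVersion,  # build from the rollup's KB article
        [version]$InstalledVersion = (Get-ExchangeFileBuild)      # read from the local server unless supplied
    )
    New-Object PSObject -Property @{
        Installed = $InstalledVersion
        Required  = $RequiredVersion
        # Exchange 2007 rollups are cumulative, so any build at or above the rollup's build includes its fixes.
        UpToDate  = ($InstalledVersion -ge $RequiredVersion)
    }
}

# Offline demonstration with constructed version values. 8.1.240.6 is the Exchange 2007 SP1
# baseline; 8.1.300.0 stands in for the required build (take the real one from KB959241).
Test-ExchangeRollupLevel -RequiredVersion '8.1.300.0' -InstalledVersion '8.1.240.6' | Format-List Installed, Required, UpToDate
# On a server: Test-ExchangeRollupLevel -RequiredVersion '<build from KB959241>'
```

Because [version] comparison is used rather than string comparison, a later rollup (higher build) correctly reports as up to date for an earlier one, which matches the cumulative nature of the rollups.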

Forefront Security for Exchange and Multiple Engines

It took ages to find some decent information, so this is what I found out:

Forefront Security for Exchange Server integrates and ships with industry-leading antivirus scan engines from:


Figure 1: Forefront for Exchange Antivirus Engines

Each scan job in Forefront Security for Exchange Server can run up to five engines simultaneously.


Figure 2: Multiple Engines

Why Multiple Engines

One of the most important factors in the successful protection of your network against viruses is how fast you get new virus engine signature files. Email allows viruses to be spread in a matter of hours, and a single email virus is enough to infect your whole network. So a critical factor is how fast the signature files of your anti-virus solution are updated when a new virus emerges.

Every anti-virus vendor in the market claims to have a fast response time. Anti-virus labs produce updates for virus and worm outbreaks at different intervals. For example, the same lab may produce an update for one virus within six hours, yet take 18 hours for the next one.

The problems with a single antivirus engine approach originate from having only one system in place to identify threats – no engine is immune to vulnerability. Although the signature files used by an engine to identify viruses are generally updated several times a day, they are often released after a new virus has already hit and damage has been done. Even if an engine is 99.9 percent effective, it only takes one infection to cost an organization hundreds of thousands of dollars in lost productivity and downtime.

Forefront Security for Exchange Server provides the capability to use multiple anti-virus engines and allows you to concurrently run up to five of the included Microsoft and third-party anti-malware engines. Using multiple scan engines delivers several critical advantages:

  • It increases the chances that emerging threats will be quickly caught.
  • It provides redundancy to help protect against scan failures or defects in individual engines; if an engine fails, other engines continue scanning messages.
  • It gives administrators an effective way to choose the most appropriate level of protection for their environment given their security needs and server performance capabilities.
  • It allows engines to be taken offline for updates or reconfiguration without forcing messages to be queued.

A set of tests performed by the independent AV-Test.org group found some surprising differences in signature update times between vendors.

The tests compared AV lab response times for 68 “In the Wild” viruses and variants that appeared between April and June 2007, using five randomly chosen Forefront engines against three single-engine vendors.

The results showed that 37 viruses were proactively detected by all labs, while 23 viruses showed significant variations in detection times.

The Forefront engine sets performed much better than the three leading competitors tested, against both the competitors’ release and beta engines (the data in this table include the beta engines’ times).


Figure 3: Multiple Antivirus Engines

All the scan engines that FSE integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.


When using Multiple Antivirus engines with Forefront for Exchange, you can control how many engines are needed to provide an acceptable probability that the system is protected.

The Forefront for Exchange Server Multiple Engine Manager (MEM) controls the selected engines during the scan job. It ranks each engine based on its past performance and its age, and uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, FSE considers the item infected and has the MEM deal with it accordingly.

The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system’s performance. Microsoft recommends FAVOR CERTAINTY, which is the default setting, and MAX CERTAINTY where possible.

Bias Setting        Engines used per item
Max Certainty       Each item is virus-scanned by all five of the selected engines
Favor Certainty     Fluctuates between virus-scanning each item with three and five engines
Neutral             Each item is virus-scanned by at least three engines
Favor Performance   Fluctuates between virus-scanning each item with one and three engines
Max Performance     Each item is virus-scanned by only one of the selected engines
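As an added example, not FSE code and not the Multiple Engine Manager's real selection logic (which also ranks engines on past performance and definition age, as described above), the PowerShell below models the two rules the text does state: how many of the selected engines each bias setting uses per item, and that a detection by any engine used marks the item infected. It then tabulates, under an assumption of independent engines with a fixed miss rate, how the chance of missing a new sample shrinks as engines are added. The engine names, verdicts and miss rate are constructed.

```powershell
# Added example: model of the bias settings in the table above and the any-engine-hit rule.
# Not the real Multiple Engine Manager; engine ranking by history is not modelled.
function Get-EnginesPerItem {
    param([string]$Bias, [int]$SelectedEngines = 5)
    # Returns the minimum and maximum number of engines each item is scanned with.
    $three = [Math]::Min(3, $SelectedEngines)
    switch ($Bias) {
        'MaxCertainty'     { @{ Min = $SelectedEngines; Max = $SelectedEngines } }
        'FavorCertainty'   { @{ Min = $three;           Max = $SelectedEngines } }
        'Neutral'          { @{ Min = $three;           Max = $three } }
        'FavorPerformance' { @{ Min = 1;                Max = $three } }
        'MaxPerformance'   { @{ Min = 1;                Max = 1 } }
        default            { throw "Unknown bias setting '$Bias'" }
    }
}

function Test-ItemInfected {
    param([hashtable]$Verdicts, [string[]]$EnginesUsed)
    # FSE treats the item as infected if any engine that scanned it reports a detection.
    foreach ($e in $EnginesUsed) { if ($Verdicts[$e]) { return $true } }
    return $false
}

# Constructed verdicts for one sample: only the fourth engine has a signature for it yet.
$verdicts = @{ EngineA = $false; EngineB = $false; EngineC = $false; EngineD = $true; EngineE = $false }
$engines  = @('EngineA', 'EngineB', 'EngineC', 'EngineD', 'EngineE')

foreach ($bias in 'MaxCertainty', 'FavorCertainty', 'Neutral', 'FavorPerformance', 'MaxPerformance') {
    $range = Get-EnginesPerItem -Bias $bias -SelectedEngines $engines.Count
    # Worst case for detection: the minimum number of engines, taken in list order.
    $used   = $engines[0..($range.Min - 1)]
    $caught = Test-ItemInfected -Verdicts $verdicts -EnginesUsed $used
    '{0,-17} engines per item: {1}-{2}  worst-case detection of sample: {3}' -f $bias, $range.Min, $range.Max, $caught
}

# Assumption: independent engines, each missing a new sample with probability $missRate.
$missRate = 0.2
1..5 | ForEach-Object { 'engines: {0}  P(all miss) = {1:P1}' -f $_, [Math]::Pow($missRate, $_) }
```

With the constructed verdicts only Max Certainty is guaranteed to catch the sample, which is the trade-off the table describes: every step towards the performance end of the scale removes engines from the worst-case path, and a signature that only one vendor has shipped so far is exactly the case where that matters. The independence assumption in the probability table is optimistic; engines that license each other's signatures miss together, so treat those numbers as an upper bound on the benefit.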