With millions of personal records and payment card details stolen on a regular basis, several recently released reports independently confirm some of the main sources of breaches. Not surprisingly, those are not zero-day flaws, nor even insiders, but good old-fashioned SQL injection alongside malware infections.
With companies investing more resources into ensuring their networks and employees are protected against the very latest threats, some are clearly overlooking the most basic threats, which usually require only simple or average attack sophistication on the part of the cybercriminal.
Let's review the reports detailing the true impact of SQL injections and malware in the context of data breaches.
- UK Security Breach Investigations Report - An Analysis of Data Compromise Cases - 2010
- Trustwave's Global Security Report 2010
- The Ponemon Institute - Cost of a Data Breach
- Verizon's 2009 Anatomy of a Data Breach Report
- The KISS (Keep It Simple Stupid) principle within the cybercrime ecosystem
- The role of automated web application vulnerability scanning in the process of achieving a (false) feeling of security
Details in http://blogs.zdnet.com/security/?p=5421
Overview
Panda ActiveScan fails to properly validate downloaded software, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
I. Description
Panda ActiveScan is an online scanner that is reported to detect malware, vulnerabilities, and unknown threats. Panda ActiveScan, which is available as an ActiveX control for Internet Explorer browsers and as an NSAPI plug-in for other browsers, includes an installer component (as2stubie.dll) for downloading and installing the remaining components of the ActiveScan product (as2guiie.cab).
The Panda ActiveScan installer fails to validate the digital signature of downloaded components. The location of the components to download can also be specified by an attacker.
II. Impact
By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker could run arbitrary code with the privileges of the user running the application.
III. Solution
Apply an update
This vulnerability is addressed with as2stubie.dll version 1.3.3.0. This version of the stub installer verifies the digital signature of the downloaded components. This updated version can be obtained by revisiting the ActiveScan website and installing the updated components as prompted. This will replace the old, vulnerable installer component. The vulnerable ActiveX control is also disabled in Microsoft Security Bulletin MS10-008.
http://www.kb.cert.org/vuls/id/869993
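The advisory above describes two defects in the stub installer: it executed whatever it downloaded without authenticating it, and it let the page that embedded the control choose where the download came from. The following Python model shows what a stub that closes both holes looks like. It is an added illustration written for this digest, not Panda's code: the vendor hostname, the component bytes and the fake in-memory "network" are constructed, and a pinned SHA-256 digest stands in for the publisher-signature check that the fixed as2stubie.dll 1.3.3.0 performs.

```python
"""Model of an installer stub that refuses components it cannot authenticate.
Added illustration, not Panda's code.  Authenticity is modelled with a pinned
SHA-256 digest shipped inside the stub (a stand-in for the vendor-signature
check the real fix performs); the host allowlist models 'the download
location must not be page- or attacker-controlled'.  All URLs, digests and
component bytes below are constructed for the demonstration."""
import hashlib
import hmac
from typing import Tuple
from urllib.parse import urlparse

# Constructed sample components (what a fetch would return).
GOOD_COMPONENT = b"MZ...genuine scanner component (constructed)..."
EVIL_COMPONENT = b"MZ...untrusted payload (constructed)..."

# Pinned publisher data shipped with the stub: the only hosts it may fetch
# from, and the expected digest of the component it is allowed to install.
TRUSTED_HOSTS = {"activescan.example-vendor.test"}          # constructed host
PINNED_SHA256 = hashlib.sha256(GOOD_COMPONENT).hexdigest()

# Fake network, URL -> bytes.  Stands in for urllib.request.urlopen so the
# example runs offline.
FAKE_NETWORK = {
    "https://activescan.example-vendor.test/as2guiie.cab": GOOD_COMPONENT,
    "https://activescan.example-vendor.test/tampered.cab": EVIL_COMPONENT,
    "https://attacker.test/as2guiie.cab": EVIL_COMPONENT,
}


class InstallRefused(Exception):
    """Raised when the stub declines to install a component."""


def fetch(url: str) -> bytes:
    """Retrieve bytes for url from the constructed fake network."""
    try:
        return FAKE_NETWORK[url]
    except KeyError:
        raise InstallRefused(f"unreachable: {url}")


def verify_component(blob: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the component digest against the pin."""
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, pinned_hex)


def install_component(url: str) -> str:
    """Download and 'install' a component only if it passes both checks.

    The vulnerable stub performed neither check: it downloaded from whatever
    location the embedding page specified and executed the result."""
    parsed = urlparse(url)
    # Check 1: the origin is fixed by the stub, not by the page.
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_HOSTS:
        raise InstallRefused(f"untrusted download origin: {parsed.hostname}")
    blob = fetch(url)
    # Check 2: authenticate the bytes before anything executes them.
    if not verify_component(blob, PINNED_SHA256):
        raise InstallRefused("component failed authenticity check")
    return f"installed {len(blob)} bytes from {parsed.hostname}"


def try_install(url: str) -> Tuple[bool, str]:
    """Convenience wrapper returning (installed?, reason)."""
    try:
        return True, install_component(url)
    except InstallRefused as exc:
        return False, str(exc)


if __name__ == "__main__":
    for u in FAKE_NETWORK:
        ok, why = try_install(u)
        print("OK     " if ok else "REFUSED", u, "-", why)
```

Running the block installs only the genuine component from the vendor host; the same filename served from another host is refused at the origin check, and a tampered file on the vendor host is refused at the authenticity check, which is the order the fixed stub needs: never fetch from an untrusted place, and never execute what has not been verified.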
Microsoft Security Advisory (977377)
Vulnerability in TLS/SSL Could Allow Spoofing
Published: February 09, 2010
Microsoft is investigating public reports of a vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. At this time, Microsoft is not aware of any attacks attempting to exploit the reported vulnerability.
As an issue affecting an Internet standard, we recognize that this issue affects multiple vendors. We are working on a coordinated response with our partners in the Internet Consortium for Advancement of Security on the Internet (ICASI). The TLS and SSL protocols are implemented in several Microsoft products, both client and server, and this advisory will be updated as our investigation continues.
As part of this security advisory, Microsoft is making available a workaround which enables system administrators to disable TLS and SSL renegotiation functionality. However, as renegotiation is required functionality for some applications, this workaround is not intended for wide implementation and should be tested extensively prior to implementation.
Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, depending on customer needs.
Affected
This advisory discusses the following software.
Affected Software
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems*
Windows Server 2008 R2 for Itanium-based Systems
*Server Core installation affected.
Workarounds
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
- Enable SSLAlwaysNegoClientCert on IIS 6 and above
http://www.microsoft.com/technet/security/advisory/977377.mspx
Over the past year, we set out to identify and solve any possible pain points that might arise during a person's experience downloading and installing Firefox. Thanks to feedback from users, and some resulting product changes, we can now safely say that there are no issues confronting new users when installing Firefox for the very first time.
How do we know this?
Last week, we re-ran our installer feedback mechanism for a short period of time. If a user clicked “cancel” while walking through the Firefox installer, they were asked if they wanted to provide feedback.
After making an initial round of product improvements based on our first time feedback (March ‘09), here are the transformed feedback results from our more recent efforts (both July 2009 and last week):
While we still have plans to tackle the remaining big slice of the pie (see concluding paragraph), we were able to successfully solve the red and green pie slices from last time. In our latest feedback results (pie on the right), the big pie slice now represents nearly 100% of the total feedback (the previously seen categories virtually evaporated). One way to interpret this is that we’ve now successfully identified and resolved 3 of the top 4 issues originally encountered by users.
More in http://blog.mozilla.com/metrics/2010/02/09/an-improved-experience-for-new-users-of-firefox/
To entice security researchers to look for holes in the Chrome browser, Google has announced it will pay US$500 for bugs found in the code. But several experts have said that's not enough money to motivate skilled vulnerability researchers.
Under Google's new "experimental" incentive program, announced last week, people will get paid US$500 for select interesting and original security vulnerabilities discovered in Chrome, or US$1337 for particularly severe or clever bugs. That figure refers to the geek term for elite, or "leet", which can be spelled out using the numbers.
Mozilla pays US$500 to researchers who find valid security bugs in the Firefox browser, the Thunderbird email client or the Mozilla suite.
Jeremiah Grossman, chief technology officer and co-founder of WhiteHat Security, said Google's plan could be the start of an interesting trend.
"If a researcher is purely interested in the dollar reward, then by all means he should go where the dollar is highest. But if you happen to find one because it's fun and interesting to you, then you'll get paid too," he said. "I've been suggesting Microsoft should do this for a long time but they have a moral issue with it."
Microsoft has decided to stick with its no-bounty stance.
http://www.zdnet.com.au/news/security/soa/Google-stingy-on-malware-handout-/0,130061744,339300941,00.htm
Computer hackers disabled several Australian government websites Wednesday in coordinated attacks protesting against a planned internet filter aimed at pornography.
The attacks, confirmed by the Attorney-General's Department, crippled Australia's parliamentary website for almost an hour, including the Communications Department, which is pushing a compulsory internet filter for pornography and offensive content.
The attacks were launched by hackers aligned with an anti-Church of Scientology group known as "Anonymous."
"No government should have the right to refuse its citizens access to information solely because they perceive it to be 'unwanted'," the group said in an email.
"The Australian government will learn that one does not mess with our porn."
http://uk.reuters.com/article/idUKTRE6190E020100210
A Queensland man will have to pay Nintendo $1.5 million in damages after illegally copying and uploading one of its new games to the internet ahead of its release, the gaming giant says.
James Burt, 24, of Sinnamon Park in Queensland will pay Nintendo $1.5 million after an out-of-court settlement was struck to compensate the company for the loss of sales revenue.
Nintendo said the loss was caused when Burt made New Super Mario Bros for the Wii gaming console available for illegal download a week ahead of its official Australian release in November last year.
Under Australian law, copying and distributing games without the permission of the copyright holder is a breach of the Copyright Act.
Nintendo applied and was granted a search order by the Federal Court forcing Burt to disclose the whereabouts of all his computers, disks and electronic storage devices in November.
http://www.smh.com.au/digital-life/games/nintendo-pirate-to-pay-15m-20100209-np4i.html
Apple executives have hinted that an early price drop for the $500-and-up iPad may be in the works. A Credit Suisse analyst who reportedly met with Apple executives learned that Apple may slash the price of the iPad if demand for the new device is low.
For eager iPad early adopters that could turn out to be a big iBummer, but then again, the news of an iPad price drop should not be coming as a shock. Most technology companies have a history of screwing over their first batch of customers with price cuts and early upgrades, and Apple is no exception. In fact, Apple was behind one of the most famous early adopter scandals of all time.
So before you go spending your money on the first edition of the iPad, let's take a quick look back at just a few times when early adopters were left out in the cold by buying technology products before anyone else.
- iPhone
- Blu-Ray
- Tivo Down Under
- Wal-Mart Music Downloads
- Kindle 2 and DX
http://www.pcworld.com/article/188889/ipad_early_adopters.html
EBook Outlines Why Organizations Need to Shift from a Threat Centric Approach to a Trust Centric Endpoint Security Model to Eliminate Risks, Reduce Complexity, and Lower TCO
Shift happens. The threat landscape has changed for the worse as evidenced by the recent highly publicized attacks by hackers who used sophisticated methods to steal core intellectual property from Google, Adobe, and other high profile companies. Cyber criminals have become more agile than ever, insiders have increasingly taken advantage of trust and new Web 2.0 technologies have given both parties open access to sensitive data stores. Traditional technologies such as antivirus and firewalls can no longer act as the mainstay of modern security programs. The year 2009 was believed to be the tipping point of a cybercrime epidemic in which more malware was identified than any other time in the history of computing. With current growth rates of malware, it is feasible to see billions if not trillions of malware signatures within the span of a few short years. Organizations must begin to shift from a threat centric approach where the focus is on stopping what is known to be bad, to a trust centric model where the focus is on protecting what is known to be good and trusted in order to achieve greater intelligence around endpoint risks. In doing so, organizations will better eliminate risk, reduce complexity, lower TCO and improve overall endpoint security and compliance posture.
Lumension, the global leader in endpoint management and security, today unveiled a new eBook titled, “Shift Happens: The Evolution in Application Whitelisting.” The eBook is designed to arm security professionals with a better understanding of the new endpoint security risks to confidential data and proprietary systems and why organizations must make a shift away from traditional approaches to endpoint security models and look to adopt a trust centric model with application whitelisting.
“Whitelisting may be perceived as a new novel idea, but the old oak trees of IT security will tell you that it is hardly a new approach to shoring up systems,” Paul Zimski, vice president of solution marketing, Lumension. [...]
To download the free eBook, click on Shift Happens: The Evolution in Application Whitelisting.
http://news.yahoo.com/s/prweb/20100209/bs_prweb/prweb3582184
Sixty thousand accounts compromised
A Lebanese hacker claims to have hacked Orange's regional website in Cote d'Ivoire (Ivory Coast) through SQL injection. The attack allegedly gave him access to the website's administration interface and information on almost 60,000 customers.
Orange is the fifth largest telecom provider in the world with a presence in 166 countries and territories and an estimated 189 million subscribers. According to information on its website, Orange Cote d'Ivoire was the group's first subsidiary on the African continent and has over 4 million customers.
In an e-mail to Softpedia, a self-confessed grey hat hacker going by the name of Idahc took credit for compromising the orange.ci domain. The attached screenshots and a video demonstration clearly show the hacker navigating through the website's administration interface at will.
The site seems to have been compromised around the date of January 25, when Idahc used the administrative credentials to add a news story entitled "Hacked by Idahc" on the website. The entry is still online at the time of publishing, suggesting that the webmasters might not be aware of the security breach.
However, it appears that Idahc is not the only hacker to have targeted the orange.ci domain recently. According to a post on Web defacement archive Zone-H.org, someone else hacked the server and uploaded a rogue HTML file back in December. Similar to Idahc's news story, that file is still online and reads "3viLboy was here."
http://news.softpedia.com/news/Orange-Regional-Website-Hacked-134467.shtml
Sunbelt Software is supporting tomorrow’s Safer Internet Day, an awareness-raising initiative co-funded by the European Commission. Organizations in more than 60 countries are behind the campaign, this year focusing on the theme "Think B4 U post!"
New technologies have turned all of us, and mostly young people, into publishers of information, pictures, and videos. While bringing about new opportunities for personal expression and creativity, the same technologies can also conjure up embarrassing or even traumatic situations. For example, photos, once posted online, remain online and can be seen by anybody, even years after they have been posted. Therefore, children and teenagers need guidance to manage their online identity in a responsible way, to be in control of their own online identity.
“We are proud to be supporting Safer Internet Day. Whilst it is generally assumed that the latest generation will be the most technologically savvy, we see that children are taking increasing liberties with their online identity and opening themselves up to a wealth of very real dangers,” explained Sunbelt Software CEO Alex Eckelberry. “By following this simple five point checklist they can enjoy the many social and academic benefits of the Internet safely.”
http://sunbeltblog.blogspot.com/2010/02/sunbelt-supports-safer-internet-day.html
We got a huge number of Microsoft security updates today:
- MS10-003 - Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)
- MS10-004 - Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)
- MS10-005 - Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
- MS10-006 - Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
- MS10-007 - Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
- MS10-008 - Cumulative Security Update of ActiveX Kill Bits (978262)
- MS10-009 - Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
- MS10-010 - Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)
- MS10-011 - Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)
- MS10-012 - Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
- MS10-013 - Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
- MS10-014 - Vulnerability in Kerberos Could Allow Denial of Service (977290)
- MS10-015 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
The full version of their bulletin summary is in http://www.microsoft.com/technet/security/Bulletin/MS10-feb.mspx and MSRC's blog entry on the above is in http://blogs.technet.com/msrc/archive/2010/02/09/february-2010-security-bulletin-release.aspx
Banning web users suspected of illegally downloading content from the internet could breach human rights legislation, says the Joint Select Committee on Human Rights.
According to the group of MPs and members of the House of Lords, the proposals set out in the Digital Economy Bill reference 'technical measures' which could be employed to block internet pirates' web connections.
However the committee said the technical measures had not been "sufficiently specified".
"The concern we have with this Bill is that it lacks detail," said Andrew Dismore MP and chair of the Committee.
http://www.networkworld.com/news/2010/020810-banning-illegal-file-sharers-could-breach.html
Even users running up-to-date anti-virus software still get infected with malware, according to stats from an online malware scanning service.
Nearly a third (25,000 out of 78,800) of computers with up-to-date anti-virus software were discovered to be infected with malicious code when users scanned their PC using SurfRight's HitmanPro 3 behavioural scan.
SurfRight's analysis is based on 107,435 users who put their PC through its scanner between 10 October and 4 December 2009. Around a quarter of these users (28,608) either had no scanner installed or were running security software that was out of date.
Surfers are much more likely to turn to SurfRight's software if they suspected their Windows PC was running slowly or might be infected with malware, so the figures from SurfRight's audit are bound to come out worse than those from the general web population.
http://www.theregister.co.uk/2010/02/08/security_scanner_shortcomings/
China officials have shut down Black Hawk Safety Net, the country's biggest hacker training Website, and arrested three people for making hacker tools available online.
China announced it has arrested three people in connection with operating a hacker training school that distributed malware and hacking tools to its members in online forums.
According to Xinhua, China's state-run newspaper, three people were arrested in connection with making the tools available online through a business known as Black Hawk Safety Net. Established in 2005, Black Hawk Safety Net is reportedly headquartered in Xuchang of the central Henan Province and has more than 180,000 members. Police reportedly uncovered the operation as part of an investigation into a cyber-attack in Macheng City in 2007.
The three suspects arrested in the case are charged with offering online hacker tools, a crime newly listed in the country's criminal law last year, the paper reported.
http://www.eweek.com/c/a/Security/China-Closes-Hacker-Training-School-Arrest-3-827095
N.Y. man claims Symantec didn't tell him before charging his card, as 2009 settlement required
A New York man has sued security software maker Symantec for automatically renewing his subscription to Norton Antivirus, alleging that the company did not notify him before charging $76 to his credit card.
The lawsuit comes seven months after the New York Attorney General's office fined Symantec $375,000 for the practice and ordered it to give notice before renewing any subscription.
According to the lawsuit filed Jan. 19 in a New York County court, Kenneth Elan of Port Washington, N.Y., purchased a copy of Norton Antivirus in 2007. Early in November 2009, Symantec told him that it had automatically renewed his license to the software for one year, and charged his credit card $76.03. Elan said he had not been notified prior to the charge hitting his card.
http://www.computerworld.com/s/article/9153118/Symantec_hit_with_class_action_lawsuit_over_auto_renewals
Same incident as last year: http://www.calendarofupdates.com/updates/index.php?showtopic=20325
Google will today announce some big changes to its social media strategy. It is believed these will include changes to Gmail that will allow users to post messages in a similar way to Twitter or Facebook.
That social media sites Facebook and Twitter have a huge potential for advertising in the future will not have gone unnoticed at Mountain View, CA.
Google recently announced that its only social success to date, YouTube, has started to make a profit. Google bought the already successful but loss-making YouTube in 2006, and has steadily increased the amount of advertising on the site since.
Google has numerous products that have some form of social aspect to them. Reader, Calendar, Bookmarks and others all encourage sharing; there is a full social network site in Orkut; and Google Profiles links in well with Wave, the much-maligned collaboration tool. Then let's not forget SideWiki, which allows users to leave messages on any site via a browser add-on.
The problem that Google has had is that these products have been too disparate. There hasn't been a single combining element that has allowed all the best features to appear in one single interface in a way that could compete with Facebook. It sounds like Google is attempting to make up for lost time now.
http://www.bigmouthmedia.com/live/articles/google-to-use-gmail-to-challenge-facebook.asp/6751/
Google to add social-media tools to Gmail similar to Facebook, Twitter
Proof-of-concept demonstrates ease at which mobile spyware can be created to pilfer text messages and email, eavesdrop, and track victim's physical location via smartphone's GPS
A researcher at the ShmooCon hacker conference yesterday demonstrated how BlackBerry applications can be used to expose sensitive information without the use of exploits.
Tyler Shields, senior researcher for Veracode's Research Lab, also released proof-of-concept source code for a spyware app he created and demonstrated at the hacker confab in Washington, D.C., that forces the victim's BlackBerry to hand over its contacts and messages. The app also can grab text messages, listen in on the victim, as well as track his physical location via the phone's GPS.
The spyware sits on the victim's smartphone, and an attacker can remotely use the app to dump the user's contact list, email inbox, and SMS messages. It even keeps the attacker updated on new contacts the victim adds to his contact list. "This is a proof-of-concept to demonstrate how mobile spyware and applications for malicious behavior are trivial to write just by using the APIs of the mobile OS itself," Shields says.
http://www.darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=222700260
An Adobe product manager has apologized for allowing a potentially serious bug in Flash Player to remain unfixed for more than 16 months.
The admission, by Emmy Huang, product manager for Flash, came a week after Apple CEO Steve Jobs lambasted Adobe engineers as "lazy" and said when Macs crash, "more often than not it’s because of Flash." Adobe CTO Kevin Lynch struck back, insisting that at Adobe, "we don't ship Flash with any known crash bugs."
The crash bug at issue in Huang's blog post published over the weekend was reported in September 2008, but it has yet to be excised from release versions of Flash. She said a beta version of Flash scheduled for official release later this year has fixed the problem.
Continued here: http://www.theregister.co.uk/2010/02/09/adobe_flash_crash_bug/
Flash Bug Report
As has been pointed out by the community, there is an existing crash bug that was reported by Matthew Dempsky in the Flash Player bugbase (JIRA FP-677) in September of 2008 that still exists in the release players. It is fixed in Flash Player 10.1 beta, and has been since we launched the beta in early November 2009.
I want to reiterate that it is our policy that crashes are serious "A" priority bugs, and it is a tenet of the Flash Player team that ActionScript developers should never be able to crash Flash Player. If a crash occurs, it is by definition a bug, and one that Adobe takes very seriously. When they happen, it can be the result of something going on purely within Flash Player, something in the browser, or even at the OS level. Depending on where an issue occurs we work to resolve the crash internally or with our partners.
So what happened here? We picked up the bug as a crasher when it was filed on September 22, 2008, and were able to reproduce it. Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch. The mistake we made was marking this bug for "next" release, which is the soon to be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and let him know the progress; sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again. It slipped through the cracks, and it is not something we take lightly.
The team is actively reviewing all unresolved crash bugs in JIRA and will reach out to the submitter if we need their help. We have been updating JIRA bugs with status when we ship pre-release and release players with fixes, but will be focusing on scrubbing these more vigilantly so the community will be able to get status on their issues earlier. Again, FP-677 is fixed in Flash Player 10.1 beta on Adobe Labs and was made public in a regular bugbase scrub that happened yesterday.
http://blogs.adobe.com/emmy/archives/2010/02/flash_bug_repor.html
From Bruce at his "Schneier on Security":
At FSE 2010 this week, Dmitry Khovratovich and Ivica Nikolic presented a paper where they cryptanalyze ARX algorithms (algorithms that use only addition, rotation, and exclusive-OR operations): "Rotational Cryptanalysis of ARX." In the paper, they demonstrate their attack against Threefish. Their attack breaks 39 (out of 72) rounds of Threefish-256 with a complexity of 2^252.4, 42 (out of 72) rounds of Threefish-512 with a complexity of 2^507, and 43.5 (out of 80) rounds of Threefish-1024 with a complexity of 2^1014.5. (Yes, that's over 2^1000. Don't laugh; it really is a valid attack, even though it -- or any of these others -- will never be practical.)
This is excellent work, and represents the best attacks against Threefish to date. (I suspect that the attacks can be extended a few more rounds with some clever cryptanalytic tricks, but no further.) The security of full Threefish isn't at risk, of course; there's still plenty of security margin.
http://www.schneier.com/blog/archives/2010/02/new_attack_on_t.html