September 2011 - Posts
Trend Micro shares some excellent user safety tips and administrative design standards to help mitigate attacks. One key practice is to close secure websites by logging out to keep sessions as short as possible.
BEAST and TLS/SSL Security: What It Means For Users and Web Admins
What can users do?
• Keep time spent on sensitive SSL sessions as short as possible. The attacker needs time to decode the encrypted message. If the session cookie is invalid before the attacker has finished, this attack fails.
• When leaving an SSL protected site, be sure to actually log out, not just move to a new site. In many cases, actively logging out will invalidate any cookie/session data that the attacker may have successfully decoded.
• Standard security best practices still work. For this attack to be successful, the attacker must have access to either your network or your computer. At the very least, up-to-date security software will make life harder for an attacker.
What can website administrators do?
• Make sure your logout button performs the expected action. You are leaving users at risk if your site does not actually invalidate session cookies when they click “log out”.
• Ensure that session cookies are tied to an IP address where the session was established. If that IP address changes, consider validating that the source of the requests is still your user. This will not prevent this attack, but it will make it harder to exploit your users.
• Resist the temptation to change SSL ciphers without carefully considering the risks first. While it is true that RC4 is not subject to this attack, it presents more risk than AES. Also, it isn’t a bad idea to keep an eye on the IETF TLS working group. New versions of the TLS standard exist that eliminate the weaknesses used in this attack. Unfortunately HTTP server and browser coverage of these new standards is spotty at the moment. So you have to carefully consider both your environment and your user base before such a change.
TLS (Transport Layer Security) Working Group
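The three administrator points above (short sessions, a logout that really invalidates the server-side session, and binding a session to the IP it was established from) can be shown in a small server-side session store. This is an added example, not code from Trend Micro or from the original post; the 10-minute lifetime, the class and function names, and the sample IP addresses are all assumptions chosen for illustration. It also contrasts a client-only "logout" (which merely expires the browser cookie) with a real one, to show why the former leaves a recovered cookie usable.

```python
"""Server-side sessions: short lifetime, IP binding, and a logout that invalidates."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: a short absolute lifetime (10 minutes) limits the window in which a
# recovered cookie is still useful; real sites tune this to their own risk.
SESSION_LIFETIME_SECONDS = 600


@dataclass
class Session:
    user: str
    client_ip: str      # IP the session was established from
    created_at: float   # epoch seconds


class SessionStore:
    """Minimal in-memory store; a real deployment would use a shared backend."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        # Unpredictable token; the browser receives it as the session cookie.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_ip, time.time() if now is None else now)
        return token

    def validate(self, token: str, client_ip: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'expired', 'ip_mismatch' or 'unknown' for a presented cookie."""
        sess = self._sessions.get(token)
        if sess is None:
            return "unknown"
        now = time.time() if now is None else now
        if now - sess.created_at > SESSION_LIFETIME_SECONDS:
            # Expired: drop the record so a late-recovered cookie is useless.
            del self._sessions[token]
            return "expired"
        if client_ip != sess.client_ip:
            # Not an outright rejection: the caller should re-verify the user,
            # as the advice above suggests, before honouring the request.
            return "ip_mismatch"
        return "ok"

    def logout(self, token: str) -> bool:
        """Real logout: remove the server-side record. Returns True if one existed."""
        return self._sessions.pop(token, None) is not None


def client_only_logout(token: str) -> str:
    """The broken pattern: only tells the browser to forget the cookie.

    The server-side session is untouched, so anyone who already holds the
    token can keep using it. Returns the Set-Cookie header such a handler sends.
    """
    return "Set-Cookie: session=; Max-Age=0; Path=/; Secure; HttpOnly"


def demo() -> dict:
    """Walk through the scenarios and return the validation results by name."""
    store = SessionStore()
    t0 = 1_000_000.0
    token = store.create("alice", "203.0.113.5", now=t0)          # constructed IPs
    results = {
        "same_ip": store.validate(token, "203.0.113.5", now=t0 + 60),
        "other_ip": store.validate(token, "198.51.100.9", now=t0 + 60),
    }
    client_only_logout(token)                                     # cookie cleared only
    results["after_client_only_logout"] = store.validate(token, "203.0.113.5", now=t0 + 120)
    results["logout_removed"] = store.logout(token)
    results["after_real_logout"] = store.validate(token, "203.0.113.5", now=t0 + 180)
    stale = store.create("bob", "203.0.113.7", now=t0)
    results["past_lifetime"] = store.validate(stale, "203.0.113.7", now=t0 + SESSION_LIFETIME_SECONDS + 1)
    results["logout_after_expiry"] = store.logout(stale)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `after_client_only_logout` result is the one to watch: the cookie has been cleared from the browser, yet the server still answers "ok" for the old token, which is exactly the gap the "make sure your logout button performs the expected action" point describes.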
TDL4 is one of the most advanced Windows malware agents circulating. It is highly stealthy and hides in the master boot record of the Windows O/S. Trend Micro shares developments related to a new version:
TDL4 Worm Component Employs Bitcoin Mining
QUOTE: TDL4 is a well known variant of the TDSS malware family known for evading detection by antivirus products by infecting affected systems’ boot sector. We’ve been monitoring developments related to TDSS, and earlier this year we saw TDL4 exhibit propagation routines through a worm component that Trend Micro detects as WORM_OTORUN.ASH.
This is an interesting development as a low-cost high technology tablet:
Amazon Unveils $199 Kindle Fire Tablet
QUOTE: The Kindle Fire will have a 7-inch display and sell for $199, compared with $499 for Apple’s cheapest iPad, Amazon executives said in interviews with Bloomberg Businessweek. The device, a souped-up version of the Kindle electronic-book reader, will run on Google Inc.’s Android software, the Seattle-based company said. Amazon also introduced a touch-screen version of its e-reader, to be called Kindle Touch.
F-Secure has developed a security product designed to integrate with Facebook and check for malicious links.
F-Secure ShareSafe Beta - Security Application for Facebook
QUOTE: Security applications and Facebook tend to mix together like oil and water. Therefore, when attempting to develop a security application for Facebook… it had better not be boring. And that brings us to our new beta: F-Secure ShareSafe. The development team behind ShareSafe aims to build an entertaining Facebook app, with security benefits tagging along for the ride.
A total of 15 screenshots illustrate some of the initial features for this new operating system.
eWeek Microsoft's Windows 8 Developer Preview: First Look
QUOTE: Microsoft has offered its Developer Preview of its upcoming Windows 8 to the world. This early glimpse of the operating system, while nowhere near finished, offers a one-of-a-kind perspective into Microsoft’s thinking when it comes to the next generation of Windows. For one thing, the company also intends Windows 8 to make substantial inroads into the tablet category, currently dominated by Apple’s iPad—and it plans to do so by offering a touch-centric “Metro” interface that consists of colorful tiles linked to applications.
Early this morning, Windows Automatic Update notified me of a second MSRT update and below are the details. Wishing them success in eradicating this malicious threat.
Microsoft MSRT - 2nd Release for September 2011
QUOTE: For the month of September, Microsoft is adding the Win32/Kelihos family to a second release of the Malicious Software Removal Tool. This additional release is to support the most recent action in Project MARS- Operation b79 which targets the Kelihos botnet. The Win32/Kelihos malware family distributes spam email messages that may contain links to web sites serving installers of Kelihos itself. It may also communicate with remote computers to exchange information that it uses to execute various tasks such as bootstrapping to the botnet, sending spam emails promoting bogus products or services, stealing sensitive information, or downloading and executing arbitrary files.
Microsoft killed Kelihos botnet
QUOTE: Great news for Internet security. Microsoft has effectively killed off the Kelihos botnet which has about 42-45K nodes. The signature to remove the botnet agent from infected machines is added to the Malicious Software Removal Tool which will be rolled out to users taking automatic updates. Microsoft also took a proactive approach on the legal front, filing for a court order to get Verisign (the domain registrar for the malicious domains) to take down the malicious domains related to the botnet operations.
Users with modern systems should be able to upgrade without needing more RAM or processor power, as noted below:
Windows 8 - No increased hardware requirements from version 7
QUOTE: Microsoft says Windows 7 users won't need bigger and better hardware to run the freshly unveiled Windows 8. The PC system requirements will be the same if not less than what's needed to run Windows 7, although the new operating system definitely appears tailored for the touch-screen interfaces of tablets. Speaking at a press event at Computex in Taiwan yesterday, Microsoft's Michael Angiulo said, "Windows 8 will be able to run on a wide range of machines because it will have the same system requirements or lower" as Windows 7. Microsoft Windows President Steven Sinofsky reiterated the approach at the All Things D conference in California.
Users should avoid clicking on suspicious news alert links offered to them via Facebook:
Facebook - Fake BBC Video scams continue to surface
QUOTE: It seems scammers have a bit of a thing for spoofing BBC websites at the moment. Yesterday it was work from home scams, and last month it was a Facebook wheeze which (in a nutshell) went like this: "Lady Gaga is dead and here's a BBC video to prove it, also click here." Maybe the (unrelated) work from home fakeout has inspired scammers into a fresh round of BBC shenanigans, because the phony BBC video rides again on Facebook. As usual, it's surveytacular and is geared around fake Facebook messages promoting the completely fake BBC page
Please update systems as prompted for better protection from malicious attacks currently circulating:
Adobe Flash out-of-band security update for September 2011
QUOTE: Adobe released an out-of-band security update to address six critical vulnerabilities, all affecting Adobe Flash Player. One of the six, a cross-site scripting vulnerability identified as CVE-2011-2444, is reportedly being exploited in the wild. The bug is reportedly being used in targeted attacks that involve malicious links sent out to targets through email messages. Users are strongly advised to apply the patches as soon as possible, especially since exploiting any of the addressed vulnerabilities can lead to either remote code execution, or information disclosure.
Note that users who utilize multiple browsers may need to update their other browsers separately. Users can visit this page through all their browsers to check if they have the latest version of Adobe Flash Player installed, and this page to update.
Adobe continues to gradually improve internal security in each version of their products as noted below:
Adobe Flash v11 - to offer improved security
QUOTE: Adobe Flash has struggled over the last few years to conquer a bad security reputation which, combined with ubiquity, has made it one of the more problematic components on the typical computer. Flash 11, announced this past week, continues Adobe's work in tightening up the security of the product. The new version adds a private browsing mode, like those available in all major web browsers now, and a Flash control panel for mobile versions. ('Mobile versions' in this context means Android, and the control panel is available for Android Honeycomb, version 3.0).
But the more significant features will probably be those less visible to the user. Flash 11 apps will be able to open SSL socket connections so that their communications aren't completely open for all to see. There will also be a more secure random number generator, one that can be used for secure programming. Finally—and I mean finally—there will be a 64-bit version of Flash which brings with it some side benefits in security.
This law is beneficial and shares the need for companies to improve their security controls, as highlighted by ESET security.
2.1 million users’ data breached in Massachusetts
QUOTE: Since 2010 that is, following a law enacted in 2007 that requires all companies doing business in Massachusetts to inform consumers and state regulators about security breaches that might result in identity theft. Attorney General Martha Coakley’s office released the information, including a breakdown of the data.
It seems her office received 1,166 data breach notices since January 2010, including 480 between January and August of 2011. About 25 percent were as a result of a deliberate hacking attempt, followed by 23 percent for accidental unauthorized sharing of information, i.e. faxes or e-mails with personal information sent to the wrong recipient. 15 percent of cases were reports of customer credit card numbers. Data was also lost through thefts or accidental losses of laptop computers and paper documents, or in cases in which workers deliberately gained unauthorized access to client files.
The ISC celebrates next month with a series of best practices and articles related to computer security.
October 2011 - Cyber Security awareness month
QUOTE: It is that time of the year again, Cyber Security Awareness Month. Over the last few years we have participated in the October Cyber Security Awareness month (just search the archive for "cyber security awareness month"). During the month, in addition to our normal diaries, we take a specific topic or theme and publish a diary on the topic.
This year the theme is the "20 Critical Security Controls". I know what you are thinking, 20 controls 31 days. A number of the controls will easily take a few days to cover. For those of you that are unfamiliar with the 20 critical security controls, please see this link:
Microsoft notes an active attack for at least one DigiNotar certificate.
MS Security Advisory Update - Fraudulent DigiNotar Certificates
QUOTE: Microsoft re-released Microsoft Security Advisory (2607712) regarding fraudulent DigiNotar Root CA. "Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store." The update is available for all supported versions of Windows here and via automatic updates.
Trend Micro warns of major improvements found in this new variant in this comprehensive review:
Massive Code Change for New DroidDreamLight Variant
QUOTE: We saw several key developments in the new variant of DroidDreamLight, which we were able to analyze earlier this month. This new variant, found in a China-based 3rd party application store, comes off as applications such as a battery monitoring tool, task listing tool, and an application that lists the permissions used by installed applications. Please note though that the apps are in English, so potential victims are not limited to users who understand Chinese. This Android malware is now detected as AndroidOS_DORDRAE.N.
Another important update is the addition of information theft routines. Based on our analysis, this new variant can steal certain information from the device, such as:
* SMS messages (inbox and outbox)
* Call log (incoming and outgoing)
* Contacts list
* Information related to Google accounts stored in the device
I'm anxious to test this new operating system in the future. PC Magazine highlights the new Metro User Interface and other changes found in Windows 8.
Windows 8 - PC Magazine review of Developer Preview
QUOTE: Windows 8 is a coin with two very different sides: On one side is a tablet operating system, with the tile-heavy Metro user interface inspired by Windows Phone 7. On the other is an improved version of the full Windows 7-like desktop operating system. The first is very simple and consumer-oriented, and competes with tablets like Apple’s iPad and Google Android tablets. The other is the operating system favored by power users of complex and professional Windows programs.
Microsoft insists that all Windows 7 apps will run in Windows 8, and that any machine that can run Windows 7 can run Windows 8. That said, the company seems most excited about the new species of app it calls Metro-style apps--referring to the Windows Phone 7 Metro UI. These are touch-optimized, full-screen affairs that only show their menus and settings if you swipe up from the bottom of the screen. Swiping from the right side of the screen towards the middle brings up what the company calls “Charms”—icons for Search, Share, Start, Devices, and Settings.
The Internet Storm Center shares an important emergency release that corporations should apply promptly:
Oracle Emergency Patch for CVE-2011-3192 has been released!
QUOTE: This security alert addresses the security issue CVE-2011-3192, a denial of service vulnerability in Apache HTTPD, which is applicable to Oracle HTTP Server products based on Apache 2.0 or 2.2. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of un-patched systems. The bug is serious enough for Oracle to issue the patch outside of its usual large quarterly updates, the next of which is scheduled for Oct. 18.
QUOTE: The Obama administration argued to the Senate Judiciary Committee yesterday for legislation that would impose minimum sentences for anyone convicted of attacks or attempted attacks on critical infrastructure. The administration's proposed updates to the Cyber Fraud and Abuse Act would also make it clear that RICO, the Racketeering Influenced and Corrupt Organization Act, a major law enforcement tool against organized crime, applies to such offenses.
Trend Micro provides an update related to bank related malware and fraud attacks:
Banking Trojan Attacks continue to target large companies
QUOTE: Trend Micro has uncovered a significant international banking malware gang. Unusually for such gangs, a wide variety of large organizations and US multi-nationals in a variety of sectors were victimized. The complete take over the first 6 months of this year was $3.2 million US. The weapons used were pretty conventional banking spyware: SpyEye, Zeus, and exploit kits to drive blackhat SEO traffic to the malware. According to Trend Micro, some pretty significant organizations, in the following categories, were hit:
- US Government (Local, State, Federal)
- US Military
- Educational & Research Institutions
- Other Companies (Automobile, Media, Technology)
ESET highlights a sharp increase in mobile device malware. Users should be careful in everything they install or provide permissions to for these devices.
Android banking malware increases in wild
QUOTE: Recently, we’ve noted a steep rise in Android malware and predicted the rise in banking malware, now we see another example in the wild, this time SpyEye. Trusteer has a good rundown on it, saying “It seems that SpyEye distributors are catching up with the mobile market as they (finally) target the Android mobile platform. Ever since Man in the Mobile attacks (MitMo/ZitMo) first emerged in late 2010, SpyEye followed Zeus’ tracks by introducing its own hybrid desktop-mobile attacks (dubbed SPITMO).”