Friday, May 22, 2009

Around The Horn vol.1,105

Microsoft cleans password stealer tools from 859,842 PCs

By emil.protalinski@arstechnica.com (Emil Protalinski) on malware

The Malicious Software Removal Tool (MSRT) is a small program Microsoft pushes out to computers on Patch Tuesday to clean out a list of malware. Each month, the company adds removal information for more threats. On this month's Patch Tuesday, Microsoft added scans for the malware family Win32/Winwebsec, which the company ranked at #17 after finding 34,792 infected machines.

OpenSSH Protocol Pwned

By Robert A. on Vulns

"The flaw, which lies in version 4.7 of OpenSSH on Debian/GNU Linux, allows 32 bits of encrypted text to be rendered in plaintext, according to a research team from the Royal Holloway Information Security Group (ISG). An attacker has a 2^{-18} (that is, one in 262,144) chance of success. ISG lead...

Clickjacking: Hijacking clicks on the Internet

By Elinor Mills

Jeremiah Grossman, chief technology officer of Whitehat Security, and another researcher coined the term clickjacking.

What if you reached to grab a newspaper out of a news stand and you found a rock in your hand instead? How about opening the front door to a grocery store ...

Mystery virus strikes FBI, U.S. Marshals

By Steven Musil

The FBI and the U.S. Marshals Service were forced to shut down parts of their computer networks after a mystery virus struck the law-enforcement agencies Thursday, according to an Associated Press report.

A spokesperson for the U.S. Marshals Service confirmed that it

...

Kaspersky impressed by botnet slickness

By Liam Tung

Cybercrime fighter Eugene Kaspersky can't help but be impressed by the slick operations behind the Conficker botnet, and says that it could have been worse had the botnet been after more than just money.

"They are high-end engineers who write code in a good way," Kaspersky told ZDNet.com....

Deja vu: New scams hit Facebook and Twitter

By Elinor Mills

Updated at 4:20 p.m. PDT with Twitter phishing attack, at 4:10 p.m. with Facebook comment and 2:30 p.m. with attack also downloading malware onto computers.

Phishers were having a field day with Facebook and Twitter on Thursday.

A new phishing scam hit Facebook users ...

Phish Twice a Day - The Twitter Diet

By Rik Ferguson on web

The chickens have come home to roost. The hundreds of accounts compromised this morning are now being used to post messages directing people toward a second phishing site located in China. After this morning’s phishing attack on Twitter by the (almost) typosquatting tvviter, this evening is seeing waves of new attacks using the previously compromised accounts. This [...]

Center For Internet Security Issues Free Security Metrics

Global coalition of enterprises, government, and vendors looks to its vendor members to automate collection of new metrics in their products

Hardened OS Vendor Builds Secure Virtual Layer For Network Devices

"Tier one" networking equipment vendors are adopting Green Hills Software's secure virtualization platform as an extra layer of protection for their devices

Sophos: Twitter Phishing Scam Lures Users with TinyURL

In Social networking

Sophos has uncovered a phishing scam targeting users of Twitter. The attack tries to trick users into visiting a rogue site posing as the legitimate Twitter.com page and giving up their passwords and usernames.

Now You, Too, Can Deploy a Portable Video Security Station

In Intrusion Detection/Prevention

The shocking events of Sept. 11, 2001, will always haunt us, but they're also helping the video security business big-time right now. As one might imagine, George Orwell's Big Brother is now well ensconced--make that accepted--in our daily lives, let's...

Emergency responder ID program progresses

FEMA officials demonstrated a pilot program today for interoperable credentials for emergency responders.

Wedded bliss: NAC and identity management

Network access control is one of those technology categories that has a lot of promise but not a lot of users, despite the fact that solutions have been available for years. There are so many challenges to deploying a NAC solution, including cost, network security and infrastructure. A couple of veteran Cisco engineers set out to address those challenges and came up with a standards-based solution that combines NAC with identity management.

Twitter hit with phishing attacks

Twitter users who thought friends were directing them to a "funny blog" Thursday ended up experiencing something completely different: a phishing scam.

X86 virtualization not ready for regulated, mission-critical apps, IBM security expert says

X86 virtualization is not ready for highly regulated, mission-critical applications, IBM security expert Joshua Corman argued at Interop Las Vegas this week.

iPhones in the enterprise leaving IT pros at wit's end

LAS VEGAS--Executives smitten with iPhones are forcing enterprise IT departments to come up with ways to support the mobile devices even though big security and management questions abound. IT pros peppered panelists at a standing-room-only Interop session titled “The iPhone and the Enterprise: Is this the Future of IT?” with such questions and left without many answers.

One healthcare IT pro said supporting iPhones would be a nightmare given industry data protection regulations and the ability of end users to relatively easily “jailbreak” their iPhones. Another IT pro pointed out that supporting a bunch of native apps on iPhones would seem to run counter to other IT trends, such as the move toward desktop virtualization and centralized applications control.

Panelist J.T. Starzecki, president of application development and consulting company iPhone Zen Masters, acknowledged that IT pros are left with the “dilemma of how to fit iPhones into their current infrastructure” in light of executives adopting iPhones for personal use and then calling on IT to support them in the business. “iPhone 2.0 made some leaps toward enterprise adoption [with support for Exchange ActiveSync, etc.], but it’s not where it should be,” he said.

One big challenge in supporting iPhones is that it’s hard to find an organization that wouldn’t also have a handful of other mobile device types to support, said Adam Blum, CEO of Rhomobile, which makes a framework for building native mobile device apps that can work across platforms. Supporting multiple platforms would only add to an IT department’s workload, he said. “We’ll always have heterogeneity,” he said.

While IT shops might not be happy about losing control over end devices stuffed with applications, Blum said there’s not much they can do about the shift. He noted that some applications, such as GPS and cameras, must be on the end device. He pointed to the emergence of applications on iPhones and other smartphones in the enterprise as part of the seemingly never-ending back-and-forth nature of centralized and decentralized computing.

While some IT shops might be feeling forced to support iPhones because of top execs’ desires, others might be the supporters themselves. In these cases, the panelists recommended selling higher-ups on iPhone support by showing first how it could benefit customers. “The wedge is ‘We want to support our customers,’” Starzecki said. The panelists pointed to some high-profile iPhone business apps, such as AAA enabling customers to report their location via the iPhone and Nationwide allowing insurance clients with iPhones to send in claims data, including accident photos.

Among inhibitors to iPhones taking off in the enterprise is the lack of a good iTunes-like distribution channel for enterprise apps, Blum said. He said enterprise app developers can’t abide by a system that wouldn’t allow them to have more control over when their offerings become available. “This is an area that’s ripe for innovation,” he said.

DNS attack downs Internet in parts of China

An attack on the servers of a domain registrar in China caused an online video application to cripple Internet access in parts of the country late on Wednesday.

'Security Metrics' and risk-assessment guides out this week

The Center for Internet Security and the Open Group's security division have each published comprehensive risk-management guides, the first defining a basis for security metrics and the second a high-level view on the pros and cons of risk-assessment approaches.

Investigators replicate Nokia 1100 online banking hack

An old candy-bar style Nokia 1100 mobile phone has been used to break into someone's online bank account, affirming why criminals are willing to pay thousands of euros for the device.

Security experts: No Java fix in OS X leaves Macs vulnerable

Last week's sizable Mac OS X 10.5.7 update, which included 20 bug fixes as well as a number of security updates, failed to fix a critical Java flaw, security experts have warned.

Microsoft sets July kill date for Office 2000

Microsoft is reminding Office 2000 users that it will discontinue security updates for the aged suite in less than two months when it drops all support for the software.

DDoS attack chokes Chinese net surfing
Five-province traffic jam

Millions of internet users in China had trouble accessing websites earlier this week after an attack on a domain registrar in that country touched off a network traffic jam.…

Microsoft IIS vuln played no role in server breach, uni says
No in-the-wild attacks reported

Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft's Internet Information Services webserver.…

Scrubbed geo-location data not so anonymous after all
Your commute = your fingerprint

Anonymized data collected from GPS-enabled devices may not be as anonymous as you think, according to researchers who show that knowing someone's general home and work locations can be enough to identify an individual uniquely.…

Twitter typosquatting site preys on gullible
Well, duh

Miscreants have launched an aggressive phishing attack that aims to dupe the unwary into handing over their login credentials for the microblogging service.…

IIS admins, help finding WebDAV, (Thu, May 21st)

Microsoft have pointed to one of their KB articles for helping admins in an enterprise to locate IIS ...(more)...

Gumblar analysis and writeup, (Thu, May 21st)

Andrew has performed a client side analysis and writeup of recent gumblar malware attacks. It can be ...(more)...

Why the Conficker Worm Is Still Plaguing Windows Users

Conficker just won't go away. Despite the efforts of the security community and the presence of numerous tools for detection and removal, the worm is still trying to infect as many as 50,000 new Microsoft Windows PCs a day. The question is: why?
- Perhaps it should come as no surprise that after the Internet failed to implode after April 1, the hype surrounding the Conficker worm died down. The worm itself, however, is still alive and kicking. So the question is - why? According to Symantec, the worm is still attempting to infect 50,0...

Anti-virus Testing Standards Come to the Cloud

The Anti-Malware Testing Standards Organization has adopted a set of best practices around testing cloud security offerings. The body - which is made up of officials from companies such as Symantec, McAfee and Trend Micro - has also agreed to make analysis of product reviews public to educate consumers.
- The words "in the cloud" were heard numerous times at this year's RSA security conference in San Francisco. With the number of cloud-based security products growing, the Anti-Malware Testing Standards Organization (AMTSO) has been stirred to action. Last week, the two-year-old indus...

Apple Slow To Fix Java Flaws

In Safety Tips

Instructions showing wannabe Mac-hackers a way to remotely take control over OS X systems through an unpatched security hole have been posted online. The researcher who published the blueprints said he did so to nudge Apple into fixing the problem, which the company has known about for more than six months. But Security Fix has found that half a year is about the average time it takes Cupertino to plug these types of holes. On Tuesday, renowned Apple researcher Landon Fuller published a proof-of-concept exploit for a particularly dangerous bug in Java that Sun Microsystems fixed in a patch released Dec. 3, 2008. However, Apple -- which ships its own version of Sun's Java with OS X -- has yet to push out an update to fix that particular flaw. "Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not

Report: IRS Created Dumpster-Diver Swimming Holes

In U.S. Government

The Internal Revenue Service has long advised consumers to shred old tax returns and other documents that contain sensitive data, as a way to thwart identity thieves who sometimes root through trash bins in search of identity information. But it seems the IRS doesn't take its own advice: a recent investigation of more than a dozen IRS document disposal facilities found that -- at each location -- old taxpayer records were being tossed out in regular waste containers and dumpsters. The audit by the Treasury Inspector General for Tax Administration also found that IRS officials failed to consistently verify whether contract employees who have access to taxpayer documents had passed background checks. In addition, investigators also had trouble finding anyone responsible for overseeing most of the facilities that the IRS contracted with to burn or shred sensitive taxpayer documents. "We found evidence of only 2 instances where IRS personnel conducted

Brief: Adobe moves to quarterly patch schedule

Adobe moves to quarterly patch schedule

Cheap IT Is Ultimately Expensive

By Richard Bejtlich

I'm positive many of you are familiar with the idea that there are benefits to detecting software security defects early.
[Image reference: Software Security Engineering: A Guide for Project Managers.]
In other words, it is ultimately cheaper to design, code, sell, and support a more secure software product than a more insecure software product. Achieving this goal requires recognizing this advantage, investing in developers and processes that work, and dealing with exceptions (defects) as soon as possible through detection and response capabilities, even including customer-facing organizations (like PSIRTs).
I'm not aware of any studies supporting the following assertion, but I would be interested in feedback if you know any. I think it should be obvious that it's also cheaper to design, build, run, and support more secure computing assets than more insecure computing assets. In other words:

  • It is not cheaper to run legacy platforms, operating systems, and applications because "updates break things."
  • It is not cheaper to delay patching because of "business impact."
  • It is not cheaper to leave compromised systems operating within the enterprise because of the "productivity hit" taken when a system must be interrupted to enable security analysis.
  • It is not cheaper to try to manually identify and remove individual elements of malware and other persistence mechanisms, rather than rebuild from the ground up (and apply proper updates and configuration improvements to resist future compromise).
  • It is not cheaper to watch intellectual property escape the enterprise in order to prove that intruders are serious about stealing an organization's data.

Security doesn't make money; security is a loss prevention exercise. It's tough to justify security spending. However -- and these are the killers:
  • It's easy to show cost savings when experienced, professional system administrators are replaced by outsourced providers who are the lowest bidders.
  • It's easy to show the financial benefit of continuous availability of a revenue-producing system, or, conversely, easy to show the financial cost of downtime of a revenue-producing system.

Unfortunately, being seduced by those arguments ignores intrusion debt. One day the intrusion debt of poorly-run systems will be claimed by the intruders already inside the enterprise or those who are unleashed like an earthquake. Worse for you and me, the costs of dealing with the disaster are likely to be borne by the security team!
I thought of this vicious cycle when reading about the Sichuan earthquake in last week's Economist magazine:
In the days after the earthquake, senior officials vowed to investigate whether shoddy construction was to blame for the destruction of more than 7,000 classrooms in the disaster. But the issue was soon played down...
Mr Ai [investigating the disaster] says the refusal of central leaders to admit policy failures has exacerbated parents’ frustration. In the 1990s, he says, shoddy school buildings were erected across China because of the government’s drive to provide enough classrooms for all children to undergo nine years of compulsory education. Building costs were supposed to be shared by central and local authorities, but the latter often failed to chip in. This led to quality problems.

Ultimately, security is an IT problem, not a "security" problem. The faster asset owners realize this and are held responsible for the security of their systems, the less intrusion debt will mount and the greater the chance that enterprise assets will survive digital earthquakes. Cheap IT is ultimately expensive -- more expensive than proper investment in IT in the first place.

Computer virus strikes US Marshals, FBI affected (AP)

In technology

AP - Law enforcement computers were struck by a mystery computer virus Thursday, forcing the FBI and the U.S. Marshals to shut down part of their networks as a precaution.

Conficker Still Attacking 50K PCs Each Day (PC Magazine)

In technology

PC Magazine - The Conficker virus is still infecting about 50,000 new PCs every day, according to Guy Bunker, a computer security expert at Symantec.

Exchange 2007 performance on vSphere 4

By vmtn@vmware.com (VMTN) on Technical Information

VMware recently released a whitepaper showing the performance scalability of Exchange 2007 on VMware vSphere. This paper shows that vSphere 4.0 achieves excellent performance and scalability both with regards to scale up (adding more vCPUs) and scale out (adding more...

Twitter Hit With Phishing Attacks

Twitter was being hit Thursday by a new round of phishing attacks.

Federal CIOs Still Face Cloud Computing Hurdles

U.S. government agencies are interested in cloud computing, but some hurdles exist, IT managers say.
