Friday, May 8, 2009

Around The Horn vol.1,96

Firefox, Chrome users more up to date than Safari and Opera

By jacqui@arstechnica.com (Jacqui Cheng) on vulnerability

Those who use Firefox and Chrome are inherently more up-to-date—and therefore more secure—than those who run Safari and Opera, according to researchers from the Swiss Federal Institute of Technology (ETH Zurich) and Google Switzerland. But it's not the browsers themselves that magically make people stay updated—it's their built-in mechanisms that automatically update when new versions are available. These mechanisms are keeping a large majority of their users secure, even if power users and admins might get antsy over their loss of update control.

Swiss Federal Institute of Technology researcher Stefan Frei and Thomas Duebendorfer of Google released a paper with their findings this week called "Why Silent Updates Boost Security" (PDF). In it, they note that only about 45 percent of Internet users were using the most secure browser version when visiting Google's Web servers. This, of course, is bad news—as many Ars readers know, Web browsers are increasingly used to target vulnerable users with viruses, malware, adware, and more.

Google Chrome Update Addresses 2 Security Flaws

By Robert A. on IndustryNews

CVE-2009-1441: Input validation error in the browser process. A failure to properly validate input from a renderer (tab) process could allow an attacker to crash the browser and possibly run arbitrary code with the privileges of the logged on user. To exploit this vulnerability, an attacker would need to be able...

Women more affected by ID fraud, study finds

By Elinor Mills

Women are more affected by identity fraud than men are, according to a new survey that also found that it takes women longer to restore their identities but they also tend to change their behavior afterward.

In a survey of 808 U.S. households, half of which reported fraud, 28 ...

Google issues, then reissues Chrome security fix

By Stephen Shankland

Google fixed security holes with a new release of its stable version of Chrome--then released a replacement shortly afterward to prevent a batch of crashes that turned up as well.

Chrome 1.0.154.64 emerged Tuesday and was intended to fix one critical security problem and one high-severity one. ...

Originally posted at Webware

Report: Hackers broke into FAA air traffic control systems

By Elinor Mills

Hackers have broken into the air traffic control mission-support systems of the U.S. Federal Aviation Administration several times in recent years, according to an Inspector General report sent to the FAA this week.

In February, hackers compromised an FAA public-facing computer and used it to gain access to personally ...

Microsoft to issue patch for critical PowerPoint hole

By Elinor Mills

Microsoft will issue a patch on Tuesday to fix a critical vulnerability in PowerPoint that could be the same hole that has been exploited in limited and targeted attacks.

The vulnerability affects Microsoft Office 2000, 2003, 2007 and XP, as well as PowerPoint Viewer and Microsoft Office Compatibility Pack for ...

Phished Facebook accounts pass along malware

By Elinor Mills

At least one Facebook account that was hijacked in phishing attacks last week was used to send out spam directing people to a malware site, according to the social-networking company.

Some Facebook users reported receiving messages on Thursday that said "look at mygener.im" and contained a link ...

Q&A: FBI agent looks back on time posing as a cybercriminal

By Elinor Mills

In September 2008 police began arresting alleged members of Dark Market, an underground Internet forum for buying and selling credit card data used for identity fraud. The sting wouldn't have been possible without the work of FBI agent J. Keith Mularski who spent two years infiltrating the group.

FBI...

Need to launch a missile? Buy a second hand hard drive.

By Rik Ferguson on data loss

I had a phone call last night from BBC Radio Wales, asking me to contribute to a section they were running on their Good Morning Wales show. They wanted to talk about a very interesting report that is about to be released by researchers from BT and the University of Glamorgan. The study is the fourth annual [...]

Explosion Of BlackBerry Trading In Nigeria - Data Theft

By Darknet on data theft

The number of Crackberry Blackberry users is increasing exponentially - especially since they released the much sexier Bold and the latest touch-screen Storm. The latest revelation is that used BlackBerries are being traded, not by the value of the phone but by the value of the data contained on the phone! It just shows most companies still [...]

FBController - The Ultimate Utility to Control Facebook Accounts

By Darknet on hijack facebook

Just to put a downer on all the script kiddies, this utility WILL NOT hack/crack Facebook passwords or accounts. You need to feed it biscuits (cookies) before you can do anything. You can get the target’s cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing, Scroogle search or however you like. Once you have the cookies you can...

Startup Takes New Spin On Online Fraud Detection

Pramana's HumanPresent technology spun off from research at Georgia Tech

Attackers Go Old School with Phony Search

In Virus and Spyware

Malware distributors are taking a page out of history and flocking back to fake search engine attacks, researchers contend.

April Threats - Big "C" Ran Wild, Trojans Multiplied

In Virus and Spyware

You-know-who was still tops in April, but a host of other attacks flocked not too far behind, and largely unnoticed.

Hacker demands $10M ransom for data

The FBI and state authorities are investigating a case in which a hacker wants $10 million for the return of sensitive information, according to media reports.

Virginia Dept. of Health: Prescriptions database breached but not deleted

The Virginia agency in charge of an online medical-prescription database acknowledged that a potential data breach of it may have occurred, but refuted the notion that the entire contents were wiped out by an attacker claiming to hold the contents for $10 million ransom.

Audit finds 700 big vulnerabilities in air traffic systems

A government audit has found more than 760 high-risk vulnerabilities in Web applications used to support Air Traffic Control (ATC) operations around the country.

Microsoft to patch PowerPoint zero-day bug on Tuesday

Microsoft today said it will deliver just one security update next week, a fix for PowerPoint that's probably the patch for a month-old bug that developers admitted they missed during stress testing.

Microsoft renames anti-piracy tech in Windows 7

Microsoft has renamed its anti-piracy technology and, starting with Windows 7, will downplay the components that enraged users in the past, a company manager said Thursday.

Web site offline as police, FBI investigate extortion bid

A week after a hacker claimed to have broken into a patient database and encrypted millions of prescription records at a Virginia health agency, its Web site remains offline except for a static Web page offering contact information.

Meet Francis, a failed phisher

The subject line alone was enough to unmask this criminal mastermind: "This message it is confidential." This message it is really not from the IRS.

Security breach cost Heartland $12.6 million so far

Heartland Payment Systems intends to deploy end-to-end encryption with its merchants to protect its payment processing system from cybercriminals.

Despite pledge, researchers release VBootkit 2.0 code

Indian security researchers have released proof-of-concept code that can be used to take over a computer running Microsoft's upcoming Windows 7 operating system, despite earlier promising not to make the code public for fear it could be misused.

U.S. gov't: 'Top obligation' is to U.S. workers

U.S. Department of Homeland Security Secretary Janet Napolitano told a congressional committee that ensuring American workers have jobs is a "top obligation," and that her agency was stepping up its enforcement of the H-1B program.

Study: U.S. air traffic control vulnerable to cyberattack

U.S. air traffic control systems are at high risk of attack due to their links to insecure Web applications run by aviation authorities around the country, according to a U.S. Department of Transportation audit.

Image spam returns with a vengeance

Spammers have turned back the clock and are recycling a years-old tactic by planting their messages in images, a security researcher warned Wednesday.

Microsoft to patch 'critical' PowerPoint hole
Zero-day relief expected

Microsoft plans to patch a hole in its PowerPoint presentation program, the company said in an advanced bulletin that was notable because it contained only a single update.…

Data-sniffing attack costs Heartland $12.6m
Credit card processor promises end-to-end encryption

Electronic payments processor Heartland Payment Systems said Thursday it has allocated $12.6m to cover a security breach that exposed sensitive card holder data crossing its network.…

US braces for 'bio-Katrina'
Security appointee talks tough

President Obama has nominated a tough-talking bioterrorism expert to lead the primary research and development arm of the US Department of Homeland Security (DHS).…

Microsoft teams up with US gov on double 'ard XP
More secure config open to all. Ish

Microsoft has teamed with the US government to refine a locked-down, more secure configuration of Windows XP.…

Symantec hit by massive goodwill impairment
Okay-ish financial numbers otherwise

Symantec announced moderately satisfying but recession-hit numbers for the full fiscal 2009 year, with the final quarter showing a revenue drop. A massive goodwill impairment charge of $7.4bn blew an enormous, non-cash hole into net income numbers for the full year and its final quarter.…

Google buffs Chrome with security update
Silent patch fixes bug brace

Google has pushed out an update for its Chrome browser that lances two vulnerabilities, one of which it defines as critical.…

Missile data, medical records found on discarded hard disks
Study finds all manner of stuff on eBay

A third (34 per cent) of discarded hard disk drives still contain confidential data, according to a new study which unearthed copies of hospital records and sensitive military information on eBayed kit.…

US air traffic faces 'serious harm' from cyber attackers
When. Not if

The United States' air traffic control system is vulnerable to serious cyber attack, according to a watchdog report that detailed several recent security breaches that could have been used to sabotage mission-critical networks.…

A packet challenge and how I solved it, (Thu, May 7th)

Yesterday morning (EDT in the US), our friend Chris Christianson twittered the following: 4500 00 ...(more)...

Botnet hijacking reveals 70GB of stolen data, (Thu, May 7th)

Thanks to our reader Crill today. He gave us a heads up on an interesting research project rec ...(more)...

Malicious Content on the Web, (Thu, May 7th)

Today must be a full moon day! We have had several reports of strange malicious content on oth ...(more)...

Heartland breach cost $12.6 million, CEO says

By Robert Westervelt

In a conference call with investors, Heartland Payment Systems CEO Bob Carr said the breach directly contributed to the company's $2.5 million loss for the quarter.

Microsoft to patch critical PowerPoint zero day flaw

By Robert Westervelt

Attackers are actively targeting a remote code execution vulnerability in PowerPoint to take complete control of an affected system.

Organization aims to develop encryption standard for card data

By Marcia Savage

The initiative would create an industry standard for encrypting cardholder data at point-of-sale devices through to back-end processing systems.

Cisco Unified Communications Manager IP Phone Personal Address Book Vulnerability

Cisco Unified Communications Manager, formerly CallManager, contains a privilege escalation vulnerability in the IP Phone Personal Address Book (PAB) Synchronizer feature that may allow an attacker to gain complete administrative access to a vulnerable Cisco Unified Communications Manager system.

Garmin Communicator Plug-In Domain Locking Security Bypass

"The Garmin Communicator Plugin lets you connect your Garmin GPS with your favorite website. Once the plugin is installed, just connect your Garmin GPS device to your computer, and you're on your way. The Garmin Communicator can send and retrieve data from any supported website." Secunia Research has discovered a vulnerability in Garmin Communicator Plug-In, which can be exploited by malicious people to bypass certain security restrictions.

Microsoft Rebrands WGA Anti-Piracy Feature for Windows 7

Microsoft has tweaked and renamed its anti-piracy technology in Windows 7. Formerly known as Windows Genuine Advantage, the technology is now called Windows Activation Technologies.
- Microsoft has introduced changes to its anti-piracy features for its operating system in Windows 7, starting with a new name. Formerly known as Windows Genuine Advantage (WGA), the anti-piracy technology has been rebranded Windows Activation Technologies in Windows 7. But in addition to the name ch...

Researchers Release Bootkit Code Targeting Windows 7

Two security researchers open-source code that can be used to take control of versions of the Microsoft Windows 7 x64 operating system. The team decided to release the code despite initial reservations over security.
- Security researchers have made available for download the source code for a "bootkit" that allows hackers to take control of Microsoft's Windows 7 operating system. Dubbed Vbootkit 2.0, the software was first presented by researchers Vipin Kumar and Nitin Kumar at the Hack In The ...

Missile Defense Secrets Sold on eBay

Details of the Terminal High Altitude Area Defense system used to shoot down ballistic missiles using a hit-to-kill approach are found on a computer sold through eBay.
- Another day, another cyber-security concern. In today's episode, a used computer bought on eBay contained highly sensitive details of a key U.S. missile system designed by defense contractor Lockheed Martin. Among the data found on the legally purchased computer were details of test launch proce...

Microsoft Plans PowerPoint Fix for Patch Tuesday

Microsoft is prepping a critical security bulletin affecting Microsoft Office PowerPoint. The release follows a warning in early April that hackers were actively exploiting a PowerPoint vulnerability.
- Microsoft has only one fix on the menu for this month's Patch Tuesday: a security bulletin aimed at its PowerPoint software. According to the Microsoft security advisory, the bulletin covers a situation that could allow hackers to remotely execute code. The list of affected software includes e...

ZeusTracker and the Nuclear Option

In Web Fraud 2.0

One of the scarier realities about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker, who could simply decide to order all of the infected machines to self-destruct. Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control. But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords. Hüssy oversees Zeustracker, a Web site listing Internet servers that use Zeus, a kit sold for about $700 on shadowy cyber criminal forums to harvest

Brief: Freeze turns phones into passwords

Freeze turns phones into passwords

Logs from the Cloud

By Richard Bejtlich

I received an email with the following notice today:
Amazon CloudFront Adds Access Logging Capability:
AWS today released access logs for Amazon CloudFront. Access logs are activity records that show you details about every request delivered through Amazon CloudFront. They contain a comprehensive set of information about requests for your content, including the object requested, the date and time of the request, the edge location serving the request, the client IP address, the referrer and the user agent. It’s easy to get started using access logs: you just specify the name of the Amazon S3 bucket you want to use to store the logs when you configure your Amazon CloudFront distribution. There are no fees for using the access logs, beyond normal Amazon S3 charges to write, store and retrieve the logs.

The Amazon Elastic MapReduce team has also built a sample application, CloudFront LogAnalyzer, that will analyze your Amazon CloudFront access logs. This tool lets you use the power of Amazon Elastic MapReduce to quickly turn Access Logs into the answers to the most commonly asked questions about your business. Additionally, several partners have also built solutions that help you analyze these access logs; you can find more information about these in the AWS Solutions Catalog.

Looking at the Developer Guide entry for Access Logs, we see the following sorts of data will be recorded:


The log files use the W3C extended log file format (for more information, go to http://www.w3.org/TR/WD-logfile.html).

The files contain information for each record in the following order:

Date of the request (in UTC)
Time (when the server finished processing the request; in UTC)
Edge location that served the request (a variable-length string with a minimum of 3 characters)
Bytes served
Client IP address (no hostname lookups occur)
HTTP access method
DNS name (either the CloudFront distribution name or your CNAME, whichever the end user specified in the request)
URI stem (e.g., /images/daily-ad.jpg)
HTTP status code (e.g., 200)
Referrer
User agent



An entry might look like this:


#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent)

02/01/2009 01:13:11 FRA2 182 10.10.10.10 GET d2819bc28.cloudfront.net /view/my/file.html 200 www.displaymyfiles.com Mozilla/4.0%20(compatible;%20MSIE%205.0b1;%20Mac_PowerPC)

02/01/2009 01:13:12 LAX1 2390282 12.12.12.12 GET www.singalong.com /soundtrack/happy.mp3 304 www.unknownsingers.com Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1)



I think this is a good start, but I'll leave it to Cloudsecurity.org for expert commentary!
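The W3C extended format quoted above is simple enough to parse directly. The following Python is added here and is not part of Bejtlich's post or of AWS's CloudFront LogAnalyzer: it reads the #Fields directive, decodes the %-encoded user agent, and totals bytes and 4xx/5xx responses per client IP over a constructed sample (the first two records mirror the page's example; the third is made up). It assumes whitespace-separated columns with embedded spaces %-encoded, as in the quoted entry.

```python
"""Parse CloudFront access logs in the W3C extended log format described above.

Sample data below is constructed; the field layout is the page's #Fields line.
"""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log, laid out like the page's example: a #Version and a
# #Fields directive, then one whitespace-separated record per line with
# embedded spaces %-encoded (the page shows "%20" inside the User-Agent).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent)
02/01/2009 01:13:11 FRA2 182 10.10.10.10 GET d2819bc28.cloudfront.net /view/my/file.html 200 www.displaymyfiles.com Mozilla/4.0%20(compatible;%20MSIE%205.0b1;%20Mac_PowerPC)
02/01/2009 01:13:12 LAX1 2390282 12.12.12.12 GET www.singalong.com /soundtrack/happy.mp3 304 www.unknownsingers.com Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1)
02/01/2009 01:13:13 FRA2 512 10.10.10.10 GET d2819bc28.cloudfront.net /view/my/old.html 404 - -
"""


def parse_w3c_log(text):
    """Yield one dict per record, keyed by the names in the #Fields directive.

    Directive lines (#...) are consumed, not yielded. A record whose column
    count does not match the header is skipped rather than mis-keyed, which
    is the usual failure mode when a free-text field is not properly encoded.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record appears before the #Fields directive")
        cols = line.split()
        if len(cols) != len(fields):
            continue
        rec = dict(zip(fields, cols))
        # The log writer %-encodes spaces in free-text fields; decode the
        # user agent for display and turn the numeric columns into ints.
        rec["cs(User-Agent)"] = unquote(rec["cs(User-Agent)"])
        rec["sc-bytes"] = int(rec["sc-bytes"])
        rec["sc-status"] = int(rec["sc-status"])
        yield rec


def summarize(records):
    """Per-client totals a defender looks at first: bytes served and the
    number of 4xx/5xx responses (repeated errors from one IP are worth a look).
    """
    bytes_by_ip = defaultdict(int)
    errors_by_ip = defaultdict(int)
    for rec in records:
        bytes_by_ip[rec["c-ip"]] += rec["sc-bytes"]
        if rec["sc-status"] >= 400:
            errors_by_ip[rec["c-ip"]] += 1
    return dict(bytes_by_ip), dict(errors_by_ip)


if __name__ == "__main__":
    recs = list(parse_w3c_log(SAMPLE_LOG))
    for rec in recs:
        print(rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"], rec["cs(User-Agent)"])
    print(summarize(recs))
```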



Thoughts on Cyber Command


By Richard Bejtlich



I've been blogging about various cyber command proposals for a few years, but right now there is some real movement at the combatant command level. Ellen Nakashima's article Cyber-Command May Help Protect Civilian Networks offers the latest details.


The Pentagon is considering whether to create a new cyber-command that would oversee government efforts to protect the military's computer networks and would also assist in protecting the civilian government networks, the head of the National Security Agency said yesterday [Tuesday].

The new command would be headquartered at Fort Meade, the NSA's director, Lt. Gen. Keith B. Alexander, told the House Armed Services terrorism subcommittee.


Alexander, who is a front-runner to assume control of the command if it is created, said its focus would be to better protect the U.S. military's computers by marrying the offensive and defensive capabilities of the military and the NSA.


Through the command, the NSA would also provide technical support to the Department of Homeland Security, which is in charge of protecting civilian networks and helps safeguard the energy grid and other critical infrastructure from cyber-attack, Alexander said.


He stressed that the NSA does not want to run or operate the civilian networks, but help Homeland Security improve its efforts...


As proposed by the Pentagon, the command would fall under the U.S. Strategic Command, which is tasked with defending against attacks on vital interests.



The highlighted sections reinforce number 2 of my Predictions for 2008 made in December 2007. A few months prior I argued that the US Needs Cyber NORAD.


The written testimonies are posted on the U.S. House of Representatives, House Armed Services Committee Web site.


The new Cyber Command will most likely be a subordinate unified command under US Strategic Command.


I'd like to briefly respond to Robert Graham's post Why Cyber Commands Fail. He says in part:


What the military wants is a hacker squad that they can give a specific objective, and have the hackers carry out that objective within a specific timeframe. For example, they might tell hackers to take out Iran's radar at midnight so that fighter jets can enter their airspace a few minutes later to bomb their nuclear plants. That's not going to work.


What you could do is tell hackers to go after Iran and do whatever they can to disrupt their nuclear developments. One hacker might find a way to shut down safety controls and cause a nuclear meltdown, another might jam the centrifuges, another might change the firmware on measuring equipment to incorrectly measure the concentration of U238.


Or, you could give the hackers six months to infiltrate Iran's computers, then come back with a list of options. Maybe disabling the radar system will be one of them, maybe not. But that's not the sort of thing the military is tasked to do - that's more an intelligence operation the CIA would be doing.


China and Russia understand this. They don't directly employ hackers or tell the hackers to accomplish certain goals. They let the hackers have free range to do whatever they want. If the hackers come across something interesting, such as plans for the Joint Strike Fighter, the government buys it, but no government official ever told the hackers specifically to steal those plans...


So how can the United States get in on this sort of asymmetric warfare action?


The first thing is that you have to stoke some sort of nationalism in the way that Russia and China do. I'm not sure this is in our character (especially under the current president), however, so we'd probably have to find some alternative. Instead of pro-USA nationalism we could instead focus on human rights activism. The government could spend a lot of time talking to the press about the sorts of human rights abuses that go on in Russia and China. Get our own USA hackers thinking about human rights as their own casus belli.


The second thing they need to do is create a climate where our own hackers can operate. I would gladly hack into Iranian computers, but I'm not sure how this fits into US law...


This would be similar to the "letters of marque and reprisal" used by governments during the 1700s. In those days, national navies were too small to patrol the entire ocean. Therefore, governments licensed privateers to prey upon a hostile nation's shipping. The privateers kept half the booty, and gave the other half to their respective government. This is essentially what China and Russia have done.


A third thing our military would need to do is train our hackers in the target language. Foreign hackers usually learn English, but American hackers rarely learn foreign languages, especially Russian, Chinese, or Farsi (Iranian). If we want to encourage our hackers to go after those countries in the same way they come after us, we need to encourage them to learn those languages...


The fourth thing our military would need to do is fix their horrid purchasing processes...


Note that I think the individuals who run our military are very, very smart. I've met several generals and colonels who understand this. The problem is that while individuals are smart, the organization is dumb as a rock. The organization crushes precisely the sort of creative thinking needed to have a successful "cyber" offensive capability.



Robert has a lot of good ideas here. In Air Force Cyber Panel I talked about a clash of models between the United States and places like China. On the one hand we have a military-industrial complex supported by a vast contracting force vs a country with a true "people's army," containing uniformed military, semi-military, and pure civilians who work with the others to achieve broadly common goals.


I don't think we will ever see any official support for the privateer concept. China doesn't even recognize their own people's involvement in hacking, since they frequently repeat the line that "China doesn't support hacking."


The major benefit I see from a Cyber Command is providing a career path and organizational support for military personnel. Until that exists many people who would want to be in the military doing cyber operations will reach a point where leaving their service is their best option.





Pentagon wants to beef up for cyber warfare (AP)


In politics



AP - Cyber espionage and attacks from well-funded nations or terror groups are the biggest threats to the military's computer networks, a top officer said Thursday.





Phished Facebook Accounts Become Spammer's Tool (PC World)


In technology



PC World - Cybercriminals who went after Facebook users with a number of phishing attacks last week have now turned around and begun sending spam messages from the Facebook accounts they cracked.





Hackers taking advantage of Windows 7: Microsoft (AFP)


In us



AFP - Microsoft said Thursday that cybercriminals are already hawking booby-trapped versions of just-released Windows 7 operating system software.





Swedish Hacker Indicted for Computer Break-Ins (NewsFactor)


In business



NewsFactor - A 21-year-old Swedish man named Philip Gabriel Pettersson, aka Stakkato, has been indicted by a federal grand jury in the Northern District of California on three counts of illegal intrusion and two counts of trade-secret theft, the U.S. Department of Justice announced Tuesday.



May 2009 Advance Notification


By MSRCTEAM



Summary of the May 2009 Advance Notification for the 5/12/2009 security bulletin release.



Today we are letting customers know that next week we will be releasing one security bulletin affecting Microsoft Office PowerPoint with an aggregate severity rating of critical. Customers should review the Advance Notification and prepare appropriately for deployment.



The update should not require a restart unless the updated files are in use at the time they are installed. Customers can also detect systems requiring the update using the Microsoft Baseline Security Analyzer. Note that since this is an Office related update, it will not be available via Windows Update but will be available through the Microsoft Update service.



We are also planning to release at least one high priority, non-security update and additional detections to the Microsoft Windows Malicious Software Removal Tool.



After the bulletin is released, look for additional information on both this blog and the Security Research and Defense blog.  If you have questions or would like more information about this month’s release, please plan to attend our regularly scheduled security bulletin webcast on Wednesday, May 13, 2009, at 11:00 am PDT (UTC –7). Click HERE to register.



As always, this preliminary information is subject to change.



Thanks!



Jerry Bryant





Automatic Updates Are a Step Too Far


Analysis: Pushing security patches is a fast way to fix vulnerabilities, but Microsoft goes too far.





Fireworks Update Tackles Text-shifting Bug


Fireworks users who had to cope with assorted bugs--most notably one involving text shifting--can breathe a sigh of relief. Adobe has come out with an update for...



Study: US Air Traffic Control Vulnerable to Cyberattack


An audit has found that U.S. air traffic control systems are at high risk of attack due to their links to insecure Web applications run by aviation authorities.



Symantec Sees Slowdown in Security Sales


Citing a move toward shorter software contracts, Symantec posted a $249 million loss for its Q4 2009.



Windows 7 RC's Flaw Puts Users at Risk


By hiding extensions for known file types, hackers have a way to disguise malware by using those file types' extensions and icons.
