British police have made the first European arrests connected to the spread of a data-thieving virus thought to have infected tens of thousands of computers worldwide, Scotland Yard said Wednesday.
The electronic crimes unit of London's police force said a man and a woman, both 20, were arrested in the English city of Manchester on Nov. 3 on suspicion of helping infect computers with programs sometimes known as "Zbot" or "ZeuS."
One expert described the viruses as the "most notorious pieces of malware of recent times."
"This is one of the most frequent families of worms that we encounter," said Graham Cluley, a technology consultant with British security firm Sophos PLC. "The ferocity with which it's been spammed out on occasions has really hit our radar."
Cluley said the Zbot family of viruses first came to his attention in 2007. Since then it has periodically swept across the Internet, stealing personal information from computers across the world and feeding it back to cyber-criminals. The viruses are commonly known as Trojan Horses or Trojans because they sneak onto computers and attack them from the inside, harvesting millions of lines of data -- including banking information, credit card numbers and social networking passwords.
The viruses spread by sending e-mails or other messages from infected computers, impersonating banks, tax officials, credit card companies or even friends and enticing potential victims to click on a link that downloads the Trojan.
Police said given the amount of information stolen "the potential financial gains to the culprits and losses to individuals and institutions are very substantial."
Cluley said it was impossible to know how much money had been lost to the viruses, adding that attacks were ongoing -- including two big waves in the past week alone.
Police said the Manchester pair were arrested on suspicion of breaking Britain's fraud and computer laws. It said the arrests were the first in Europe -- and among the first worldwide -- to combat the spread of Zbot but did not provide further details.
The pair, who have since been released on bail, were not identified.
Friday, November 20, 2009
Wednesday, November 18, 2009
Security for Your PC - Lock-and-Load
While most people know about the dangers of suspicious Web sites and unknown email attachments, what about physical security? Leaving your computer unsecured or unattended could be the biggest mistake you ever make, according to Christina Hansen, a product specialist for CableOrganizer.com.
"In this day and age, many of us are 'running errands' on our computers," she says. "And even though shopping, banking, doing taxes, and accessing medical records online have become everyday activities, we need to give them special consideration because our personal information, and very identities, are at stake."
But it's not just people who need to be concerned: Companies are at risk too. "The hard drives of company computers can contain a lot of personal or proprietary information, from employee Social Security numbers to classified information dealing with product or technology development," says Hansen. She adds that the loss of such information can present a major liability risk to companies, whether it's from an old PC in a storage closet or a laptop carried by a traveling executive.
Securing computers against theft or unauthorized access doesn't have to be hard. "It's really not difficult, or necessarily expensive, for companies to secure on-premises computers against theft," says Hansen. "The key is to invest in products that have been specifically designed as theft deterrents."
Hansen explains that desktops and laptops in high-traffic workplaces can be secured in security cabinets, such as those manufactured by Black Box Network Services. And back-office server installations can be secured with floor enclosure server racks, which can be configured to prevent access to secure hardware while permitting access to other components.
Security should also be a concern when traveling, Hansen says. "Whether you're working outside the office or surfing the web on your laptop in a public place, it's important to protect your computer when it's outside its 'natural environment,'" she says. "Laptops can easily be stolen if left unattended, and there's always the risk of prying eyes getting a look at on-screen personal information when you least expect it."
For travel, Hansen recommends products such as Kensington's MicroSaver lock and alarm, which can secure a notebook to tables, desks, or other furniture. For those who are worried about unauthorized access, Silex's USB fingerprint reader locks passwords and personal files behind a biometric barrier. For privacy, 3M sells a removable filter that blacks out the screen for anyone trying to sneak a peek from the side.
Proper security just makes sense, says Hansen. "Employees have the right to know that their personal information is being vigorously protected by their employers," she says. "Information theft in the workplace is a double-edged sword; it not only has the potential to destroy an employee's personal life but also carries potential legal ramifications for companies who aren't careful enough and lose information through their own breaches in security and technology."
Tuesday, November 17, 2009
Apple Improves Security of Safari
This was a busy week for Apple, with seven patches released.
The first security update, released on Monday, refers to Mac OS X Leopard and Snow Leopard. The second update, issued on Wednesday, goes to a new version of Safari Web browser, available for Mac, PC, and iPhone operating systems. The newest update deals with a lot of security threats, such as remote code execution, system crashing and information disclosure bugs, Apple explained in its advisory. Both the Mac OS X and Windows versions of Safari need to be updated to version 4.0.4.
The freshly released Safari 4.0.4 closes what appear to be moderate-to-severe security issues. Unlike its rivals Internet Explorer, Firefox, and Chrome, Apple does not rate the severity of its security flaws. Malicious XML, FTP and ColorSync profiles embedded in images, as well as flaws in the WebKit engine, the open-source foundation of Safari, could be crafted to crash or exploit the Windows and Mac versions of Safari when a user opens a malicious Web site.
Using shortcut menu options on a maliciously crafted Web site could lead to unexpected security threats, such as local information disclosure and arbitrary code execution, when other maliciously crafted Web sites are visited. Only the Windows version of Safari is prone to the embedded image color profile flaw, while an exploit that could let e-mail remotely access audio and video content when loading a remote image affects Macs only.
Of the seven flaws that Safari 4.0.4 fixes, six affect the little-used Windows version of the browser and six affect Mac OS X 10.4, aka Tiger, but only three apply to Mac OS X 10.5 and 10.6, Leopard and Snow Leopard respectively. Unlike the operating system security update released on Monday, which did not provide patches for Mac OS X 10.4, Wednesday's upgrade covers users who run Safari on that 2005 operating system. Apple traditionally stops delivering security updates for its oldest still-supported OS several months after a new edition is released, but evidently will continue to support Safari on Tiger.
Safari 4.0.4 for Windows or Mac can be downloaded from Apple's website. Existing users of the Safari browser can get the new version by running Software Update on the Mac or the bundled Apple Software Update on Windows. Safari 4.0.4 also enhances JavaScript performance: on the SunSpider JavaScript Benchmark, Safari 4.0.4 is 1.08 times as fast as version 4.0.3 overall, with considerable gains in many tests. Finally, and importantly for many users, Safari 4.0.4 does not break ClickToFlash. The last security update Safari received was in mid-August, when Apple fixed six security issues, four of them critical.
Monday, November 16, 2009
Free Windows 7 Utilities
Windows 7 comes with more handy utilities than any previous version of Windows. Disk imaging, automated backup, and sticky notes are just a few. But no Windows system has ever been complete without a passel of utilities that make life with your PC easier, and Windows 7 is no different.
The fact is, although Windows 7 offers a lot, it's still lacking in some important areas: file zipping, encryption, and antivirus, to name a few. The good news: There are some outstanding free utilities on the market that have been tested with Windows 7. Here are a few.
Task Switcher
Microsoft has tried to make task switching simpler and more elegant with each new version of Windows. First there was Alt-Tab. Then, in Vista, Flip3D was introduced -- activated by pressing Windows Key-Tab.
But the programmers who developed the free Switcher (http://insentient.net) have outdone all of Microsoft's efforts with a utility that takes the guesswork and finger strain out of task switching once and for all. Once installed, Switcher is activated with the key combination of the Windows key and the letter S on the keyboard. Once pressed, you can release the keys.
Switcher takes a snapshot of all running applications and shows them, along with their contents, as different-sized thumbnails on your computer screen.
Switching to a particular application is a simple matter of surveying what you have open and clicking the program you'd like to use.
Switcher gives you a good amount of control over how the thumbnails are displayed, too. And if you have so many applications open that finding the one you want is still a bit of a chore, you can simply start typing the name of an application, at which point you'll realize that there's a Switcher search box in the upper right-hand corner of the screen. Type "Word," for instance, and only those instances of Word that are running will be displayed, making it very easy to select the one you're looking for.
Encryption
The Enterprise and Ultimate editions of Windows 7 come with BitLocker for encrypting USB drives and external volumes so that your data is secure as it travels with you. But if you don't use Enterprise or Ultimate, what should you do? One answer is TrueCrypt (http://www.truecrypt.org), an open-source disk encryption application that works with Windows 7 and previous versions of Windows.
Like BitLocker, TrueCrypt can secure an entire volume, such as an external hard drive or a USB flash drive. But it can also encrypt the partition or drive on which Windows itself is installed, requiring pre-boot authorization in order for Windows to run. Security like that not even BitLocker can offer. Like all open-source software, TrueCrypt comes at no charge.
Hotkey/Macro Tool
There's nothing that you can do with a mouse that you can't do twice as fast with the keyboard -- or with a keyboard shortcut. Microsoft knows this, which is why it built in more keyboard shortcuts into Windows 7 than in any previous version of the operating system.
But it didn't go far enough. What Windows has always lacked was a built-in, system-wide utility for creating your own keyboard shortcuts -- ones that can do everything from launch multiple applications to carry out a lengthy series of keystrokes. That's where Hotkeyz (http://www.skynergy.com/hotkeyz.html) comes in.
It's currently the best free shortcut creation tool on the market, allowing you to assign virtually any combination of keys to tasks large and small. Open the Control Panel by pressing Windows Key-C. Open Word by pressing Windows Key-W. Open a whole set of commonly used applications by pressing a key combination of your choice. All of this and more is possible with the free Hotkeyz.
Unzipping
Windows 7 comes with a built-in ability to read files compressed using the industry-standard Zip format. Double-click a zipped file, and you'll see its contents as though the files within were in a standard Windows folder.
What Windows 7 lacks, however, is any kind of utility to create Zip archives. That's where the free, open-source 7-Zip (http://www.7-zip.org) comes in. 7-Zip supports all of the major compression formats in use today, including Zip and Tar. It optionally integrates itself into your Windows Explorer application so that its functions are just a right mouse-click away.
And its compression ratios -- the amount that standard files can be squashed down into the smaller format -- often exceed those boasted by commercial packages. The best thing you can say about 7-Zip is that it does most of what the commercial compression packages do, and it's free.
Antivirus
Windows still doesn't ship with antivirus or antispyware, but Microsoft's new Security Essentials (http://www.microsoft.com/Security_Essentials) antivirus application is just a simple download away. It's effective, unobtrusive, and free to a verified user of Windows 7. Unless you're sold on the antivirus solution from a third-party provider, there's little reason not to consider installing Security Essentials right away.
Synchronization
You have more than one computer, which probably means you have more than one copy of some important files. Which ones are the most recent? That's a question that file synchronization tools were designed to answer. There's no decent synchronization utility built into Windows 7, but it's easy to augment the operating system with Microsoft's own LiveSync (https://sync.live.com).
Download the free LiveSync on each computer that contains files you wish to keep in sync. Right-click the LiveSync icon in your system tray, choose More, and click the check box labeled "Allow remote access to this computer." LiveSync will work its magic by synchronizing files over the Internet.
Then set up the folders you wish to keep in sync by right-clicking the LiveSync icon and selecting Sync Web site. That will take you to a Web site on which you can select the computer you want to sync, as well as the folders. Repeat the process on each computer you wish to keep in sync.
Friday, November 13, 2009
Facebook Blended Threat
Email security experts at Red Condor have identified a second email threat in as many days posing as a message from Facebook administrators. Unlike the first threat identified October 27, 2009, today's email is a blended threat that includes both a phishing scam and a notorious "banking Trojan" virus. A link within the spam email takes users to a spoofed Facebook login page requesting the user's Facebook account information. After entering their credentials, users are then prompted to download "updatetool.exe" which is a Zbot Trojan variant. At the time Red Condor detected the threat, only one-third of anti-virus engines had detected it.
According to Red Condor's security experts the spoofed Facebook login page is fairly sophisticated and uses www.facebook.com in the sub-domain portion of the malicious URL. As a result, people with small screen resolution or small browser windows/address bars size might think they are actually on Facebook's login page. The Trojan associated with this threat installs a sophisticated "banking Trojan" that is known to scour the infected hard-drive for personal banking information and various login credentials, as well as perform key logging and other nefarious activities.
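The sub-domain trick described above lends itself to a simple defensive check. The following Python is an added example, not Red Condor's code or anything from the original article: it classifies links by their registrable domain so that a trusted hostname appearing in the sub-domain or userinfo portion of a URL is flagged, and it shows what a narrow address bar would display. The brand allow-list, the sample links and the two-label approximation of the registrable domain are constructed assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: the registrable domain the brand
# actually owns, and the brand token an impostor would want the user to see.
TRUSTED_DOMAINS = {"facebook.com"}
BRAND_TOKENS = {"facebook"}

# Constructed sample links for demonstration; none are real campaign URLs.
SAMPLE_LINKS = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com.login-update.example/index.php",
    "http://www.facebook.com@203.0.113.5/login",
    "https://facebook-security-team.example/reset",
    "https://example.org/newsletter",
]


def registered_domain(hostname):
    """Return the registrable part of a hostname, approximated here as its
    last two labels ('login.example.com' -> 'example.com').
    Simplification: a production check should consult the Public Suffix List
    so that suffixes such as 'co.uk' are handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Classify a URL as 'trusted', 'lookalike', 'other' or 'invalid'.

    'lookalike' covers the trick described in the article: the genuine brand
    hostname placed in the sub-domain (or the userinfo before '@') of a URL
    whose registrable domain belongs to someone else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "invalid"
    host = parts.hostname.lower()
    if registered_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Text before '@' is userinfo: browsers may display it, but it is not
    # the host the connection goes to.
    userinfo = parts.netloc.rsplit("@", 1)[0].lower() if "@" in parts.netloc else ""
    for token in BRAND_TOKENS:
        # A brand token anywhere in a host the brand does not own is worth a
        # closer look; this is a triage heuristic, so some false positives
        # (e.g. legitimate third-party 'brand-fans' sites) are expected.
        if token in host or token in userinfo:
            return "lookalike"
    return "other"


def displayed_prefix(url, width=24):
    """Return what a narrow address bar would show: the first `width`
    characters after the scheme. This is why the trick works on small
    screens: the visible portion can be exactly the trusted hostname."""
    parts = urlsplit(url)
    return (parts.netloc + parts.path)[:width]


def triage(urls):
    """Map each URL to its classification, e.g. for every link extracted
    from a suspicious message."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {displayed_prefix(link):24} {link}")
```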
In media reports from yesterday and today, security researchers uncovered a separate Facebook spoof email with downloadable files that included the Trojan virus Bredolab. This email threat was masked as the "Facebook Password Reset Confirmation." The threat identified today by Red Condor refers instead to implementing a new login system that will affect all Facebook users.
"Given the comfort level that millions of users have with Facebook, we want to make sure that everyone knows that there are multiple spoofed Facebook emails hitting inboxes, and that the blended threat email we are warning about is different than the one many media outlets have already reported," stated Dr. Tom Steding, chief executive officer of Red Condor. "Facebook has become phenomenally popular, which makes it a prime target for spammers and cybercriminals. Unprotected email users need to be increasingly aware of the variety of threats that will come to their inboxes posing as legitimate messages. This blended email threat is an interesting twist that seems to have baffled a number of AV engines."
The virus scam was detected by Red Condor's proprietary Spam Trigger (formerly Spam Trip Wire) technology. Spam Trigger identifies spam and virus campaigns before they penetrate users' networks. Suspicious campaigns are put on probation until a filter rule can be written to capture messages from the campaign. During the probationary period, messages from the suspicious campaigns are quarantined.
About Red Condor
Red Condor is revolutionizing spam fighting with its next generation technology. Red Condor's highly accurate email filter, hybrid architecture Vx Technology, and fully managed appliances lead to a dramatic reduction in the cost of owning a premium spam filter. With solutions for small businesses, as well as ISPs with millions of email inboxes, Red Condor has a cost-effective, timesaving solution that is rapidly gaining market share. The system's design has built-in zero tolerance for lost email, and a near zero false positive rate while achieving long-term spam block rates greater than 99%. Red Condor Archive is a secure message archiving service with lifetime retention and unlimited storage. The company's next-generation technology is backed by a 24x7 customer care center staffed by email security experts at Red Condor's headquarters. For more information, visit www.redcondor.com.
First Windows 7 Exploit Appears To Evade SDL Process
Windows 7 escaped the monthly patching process earlier this week, but it didn't escape the notice of hackers. What some security researchers are calling the first zero-day exploit in Windows 7 has been identified and Microsoft is investigating the issue.
Security researcher Laurent Gaffié called Microsoft on the carpet for its Secure Development Lifecycle (SDL) process on Wednesday. Gaffié also published proof-of-concept exploit code that he says will crash both Windows 7 and Windows Server 2008 R2.
"This bug is a real proof that SDL #FAIL," Gaffié wrote in his blog post. "The bug is so noob, it should have been spotted two years ago by the SDL if the SDL had ever existed."
The SMB Flaw
At the core of the vulnerability is the SMB (Server Message Block) protocol, the foundation of Windows file sharing. According to Gaffié, the bug triggers an infinite loop on SMB and can be triggered remotely via Internet Explorer. Gaffié notified Microsoft on Nov. 8 before releasing his proof of exploit on Nov. 11.
When Microsoft released Windows 7 to manufacturing, rumors were rampant about a showstopper bug that could threaten the success of the all-important Vista successor. At that time, technology researchers claimed to have found a bug in the new operating system that causes a massive memory leak and could cause the company to delay the final release. But Microsoft was not able to reproduce the crash.
Other than that, security issues have been nonexistent -- until now. Although Microsoft did have issues with the SMB in the past, security researchers have noted that the SMB vulnerability was difficult to exploit with default firewall conditions. There is a workaround: Blocking ports 135, 139 and 445 on the router or firewall to prevent outside SMB traffic from getting into a system.
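Once ports 135, 139 and 445 have been blocked at the router or firewall, the useful follow-up is to confirm from outside the perimeter that none of them still answer. The script below is an added example written for this page, not code from the article, from Microsoft or from Sophos. It probes the three SMB-related TCP ports with plain connect attempts and reports any that are reachable; the host address `192.0.2.10` in the usage note is a documentation placeholder, and `loopback_demo()` stands up a constructed listener on 127.0.0.1 only so the checker can be exercised offline.

```python
"""Check whether the SMB-related TCP ports (135, 139, 445) answer from this
vantage point.  Added example for the firewall workaround described above."""
import socket
from contextlib import closing

# Ports the article says to block at the network edge: 135 (RPC endpoint
# mapper), 139 (NetBIOS session service) and 445 (SMB directly over TCP).
SMB_PORTS = (135, 139, 445)


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port completes within timeout.

    A refused or timed-out connection counts as closed/filtered, which is the
    state the workaround is meant to produce for traffic from outside.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except (socket.timeout, OSError):
            return False
        return True


def smb_exposure(host, ports=SMB_PORTS, timeout=1.0):
    """Map each SMB-related port to whether it is reachable from here."""
    return {port: port_open(host, port, timeout) for port in ports}


def exposed_ports(report):
    """Ports from an smb_exposure() report that still answer.

    This should be an empty list when the block is in place between the
    prober and the host."""
    return sorted(port for port, is_open in report.items() if is_open)


def loopback_demo():
    """Offline self-check using a constructed loopback listener.

    Opens one listening socket on an ephemeral 127.0.0.1 port, probes it and a
    port with no listener, and returns (open_reachable, closed_reachable).
    Expected result: (True, False).
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))      # constructed: kernel picks a free port
        srv.listen(1)                    # backlog lets connect() complete
        open_port = srv.getsockname()[1]
        open_reachable = port_open("127.0.0.1", open_port)

    # Bind-and-release a second ephemeral port so we know nothing listens there.
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
    closed_reachable = port_open("127.0.0.1", closed_port)

    return open_reachable, closed_reachable


if __name__ == "__main__":
    # Run from outside the firewall against the host you protected, e.g.:
    #   exposed_ports(smb_exposure("192.0.2.10"))   # placeholder address
    print("loopback self-check:", loopback_demo())
```

Run it from a network position on the far side of the router or firewall; any port listed by `exposed_ports()` means the block is not taking effect for that path. The checker only tests TCP reachability, so a positive result says the port answers, not that the SMB service behind it is vulnerable.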
Bragging Against Microsoft
Chet Wisniewski, a senior security adviser at Sophos, isn't surprised to see an exploit in Windows 7 so soon after its release. That, he said, is because the Windows code was finalized very early this summer.
"Attackers have had plenty of time to look for holes," Wisniewski said. "This particular flaw was not too difficult to discover, leading the attacker to brag about how stupid it was for Microsoft to have missed it."
At this point, there's no grave danger for Windows 7 users. As Gaffié noted in his disclosure, exploiting the vulnerability can crash a host. That translates to rebooting the computer. Wisniewski noted that the zero-day vulnerability is not in worm form as of yet, and only applies to Windows 7 and Windows 2008 R2. That means it's simply a denial of service at this point.
Will Microsoft issue an out-of-cycle patch? Not unless someone tries to use this to cause a lot of people to complain, Wisniewski said. "The only real way to use it is to spam out a UNC path and trick users into connecting to it," he explained. "It is unlikely, being that no data is lost, and it requires the user to take an action to be affected."
Wisniewski said the author's aggression toward Microsoft is interesting, but aside from that this is simply another everyday denial-of-service vulnerability in Windows.
Thursday, November 12, 2009
Patch Tuesday Fixes Serious Threats
After a record-breaking October, IT administrators are welcoming a relatively light Patch Tuesday this month. But security researchers said there are serious issues that need to be addressed quickly.
Of the six patches Microsoft released Tuesday, three are critical. The three critical fixes focus on bugs in several versions of Windows, but Windows 7 is apparently immune. There are also three updates rated important that IT administrators need to deploy.
MS09-065, a bug in the Windows kernel, is this month's most serious issue, according to Andrew Storms, director of security operations at nCircle. That's because the vulnerability allows for remote code execution, and the attack code can be embedded inside Microsoft Office files or be hosted on web sites.
"Simply browsing an infected web site will compromise unsuspecting users -- not great for all the holiday shoppers looking to get a jump on their shopping," Storms said. "The novelty value of this bug is likely to attract many researchers. A lot of people will try to be the first to publicly post exploit code."
Interesting Vista Bugs
There are three vulnerabilities this month that target a listening service, noted Tyler Reguly, a senior security engineer at nCircle. While none of them are likely to be considered great candidates for exploit, he said, they are worth noting as they all primarily affect the enterprise.
"It is unlikely that the home user will be running a license-logging server or have Active Directory up and running," Reguly said. "While Web Services on Devices affects Vista and Server 2008, the attack vector requires that you be on the local subnet, meaning the home user is unlikely to see any real risk."
As a researcher, Reguly found MS09-063 to be the most interesting bug. The bug affects the Web Services on Devices API, a product only introduced in Vista. The bug appears to have already been fixed and released with Windows 7 RTM.
"The Web Services on Devices API attack interests me greatly, as it's remote code execution on a listening service," Reguly said. "I'm rather excited to dig deeper into this one and find out how it works."
Noteworthy Server Patches
There are also fixes for Microsoft Excel and Microsoft Word in Tuesday's release. MS09-067 addresses eight vulnerabilities in Microsoft Excel, none of which are publicly known. MS09-068 affects Microsoft Word and addresses one vulnerability that is not publicly known. In order for a malicious hacker to exploit these vulnerabilities, users would have to open a specially crafted Excel/Word document.
Jason Miller, data and security team leader for Shavlik Technologies, pointed to MS09-064 as an interesting vulnerability. If this was released six years ago, he said, it would be rated extremely critical. This bulletin addresses a vulnerability that only affects Windows 2000, specifically the License Logging Server.
"An attacker can send a specially crafted packet to the target system that can result in remote code execution on the target system. As Windows 2000 is an aging technology, this may not affect too many organizations," Miller said. "It is important to note any computer running Windows 2000 today is typically a server. This could make this bulletin extremely critical, as it could be a primary device on your network."
Finally, MS09-066 addresses a vulnerability in Active Directory. A successful exploit can result in denial of service on the system. However, Miller said this vulnerability will be difficult to exploit because all operating systems other than Windows 2000 require valid credentials to send a specially crafted packet.
"If an attacker already had valid credentials, they would do more damage than a denial-of-service attack on a server. For Windows 2000 servers, like MS09-064, these machines should be patched immediately," Miller said. "A specially crafted packet sent to a Windows 2000 machine can result in an unresponsive machine that requires an unscheduled reboot."
Wednesday, November 11, 2009
Facebook Hijacking
The takeover of administration rights to a large number of Facebook groups by an organization that calls itself Control Your Info is just one example of the many security issues facing social-networking sites in general and Facebook in particular, according to experts.
Indeed, this nontechnical exploit can be called a benign example of what is at risk if better controls aren't put in place. Control Your Info hijacked almost 300 groups by simply taking over unadministered groups. Dave Amsler, the cofounder and CIO of Foreground Security, said the illegitimate administrators have access to profile information, e-mail addresses and other data that members have provided. He pointed out that credit-card numbers aren't involved.
Hijacker Message
Control Your Info posted this message at those groups:
"Hello, we hereby announce that we have officially hijacked your Facebook group.
"This means we control a certain part of the information about you on Facebook. If we wanted we could make you appear in a bad way which could damage your image severly [sic]."
The group didn't respond to a request for an interview sent to the e-mail address at its web site.
Facebook's press-relations department e-mailed a statement which read in part that "there has been no hacking and there is no confidential information at risk. The groups in question have been abandoned by their previous owners, which means any group member has the option to make themselves an administrator in order to continue communication to the group. Group administrators have no access to private user information and group members can leave a group at any time."
Bigger Problems
The situation is evidence of significant vulnerabilities in Facebook, Amsler said. "The social-networking sites -- Facebook being the most important -- have major security issues," he added. "No one is bothering to secure anything."
He said the company seemed unconcerned when contacted. "We've reported major findings to them and their response is, 'Yeah, we know about it. There is not a whole lot we can do about it.'"
Amsler added that he agrees with the stated aims of Control Your Info -- to call attention to what critics say is an insecure Facebook environment -- but thinks the group acted unethically in hijacking groups. Still, he believes that Facebook probably will make the relatively easy, nontechnical changes necessary to prevent the hijackings.
Facebook defended its practices. "Security is a top priority for Facebook, and we devote significant resources to helping our users protect their accounts and information," according to a spokesperson. "Any assertion to the contrary is false. We think this focus on security is a major reason Facebook was recently named one of the top 10 most trusted companies in an independent survey conducted by TRUSTe and the Ponemon Institute."
Don't Forget Koobface
That doesn't mean Facebook is home free. Ivan Macalintal, a researcher for Trend Micro, said he has been following Koobface, a worm that is unrelated to the Control Your Info situation. While Koobface is aimed at all social-networking sites, perhaps its name -- an anagram of Facebook -- reveals its true target.
It's impossible to say precisely what Koobface does, since it is a delivery mechanism. The actual payload it carries could do such things as steal information or install rogue antivirus programs.
The openness of social-networking sites is running headlong into the need to make sure the sites are safe. "This is just the tip of the iceberg. With social-networking sites, there are much bigger fish to fry," Amsler said. "Facebook, My Space and YouTube have not been performing for the users. There are major vulnerabilities found on those sites, to the point where anybody can have their information completely compromised."