<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7018540201145581108</id><updated>2011-07-30T22:40:41.767-07:00</updated><category term='TJX'/><category term='Ninetendo WII'/><category term='Windows XP'/><category term='Visa'/><category term='dlp'/><category term='Bleepingcomputer.com'/><category term='vulnerability'/><category term='malware'/><category term='cybercrmie'/><category term='Cisco'/><category term='Apple TV'/><category term='Windows'/><category term='Trend Micro'/><category term='Apple'/><category term='US Secret Service'/><category term='Trojan horse'/><category term='data loss'/><category term='Animated Cursor'/><category term='carders'/><category term='Mac OS X'/><category term='AZN Trojan'/><category term='conficker'/><category term='downadup'/><category term='indentity fraud'/><category term='HBGary'/><category term='botnets'/><category term='Nitesh Dhanjani'/><category term='Lawrence Abrams'/><category term='out-of-cycle'/><category term='Windows Vista'/><category term='malicious server'/><category term='security update'/><category term='security'/><category term='MasterCard'/><category term='Sean Brady'/><category term='Mark Zuberberg'/><category term='ATM PIN'/><category term='vulnerablity'/><category term='forensics'/><category term='Robert Baldwin'/><category term='call center fraud'/><category term='home network'/><category term='cybercrime'/><category term='social networks'/><category term='Greg Hoglund'/><category term='ID Theft Resource Center'/><category term='worm'/><category term='buffer overflow'/><category term='arbitrary code execution'/><category term='linda foley'/><category 
term='MS08-067'/><category term='investigations'/><category term='CVE'/><category term='iWork'/><category term='ATM machines'/><category term='credit card scams'/><category term='DDoS'/><category term='remote code execution'/><category term='ID fraud'/><category term='hacking'/><category term='physical memory'/><category term='201 RSA Conference'/><category term='RPC'/><category term='rogue antivirus program'/><category term='identity fraud'/><category term='skimming'/><category term='real estate scams'/><category term='data breach'/><category term='ITRC'/><category term='Heartland'/><category term='Linkedin'/><category term='data loss prevention'/><category term='RBS Worldpay'/><category term='criminal organization'/><category term='firewall'/><category term='Facebook'/><category term='Electronic Freedom Foundation'/><category term='robert vamosi'/><category term='QuckTime'/><category term='Defense in Depth'/><category term='social engineering'/><category term='internet explorer'/><category term='Jose Nazario'/><category term='Patch Tuesday'/><category term='Zeus Tracker'/><category term='Russian'/><category term='Web threats'/><category term='hackers'/><category term='botnet'/><category term='Kevin Mitnick'/><category term='AS Troyak'/><category term='denial of service'/><category term='Benjamin Jun'/><category term='Zeus'/><category term='microsoft'/><category term='Cryptography Research'/><category term='social media'/><category term='P2P'/><category term='identity theft'/><title type='text'>Defense In Depth</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/'/><link rel='hub' 
href='http://pubsubhubbub.appspot.com/'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>22</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-7328475464152930386</id><published>2011-03-04T15:05:00.000-08:00</published><updated>2011-03-25T15:07:43.104-07:00</updated><title type='text'>Why Cybersecurity Should Focus on Failure</title><content type='html'>When a computer crashes, our instinct is to reboot and not to question the root cause. But perhaps we should try to understand our failures before trying to forget them.  Paul Kocher, president and chief scientist of Cryptography Research, Inc. in San Francisco, thinks that the computer security industry’s understanding of failure is still in its infancy, and that security practitioners today should try to learn from other industries that have greatly improved their risk profiles and consumers’ trust over the years.  For example, the aviation industry.&lt;br /&gt;&lt;br /&gt;In the 1940s “there were about ten deaths per one hundred million passenger miles,” he said. That meant the average passenger would expect to die for every ten million plane miles flown.  Today, when air travel is much more common, most people have flown at least a million or so air miles. In terms of 1940s aviation, most of us would have a 1 in 5 chance of being dead because of a plane crash. 
With that track record, the aviation industry might not have survived or be as robust as it is today.&lt;br /&gt;&lt;br /&gt;Yet we tolerate similar failures and crashes within the computer industry every day.&lt;br /&gt;&lt;br /&gt;Kocher said there’s been a thousand-fold improvement in aviation safety over the years because every time a plane crashes, the industry doesn’t say “Oops, that piece of metal broke.” Or “Too bad.” Or “the pilot made that dumb mistake because they didn’t deal with the engine failure properly.”  Instead there’s a formal process that leads to exponential improvement in aviation safety.&lt;br /&gt;&lt;br /&gt;Every aviation accident gets investigated, and often there is not one but a number of root causes behind it. “It’s essentially impossible that one error can bring down an airplane today,” he said, since three, four, or five failures usually compound on each other. With the mandatory use of black boxes, extensive field investigations, and expensive reconstructions, each aviation failure becomes less and less likely in the future.&lt;br /&gt;&lt;br /&gt;“In computer security we’re going the other direction,” Kocher said, because the industry doesn’t take a professional, analytic view of failure. Some vendors will spend many months looking for problems that don’t exist. On the other hand, some vendors will only fix the bugs and do no more.&lt;br /&gt;&lt;br /&gt;“In the aviation industry there’s not an attempt to put gloss around aviation safety to try and convince consumers there’s no possibility of an airplane crash if you carry the magic wand in your hand,” he said.  Instead there are individuals and companies that try to gather as much information as possible. 
They perform a root cause analysis and try to learn as much as they can from each failure.&lt;br /&gt;&lt;br /&gt;On the other hand, Kocher said, within computer security if you go to ten practitioners and ask what you should do to solve your particular data security problem, you’ll get ten different answers. One or two of those solutions may work. Eight of the ten solutions may not.&lt;br /&gt;&lt;br /&gt;He compared computer security to medicine in the 1820s “when you had snake oil being sold along with some things that worked well but we may not know why they work.”  Even when solutions do work, we often don’t know enough about them to explain why they worked. After more than fifty years, we don’t yet understand the root causes of computer failure.&lt;br /&gt;&lt;br /&gt;Kocher cites Moore’s Law, which states that the number of transistors placed on a chip will double every two years. Moore’s Law allows for the inexpensive installation of many additional layers of protection. That way, if one piece fails, the others will ensure that the overall security properties are met.  Eventually, if you build up enough barriers, “it works but it is not very elegant,” he said. But “it’s like putting thirty layers of concrete bunker around your house, a wooden one, a steel one, etc., and then trying to make them interlock in various ways to keep your teenage daughter from leaving the house at night.”&lt;br /&gt;&lt;br /&gt;Kocher said it’s important to understand the underlying motivations as well. Today the computer attacker has more incentive to learn about failures than the solutions vendors. The good guys collect their salaries whether or not a given solution worked. 
But the bad guys only get paid if &lt;em&gt;they&lt;/em&gt; are successful.&lt;br /&gt;&lt;br /&gt;This originally appeared on &lt;a href="http://blogs.forbes.com/firewall/2011/03/04/why-cybersecurity-should-focus-on-failure/"&gt;Forbes.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-7328475464152930386?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/7328475464152930386/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2011/03/why-cybersecurity-should-focus-on.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/7328475464152930386'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/7328475464152930386'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2011/03/why-cybersecurity-should-focus-on.html' title='Why Cybersecurity Should Focus on Failure'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-506184248877410296</id><published>2010-05-18T08:23:00.000-07:00</published><updated>2010-06-16T08:42:01.682-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ATM PIN'/><category scheme='http://www.blogger.com/atom/ns#' term='skimming'/><category scheme='http://www.blogger.com/atom/ns#' term='ATM 
machines'/><category scheme='http://www.blogger.com/atom/ns#' term='call center fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Cybercriminals phone it in</title><content type='html'>The mobile phone provides additional customer security for financial transactions. Either by voice or text, banks–in real time–may question account holders about large transfers of funds, potentially stopping fraud in progress. While attending a recent public-private summit for the financial services industry, however, I heard of several ways that criminals are using the financial services’ own call centers to circumvent these security controls.&lt;br /&gt;&lt;br /&gt;The criminals start by acquiring your account information, either by placing keystroke loggers on your desktop or by deploying sniffer programs on the network or by using traditional phishing campaigns, which entice you to volunteer personal data.  The criminals then masquerade as the account holder in a call to the customer service representative (CSR) at the targeted financial service institution.&lt;br /&gt;&lt;br /&gt;In the past, fraud at ATMs has been relatively out of reach; the criminal might get your account number but not the associated PIN. One call center scam involves calling the CSR to change the PIN on an ATM card. By providing the call center with a name, address, even the 9 digits of a social security number and the targeted account number, the criminal is able to reset a 4-to-6-digit ATM or credit card PIN. After burning the stolen account data onto a blank magnetic stripe card, the criminal is then able to use this new PIN at any ATM.&lt;br /&gt;&lt;br /&gt;Another way cybercriminals are using the call center is to simply change the contact phone number on an existing account. 
Most of us may not be accustomed to having banks contact us over the phone, but when there’s a particularly large transaction pending that is atypical, most institutions will call or text to confirm. Now the criminals are changing the contact number on record to their own. Then, when the bank calls to confirm, the criminals approve the transfer because the financial institution has called them and not you.  But the financial institutions are aware of this scam and have now started calling both the new and the old phone numbers for confirmation.&lt;br /&gt;&lt;br /&gt;The criminals, of course, are one step ahead.&lt;br /&gt;&lt;br /&gt;In one case, documented by Kim Zetter over at &lt;a href="http://www.wired.com/threatlevel/2010/05/telephony-dos/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+wired27b+%28Blog+-+27B+Stroke+6+%28Threat+Level%29%29"&gt;Wired&lt;/a&gt;,  a doctor’s home, office and cell numbers were jammed with repeated calls. Some were solicitations for sex websites, others pure silence. When customers complain to their telephone carrier, some telephone companies are now warned that there might be a financial crime associated with these calls.&lt;br /&gt;&lt;br /&gt;All of these attacks expose weaknesses in the call center’s authentication of account holders. Financial institution call center customer service representatives often rely on the Automatic Number Identification (ANI), a phone number that appears with each incoming call.  ANI is unrelated to CallerID; it is based on billing data and thus can be captured by a CSR system even if the caller has blocked CallerID. Cybercriminals can and do manipulate ANI, making their call appear to be from anywhere, including the original registered contact phone number for a stolen account.&lt;br /&gt;&lt;br /&gt;Challenge-response questions aren’t the answer either. Cybercriminals can search for and often find the answers to many common questions online. 
For example, the password to &lt;a href="http://www.forbes.com/feeds/prnewswire/2010/04/30/prnewswire201004301823PR_NEWS_USPR_____DC97124.html"&gt;Sarah Palin’s Yahoo e-mail account&lt;/a&gt; was reset by someone guessing that she met her husband in high school.&lt;br /&gt;&lt;br /&gt;Instead, institutions should use more than one type of call center authentication — ANI plus challenge-response questions where the questions are derived from past financial interactions with the customers (“Where was your last ATM transaction?”). Better yet,  a mutually agreed upon password.  Additionally, institutions should automatically enroll account holders in a package of security-based e-mail, text, and voice alerts including, but not limited to, changes to the physical address, the addition of a new person to an existing account, changes made to the contact phone number, and changes made to the PIN on an account. &lt;p&gt;&lt;/p&gt;&lt;p&gt;In theory the average account holder should never see these alerts. 
But when they do hopefully they’ll realize that they’ll need to react and stop the fraud in real time.&lt;/p&gt;&lt;p&gt;Originally published in &lt;a href="http://blogs.forbes.com/firewall/2010/05/19/cybercriminals-phone-it-in/"&gt;Forbes.com&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-506184248877410296?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/506184248877410296'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/506184248877410296'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2010/05/cybercriminals-phone-it-in.html' title='Cybercriminals phone it in'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-8794156172233417063</id><published>2010-04-29T08:31:00.000-07:00</published><updated>2010-10-12T11:31:28.844-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social media'/><category scheme='http://www.blogger.com/atom/ns#' term='Cryptography Research'/><category scheme='http://www.blogger.com/atom/ns#' term='Mark Zuberberg'/><category scheme='http://www.blogger.com/atom/ns#' term='Benjamin Jun'/><category scheme='http://www.blogger.com/atom/ns#' term='201 RSA Conference'/><title type='text'>The Dangers in Following the Crowd</title><content type='html'>&lt;p&gt;When Benjamin Jun received a winter catalog in the mail from Nike with a personal 
URL on the cover, he didn’t realize the wealth of information that would soon be available to him online. Jun, Vice President of technology at Cryptography Research, said that once online he was able to access a database showing what those he knew had purchased  at various Nike stores. The site (and the entire winter campaign) is now down, but social media mashups such as this raise serious questions about companies that combine various databases–often without our direct consent. &lt;span id="more-3111"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;This week Facebook has come under scrutiny for its new social media network. While you are logged into Facebook, a simultaneous visit to one of Facebook’s partner sites will reveal what your Facebook friends think of content on that site. The application also allows you to be interactive with your Facebook friends on the partner site, extending your social media experience. &lt;/p&gt;&lt;p&gt;However, the application also allows third parties to collect data about you and your friends, making public (in some cases) data that you may have marked as “friends only” within the privacy settings on the Facebook side. More ominously, Facebook is allowing its partner sites to store this demographic and marketing information indefinitely.&lt;/p&gt;&lt;p&gt;On Monday, four senators (Charles Schumer of New York, Michael Bennet of Colorado, Mark Begich of Alaska and Al Franken of Minnesota) wrote to Facebook CEO Mark Zuckerberg with &lt;a href="http://www.forbes.com/feeds/ap/2010/04/27/technology-us-tec-facebook-privacy-concerns_7550410.html"&gt;several privacy concerns&lt;/a&gt;,  including why it is so difficult for customers to opt out of this new networking platform. Indeed, there are multiple settings within Facebook that must be tweaked in order to restrict private information. &lt;/p&gt;&lt;p&gt;Facebook has responded that it takes privacy seriously, though it offered no specifics.  
Facebook, to its credit, has launched a new &lt;a href="http://www.facebook.com/help/?safety"&gt;safety page&lt;/a&gt;, designed to better educate its users around sharing passwords and other factors, but it does nothing to mitigate the potential privacy and security risks inherent within Facebook’s proposed &lt;a href="http://www.blogger.com/http//www.facebook.com/fbsitegovernance?_fb_noscript=1"&gt;privacy policy changes&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;The true dangers lie beneath the surface, beyond the mere marketing information of likes and dislikes.  &lt;/p&gt;&lt;p&gt;In his talk last month at the 2010 RSA Conference, Jun spoke about the underlying assumptions being made by the site designers (not just at Nike and Facebook or their partners) who are incorporating mashup strategies–assumptions that might not be true. For example, the process of authorization for credentials on a social networking site is very different from the process of obtaining credentials on an e-commerce or online banking site. Site developers might be tempted to accept the APIs from a popular social media site as a way to increase revenue. Jun says the application designers should instead avoid or at least carefully consider the information being passed to them from another source. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;To prevent unintended access, Jun advocates the creation of a “session manager,” one more hoop in the security chain. While it’s always controversial to propose slowing down the consumer experience, the session manager would receive credentials from a third-party site, vet the data, then prompt for additional authentication if necessary. &lt;/p&gt;&lt;p&gt;Simply passing credentials from one site to another without reevaluating is dangerous, said Jun. He cites, in particular, the three R’s of application development: redirects, renegotiation and reconnections.  
It is within these that gaps of trust among different systems could allow bad actors access to sensitive data without proper authentication.  Jun says that in the case of the Nike solicitation, the only authentication was a unique URL on the cover of the catalog. Anyone reading the mailing could have gone online as him.&lt;/p&gt;&lt;p&gt;I for one do not need to know what news stories my friends are reading right now—let them surprise me later in a real (not virtual) conversation. Nor do I need to see what my friends are buying from an e-commerce site; really,  I’m probably the last person to go online, learn that someone I know bought a pair of blue running shorts, size medium, and say “Hey, order me a pair also!” Just because the crowd is doing something doesn’t mean I’m going to do it.&lt;/p&gt;&lt;p&gt;But for many, social networking &lt;i&gt;is&lt;/i&gt; a way of life, a connection to others.  For them, let’s get the security right. With online data leakage occurring in new and surprising ways these days, why take the chance of sharing databases without providing additional back-end controls?&lt;/p&gt;Originally published in &lt;a href="http://blogs.forbes.com/firewall/2010/04/29/the-dangers-in-following-the-crowd/"&gt;Forbes.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-8794156172233417063?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/8794156172233417063/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2010/04/dangers-in-following-crowd.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8794156172233417063'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8794156172233417063'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2010/04/dangers-in-following-crowd.html' title='The Dangers in Following the Crowd'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-2793946029560192913</id><published>2010-03-23T08:34:00.000-07:00</published><updated>2010-06-16T08:38:11.411-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Nitesh Dhanjani'/><category scheme='http://www.blogger.com/atom/ns#' term='social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='Linkedin'/><category scheme='http://www.blogger.com/atom/ns#' term='social media'/><category scheme='http://www.blogger.com/atom/ns#' term='Electronic Freedom Foundation'/><category scheme='http://www.blogger.com/atom/ns#' term='social networks'/><category scheme='http://www.blogger.com/atom/ns#' term='Kevin Mitnick'/><title type='text'>Be Careful Who You Know</title><content type='html'>&lt;p&gt;Beyond date of birth, what other personal information are we giving away on social network sites? In a talk a few weeks ago at the &lt;a href="http://www.rsaconference.com/2010/usa/"&gt;2010 RSA Conference&lt;/a&gt;, security researcher &lt;a href="http://www.dhanjani.com/about.html"&gt;Nitesh Dhanjani&lt;/a&gt; explored some non-traditional ways social networking could be used to profile individuals. 
He says just by studying your social networking presence one can identify, for example, pending business deals.&lt;span id="more-2950"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Dhanjani, who says his exploration is just a hobby, says he created a LinkedIn account for a friend who didn’t yet have an account (we’ll call him “Jack”), then invited a mutual friend to join Jack’s LinkedIn network. Within a short time, Jack acquired over 80 connections. What’s surprising here, says Dhanjani, isn’t that people linked to this fraudulent LinkedIn profile, but what information he as an impostor was able to glean about Jack’s sphere of influence and business.  &lt;/p&gt;&lt;p&gt;For example, a competitor cybersquatting as Jack could now see Jack’s clients. And, if Jack’s company was about to be acquired (and that information was not yet public), an outsider might further see a recent influx of new connections from several people at a rival organization. The lesson here is to establish a presence on the major social networks, if only to stake claim to your name and reputation.&lt;/p&gt;&lt;p&gt;Even legitimate social networks can be hacked: someone could friend you just to get access to someone else you know. A law enforcement officer could be seeking information on a person of interest who happens to be part of your social network.  According to the Electronic Freedom Foundation, social networks are being used by federal investigators, and last week the privacy organization released a &lt;a href="http://www.eff.org/files/filenode/social_network/training_course.pdf"&gt;38-page PDF training course&lt;/a&gt; (obtained through the Federal Freedom of Information Act) that the EFF said was used for conducting investigations via social networks. While federal agents can’t legally pretend to be someone else, they can request to be your friend and thus see all your posts, as well as those of others in your network. 
The EFF has been &lt;a href="http://www.eff.org/foia/social-network-monitoring"&gt;studying the privacy issues associated with this new form of surveillance&lt;/a&gt;.  Often we accept people into our social networks by extension of trust, i.e., a friend of a friend, so a good rule of thumb might be to question how well you really know a person before accepting a new friend request.&lt;/p&gt;&lt;p&gt;But one doesn’t have to join a social network to define your social network.&lt;/p&gt;&lt;p&gt;In his RSA presentation Dhanjani also demonstrated how outsiders can use publicly available social network information to define spheres of influence around a targeted individual.  Popular social networks display the top 8 friends for a person as a means of identifying exactly which John Smith you’re currently looking at. By comparing the 8 friends on MySpace with the sample 8 friends on Facebook, Dhanjani says he can map who the critical contacts are for the targeted individual. And by going one step further, by looking at the friends of those friends, one can further map who has the most influence with a targeted individual, their “posse” if you will, and do so without joining the network.  A hacker using social engineering could then contact the targeted individual and say “Jane said I should contact you about Alice.” &lt;/p&gt;&lt;p&gt;Some may see all this as nothing new. &lt;a href="http://mitnicksecurity.com/"&gt;Kevin Mitnick&lt;/a&gt; pioneered social engineering years ago. But now the means to profile someone is much more convenient. Be careful who you know and what you post online. You never know who might be listening. 
&lt;/p&gt;&lt;br /&gt;Originally published in &lt;a href="http://blogs.forbes.com/firewall/2010/03/23/be-careful-who-you-know/"&gt;Forbes.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-2793946029560192913?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/2793946029560192913'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/2793946029560192913'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2010/03/be-careful-who-you-know.html' title='Be Careful Who You Know'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-8390203983616911087</id><published>2010-03-16T08:58:00.000-07:00</published><updated>2010-06-16T09:06:31.566-07:00</updated><title type='text'>Device Fingerprinting to Fight Real-time Transaction Fraud</title><content type='html'>&lt;p&gt;On Tuesday ThreatMetrix unveiled its new cloud-based transactional fraud network. Using its global database of device fingerprints (unique details about the PC, mobile phone or other Internet-connected device), the company says it can detect fraudulent transactions without the need for acquiring personally identifiable information.  
By correlating incoming TCP/IP information with its database, for example, the company was recently able to identify and stop one malware-infected computer from making an online transaction.&lt;span id="more-2935"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;ThreatMetrix, a Los Altos, California-based company, has been working on its fraud network for four or five years, says Alisdair Faulkner, chief product officer at the company.  What’s different from other transaction-based fraud networks is that ThreatMetrix uses device fingerprinting, not necessarily transaction details, for its fraud detection, providing a new set of tools for organizations to verify new accounts, authorize payments and transactions, and authorize user logins. Faulkner describes the new network as “fraud middleware” in that it is designed to complement and integrate with existing fraud solutions.&lt;/p&gt;&lt;p&gt;It is a very different solution from the approach taken by other transactional fraud networks such as ID Analytics, a San Diego, California-based company that uses data mining of consumer purchases to address identity fraud.  By collecting transaction data, ID Analytics says it can profile a customer’s typical purchasing behavior and flag an abnormal transaction as a possible fraudulent transaction.  Unlike the credit bureaus, which look at static elements of a person’s profile (SSNs or open accounts), transactional fraud networks look at the live transaction data instead.&lt;/p&gt;&lt;p&gt;What ThreatMetrix brings to the table is a proprietary device fingerprinting methodology that is able to probe beyond mere cookies and browser data to identify the machine being used for online access.&lt;br /&gt;&lt;br /&gt;Clearly there is a need for such alternative analysis. Cybercriminals have shown increasing technical sophistication year after year.  
Being able to mask one’s hardware identity seems mere child-splay today–unless one has the sophisticated tools to analyze the output from a compromised machine.&lt;/p&gt;&lt;p&gt;By cataloging devices internationally, ThreatMetrix says it can see through a typical TCP/IP proxy and learn that a machine pretending to be a Windows XP machine located within the United States is in reality a Linux machine located in Vietnam.  This could be a machine set to emulate a legitimate user. Or it could indicate a possible man-in-the-middle attack as well, where a third party is eavesdropping on a user’s online session.&lt;br /&gt;&lt;br /&gt;ThreatMetrix has also seen one device log into multiple financial services accounts within seconds of each other as well as numerous devices attempting to log into the same online account.  This could indicate the use of a botnet, a rogue network of compromised PCs.&lt;/p&gt;&lt;p&gt;Despite the new avenues for fraud  taken by cybercriminals today it’s nice to the see the security industry thinking outside the box and offering innovative solutions.&lt;/p&gt;Orginally published in &lt;a href="http://blogs.forbes.com/firewall/2010/03/17/device-fingerprinting-to-fight-real-time-transaction-fraud/"&gt;Forbes.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-8390203983616911087?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8390203983616911087'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8390203983616911087'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2010/03/device-fingerprinting-to-fight-real.html' title='Device Fingerprinting to Fight Real-time Transaction Fraud'/><author><name>Robert 
Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-8969404848030787027</id><published>2010-03-10T09:40:00.000-08:00</published><updated>2010-06-16T09:42:33.126-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Zeus Tracker'/><category scheme='http://www.blogger.com/atom/ns#' term='Russian'/><category scheme='http://www.blogger.com/atom/ns#' term='Sean Brady'/><category scheme='http://www.blogger.com/atom/ns#' term='AS Troyak'/><category scheme='http://www.blogger.com/atom/ns#' term='Zeus'/><category scheme='http://www.blogger.com/atom/ns#' term='botnet'/><category scheme='http://www.blogger.com/atom/ns#' term='criminal organization'/><category scheme='http://www.blogger.com/atom/ns#' term='201 RSA Conference'/><title type='text'>With ISP offline, criminal malware infections drop dramatically</title><content type='html'>&lt;p&gt;On Wednesday, RSA alerted its customers to a substantial decrease within the last twenty four hours in Trojan horse activity on the Internet as the result of a key Internet host going offline. Criminal enterprises use such hosts as a common point of contact. On the front end, it is the Internet address that thousands of infected computers worldwide point to in order to download the latest version of malware. On the back end, the bad guys connect through such a common network to mask their true locations.  Removing the network breaks the connection between the infected PC and the criminal enterprise. 
Additionally, Cisco reports that there was a flood of last minute malware activity prior to the shut down which could have been the criminals seeking to change IP addresses.&lt;span id="more-2914"&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;The facility, known as AS Troyak (Russian slang for “Trojan”) is believed to be the source of several major strains of Trojans currently active on the Internet. AS Troyak is home to Rock Phish gang’s JabberZeus drop server, Gozi Trojan servers, among other lesser known Trojans. Zeus is a new class of &lt;a href="http://www.pcworld.com/article/182889/new_banking_trojan_horses_gain_polish.html"&gt;banking Trojan&lt;/a&gt; that uses stealth in ACH transfers to defraud its victims.&lt;/p&gt;&lt;p&gt;A dramatic example of the impact of the loss of AS Troyak can be found on the site &lt;a href="https://zeustracker.abuse.ch/statistic.php"&gt;Zeus Tracker&lt;/a&gt; (this site uses a generic certificate so your browser may need to add site as an exception), which reported a substantial drop in Zeus infections on Tuesday evening.&lt;/p&gt;&lt;br /&gt;&lt;div id="attachment_2915" class="wp-caption aligncenter" style="width: 310px;"&gt;&lt;img src="https://www.javelinstrategy.com/uploads/2010/03/massivezeusccdrop-300x96.png" alt="Source: Zeus Tracker http://www.abuse.ch/" class="size-medium wp-image-2915" height="96" width="300" /&gt;&lt;p class="wp-caption-text"&gt;Source: Zeus Tracker http://www.abuse.ch/&lt;/p&gt;&lt;/div&gt;&lt;p&gt;In the past bullet-proof hosting facilities have used AS Troyak. Bullet-proof hosting means the owners are likely to be involved in some criminal activity themselves and thus ignore requests by law enforcement to shut down any illegal activity on the server. 
That isn’t to say &lt;a href="http://www.robtex.com/asmacro/as-troyak.html"&gt;all of AS Troyak’s clients&lt;/a&gt; are engaged in illegal activity, only that those that are will likely find safe haven with these facilities.&lt;/p&gt;&lt;p&gt;According to RSA, the ranges of IP addresses affected by the AS Troyak shutdown include:&lt;/p&gt;&lt;p&gt;91.200.164.0/22&lt;br /&gt;&lt;br /&gt;91.201.196.0/22&lt;br /&gt;&lt;br /&gt;193.104.27.0/24&lt;br /&gt;&lt;br /&gt;193.104.94.0/24&lt;br /&gt;&lt;br /&gt;193.104.176.0/24&lt;/p&gt;&lt;br /&gt;&lt;p&gt;The exact cause of AS Troyak’s demise is not known, nor does the team at RSA think it is likely to be long-lived. The server could, for instance, be moving to a new physical location, or the shutdown could be the result of a technical failure. Or the party operating it may have decided not to continue with the service. It is also possible, though unlikely, that a coordinated effort by law enforcement and/or the security community may have shuttered AS Troyak.&lt;/p&gt;&lt;p&gt;“While the excitement is likely to be rather short-lived,” said Sean Brady, product marketing manager for RSA’s IPV Team, “seeing a wholesale throttling of a significant volume of online fraudulent activity provides a valuable glimpse at how to perform large-scale crime prevention efforts. 
It’s akin to the traditional methods of taking on organized crime – if you can go after the money, or in this case, the infrastructure, you can do more damage to the organization’s activity than going after individuals or individual resources.”&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-8969404848030787027?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8969404848030787027'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8969404848030787027'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2010/03/with-isp-offline-criminal-malware.html' title='With ISP offline, criminal malware infections drop dramatically'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-4098941066163425062</id><published>2009-03-05T11:35:00.000-08:00</published><updated>2009-03-05T11:43:04.001-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Defense in Depth'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerability'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><title type='text'>Microsoft to have 1 Critical and 2 Important patches for March</title><content type='html'>In its advance notification, Microsoft today said that it intends to issue three security bulletins on Patch Tuesday, March 10, 2009. 
&lt;br /&gt;&lt;br /&gt;The most serious vulnerability is within Windows and could lead to remote code execution if exploited. This patch will be given Microsoft's most severe rating of Critical.&lt;br /&gt;&lt;br /&gt;Two other patches expected on Tuesday also affect Windows; however, Microsoft ranks these as Important. The vulnerabilities here could lead to spoofing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-4098941066163425062?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/4098941066163425062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/03/microsoft-to-have-1-critical-and-2.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/4098941066163425062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/4098941066163425062'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/03/microsoft-to-have-1-critical-and-2.html' title='Microsoft to have 1 Critical and 2 Important patches for March'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-5991104411545114215</id><published>2009-02-19T08:30:00.000-08:00</published><updated>2009-02-19T09:10:42.855-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Lawrence Abrams'/><category scheme='http://www.blogger.com/atom/ns#' term='Bleepingcomputer.com'/><category scheme='http://www.blogger.com/atom/ns#' term='Defense in Depth'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='rogue antivirus program'/><title type='text'>I'm flattered, but ...fake ZDNet review leads to malware</title><content type='html'>Malware writers have been using bogus antivirus products to infect computers--such rogue programs are not new. But Lawrence Abrams, owner of &lt;a href="http://www.bleepingcomputer.com"&gt;BleepingComputer.com&lt;/a&gt;, notified me this morning that one new rogue is posting a fake review written by one "Robert Vamosi."&lt;br /&gt;&lt;br /&gt;This particular rogue is called Anti-Virus-1, and it takes over a computer's HOSTS file so that it redirects users to bogus review sites, such as this one supposedly posted on ZDNet.com (screenshot courtesy of Bleepingcomputer.com).&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_z8EA5UQuMLs/SZ2Mo0x6blI/AAAAAAAAAA4/RtKvzzLAvSQ/s1600-h/fake-zdnet-review.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 325px;" src="http://1.bp.blogspot.com/_z8EA5UQuMLs/SZ2Mo0x6blI/AAAAAAAAAA4/RtKvzzLAvSQ/s400/fake-zdnet-review.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5304550569102962258" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;You can see a larger version &lt;a href="http://img.bleepingcomputer.com/swr-guides/a/anti-virus-1/reviews/fake-zdnet-review.jpg"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;And here's the &lt;a href="http://img.bleepingcomputer.com/swr-guides/a/anti-virus-1/reviews/fake-cnet-review.jpg"&gt;CNET review&lt;/a&gt; I also didn't write.&lt;br /&gt;&lt;br /&gt;Note, I have never given any product a 9.5 in all my years reviewing antivirus 
programs. Also, look at the URL: a1.reviews.zdnet.com -- this is not the URL format for a ZDNet review.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.bleepingcomputer.com/forums/topic204619.html"&gt;forums at Bleepingcomputer.com&lt;/a&gt; have more on this particular rogue.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-5991104411545114215?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/5991104411545114215/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/02/im-flattered-but-fake-zdnet-review.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/5991104411545114215'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/5991104411545114215'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/02/im-flattered-but-fake-zdnet-review.html' title='I&apos;m flattered, but ...fake ZDNet review leads to malware'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_z8EA5UQuMLs/SZ2Mo0x6blI/AAAAAAAAAA4/RtKvzzLAvSQ/s72-c/fake-zdnet-review.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-8462533393553427466</id><published>2009-02-05T13:16:00.001-08:00</published><updated>2009-02-05T13:16:32.800-08:00</updated><title type='text'>Microsoft plans 4 bulletins for Patch Tuesday</title><content type='html'>Microsoft today released its advance notification for next week's Patch Tuesday. There are two critical patches (one each for IE and Microsoft Exchange Server) and two important patches (one each for SQL and Visio). Complete details can be found &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-8462533393553427466?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/8462533393553427466/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/02/microsoft-plans-4-bulletins-for-patch.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8462533393553427466'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8462533393553427466'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/02/microsoft-plans-4-bulletins-for-patch.html' title='Microsoft plans 4 bulletins for Patch Tuesday'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-94495001175402227</id><published>2009-02-04T10:11:00.000-08:00</published><updated>2009-02-04T10:19:50.155-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RBS Worldpay'/><category scheme='http://www.blogger.com/atom/ns#' term='ATM machines'/><category scheme='http://www.blogger.com/atom/ns#' term='data loss'/><category scheme='http://www.blogger.com/atom/ns#' term='cybercrime'/><category scheme='http://www.blogger.com/atom/ns#' term='Defense in Depth'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><title type='text'>Coordinated ATM attack nets $9 million</title><content type='html'>Up to 130 ATM machines in 49 cities worldwide were used in a coordinated attack on &lt;a href="http://www.rbsworldpay.us/about.htm"&gt;RBS Worldpay&lt;/a&gt;, a global payments services company. Within a 30 minute period on November 8th, 2008, the company lost an estimated $9 million dollars due to fraudulent ATM transactions.&lt;br /&gt;&lt;br /&gt;While the company first disclosed the loss in November, the ambitious scale of the attack has only recently come to light. &lt;a href="http://www.myfoxny.com/dpp/news/090202_FBI_Investigates_9_Million_ATM_Scam"&gt;John Deutzman of Fox News in New York&lt;/A&gt; first reported the background on the attack on Monday.&lt;br /&gt;&lt;br /&gt;According to the Fox investigation and statements from the FBI, someone gained access to the RBS Worldpay system. RBS issues payment cards which can be used like debit cards in any ATM worldwide. 
Whoever gained access to the RBS system was able to clone these cards and may have been able to obtain personal information about the account holders.&lt;br /&gt;&lt;br /&gt;RBS officials told Fox they have sent out letters to anyone who might have been affected and are offering one-year credit protection for anyone whose Social Security number may have been exposed.&lt;br /&gt;&lt;br /&gt;There's a twist, however. Since ATM machines have a limit on how much you can withdraw in any one day, these cards had that limit lifted, allowing the "cashers," the individuals who walked up to the ATM, to withdraw very large quantities of cash. Authorities speculate that only 100 cloned card accounts were used at ATMs located in Atlanta, Chicago, New York, Montreal, Moscow and Hong Kong. &lt;br /&gt;&lt;br /&gt;In the US, the FBI has circulated photos of the individuals withdrawing cash at the time of that attack. The hope is that one of these individuals will identify who hired them and move authorities closer to finding those responsible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-94495001175402227?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/94495001175402227/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/02/coordinated-atm-attack-nets-9-million.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/94495001175402227'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/94495001175402227'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/02/coordinated-atm-attack-nets-9-million.html' 
title='Coordinated ATM attack nets $9 million'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-4350826249255282325</id><published>2009-01-23T14:55:00.000-08:00</published><updated>2009-01-23T14:57:22.055-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='P2P'/><category scheme='http://www.blogger.com/atom/ns#' term='DDoS'/><category scheme='http://www.blogger.com/atom/ns#' term='botnets'/><category scheme='http://www.blogger.com/atom/ns#' term='Defense in Depth'/><category scheme='http://www.blogger.com/atom/ns#' term='Trojan horse'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='downadup'/><category scheme='http://www.blogger.com/atom/ns#' term='denial of service'/><category scheme='http://www.blogger.com/atom/ns#' term='Mac OS X'/><category scheme='http://www.blogger.com/atom/ns#' term='Jose Nazario'/><category scheme='http://www.blogger.com/atom/ns#' term='conficker'/><category scheme='http://www.blogger.com/atom/ns#' term='iWork'/><title type='text'>iWork 2009 Trojan building a botnet</title><content type='html'>This week security researchers &lt;A href="http://www.macworld.com/article/138380/2009/01/iworktrojan.html"&gt;reported&lt;/a&gt; that pirated copies of iWork 2009 may contain a Trojan horse. Experts note that with Mac OS X threats, you have to be fooled into installing them. In this case, the chance to own iWork 2009 on the cheap is the potential draw. 
Most &lt;A href="http://www.pcworld.com/article/158217/security_software_makers_respond_to_iwork_trojan_threat.html?tk=rss_news"&gt;antivirus programs for the Mac&lt;/a&gt; are capable of stopping this threat. &lt;br /&gt;&lt;br /&gt;But what hasn't been widely reported is what happens after a machine is infected.&lt;br /&gt;&lt;br /&gt;Jose Nazario of Arbor Networks today posted an &lt;a href="http://asert.arbornetworks.com/2009/01/iworkservices-p2p-ibotnet/"&gt;interesting blog&lt;/a&gt; on the iWork Trojan. He found that it's creating a botnet (of course). &lt;br /&gt;&lt;br /&gt;Earlier this week I speculated that the &lt;a href="http://defense-in-depth.blogspot.com/2009/01/is-downadupconficker-worm-building-new.html"&gt;Downadup/Conficker worm&lt;/a&gt; might be doing the same.&lt;br /&gt;&lt;br /&gt;Nazario says, like other botnets, it keeps trying until it connects to the command and control server. "It also grabs a list of seed P2P peers from the file itself by decrypting the running file (thwarting static analysis) and managing the known peers as you would expect. It generates a port to listen on as needed (although it’s not quite clear to me how it would handle being behind a NAT device)…. What’s more is that there is an embedded Lua interpreter, giving a very sophisticated command language some additional structure."&lt;br /&gt;&lt;br /&gt;What has this new botnet been up to? 
So far, Nazario reports it has been creating distributed denial of service (DDoS) attacks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-4350826249255282325?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/4350826249255282325/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/iwork-2009-trojan-building-botnet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/4350826249255282325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/4350826249255282325'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/iwork-2009-trojan-building-botnet.html' title='iWork 2009 Trojan building a botnet'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-5085297251642510858</id><published>2009-01-22T22:28:00.000-08:00</published><updated>2009-01-22T22:30:29.340-08:00</updated><title type='text'>Internet Explorer 8 RC 1</title><content type='html'>A week ago I sat down with Dean Hachamovitch, General Manager of the IE team at Microsoft, and we talked about Internet Explorer 8 RC 1. In the video below, he outlines what he believes are the compelling reasons to use Internet Explorer 8. 
&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/wG1JMVkG7m0&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/wG1JMVkG7m0&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The first reason he mentioned was this is now a stable platform. Developers, he said, should build for IE8 RC 1 knowing that their sites won't have to change when the final release arrives this summer.&lt;br /&gt;&lt;br /&gt;The second reason, he said, is that IE 8 won't crash, or crash as often. Dean and his team looked at the Beta 2 data and made a series of improvements. Of course, IE 8 includes "in tab crashing," meaning the other IE tabs will remain up and running if one page suffers a problem. Unlike Firefox, which has session restore and can restore the browser and all its tabs after a crash, the IE browser keeps running and only the one tab displaying that problematic page will crash and restore. Pretty cool, eh? &lt;br /&gt;&lt;br /&gt;Microsoft accomplished this by isolating the code for each tab, more or less treating each as a mini browser, something that Firefox does not do.  To prove his point, Dean showed me a video that crashed a tab. What was very cool was that the streaming video continued in the background while the tab restored itself so that when the page came up, the video continued where it had left off.&lt;br /&gt;&lt;br /&gt;There's also compatibility within IE 8. If a page doesn't render right in IE 8, you have the option of displaying it in IE 7. 
Weird, but it makes sense.&lt;br /&gt;&lt;br /&gt;There are some changes in In Private, Microsoft's "porn browsing mode" where the history won't be stored for sites visited. What I saw involved a visual change in the browser so the user can't be fooled into In Private mode without noticing something's changed.&lt;br /&gt;&lt;br /&gt;Finally, Dean suggests looking for some surprises hidden within the Favorites bar.&lt;br /&gt;&lt;br /&gt;Throughout our conversation Dean hinted that Microsoft would like to see organizations build on the Internet Explorer platform custom applications for their employees or customers to use. This sounds a lot like the idea behind Google releasing Chrome as an environment for its Google Gadgets. Perhaps Microsoft is heading in the same direction.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-5085297251642510858?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/5085297251642510858/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/internet-explorer-8-rc-1.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/5085297251642510858'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/5085297251642510858'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/internet-explorer-8-rc-1.html' title='Internet Explorer 8 RC 1'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-3888088785330101323</id><published>2009-01-21T10:18:00.000-08:00</published><updated>2009-01-23T10:23:01.560-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Defense in Depth'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerability'/><category scheme='http://www.blogger.com/atom/ns#' term='QuckTime'/><category scheme='http://www.blogger.com/atom/ns#' term='arbitrary code execution'/><category scheme='http://www.blogger.com/atom/ns#' term='security update'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='denial of service'/><category scheme='http://www.blogger.com/atom/ns#' term='CVE'/><category scheme='http://www.blogger.com/atom/ns#' term='Apple'/><category scheme='http://www.blogger.com/atom/ns#' term='Mac OS X'/><title type='text'>Apple issues 8 critical QuickTime security updates</title><content type='html'>Today Apple issued a &lt;a href="http://support.apple.com/kb/HT3403"&gt;security update for QuickTime 7.6&lt;/a&gt;. The update addresses flaws in both the Mac OS X and Windows XP and Vista implementations of the media viewer. 
&lt;br /&gt;&lt;br /&gt;Specifically, the update fixes flaws CVE-2009-0001 through CVE-2009-0007.&lt;br /&gt;&lt;br /&gt;The eight vulnerabilities within QuickTime can all be exploited to cause an unexpected application termination (denial of service) or arbitrary code execution on affect PCs, and therefore this patch should be taken seriously.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-3888088785330101323?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/3888088785330101323/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/apple-issues-8-critical-quicktime.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/3888088785330101323'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/3888088785330101323'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/apple-issues-8-critical-quicktime.html' title='Apple issues 8 critical QuickTime security updates'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-6267931811410950443</id><published>2009-01-20T09:49:00.000-08:00</published><updated>2009-01-23T09:52:09.918-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cybercrmie'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Visa'/><category scheme='http://www.blogger.com/atom/ns#' term='US Secret Service'/><category scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><category scheme='http://www.blogger.com/atom/ns#' term='Defense in Depth'/><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><category scheme='http://www.blogger.com/atom/ns#' term='carders'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='Heartland'/><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='indentity fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='Robert Baldwin'/><category scheme='http://www.blogger.com/atom/ns#' term='data breach'/><category scheme='http://www.blogger.com/atom/ns#' term='hackers'/><title type='text'>Heartland data breach could be the largest in US history</title><content type='html'>Details are emerging on what could well become the largest data breach in US history.&lt;br /&gt;&lt;br /&gt;Heartland, a company that processes payments for more than 250,000 businesses, is saying today that up to one million customers may have had their credit information stolen, a number easily eclipsing the 47 million customers potentially at risk of credit fraud from the TJX data breach a few years ago. Heartland has since called the U.S. 
Secret Service and hired two breach forensics teams to investigate.&lt;br /&gt;&lt;br /&gt;The breach was discovered late last year as fraud activity from Visa and MasterCard cards began to spike; the affected cards had all been used at establishments serviced by Heartland's credit card processing centers.&lt;br /&gt;&lt;br /&gt;Robert Baldwin, Heartland's president and chief financial officer, told the &lt;i&gt;Washington Post&lt;/i&gt; that 40 percent of transactions the company processes come from small to mid-sized restaurants across the country.  He declined to name a specific restaurant.&lt;br /&gt;&lt;br /&gt;Brian Krebs at &lt;a href="http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html"&gt;&lt;i&gt;Washingtonpost.com&lt;/i&gt;&lt;/a&gt; has the details, as does &lt;a href=" http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9126379&amp;intsrc=hm_list "&gt;ComputerWorld&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-6267931811410950443?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/6267931811410950443/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/heartland-data-breach-could-be-largest.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/6267931811410950443'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/6267931811410950443'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/heartland-data-breach-could-be-largest.html' title='Heartland data breach could be the largest in US 
history'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-4099359251228537600</id><published>2009-01-19T09:28:00.000-08:00</published><updated>2009-01-23T09:34:18.100-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MS08-067'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='worm'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='malicious server'/><category scheme='http://www.blogger.com/atom/ns#' term='downadup'/><category scheme='http://www.blogger.com/atom/ns#' term='botnet'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='conficker'/><category scheme='http://www.blogger.com/atom/ns#' term='Patch Tuesday'/><title type='text'>Is the Downadup/Conficker worm building a new botnet?</title><content type='html'>There's a new Internet worm spreading that may be comparable to Melissa, Sasser, and Blaster in terms of the number of machines infected.&lt;br /&gt;&lt;br /&gt;The worm, Downadup (also known as &lt;a href="http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B"&gt;Win32.Conficker.B&lt;/a&gt; or simply "Conficker"), exploits a vulnerability in unpatched versions of the Windows Server service that is triggered by a specially crafted RPC request. Microsoft issued a rare out-of-cycle patch, &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;MS08-067&lt;/a&gt;, for this flaw on Oct. 23, 2008. 
&lt;br /&gt;&lt;br /&gt;However, estimates of up to nine million Downadup infections within the last week alone suggest that many systems worldwide haven't been patched. Thus the greatest danger from Downadup is to businesses that have not updated their desktops and servers on a regular basis. Home computers protected by a firewall are less at risk, although an infected laptop from work could nonetheless infect a home network. Microsoft has rated the MS08-067 patch Critical for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003, and Important for all supported editions of Windows Vista and Windows Server 2008.&lt;br /&gt;&lt;br /&gt;According to the SANS Internet Storm Center, Downadup uses &lt;a href="http://isc.sans.org/diary.html?storyid=5695"&gt;multiple vectors&lt;/a&gt; to infect PCs.&lt;br /&gt;&lt;br /&gt;1) Computers without the October 2008 patch can be attacked remotely and taken over. &lt;br /&gt;&lt;br /&gt;2) Downadup can also "brute force" or guess Administrator passwords on local networks and then spread through ADMIN$ shares.&lt;br /&gt;&lt;br /&gt;3) Finally, Downadup can create a special autorun.inf file and include its DLL on an infected removable device, such as a USB drive or external hard drive.&lt;br /&gt;&lt;br /&gt;Once executed, Downadup disables a number of system services, including Windows Security Center, Windows Defender, Windows Automatic Update, and Windows Error Reporting. 
Downadup then generates a list of possible domains, selects one, and then attempts to connect to a malicious server to download additional malware onto the infected computer.&lt;br /&gt;&lt;br /&gt;Given all the secrecy just to download additional malware, I'm thinking this is a botnet-creating worm.&lt;br /&gt;&lt;br /&gt;Although Microsoft added Downadup detection to its January 2009 Malicious Software Removal Tool (MSRT), an anti-malware utility distributed to Windows machines via the Windows Update process, experts recommend that users apply the MS08-067 patch from last October if they haven't already done so. Additionally, users may want to disable Autorun so that an infected USB drive or removable media device won't infect their PC; however, disabling Autorun in Windows involves editing the System Registry and should only be done by experienced personnel.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-4099359251228537600?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/4099359251228537600/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/is-downadupconficker-worm-building-new.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/4099359251228537600'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/4099359251228537600'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/is-downadupconficker-worm-building-new.html' title='Is the Downadup/Conficker worm building a new botnet?'/><author><name>Robert 
Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-8996603032481708852</id><published>2009-01-13T11:03:00.000-08:00</published><updated>2009-01-13T11:11:56.072-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='remote code execution'/><category scheme='http://www.blogger.com/atom/ns#' term='Defense in Depth'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Patch Tuesday'/><title type='text'>Microsoft SMB patch addresses 3 flaws</title><content type='html'>Today Microsoft issued a patch that resolves several privately reported vulnerabilities in Microsoft Server Message Block (SMB) Protocol, a protocol used for sharing files, printers, serial ports, and other communications.  &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx"&gt;MS09-001&lt;/a&gt; is rated by Microsoft as critical, its highest rating, for users running Windows 2000, XP, and Server 2003, and moderate, its second highest rating, for users running Windows Vista and Server 2008.  It replaces the SMB patch MS08-063 issued last October.  
Installation of the patch will require a system restart.&lt;br /&gt;&lt;br /&gt;Microsoft says that although there are three flaws addressed, they are unlikely to produce exploitable code because the first two (CVE-2008-4834 and CVE-2008-4835) only allow for one fixed value (zero) to be written, and controlling what data is overwritten will also be difficult. The third vulnerability (CVE-2008-4114) affects all Windows systems and allows for a Denial of Service attack. &lt;br /&gt;&lt;br /&gt;The patch today is the only one for Microsoft's &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx"&gt;January 2009 Patch Tuesday release&lt;/a&gt;. The patch may be obtained from &lt;a href="http://update.microsoft.com/windowsupdate/v6/thanks.aspx?ln=en&amp;&amp;thankspage=5"&gt;Windows Updates&lt;/a&gt; or via the bulletin itself.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-8996603032481708852?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/8996603032481708852/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/microsoft-smb-patch-address-3-flaws.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8996603032481708852'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8996603032481708852'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/microsoft-smb-patch-address-3-flaws.html' title='Microsoft SMB patch addresses 3 flaws'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-3655500575236377771</id><published>2009-01-13T10:24:00.000-08:00</published><updated>2009-01-13T11:26:36.687-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='HBGary'/><category scheme='http://www.blogger.com/atom/ns#' term='Greg Hoglund'/><category scheme='http://www.blogger.com/atom/ns#' term='cybercrime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='physical memory'/><category scheme='http://www.blogger.com/atom/ns#' term='investigations'/><title type='text'>HBGary announces FastDump Pro for physical memory investigations</title><content type='html'>HBGary, a computer security firm in Sacramento, California, today announced FastDump Pro, the first memory acquisition software to offer 32- and 64-bit support for all supported versions of Windows with more than 4 gigabytes of RAM.  FastDump Pro allows organizations and investigators to preserve and analyze physical memory snapshots of 32- and 64-bit editions of Windows.&lt;br /&gt;&lt;br /&gt;"Based on feedback from Fortune 100 and government customers, computer intrusions into physical memory were one of the top security concerns in 2008," said Greg Hoglund, CEO of HBGary, Inc in a press release. "Some malware is not visible anywhere on the computer but in physical memory."&lt;br /&gt;&lt;br /&gt;FastDump was first released as a &lt;a href="http://www.hbgary.com/download_fastdump.html"&gt;free download&lt;/a&gt; in April 2008 for 32-bit systems. 
The company reports that since its release, several Fortune 100 corporations and 20 of the top 30 government agencies have downloaded the product. The product announced today will be free to HBGary customers with Responder licenses or purchased separately at $100.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-3655500575236377771?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/3655500575236377771/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/hbgary-announces-fastdump-pro-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/3655500575236377771'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/3655500575236377771'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/hbgary-announces-fastdump-pro-for.html' title='HBGary announces FastDump Pro for physical memory investigations'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-394734764613074444</id><published>2009-01-13T09:35:00.000-08:00</published><updated>2009-01-13T11:37:35.058-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Web threats'/><category scheme='http://www.blogger.com/atom/ns#' term='Ninetendo WII'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Apple TV'/><category scheme='http://www.blogger.com/atom/ns#' term='Trend Micro'/><category scheme='http://www.blogger.com/atom/ns#' term='home network'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='Cisco'/><title type='text'>Trend Micro and Cisco to monitor all the network aware gadgets in your home</title><content type='html'>Trend Micro and Cisco today announced a partnership service that offers a way to protect all Internet connected gadgets at home. Called the Home Network Defender, the service uses Linksys routers to monitor the security of any IP-enabled device connected to the home network.&lt;br /&gt;&lt;br /&gt;Already there have been viruses reported in digital picture frames and if these are connected remotely to the home computer network, they could spread infections in the future. Not only that, smartphones, Apple TV, and even Nintendo Wii could become vectors.&lt;br /&gt;&lt;br /&gt;The service includes many familiar tools, including antivirus software, parental controls, Trend Micro’s Smart Protection Network, Web threat protection, safe Web surfing and various network activity reports. &lt;br /&gt;&lt;br /&gt;Basically it performs as a centralized management console for all devices attached to the home network. For example, if a teenager has an iPhone that is connected to the home network, a parent using the Home Network Defender system could see a report of the sites that the child has connected to. 
In turn, the Home Network Defender will also protect the iPhone from any malicious activity.&lt;br /&gt;&lt;br /&gt;The Home Network Defender service will be launched at the end of January.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-394734764613074444?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/394734764613074444/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/trend-micro-and-cisco-to-monitor-all.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/394734764613074444'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/394734764613074444'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/trend-micro-and-cisco-to-monitor-all.html' title='Trend Micro and Cisco to monitor all the network aware gadgets in your home'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-7708767174934136378</id><published>2009-01-08T11:02:00.000-08:00</published><updated>2009-01-13T09:07:33.594-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Windows Vista'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerablity'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category 
scheme='http://www.blogger.com/atom/ns#' term='buffer overflow'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='remote code execution'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows XP'/><category scheme='http://www.blogger.com/atom/ns#' term='Patch Tuesday'/><title type='text'>One critical patch for Patch Tuesday</title><content type='html'>Next Microsoft Patch Tuesday, January 13, 2009, Microsoft will have only one patch. The patch affects Windows and the vulnerability (or vulnerabilities) could be used for remote code execution. &lt;br /&gt;&lt;br /&gt;Microsoft says the patch will be critical, the highest rating, for Windows 2000, XP, and Server 2003 users, and moderate, the second highest rating, for Windows Vista and Server 2008 users.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-7708767174934136378?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/7708767174934136378/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/one-critical-patch-for-patch-tuesday.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/7708767174934136378'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/7708767174934136378'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/one-critical-patch-for-patch-tuesday.html' title='One critical patch for Patch 
Tuesday'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-8354424271754069569</id><published>2009-01-05T09:07:00.000-08:00</published><updated>2009-01-13T09:22:18.927-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='linda foley'/><category scheme='http://www.blogger.com/atom/ns#' term='skimming'/><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='data loss'/><category scheme='http://www.blogger.com/atom/ns#' term='identity fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='ID Theft Resource Center'/><category scheme='http://www.blogger.com/atom/ns#' term='ID fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Defense in Depth'/><category scheme='http://www.blogger.com/atom/ns#' term='data breach'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='dlp'/><category scheme='http://www.blogger.com/atom/ns#' term='data loss prevention'/><title type='text'>Report: Data breaches up in 2008</title><content type='html'>According to a report out today from the ID Theft Resource Center (ITRC), the number of data breaches increased 46% in 2008 over the previous year.  &lt;br /&gt;&lt;br /&gt;Of the five categories monitored by ITRC, only Educational and Military showed a decrease in the last year. 
Up were Business (reporting the most with 36% of the breaches), Health, and Financial services (reporting the least at only 11%).&lt;br /&gt;&lt;br /&gt;To prevent data loss, the ITRC issued the following guidelines:&lt;br /&gt;&lt;br /&gt;Based on the breach reports from the past 3 years, the ITRC strongly advises all agencies and companies to:&lt;br /&gt;1. Minimize personnel with access to personal identifying information.&lt;br /&gt;2. Require all mobile data storage devices that contain identifying information encrypt sensitive data.&lt;br /&gt;3. Limit the number of people who may take information out of the workplace, and set into policy safe procedures for storage and transport.&lt;br /&gt;4. When sending data or back-up records from one location to another, encrypt all data before it leaves the sender and create secure methods for storage of the information, whether electronic or paper.&lt;br /&gt;5. Properly destroy all paper documents prior to disposal.  If they are in a storage unit that is relinquished, ensure that all documents are removed. &lt;br /&gt;6. Verify that your server and/or any PC with sensitive information is secure at all times.  In addition to physical security, you must update anti-virus, spyware and malware software at least once a week and allow your software to update as necessary in between regular maintenance dates.&lt;br /&gt;7. 
Train employees on safe information handling until it becomes second nature.&lt;br /&gt;&lt;br /&gt;For more information, see the &lt;a href="http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml"&gt;ITRC 2008 Breach List&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-8354424271754069569?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/8354424271754069569/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/report-data-breaches-up-in-2008.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8354424271754069569'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/8354424271754069569'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2009/01/report-data-breaches-up-in-2008.html' title='Report: Data breaches up in 2008'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-4943149201433756043</id><published>2008-12-17T05:43:00.000-08:00</published><updated>2009-01-13T09:19:32.308-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='internet explorer'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerablity'/><category scheme='http://www.blogger.com/atom/ns#' 
term='AZN Trojan'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='out-of-cycle'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='Trojan horse'/><category scheme='http://www.blogger.com/atom/ns#' term='Animated Cursor'/><category scheme='http://www.blogger.com/atom/ns#' term='Patch Tuesday'/><category scheme='http://www.blogger.com/atom/ns#' term='RPC'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><title type='text'>Emergency IE patch due today</title><content type='html'>&lt;p&gt;On Wednesday, Microsoft will issue an emergency, out-of-cycle security bulletin for a critical flaw affecting all versions of Internet Explorer.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;The bulletin is in response to a growing threat. Since the first week in December, the AZN Trojan has been exploiting a known flaw in IE. Visitors to infected Web sites could become infected with a Trojan horse that can download malware onto a user's system.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Microsoft normally issues patches on the second Tuesday of each month, "Patch Tuesday." But out-of-cycle patches are not without precedent. Recent examples include the flaw in how Windows handles remote procedure calls (RPC) in October, the Windows Animated Cursor Remote Code Execution Vulnerability in April 2007, a vulnerability in Vector Markup Language in September 2006, and a vulnerability in the Graphics Rendering Engine in January 2006.&lt;/p&gt;  &lt;br /&gt;&lt;p&gt;The patch will be automatically distributed to Windows users with Automatic Updates enabled. 
The patch is also available via &lt;a href="http://update.microsoft.com/"&gt;Microsoft Update&lt;/a&gt; or the individual bulletin for &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-078.mspx"&gt;MS08-078&lt;/a&gt; (available after 11 a.m. Pacific Wednesday).&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-4943149201433756043?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/4943149201433756043/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2008/12/emergency-ie-patch-due-today.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/4943149201433756043'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/4943149201433756043'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2008/12/emergency-ie-patch-due-today.html' title='Emergency IE patch due today'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7018540201145581108.post-2736421399013711422</id><published>2008-12-16T05:50:00.000-08:00</published><updated>2008-12-16T06:11:42.302-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ATM machines'/><category scheme='http://www.blogger.com/atom/ns#' term='skimming'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Defense in Depth'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='robert vamosi'/><category scheme='http://www.blogger.com/atom/ns#' term='ITRC'/><category scheme='http://www.blogger.com/atom/ns#' term='linda foley'/><category scheme='http://www.blogger.com/atom/ns#' term='credit card scams'/><category scheme='http://www.blogger.com/atom/ns#' term='real estate scams'/><category scheme='http://www.blogger.com/atom/ns#' term='cybercrime'/><category scheme='http://www.blogger.com/atom/ns#' term='ID fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='ID Theft Resource Center'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Scams top predictions for ID theft in 2009</title><content type='html'>&lt;p&gt;&lt;br /&gt;Real estate scams and credit card scams will top the ways ID thieves will attempt to steal personal information in 2009, warned the &lt;a href="http://www.idtheftcenter.org/"&gt;ID Theft Resource Center (ITRC)&lt;/a&gt; on Tuesday in its annual predictions for the upcoming year.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;The center's Linda Foley said in a statement that as people find themselves strapped for cash and falling behind, they may become prey for opportunistic scam artists proposing relief. She recommends talking with your bank or mortgage company before talking to strangers.  "Your home, while fully paid for, could even be entangled in a second mortgage without your knowledge."&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;With credit card scams, thieves might advertise the ability to get a new card even despite poor credit or lack of a Social Security number. The center warns of companies seeking to consolidate debts or renegotiate your interest rates. 
Again, talk to your credit card company or bank, not strangers.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Additionally, the center warns of continued "targeted" attempts to steal personal information. Thieves are using sophisticated means to mine personal data, including "skimming" credit cards by making duplicates of them at point-of-sale stations or using fake hardware at ATM machines.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Is there hope? The center points to the Red Flag Compliance Laws that will take effect in July 2009. These are a set of regulations that will help financial organizations audit their security programs. However, it is up to the organizations themselves to enforce the regulations.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7018540201145581108-2736421399013711422?l=defense-in-depth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://defense-in-depth.blogspot.com/feeds/2736421399013711422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://defense-in-depth.blogspot.com/2008/12/scams-top-predictions-for-id-theft-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/2736421399013711422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7018540201145581108/posts/default/2736421399013711422'/><link rel='alternate' type='text/html' href='http://defense-in-depth.blogspot.com/2008/12/scams-top-predictions-for-id-theft-in.html' title='Scams top predictions for ID theft in 2009'/><author><name>Robert Vamosi</name><uri>http://www.blogger.com/profile/16226895208594845189</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://3.bp.blogspot.com/-1xSX_tnAMeY/TY0EhtUNBrI/AAAAAAAAAB0/8O6wbVqj6Kc/s220/robert-vamosi-2.jpg'/></author><thr:total>0</thr:total></entry></feed>
