Cyber Security Week In Review: June 27th

June 27, 2009 by ADMIN

From The Internet Security Alliance and Information Security Resources

June 22, Computerworld - Exploits of unpatched Windows bug will jump, says Symantec. An exploit of a still-unpatched vulnerability in Microsoft Windows XP and Server 2003 has been added to a multi-strike attack toolkit, Symantec said recently, a move that may mean attacks will increase soon. According to Symantec, an in-the-wild exploit of the DirectShow bug, which Microsoft acknowledged a month ago, has been added to at least one Web-based attack kit. “This will likely lead to wide-spread use in a short time,” said a researcher with Symantec’s security response group, in an entry posted to the company’s blog on June 19. Microsoft has not yet issued a fix for the DirectShow bug, which affects Windows 2000, XP and Server 2003, but not the newer Windows Vista or Server 2008. The flaw also does not affect the not-yet-released Windows 7. However, attacks leveraging the bug have been tracked since May, when Microsoft issued a security advisory and confirmed it had evidence of “limited, active attacks.” Unlike other recent exploits of Microsoft zero-days, vulnerabilities that have not been patched by the time attack code surfaces, the DirectShow attacks are not targeting specific individuals or organizations. “This is not a targeted attack, but is one of limited distribution,” a senior research manager with Symantec, said in a telephone interview. What caught researchers’ attention, added the manager, was that the DirectShow exploit piggybacked on a run-of-the-mill phishing attack. It is becoming more common that a phishing site, in this case a bogus log-in page for Microsoft’s Windows Live software, also hosts malware that tries to hijack PCs.

June 21, Information Security Resources - Secrets Stolen, Fortunes Lost: Part I. There is a compelling lesson in this fact. A decade ago, such stories rarely made it onto the news wire or into the courts. Today, they are commonplace. Unfortunately, the awareness and defenses required to thwart such damaging activities, although economical and effective, are far from commonplace. Our hope is to change that.

June 22, ZDNet - Mozilla tackles XSS vulnerabilities with new technology. Mozilla’s security engineers are working on new technology that promises to mitigate a large class of Web application vulnerabilities, especially the cross-site scripting (XSS) plague against modern Web browsers. The project, called Content Security Policy, is designed to shut down XSS attacks by providing a mechanism for sites to explicitly tell the browser which content is legitimate. It can also help mitigate clickjacking and packet sniffing attacks. Website administrators specify which domains the browser should treat as valid sources of script. The browser will only execute script in source files from the white-listed domains and will disregard everything else, including inline scripts and event-handling HTML attributes. Sites that never want to have JavaScript included in their pages can choose to globally disallow script. To combat clickjacking, which allows clicks on one Web page to actually apply to clicks on another page that is invisible to the end user, Mozilla said Content Security Policy allows a site to specify which sites may embed a resource. The open-source group said Content Security Policy will be fully backward compatible and will not affect sites or browsers which do not support it.
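To make the policy model in that item concrete, here is an added example (not code from the original post or from Mozilla) of a minimal evaluator for the decisions a CSP-aware browser makes: which external script origins may load, whether inline script and event-handler attributes run, and which sites may embed the page. It assumes the later standardized `Content-Security-Policy` syntax rather than Mozilla's 2009 draft header, and it ignores ports, paths and scheme-only sources.

```python
# Added example: a simplified Content-Security-Policy evaluator.
# Assumes standardized CSP syntax (directive src1 src2; ...); ports, paths
# and scheme-only sources such as "https:" are deliberately not handled.
from urllib.parse import urlsplit

def parse_csp(header):
    """Split 'directive src1 src2; directive2 ...' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def _source_matches(src, url, page_url):
    """Does one source expression (host, 'self', 'none', *.wildcard) cover url?"""
    src = src.lower()
    if src == "'self'":
        return _origin(url) == _origin(page_url)
    if src.startswith("'"):            # 'none', 'unsafe-inline', ... match no host
        return False
    if "://" in src:                   # scheme + host source, e.g. https://cdn.example.com
        return _origin(url) == src.rstrip("/")
    host = (urlsplit(url).hostname or "").lower()
    if src.startswith("*."):           # wildcard subdomain source
        return host.endswith(src[1:])
    return host == src

def _script_sources(policy):
    # script-src governs script; absent that, default-src; absent both, no limit.
    return policy.get("script-src", policy.get("default-src"))

def script_allowed(policy, script_url, page_url):
    """True if an external script file at script_url may execute on page_url."""
    sources = _script_sources(policy)
    if sources is None:
        return True
    return any(s == "*" or _source_matches(s, script_url, page_url) for s in sources)

def inline_script_allowed(policy):
    """Inline <script> blocks and on* attributes run only under 'unsafe-inline'."""
    sources = _script_sources(policy)
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]

def embed_allowed(policy, embedder_url, page_url):
    """Clickjacking defense: may a page at embedder_url frame page_url?"""
    sources = policy.get("frame-ancestors")   # does not fall back to default-src
    if sources is None:
        return True
    return any(s == "*" or _source_matches(s, embedder_url, page_url) for s in sources)
```

A policy such as `script-src 'self' cdn.example.com; frame-ancestors 'self'` lets first-party and CDN script files run, refuses inline script and any other origin, and refuses framing by third-party pages.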

June 22, Information Security Resources - Security Information Event Management. Banking, Telecommunications, Power and Energy - anyone and everyone is under internal audit and regulator scrutiny to implement a Security Information Event Management system. But most Security Information Event Management implementations are rushed and placed only to shut up the auditors and to go on as usual. Since it’s a compliance requirement, the Security Information Event Management salespeople very rarely address whether the customer makes proper use of the solution, and whether this solution brings benefits to the company.

June 22, CNET News - New Facebook blog: We can hack into your profile. FBHive, a new blog devoted to the discussion of all things Facebook, has debuted with the revelation that its creators have discovered a hack that can expose some crucial profile data. It will not expose an individual’s personal photos or wall posts. But, FBHive says, it can bring up all the “basic information” that a user has entered into their profile, even if a user has elected to keep that information private. This is the section that includes location, gender, relationship status, relationships (significant other, parents, siblings), political views, religious views, birthday, and hometown. That is enough to be a problem in the identity theft department, as it could easily expose frequent password hints like dates of birth and mothers’ maiden names. FBHive has not shared the details of the newly discovered hack; more disconcertingly, it said Facebook has done nothing since it alerted the social network to the issue earlier this month.

June 22, Information Security Resources - The Cyber Shot Twittered Around the World. Unlike Russia, which to this day has successfully denied participation in cyber attacks on Estonia, Lithuania, and Georgia, or China, which vehemently denies its massive cyber espionage activities, the US has pretty much lent its support to a communication vehicle that is writing a new chapter in the history of cyber warfare.

June 23, Red Condor - Red Condor’s Spam Trip Wire detects new virus. Red Condor’s Spam Trip Wire feature instantly detected and blocked a new email virus campaign designed to scare email users with bogus legal action for activities including illegal music downloads. The virus campaign detected on June 22 calls attention to users’ supposed recent activity at sites commonly used to share and download copyrighted movies, music and software. The email content threatens recipients with legal action and includes a link to a “log report” that is actually a virus executable. Red Condor created a filtering rule and distributed the added security to its security appliance and hosted service customers around the world.

June 23, Information Security Resources - (Never) Always Set Up QA Before Production. And then the code is deployed into production, where it fails spectacularly. Now the problem isn’t that the QA schedule is slipping. Now the problem is that a potentially mission-critical service is down, and we have a potential Sev 1 outage, requiring the best Ops, QA and Development people to figure out how to restore service.

June 23, Information Security Resources - Enhancing Value Propositions with IT Security. Rather than struggle with existing processes and culture, security professionals must strive to design solutions that leverage these elements… If information security professionals discuss security within this framework, they can communicate the business value of a given set of solutions. By speaking the language of business they can get the attention of those in control of the budget.

June 24, US-CERT - Adobe Releases Update for Shockwave Player. Adobe has released Shockwave Player 11.5.0.600 to address a vulnerability. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. US-CERT encourages users and administrators to review Adobe security bulletin APSB09-08 and update to Shockwave Player 11.5.0.600 to help mitigate the risks.

June 24, Washington Post - Gates Creates Cyber-Defense Command. Defense Secretary Robert M. Gates issued an order yesterday establishing a command that will defend military networks against computer attacks and develop offensive cyber-weapons, but he also directed that the structure be ready to help safeguard civilian systems. In a memo to senior military leaders, Gates said he will recommend that President Obama designate that the new command be led by the director of the National Security Agency, the world’s largest electronic intelligence-gathering agency. The current NSA director, Lt. Gen. Keith B. Alexander, is expected to be awarded a fourth star and to lead the cyber-command. Gates or his deputy had been expected to announce the command in a speech a week ago. Analysts said making the announcement by memo is in keeping with the Pentagon’s effort to tamp down concerns that the Defense Department and the NSA will dominate efforts to protect the nation’s computer networks. The command will be set up as part of the U.S. Strategic Command, which is responsible for commanding operations in nuclear and computer warfare. Gates directed that the command be launched by this October and be fully operational by October 2010. In a speech last week, Deputy Defense Secretary William Lynn stressed that the command’s mission would be to defend military networks. However, he said, “it would be inefficient — indeed, irresponsible — to not somehow leverage the unrivaled technical expertise and talent that resides at the National Security Agency” to protect the federal civilian networks, as long as it is done in a way that protects civil liberties.

June 24, Information Security Resources - PCI SSC Seeks Input on Security Standards. During phase two of the lifecycle process, between July 1 and November 1, 2009, merchants, processors, financial institutions and other key stakeholders have the opportunity to provide detailed and actionable feedback in an effort to revise future editions of the Council’s standards to improve payment data security.

June 24, VNUNet.com - Google clamps down on ‘malvertising.’ Google has made several enhancements to its anti-malvertising site to help its ad network customers prevent attempts to distribute malware through advertising. The web giant launched an initial custom search engine at the beginning of the year, which is designed to allow ad networks to perform quick background checks on prospective advertisers to minimize the risk of malware. “It checks a variety of independent, third party sites that track possible attempts to distribute malware through advertising,” said a statement on the site. “Its search results should not be considered the last word on a prospective customer but one potential source of helpful information. If a party you’re researching comes up in a search result here, we recommend you take a closer look at the party in question before rendering judgment.” Now the Anti-Malvertising.com site has been enhanced with additional educational materials relevant to “all web publishers, ad operations teams and Internet users”, according to Google. Among the recommendations for publishers is that they always perform comprehensive QA on creatives and that they avoid ad networks without strong anti-malware measures in place. Also on the site are incident response tactics for small to medium sized publishers, including sample scripts for customer service and notifying ad networks and other third parties in the event of malware being discovered.

June 25, Information Security Resources - Can Your iPhone Really Be Made Secure? Anyone in the security field will tell you that information security is affected and addressed at multiple layers within a solution. As part of the evaluation process for an enterprise business solution, particularly one that enables the transport of potentially sensitive data outside the corporate network, a risk analysis should be conducted.

June 25, PC World - Hacked high-profile Twitter accounts still spreading malicious links. Phishing scams involving hijacked accounts continue to sweep through the popular microblogging site Twitter. In January, hackers commandeered the accounts of several high-profile members and distributed malicious links and spam messages. On June 23, scammers used the profile of a former Apple Fellow, with over 100,000 followers, to post a link to a site that claimed to offer a non-existent sex tape. According to PC World, a University of Alabama at Birmingham computer forensic scientist believes that over 1,600 people have already followed the link to a fake porn site that links to a Trojan horse program. This software affects both Macs and PCs, and, if downloaded, essentially turns a user’s computer into a zombie that can be controlled from afar, enabling a hacker to extract valuable personal information. The scheme also leeched off the compromised accounts of a political blogger, a rising musician, and a gay news site, some of which still have the malicious link available on their Twitter pages.

June 25, Information Security Resources - State Entities Targeting Intellectual Property. Why do nation states engage in economic espionage and intellectual property theft? Primarily, to acquire technology to advance a military program, or to advance the economic competitiveness of the nation’s industrial base, or simply to ensure that the major companies and contributors to the nation’s GDP continue to make that contribution.

June 26, US-CERT - Spam, Phishing, and Malicious Code Related to Recent Celebrity Deaths. US-CERT is aware of public reports of an increased number of spam campaigns, phishing attacks, and malicious code targeting the recent deaths of Michael Jackson and Farrah Fawcett. These email messages may attempt to gain user information through phishing attacks or by recording email addresses if the user replies to the message. Additionally, email messages may contain malicious code or may contain a link to a seemingly legitimate website containing malicious code.

US-CERT would like to remind users to remain cautious when receiving unsolicited email. Users are encouraged to take the following measures to protect themselves from these types of attacks:

* Do not follow unsolicited web links received in email messages.
* Install and maintain up-to-date antivirus software.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

June 26, Information Security Resources - Sensitive Data and the Pharmacy Industry. There is a surfeit of Information today, and although we have come up with ways and means to store them for eternity, we are still not able to ensure their security. Information is valuable only as long as it remains protected, and once in the hands of people who are likely to misuse it, it turns into a recipe for disaster.

June 26, Information Security Resources - On Communications Sector Cyber Security. Government needs to work with industry on establishing standards and practices that appreciate the evolving nature of multi-media communication technologies such as VoIP to help assure that this and other modern platforms are properly secured. For organizations that are focused on the threat, and even more urgently for those who have not yet come to the realization, there needs to be serious education across all sectors about the threat.

Download a complete copy of The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and 111th Congress.

The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues. The ISAlliance represents corporate security interests before legislators and regulators, in so doing the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.

*   *   *


The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com



Filed under: Bozidar Spirovski, Breach, Britt Womelsdorf, Christopher Burgess, D&O Liability, FEATURE ARTICLE, Financial, Government, ISR News, Insider Threat, Internet Security Alliance, Kat Sanders, Military, PCI, PCI Security Standards Council, Richard Stiennon, Sarbanes-Oxley, Steven Fox, Sybase, Tripwire, Uncategorized, hackers, identity-theft, malware, national security, privacy 
