|
Internet Security News
Breaking news and updates in Internet security
Last Updated: September 6th, 2010 12:06:01 CDT -0500
Email Password Hackers Present Real Threat
The next time you have something really important to tell someone, consider whether a drive over to his or her house wouldn't be a nice way of spending a few minutes. One reporter has found that it's quite easy (and perhaps all too common) for people to buy email accounts' passwords from hackers.
 | | Email Password Hackers Present Real Threat |  |
Tom Jackman wrote in an article for the Washington Post, "[S]ervices as YourHackerz.com are still active and plentiful, with clever names like 'piratecrackers.com' and 'hackmail.net.' They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly."
Jackman found that prices for passwords range from around $30 to $100, which means that even the average ten-year-old can probably afford these hackers' services.
Plus, unless someone important is involved or things get rather serious, law enforcement isn't terribly likely to look into (or at least resolve) the matter, because accessing a computer without authorization is just a misdemeanor in most areas and tracking down a perpetrator can be difficult.
And it doesn't help, of course, that all of these facts have now been publicized in a widely-read newspaper.
So if you've got some nasty business rivals or psycho exes, at least try to play it safe by changing your password often for as long as you're in the person's sights. Then there's always the option of putting a few more miles on the odometer, too.
Dell Collaborates with Trend Micro
Small and medium businesses are constantly at risk of being targeted by cybercriminals, simply because they are smaller than large corporations. The bigger a company is, the more money they have to invest in higher-tech security systems and larger, more involved IT departments. For smaller companies, it is easy to focus on trying to expand business and let security sit on the back-burner. This is where the partnership between Dell and Trend Micro comes in. They have come up with an easy way for small and medium sized businesses to manage their security needs without breaking the bank.
 | | Dell Collaborates with Trend Micro | |
Trend Micro's Business Security Services include several desirable features to make the security portion of running a business much easier. First and foremost, is a set of web-based tools which make administration extremely easy. There is no need for a dedicated in-office server (or any company owned server at all), and the administration panel can be accessed from anywhere with an internet connection. There is also a remarkably low system performance impact, thanks to the fact that once a scan is complete, the results are processed in the "Smart Protection Network" run by Trend Micro. For companies with little or no IT staff on hand, the system comes pre-configured security parameters and runs automatically, so there is less worry about having something set up improperly. Both desktops and laptops are secured with this software, even if they are used outside the office. Anytime the computer is connected to the internet, it is being actively protected. This has the biggest impact on users who travel with their work, as many do.
This is a big step forward for one of the top PC suppliers in the world. The fact that this software can come pre-installed on systems shipped to its commercial clients means that they can offer security and piece of mind to a large group of people.
Apple and Adobe Both Roll Out Large Security Updates
Both Apple and Adobe have shipped out relatively large collections of security patches this past week, Apple fixing up OSX and Adobe locking down it's Shockwave player. Both sets of patches have been given a security rating of 'critical,' which means that there is the possibility of malicious code execution on an unprotected system.
 | | Apple And Adobe Both Roll Out Large Security Updates | |
Apple's update this week fixes code execution attacks when viewing maliciously crafted PDF or PNG files, or even just viewing a document with a maliciously crafted font installed. There is also the possibility for network administrators to abuse their positions by intercepting sensitive data through the use of an anonymous TLS/SSL connection, or to use a similarly named web address to impersonate a legitimate site and steal information that way. For instance, if they are in possession of the domain name www.example.com, they are able to impersonate www.example.com due to the lack of checking the final letter in the certificates. There are also updates for the newest versions of PHP and ClamAV which both claim to include necessary security updates. These updates can be applied via the "Software Update" option in OSX or downloaded from Apple's support site.
Adobe has updated their Shockwave Player to fix several security holes, including 16 memory corruption vulnerabilities which could lead to code execution. These vulnerabilities affect version 11.5.7.609 and earlier, and it is recommended that anyone running these versions immediately upgrade to the most recent version (11.5.8.612) of the software found on Adobe's website. The memory corruption vulnerabilities and four more issues are all labeled as 'critical' in the Severity Rating System. The other issues include two denial of service attacks, one of which could potentially lead to code execution. Also there is a pointer offset vulnerability and an integer overflow vulnerability which can grant one with malicious intent access to plant code in a user's memory.
HP to Acquire Fortify
Earlier this week, HP announced that it will soon be adding Fortify to its list of recently acquired companies. This will be a huge advantage for HP in the security market.
 | | HP to Acquire Fortify | |
Fortify Software is a company that specializes in software security. Founded in 2003, it has continued to grow and supply Software Security Assurance (SSA) to government agencies and fortune 500 companies in many different industries. Their best known software suite, Fortify 360, is a tool that can root out security issues in software, as well as fix those issues and prevent future vulnerabilities. In February of this year, HP and Fortify released their most recent collaboration, "Hybrid 2.0" which goes to show that there has been no problems between these companies working together in the past.
Once the deal is finalized, Fortify will continue to run as a stand-alone company. Eventually though, they will be slowly integrated into HP's Software and Solutions business. This will allow HP to put a much larger focus on software security in every aspect of the application life cycle. "Businesses operate in a world of increasing security and compliance challenges, and the applications and services that they rely on are core to the problem and the solution," said Bill Veghte, the executive VP of the Software and Solutions branch, in the official HP statement on the acquisition. "With Fortify's leadership in static application security analysis combined with HP's expertise in dynamic application security analysis, organizations will have a best-in-class solution to improve the security of their applications and services."
This is not the only company HP has had its eye on. Just last month, HP finalized its purchase of Palm, Inc. This was meant to increase their connection to the rapidly growing mobile device market. This past April, HP bought 3Com for its computer network hardware capabilities. These companies were purchased for $1.2 billion and $2.7 billion dollars respectively. The details of the deal between HP and Fortify have not yet been disclosed.
Microsoft Issues Record Breaking Security Update
Patch Tuesday has come and gone, and with it came the biggest Microsoft Update ever seen since they began their monthly update cycle in 2003. The Windows Operating System as well as Internet Explorer, MS Office, MS Office for Mac, MS Works, Silverlight 2 and 3, the .NET Framework and Movie Maker are all affected.
 | | Microsoft Issues Record Breaking Security Update | |
There are 14 new security bulletins released this week, 8 of which are labeled as "critical" and the remaining 6 are labeled "important". These numbers do not include the link vulnerability patch that was released last week, although the Security Bulletin Summary does include that patch with the others. Microsoft is assuring people that of these new vulnerabilities, none have been seen exploited in the wild as of yet.
Of the 8 "critical" bulletins, 4 are listed as high-priority, meaning that they should receive immediate attention.
MS10-052 - This bulletin addresses a vulnerability in Microsoft's MPEG Layer-3 audio codecs. Remote code can be executed through specially crafted media files or streaming content from a website or web application.
MS10-055 - This bulletin addresses a vulnerability in the Cinepak Codec. Remote code can be executed through specially crafted media files or streaming content from a website or web application.
MS10-056 - This bulletin addresses 4 different vulnerabilities in MS Office. An attacker can gain privileges equal to that of the user if that user opens or previews a specially crafted RTF email message.
MS10-060 - This bulletin addresses 2 different vulnerabilities in the .NET Framework and Silverlight. Remote code can be executed when viewing a specially crafted web page in a browser which can run XAML Browser Applications or Silverlight Applications, or if the user runs a specially crafted .NET application.
More information on these 4 bulletins, as well as the other bulletins, can be found via the Microsoft Security Bulletin Summary for August 2010.
Microsoft Fixes Most Recent Vulnerability
Microsoft has released a non-standard update to the Windows Operating System. This unusual move was prompted by a slew of highly critical viruses taking advantage of a vulnerability in shortcut links.
 | | Microsoft Fixes Most Recent Vulnerability | |
On July 16, Microsoft Security Advisory (2286198) was published to Microsoft's website. It explains a problem with the way Windows handles .LNK and .PIF files, which are symbolic links to legitimate programs on a computer. Basically, when the link image was rendered, it allowed the malware embedded in the file access equal to that of the current user and executed malicious code with those abilities. Obviously, users who insist on running with administrative permissions were at a higher risk than those who log on with a regular account.
There are several viruses that have been exploiting this security hole. The first known use of this vulnerability was the Stuxnet worm, which spread via USB drives and stole information from computers running software from Siemens. Since then, there have been other viruses to exploit this same problem. Microsoft blogged about these viruses, including one particularly nasty one known as Sality.AT. Microsoft stated that Sality is "highly virulent," and works by infecting other files, copying itself to removable media, disabling security and finally downloading other malware onto the infected system.
Earlier this week, Microsoft released Microsoft Security Bulletin MS10-046, which is the patch to fix this particular vulnerability. This "out of band" patch came a full week before the regularly scheduled update, due to concern for customers' security. Everyone who has Automatic Updates turned on will already have the patch installed and their system is secured against this particular threat. The only people who need be concerned are those who check for updates manually and those who are still running Windows 2000 or XP Service Pack 2 or earlier, as they are no longer supported by Microsoft.
Google Pushing to Redefine 'Responsible Disclosure'
After all the debate about disclosing security vulnerabilities within software, Google is trying to reshape the process for fixing bugs. There has always been discussion on whether or not responsible disclosure was actually responsible or not, but it came to a head (at least from a media standpoint) last month with the Microsoft/Tavis Ormandy occurance.
 | | Google Pushing To Redefine 'Responsible Disclosure' | |
This post from the Google Online Security Blog discusses what Google would like to see changed in the current "responsible disclosure" model. Currently, when a security researcher finds a vulnerability in a piece of software, that researcher is supposed to inform the software vendor privately of the risk. The bug is not supposed to be released to the public until a fix is released.
According to Google's blog post, "The emotionally loaded name suggests that it is the most responsible way to conduct vulnerability research - but if we define being responsible as doing whatever it best takes to make end users safer, we will find a disconnect. We've seen an increase in vendors invoking the principles of "responsible" disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that time frame, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers. The important implication of referring to this process as "responsible" is that researchers who do not comply are seen as behaving improperly. However, the inverse situation is often true: it can be irresponsible to permit a flaw to remain live for such an extended period of time."
This does not seem like the best system to have in place for protection of the end user. Basically, this is saying that because security researchers are not allowed to release details of a bug to the public until there is a fix, there is no reason for the vendor to take action. It also takes notice of the fact that by using the term 'responsible' disclosure, it is barring anyone from breaking with the mold by labeling them as irresponsible.
Despite what it may seem like, Google is not trying to plunge us into a state of anarchy by proposing a full-disclosure method of dealing with bugs. They want to find a balance, where end users receive security updates in a timely manner, and software vendors have enough time to provide those fixes to the users. Their suggestion? A 60 day window between being informed of the vulnerability and having a fix available to to the public. In this situation, everybody wins.
Mozilla Rolls Out Security Update for Firefox
This week, Mozilla released a security update for their popular Firefox web browser. Firefox 3.6.7 fixes several security issues that were found in the 3.6.6 version. Over half of the vulnerabilities fixed were listed as "Critical," which is the highest danger level that Mozilla associates with security issues.
 | | Mozilla Rolls Out Security Update For Firefox | |
Of the 14 vulnerabilities listed on the Firefox update site, eight are listed as critical. Mozilla defines a critical issue as a "vulnerability [that] can be used to run attacker code and install software, requiring no user interaction beyond normal browsing." Basically, a hacker can run their code on your computer to access your information and install malware on your system. For instance, they list an issue with PNG issues. If you browse a site with a maliciously crafted image on it without clicking on anything, you can get a computer virus.
The way that most of these vulnerabilities are able to execute code on your machine are to take advantage of pointers to unallocated memory. These pointers are caused by array overflows or de-allocating objects with multiple pointers pointing to it. By using these dangling pointers, they are able to put their code into sections of memory that your computer doesn't realize are being used, and therefore doesn't know to protect. Once the malicious code is in memory, it is easy to execute.
The best way to protect yourself is to make sure that your browser is always up to date with the most current software. In Firefox, this is as easy as clicking the "Check for updates..." link in the Help menu, or by going to mozilla.com and clicking the big green button in the middle of the screen. This will update your browser to ensure that you have the best protection for your web browsing pleasure.
Windows XP Security Patch
This week, Microsoft released a new security patch for issues affecting the XP and Server 2003 operating systems. The vulnerabilities were all related to remote code execution, though only the XP patches were listed as critical by the Microsoft Security Bulletin.
 | | Windows XP Security Patch | |
On June 5, Tavis Ormandy, a Google security researcher discovered a zero-day vulnerability in Windows Help that he reported to Microsoft. When Microsoft and Ormandy could not agree on the terms of creating a fix, he published the vulnerability four days later, creating a huge media storm. There were people on both sides, some arguing that Ormandy acted irresponsibly by spoon feeding a security exploit to hackers who would use it to cause harm. Others argued that without full disclosure, Microsoft would not have taken this threat seriously and wouldn't act towards fixing the issue.
Whether or not Ormandy was right in his actions, the outcome speaks in his favor. This past Tuesday, Microsoft released Microsoft Security Bulletin MS10-042, which addresses these vulnerabilities. This is an amazingly quick turnaround. The normal time frame for "responsible disclosure" is to allow the software manufacturer a 60 day window to fix the problem before public release. To have a fix only five weeks after the bug was brought to Microsoft's attention makes a strong argument for the proponents of full disclosure.
On the other hand, since the release of this particular bug, Microsoft has reported over 10,000 computers have been affected by hackers using this security hole. This is a significant amount of people being affected by a previously unpublished issue. The fact that it was unpublished does not necessarily mean that it was unknown to the people who could exploit it. It is unlikely that Ormandy was the only person that would ever discover this problem. Thanks to his actions, we now have a solution to what could have become a serious problem for more than just the 10,000 people who were unfortunately targeted.
iTunes Store to Receive Security Makeover
Apple is in the news this week about the new security measures it will be implementing in the wildly popular iTunes store. Granted, this is not a major security upgrade, but it does help to prevent the kind of security holes that have been recently exposed.
 | | iTunes Store To Receive Security Makeover | |
This all began when a Vietnamese app developer named Thuat Nguyen's apps covered 42 of the top 50 apps in the app store. This raised a few red flags, especially after people commented on the apps that they never purchased them. After some investigating, Apple determined that Nguyen had obtained account information from 400 accounts with stored credit card information and had used them to purchase his apps from the App Store. He then used these accounts to purchase his apps, driving up sales and his revenue.
In order to combat this type of security breach, iTunes will now require an extra step be taken by its customers. On accounts with saved credit card information, customers will need to enter their CCV code from the back of their card more frequently. That's it. Admittedly, this is not a full security overhaul, but the truth is that that would be unnecessary. The "hacked" accounts are more than likely victims of fishing attacks, as Apple has stated that their servers were unaffected by any kind of security breach.
Overall, the damage caused by this problem was minimal (assuming you are not one of the 400 accounts that were targeted). 400 accounts out of 150 million comes to roughly 0.0003% of accounts worldwide. This coupled with the fact that Nguyen and his apps have been banned from the App Store makes this a fairly open and shut case. For anyone who was affected by this fraud, Apple recommends that you contact your credit issuing agency about canceling your card and issuing a charge back for unauthorized transactions.
|
