|
Internet Security News
Breaking news and updates in Internet security
Last Updated: September 9th, 2010 09:42:04 CDT -0500
ICSA Labs Finds Flaws In New Security Products
It's sometimes fun to be an early adopter, as the long lines and waitlists for things like iPhones and the new Camaro have proven. But where security products are concerned, do yourself a favor and let other folks go first, since a fresh report indicates that it can take more than a single try to get things right.
 | | ICSA Labs Finds Flaws In New Security Products |  |
ICSA Labs, which is based in Pennsylvania and has been around for 20 years, tests and sometimes certifies products. Emphasis on "sometimes."
An ICSA Labs Product Assurance Report indicated that just 4 percent of security products attain certification following a first round of testing. Most have to try again between one and three times before making the cut.
And it's not guaranteed that a product will ever meet the necessary standards, either. According to ICSA Labs, only about 82 percent of products attain certification in the end, meaning about one-fifth of all applicants (and perhaps a much larger percentage of products) aren't up to snuff.
So leave the shakedown cruises to less cautious individuals. Just repeat "patience is a virtue" a few times and read reviews while you're waiting, and remember that things will be less likely to blow up in your face when you finally get onboard.
Nigeria Announces Early Results Of Anti-Scammer Initiative
No one's sure how many there are to go, but according to a Nigerian official, there are about 800 scam email addresses and 18 criminals that can be considered "down." Mrs. Farida Waziri, the chairperson of a government agency, announced that some shutdowns and arrests occurred thanks to an initiative called Project Eagle Claw.
 | | Nigeria Announces Early Results Of Anti-Scammer Initiative | |
Nigeria's Economic and Financial Crimes Commission is the force behind Project Eagle Claw, and with Microsoft's help, has just started ramping it up. Waziri explained in a statement, "We expect that Eagle Claw as conceived will be 100% operational within six months and at full capacity, it will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails."
She then gave some very interesting details, continuing, "[U]pon full deployment, the capacity to take down fraudulent e-mails will increase to 5,000 monthly. Further it is projected that advisory mails to be sent to victims and potential victims will be about 230,000 monthly."
Anything Nigeria can do to address the problem of scammers operating from within its borders will of course be good for the country's image. More than that, it might help honest Nigerians become part of the online world (since some entities have just taken to blocking troubled regions as a whole).
Then there will be the benefit to the rest of the world, with maybe millions of dollars not getting lost. For that reason, Project Eagle Claw is likely to gain a lot of fans.
MessageLabs Names Most- (And Least-) Spammed States
When considering where to live, it's wise to look up stats about an area's climate, the cost of living, and its proximity to other important stuff in your life. Symantec's MessageLabs recently supplied some information about your odds of getting spammed, too.
 | | MessageLabs Names Most- (And Least-) Spammed States | |
Somewhat surprisingly, the states you might imagine as being the "most wired" - California, New York, Washington - weren't at the top of the list. Instead, the state in which spam represents the highest percentage of all emails received is Idaho, with 93.8 percent.
In an email to SecurityProNews, a Symantec/MessageLabs representative then listed the other top states (in order) as Kentucky, New Jersey, Alabama, Illinois, Indiana, Massachusetts, Pennsylvania, Arizona, and Maryland.
The U.S. territory of Puerto Rico wound up on the opposite end of the list, followed by Montana, Alaska, Kansas, South Dakota, Tennessee, Vermont, Rhode Island, Wisconsin, and Florida.
We're not quite sure what to make of these findings; the states don't appear to be ordered according to Internet penetration rates, GDP per capita, overall population, physical size, or anything else. Still, if you're looking to move, now you have a better idea of how to decrease the odds of getting bombarded with spam at your new home.
Enormous Malware Archive Creates Stir
A Dutch company known as the Frame4 Group has created what's almost the computing equivalent of a Center for Disease Control lab. The Malware Distribution Project is, according to its own site, the "world's biggest private malware archive."
 | | Enormous Malware Archive Creates Stir | |
Don't jump to the conclusion that the project's run by a bunch of supervillains; the malware samples are supposed to be "offered for the purposes of analysis, testing and malware research."
Also, customers are screened, and a monthly access fee of about $1,235 should act to keep out some of the riffraff.
It actually seems possible that the Malware Distribution Project could be of great help to the security community. When you consider that medical researchers don't have to wander from house to house, asking people if they have cancer, every time they want to start a new experiment, certain practices start to seem a little outdated.
There is a potential for problems, though. One nightmare scenario relates to the Malware Distribution Project's figurative walls failing and everything getting out. Having all of that malware run amuck at once - particularly if security researchers' computers were the first things it'd come across - would be bad.
Then there's the possibility that some unpleasant person would gain access to the Malware Distribution Project's archive and just sort of go on a shopping spree. This way, some relatively stupid hacker might be able to get his (or her) hands on the most sophisticated viruses in existence.
As you might imagine, the Malware Distribution Project is definitely proving divisive.
Anyway, at last count, the repository contained a whopping 3,336,503 files.
UPDATE (10-13-09): Anthony Aykut, the Managing Director of Frame4 Security Services, got in touch with SecurityProNews this morning to pass along some information. In an email, he wrote, "[T]he malware is neither downloadable via the web site or accessible in any other way via the www; in fact, the (secure) servers where the malware is stored (or analyzed/processed) is not even connected to the outside world."
Aykut also stressed that nothing is sold to the public, and added, "Largely due to the security measure(s) mentioned above, and also based on to the fact that the storage media are protected by biometric devices, getting access to the MD:Pro archive is, well, pretty impossible."
Avsim Hacker (Maybe) Brought Before Cops
Perhaps people who like to spend their spare time in the cockpits of imaginary F-16s should be left alone. The man in charge of a flight simulator site that was attacked claims to have identified the hacker and forwarded information to the authorities.
 | | Avsim Hacker (Maybe) Brought Before Cops | |
Avsim is one of the best-known flight sim communities in existence. It's been around for a long time, too. Unfortunately, a hacker managed to wipe about a decade's worth of modification info and forum posts from the site's servers back in May.
Now, though, Tom Allensworth, the publisher and CEO of Avsim, has told the BBC, "We . . . have incontrovertible evidence of the individual that performed the hack. We have protected the forensic evidence and provided that evidence to the London police. We are committed to bringing justice to bear on this case."
Allensworth is confident in the outcome, too, adding, "We fully expect that the criminal complaint . . . will result in the perpetrator spending some time behind bars - under UK law." (Since Avsim's located in the US, this means he's not pushing for extradition or anything of that sort.)
Neither London's Metropolitan Police Service nor the accused individual (who hasn't been publicly named) has made any comment yet.
Email Password Hackers Present Real Threat
The next time you have something really important to tell someone, consider whether a drive over to his or her house wouldn't be a nice way of spending a few minutes. One reporter has found that it's quite easy (and perhaps all too common) for people to buy email accounts' passwords from hackers.
 | | Email Password Hackers Present Real Threat | |
Tom Jackman wrote in an article for the Washington Post, "[S]ervices as YourHackerz.com are still active and plentiful, with clever names like 'piratecrackers.com' and 'hackmail.net.' They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly."
Jackman found that prices for passwords range from around $30 to $100, which means that even the average ten-year-old can probably afford these hackers' services.
Plus, unless someone important is involved or things get rather serious, law enforcement isn't terribly likely to look into (or at least resolve) the matter, because accessing a computer without authorization is just a misdemeanor in most areas and tracking down a perpetrator can be difficult.
And it doesn't help, of course, that all of these facts have now been publicized in a widely-read newspaper.
So if you've got some nasty business rivals or psycho exes, at least try to play it safe by changing your password often for as long as you're in the person's sights. Then there's always the option of putting a few more miles on the odometer, too.
Internet Explorer 8 Vulnerability Exposed
A new vulnerability has been discovered in Internet Explorer that takes advantage of Cascading Style Sheets (CSS), in order to steal data from the browser.
 | | Internet Explorer 8 Vulnerability Exposed | |
This past Friday, Google security researcher Chris Evans posted on the Full Disclosure mailing list (see that post here) describing a CSS vulnerability he discovered. He also posted a harmless example of what that vulnerability could do. In the example, you go to a site in IE and click a button (which supposedly could be automated) and your twitter account will automatically send out a tweet. Barely two hours later, Microsoft tweeted that they were aware of a problem and would "investigate" the issue.
This CSS vulnerability is not exclusive to Internet Explorer. The other four major browsers are also affected: FireFox, Safari, Opera, and Chrome. The only difference is the vendors of those browsers have issued patches and plugged the holes that created the problem. As of yet, Internet Explorer is the only major browser that has yet to be fixed. Not that there hasn't been enough time to work on a patch. According to Evans in the posting mentioned above, "[t]here's evidence to suggest that Microsoft has been aware of this since at least 2008." Whether or not they have known about the vulnerability that long is irrelevant, considering that it has been fixed by everyone else.
This vulnerability takes advantage of CSS standards to steal browser data. According to those standards, cookies are sent from the browser when CSS is called, even if it is a cross-domain call. Combining this with a CSS injection attack using background-image:url(), the browser's cookies will be sent to the given url. These cookies can contain the keys needed to break into web applications such as Twitter accounts and webmail sites. Even worse, this happens even when javascript is disabled, making this a threat even to those who think they are relatively safe.
Dell Collaborates with Trend Micro
Small and medium businesses are constantly at risk of being targeted by cybercriminals, simply because they are smaller than large corporations. The bigger a company is, the more money they have to invest in higher-tech security systems and larger, more involved IT departments. For smaller companies, it is easy to focus on trying to expand business and let security sit on the back-burner. This is where the partnership between Dell and Trend Micro comes in. They have come up with an easy way for small and medium sized businesses to manage their security needs without breaking the bank.
 | | Dell Collaborates with Trend Micro | |
Trend Micro's Business Security Services include several desirable features to make the security portion of running a business much easier. First and foremost, is a set of web-based tools which make administration extremely easy. There is no need for a dedicated in-office server (or any company owned server at all), and the administration panel can be accessed from anywhere with an internet connection. There is also a remarkably low system performance impact, thanks to the fact that once a scan is complete, the results are processed in the "Smart Protection Network" run by Trend Micro. For companies with little or no IT staff on hand, the system comes pre-configured security parameters and runs automatically, so there is less worry about having something set up improperly. Both desktops and laptops are secured with this software, even if they are used outside the office. Anytime the computer is connected to the internet, it is being actively protected. This has the biggest impact on users who travel with their work, as many do.
This is a big step forward for one of the top PC suppliers in the world. The fact that this software can come pre-installed on systems shipped to its commercial clients means that they can offer security and piece of mind to a large group of people.
Apple and Adobe Both Roll Out Large Security Updates
Both Apple and Adobe have shipped out relatively large collections of security patches this past week, Apple fixing up OSX and Adobe locking down it's Shockwave player. Both sets of patches have been given a security rating of 'critical,' which means that there is the possibility of malicious code execution on an unprotected system.
 | | Apple And Adobe Both Roll Out Large Security Updates | |
Apple's update this week fixes code execution attacks when viewing maliciously crafted PDF or PNG files, or even just viewing a document with a maliciously crafted font installed. There is also the possibility for network administrators to abuse their positions by intercepting sensitive data through the use of an anonymous TLS/SSL connection, or to use a similarly named web address to impersonate a legitimate site and steal information that way. For instance, if they are in possession of the domain name www.example.com, they are able to impersonate www.example.com due to the lack of checking the final letter in the certificates. There are also updates for the newest versions of PHP and ClamAV which both claim to include necessary security updates. These updates can be applied via the "Software Update" option in OSX or downloaded from Apple's support site.
Adobe has updated their Shockwave Player to fix several security holes, including 16 memory corruption vulnerabilities which could lead to code execution. These vulnerabilities affect version 11.5.7.609 and earlier, and it is recommended that anyone running these versions immediately upgrade to the most recent version (11.5.8.612) of the software found on Adobe's website. The memory corruption vulnerabilities and four more issues are all labeled as 'critical' in the Severity Rating System. The other issues include two denial of service attacks, one of which could potentially lead to code execution. Also there is a pointer offset vulnerability and an integer overflow vulnerability which can grant one with malicious intent access to plant code in a user's memory.
HP to Acquire Fortify
Earlier this week, HP announced that it will soon be adding Fortify to its list of recently acquired companies. This will be a huge advantage for HP in the security market.
 | | HP to Acquire Fortify | |
Fortify Software is a company that specializes in software security. Founded in 2003, it has continued to grow and supply Software Security Assurance (SSA) to government agencies and fortune 500 companies in many different industries. Their best known software suite, Fortify 360, is a tool that can root out security issues in software, as well as fix those issues and prevent future vulnerabilities. In February of this year, HP and Fortify released their most recent collaboration, "Hybrid 2.0" which goes to show that there has been no problems between these companies working together in the past.
Once the deal is finalized, Fortify will continue to run as a stand-alone company. Eventually though, they will be slowly integrated into HP's Software and Solutions business. This will allow HP to put a much larger focus on software security in every aspect of the application life cycle. "Businesses operate in a world of increasing security and compliance challenges, and the applications and services that they rely on are core to the problem and the solution," said Bill Veghte, the executive VP of the Software and Solutions branch, in the official HP statement on the acquisition. "With Fortify's leadership in static application security analysis combined with HP's expertise in dynamic application security analysis, organizations will have a best-in-class solution to improve the security of their applications and services."
This is not the only company HP has had its eye on. Just last month, HP finalized its purchase of Palm, Inc. This was meant to increase their connection to the rapidly growing mobile device market. This past April, HP bought 3Com for its computer network hardware capabilities. These companies were purchased for $1.2 billion and $2.7 billion dollars respectively. The details of the deal between HP and Fortify have not yet been disclosed.
|
