by Marcia Savage
A recent study by Clearswift indicates that companies aren’t doing enough to train their workers about Internet security.
The Web and email security company conducted a survey of some 2,000 office workers in the U.S., UK, Australia, Germany, and the Netherlands, and found that only 29% had received Internet policy training in the past 12 years. Half of the respondents said they’d never had a dedicated session on their company’s security policy, while 38% had no security training at all (dedicated or otherwise).
The lack of training is lost on employees, according to the study: Only 27% think their company could do better at communicating its online security policy. In fact, 71% report that their company has an Internet policy and that most of their coworkers are aware of it.
“Given the speed of all the new social media threats, it seems a little lax,” Alyn Hockey, Clearswift’s director of product management, said of the lack of security training.
The study also showed that workers are applying their own rules to technology use. Forty-four percent reported storing work data on personal memory devices and 25% use personal accounts on social networks to comment about their job. Twenty percent said IT security breaches happen when workers are trying to get their jobs done more efficiently.
A temporary workaround to mitigate a zero-day vulnerability in Internet Explorer causes most Web pages to load improperly.
By Ron Condon, UK Bureau Chief
Researchers at Trend Micro Inc. are warning Internet Explorer users that a workaround, which can be deployed to block a new zero-day flaw in the browser, can break the functionality of most Web pages.
Microsoft warned last week that it is investigating a new vulnerability that affects all supported versions of Internet Explorer, and could lay it open to remote code execution. The company also said it is aware of targeted attacks that are already trying to exploit the vulnerability.
The IE flaw exists due to an invalid flag reference within Internet Explorer, which can be accessed after an object has been deleted under certain conditions. The company says that when Internet Explorer attempts to access the freed object during a specially crafted attack, it can be made to allow remote code execution.
Jonathan Leopando, a researcher with Trend Micro’s TrendLabs, is warning that the temporary measures advocated by Microsoft to block the flaw will cause most Web pages to load improperly in IE.
“The mitigating steps force the use of a user-specified CSS style sheet (breaking site formatting) and disabling scripting (disabling many site features),” he wrote, adding that users should also check that Data Execution Prevention (DEP) is enabled, to reduce the potential effects of any exploits.
The best way to avoid the problem, he says, is to upgrade to the beta version of IE version 9, which is not affected.
In the TrendLabs blog, Leopando said Trend Micro researchers have acquired a sample of the exploit for the vulnerability and have analyzed the threat. The main page that delivers the exploit downloads a backdoor, which in turn downloads various encrypted files which, when decrypted, contain the commands that the backdoor will perform.
“This makes exploiting the vulnerability easier, which means that attacks that target will probably become more commonplace,” he wrote.
by Marcia Savage
Adobe issued an alert Thursday warning of a critical vulnerability in its Flash Player that is being exploited in attacks on its Reader software.
The flaw could allow an attacker to take control of a system, Adobe said.
The vulnerability affects Flash Player 10.1.85.3 and earlier versions for all the major operating systems, and Flash Player 10.1.95.2 and earlier versions for Android. It also affects the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and Unix, and Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh.
Adobe said there are reports of the vulnerability being exploited in the wild against Reader and Acrobat 9.x, but it isn’t aware of any attacks against Flash Player.
The company expects to provide a fix for Flash Player by Nov. 9 and an update for Reader and Acrobat during the week of Nov. 15.
Also on Thursday, Adobe released an update to fix a critical vulnerability in its Shockwave Player, which it warned about last week.
by Michael S. Mimoso
ipTrust, a start-up backed by a couple of Internet Security Systems veterans, launched today and debuted its new botnet detection service and IP address reputation capabilities. The company, a subsidiary of Endgame Systems, also announced $29M in venture financing.
Chris Rouland, ISS CTO, and Dan Ingevaldson, former director of ISS’ XForce research team, said the company has been in hibernation for two years building security services for the federal government. During that time, they’ve been collecting data and maintaining state on millions of IP addresses looking for sites sending spam and malware, and recruiting for botnets. That data feeds the reputation engine at the heart of two products announced today: ipTrust Professional and ipTrust Web.
IpTrust Professional is a cloud-based API that enables integration with existing applications or services. Users can make queries in real time against the company’s database to receive reputation scoring for any IP address on the Net, Ingevaldson said. Unlike other reputation engines that are primarily geolocation-based, this one can also take into account whether an IP address is infected with a Trojan or worm, or has been part of a botnet and sent spam before. Users can then decide whether to deny access to or from that IP address.
“What we’re doing here is building an interface with this API into a massive data set,” Ingevaldson said. “We’ve collected 275 million pieces of information on IP addresses that we’re keeping state on. We’re collecting one terabyte of security event information weekly–and that’s going up all the time. We can scale to petabyte size. Our customers don’t have to download a petabyte of information, but our API allows them useful interfaces so they can make smarter decisions based on the information we provide them.”
IpTrust Web is a free infection notification service delivered in a software-as-a-service model. Users sign up online and provide a range of external IP addresses to be monitored. If an event occurs, an email notification is sent that contains a link to the ipTrust Web portal where the user gets rich metadata on the details, Ingevaldson said.
“The use cases are more limited, but more focused,” Ingevaldson said. “That’s the opportunity here. We don’t intend to send an SMS with 10 million events. If your Blackberry goes off, you’ve got a Conficker infection, for example, with a link to our portal. It’s much more focused, much more refined and precise.”
by Carolyn Gibney
by Ron Condon, UK Bureau Chief
If you haven’t yet applied last month’s patches to Microsoft Office, it might be worth making it a priority.
Researchers at Trend Micro Inc. have spotted a new exploit that sits inside an RTF file. When the file is opened, it triggers a buffer overflow, which, in turn, causes Microsoft Word to crash. The malware then plants a Trojan on the machine, thereby allowing the attacker to execute his or her own commands on the affected system.
Trend Micro threat response engineer Karl Dominguez flags this as a serious concern because, in addition to the risk of email attachments, anyone receiving an RTF email message could immediately become infected. Microsoft Outlook uses Word to handle email messages, so the mere act of opening or viewing specially crafted messages in the reading pane could cause the exploit code to execute.
Microsoft has fixed the stack-based buffer overflow vulnerability in Microsoft Office that causes the problem. A patch, which can be found in the official Microsoft MS10-087 bulletin, was issued as part of November’s Patch Tuesday.
Trend Micro said it has detected the exploit RTF files as TROJ_ARTIEF.SM, which then drops in another malicious file called TROJ_INJECT.ART. Both affect systems running Windows 2000, Windows XP or Windows Server 2003.
by Robert Westervelt
Email addresses and passwords of more than 1.3 million registered users of Gawker Media websites have been made publicly available after a hacking group broke into the company’s servers last weekend.
Gawker websites include Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot. Gawker is warning users to change their account password and consider changing passwords to other websites if they are used for multiple accounts. The registration information was required to leave comments on the websites.
“We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security—and of trust,” the company said on its website.
Gawker posted a detailed FAQ explaining the extent of the breach and how registered users can protect themselves. A group named “Gnosis” claimed credit for the attack and posted a file containing the passwords at several peer-to-peer networks. The stored passwords were encrypted.
“We are in the process of notifying those users who associated an e-mail address with their Gawker accounts,” the company said.
On Monday, Graham Cluley, senior technology consultant for UK-based security vendor Sophos, said the Gawker breach appears to be tied to a spam campaign on social networking site Twitter. Del Harvey, Twitter’s director of trust and safety, said the company reset passwords to compromised accounts. Those behind the spam campaign hijacked Twitter accounts that used the same Gawker password.
“We … deleted updates on accounts affected by acai spam; accounts were compromised in the Gawker properties hack,” Harvey posted Monday on Twitter.
by Marcia Savage
Trend Micro on Monday said it signed a deal to buy Mobile Armor, a provider of endpoint encryption technology. The St. Louis, Mo.-based company sells full-disk, file/folder, and removable media encryption products. Financial terms of the deal, which is expected to close Dec. 31, were not disclosed.
Trend Micro said Mobile Armor’s products will complement its existing DLP, email encryption and cloud encryption technologies.
Eva Chen, CEO of Trend Micro, said that Mobile Armor’s encryption line will boost Trend Micro’s data protection portfolio for the cloud computing era.
“This acquisition will expand our endpoint security market reach and will provide our customers with proven technology for encrypting data on laptops, tablet PCs, and smart phones. Mobile Armor’s solutions further our vision of protecting digital information wherever it resides and complements our recent announcement of Trend Micro SecureCloud for securing and controlling data in the cloud,” she said in a prepared statement.
Trend Micro competitor Symantec this fall detailed integration plans for PGP and GuardianEdge Technologies, two encryption companies it acquired in April for $370 million. Three years ago, McAfee acquired SafeBoot for full-disk encryption.
A newly detected drive-by attack encrypts media files and Microsoft Office documents and then demands payment to have the files decrypted.
By Ron Condon, UK Bureau Chief
One more reason for keeping your Adobe Systems software up to date. Sophos Ltd. security consultant Graham Cluley is reporting a new ransomware attack that hits computer users via a drive-by vulnerability on compromised websites.
Victims are suddenly presented with a message that their files have been encrypted and that they will need to pay $120 to regain access to them.
Early investigations indicate that the attacks are delivered using an Adobe PDF exploit, but that hasn’t been confirmed. The attacks affect a wide range of media files, such as .jpeg images and .mpeg audio files, as well as Microsoft Office files. Affected files have their names changed to include a new suffix called .ENCODED.
The attack, which Sophos has identified as Troj/Ransom-U, changes the user’s Windows desktop wallpaper to deliver the first part of the ransom message, which tells the user their files have been encrypted. It adds that they must act quickly to get their files decrypted, and must not tell anyone about the attack.
According to Cluley:
Of course, we don’t recommend paying money to ransomware extortionists. There’s nothing to say that they won’t simply raise their ransom demands even higher once they discover you are prepared to pay up.
The actual ransom note, contained in a .txt file, warns that the files will be deleted if the ransom is not paid quickly. “We can help to solve this task for $120 via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring [sic] your message and nothing will be done,” it adds.
The user is asked to send the money and an email containing a fingerprint hex-string, which Sophos suggests is the encryption key used. Whether the decryption actually takes place after payment has not been tested.
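The rename-to-.ENCODED behaviour described above gives responders a cheap host-side indicator. The following triage script is an added example, not code from Sophos or the article; it assumes the suffix is appended after the original extension (e.g. photo.jpeg.ENCODED) and treats any .txt file sitting beside renamed files as a candidate ransom note. The file listing is constructed for the demonstration.

```python
"""Triage a file listing for clusters of .ENCODED renames (ransomware indicator)."""
import os
from collections import defaultdict

RANSOM_SUFFIX = ".encoded"   # assumed appended after the original extension
MIN_HITS = 3                 # fewer renames in one directory is reported as low confidence


def encoded_original_ext(path):
    """Return the original extension of a renamed file, or None if it is not a .ENCODED rename."""
    name = os.path.basename(path)
    if not name.lower().endswith(RANSOM_SUFFIX):
        return None
    return os.path.splitext(name[:-len(RANSOM_SUFFIX)])[1].lower()


def triage(paths):
    """Group .ENCODED renames by directory and list any .txt file beside them (likely ransom note)."""
    hits = defaultdict(list)
    notes = defaultdict(list)
    for p in paths:
        d = os.path.dirname(p)
        ext = encoded_original_ext(p)
        if ext is not None:
            hits[d].append(ext)
        elif p.lower().endswith(".txt"):
            notes[d].append(os.path.basename(p))
    return {
        d: {
            "renamed": len(exts),
            "extensions": sorted(set(exts)),
            "candidate_notes": notes.get(d, []),
            "confidence": "high" if len(exts) >= MIN_HITS else "low",
        }
        for d, exts in hits.items()
    }


def scan_tree(root):
    """Walk a real directory tree and run the same triage over it."""
    paths = [os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs]
    return triage(paths)


# Constructed sample listing; not taken from any real incident
SAMPLE = [
    "/home/alice/Pictures/holiday.jpeg.ENCODED",
    "/home/alice/Pictures/family.JPG.ENCODED",
    "/home/alice/Pictures/readme.txt",
    "/home/alice/Pictures/cat.png",
    "/home/alice/Documents/budget.xlsx.ENCODED",
    "/home/alice/Documents/thesis.docx.ENCODED",
    "/home/alice/Documents/talk.pptx.ENCODED",
    "/home/alice/Documents/HOW_TO_DECRYPT.txt",
    "/home/alice/Music/track.mp3",
]

if __name__ == "__main__":
    for d, info in sorted(triage(SAMPLE).items()):
        print(d, info)
```

Run `scan_tree("/path/to/suspect/share")` against a real mount to get the same per-directory report for an affected host.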
by Carolyn Gibney
by Ron Condon, UK Bureau Chief
A timely reminder came from Daniel Wesemann today, writing on the SANS Internet Storm Center blog, about the need to make sure that Java is kept patched and up to date.
Oracle Corp. (which now owns Java, since buying Sun Microsystems last year) released a patch bundle for Java in October, which included a long list of security fixes, several for vulnerabilities that could allow drive-by exploits.
“And since Java is present on pretty much every Windows PC, and people don’t seem to do their Java updates quite as diligently as their Windows patches, there are a lot of vulnerable PCs out there,” says Wesemann.
He describes in detail one popular family of exploits doing the rounds at the moment, called “bpac”, which exploits the Hashmap vulnerability (CVE-2010-0840). A user only needs to browse an infected webpage, and the exploit pulls down a series of .exe files (in one case, up to 66 of them) that could be hard to clean up after the event.
Ironically, the attack would be stopped by a Java security fix issued in July, but, as Wesemann observes: “I guess the bad guys won’t start ‘burning’ their newest Java exploits while the old set is still going strong.”
His advice is short and sweet: “If you haven’t done so yet, hunt down and patch every incarnation of Java on the PCs that you are responsible for.”
by Robert Westervelt
Security vendor offers bounty for bugs found in its firewall and Web filtering appliances.
Security vendor Barracuda Networks is jumping on board the bug bounty bandwagon, offering between $500 and $3,133.70 to bug hunters who find serious vulnerabilities in its products. Barracuda, which sells a variety of security appliances for antispam, antivirus, Web content filtering and Web application firewall capabilities, is the first security vendor to offer such a program for its own products.
Barracuda said flaws found in the Spam & Virus Firewall, Barracuda Web Filter, Barracuda Web Application Firewall and the Barracuda NG Firewall would be eligible for a reward.
Researchers reporting security bugs will collect a cash prize ranging from $500 to $3,133.70, depending on the severity of the vulnerability as judged by the Barracuda Labs Bug Bounty Panel. Bounties can be donated to charity as requested by the bug reporter.
According to Barracuda, vulnerabilities can be reported to BugBounty at barracuda.com with the following PGP key (http://www.barracudalabs.com/bugbountypg…). The company set up a Web page explaining the bug bounty program.
Bug types that are in scope include those that compromise confidentiality, availability, integrity or authentication. For example: remote exploits, privilege escalation, cross site scripting, code execution, command injection.
Google extended its current bug bounty program for Chrome browser flaws this week, adding a reward for serious Web application flaws found in its Blogger, Orkut and YouTube websites. Barracuda offers the same payout structure as Google. Mozilla offers a similar program for bugs found in Firefox.
Google said it has had success with its Chrome browser bug bounty program, which it launched in February. The company said it has seen an increase in “high-quality” reports on bugs found in its Chromium browser.
The Four Minute Malware: Aurora, Stuxnet, and Beyond
And then on June 17, 2010 VirusBlokAda, a little infosec company in Belarus discovered a new piece of malware that exploited a heretofore unknown Windows ...