Information Security News
Opera recently suffered a compromise of one of the servers it uses to distribute software updates. You probably read that, as part of this compromise, an expired certificate was used to sign malicious software, which was then distributed through Opera's update servers. Users who checked for updates while the malicious software was live automatically downloaded and installed it through Opera's automatic update feature.
There is a lot that could be said about what Opera may or may not have done to prevent this. At least they detected the problem quickly, but then again, it took them a few weeks to notify users. Not many of you are probably distributing major software packages. However, we all rely in some way on automatic updates, and hope that vendors deliver "clean" (even if not bug-free) software.
So what can you do to detect and clean up malicious software that was installed directly from a trusted vendor?
A very long time ago, before we hashed passwords, "paranoia" was one of the favorite passwords used by our users, which somewhat indicates the attitude of many of our readers. Is paranoia still paranoia if they really are out to get you? In real life, this usually doesn't get you far. Features like auto-updates, and trusting digital signatures, are necessary to survive with non-existent patch windows. You should, however, always think "defense in depth": there may be other controls that make sure the software behaves as expected, for example by watching whether the software "calls out" to other sites. Sadly, for a web browser, outbound connections are expected and hard to verify.
At this point, the malware distributed via the Opera update is widely recognized by anti-malware signatures. However, if your system was infected, anti-malware is likely no longer functioning as designed: the attacker had a couple of weeks to download and install additional components. One trick that may still work is an offline malware scan from a bootable CD. This method, however, doesn't scale well and is time consuming even for individual PCs. As a compromise, you may want to scan the suspicious drive over the network by mounting it (read-only, so you don't alter evidence) on a known-clean system.
Many whitelisting systems will not flag software that comes with a signature that verifies. And in this case, you may have added an exception yourself, thinking the Opera update was legitimate because it came from a legitimate Opera server and was signed.
Network-based controls are probably the best way to avoid the modifications the malware makes to the host, because they sit outside the system the malware runs on. But properly configuring network-based controls (firewalls, intrusion detection or prevention systems) is tricky. You are likely still relying on signatures, and in this case the signature may come too late, after the malware has installed additional tools that no longer match the original signature. Still, a well-tuned IDS is probably your best bet to detect this.
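To make the offline-scan and whitelist points concrete, here is an added example (not code from ISC or Opera) of the kind of sweep you can run from the clean side once the suspect drive is mounted: every executable's hash is checked against a known-good allowlist, and anything modified during the window in which the bad update was live is flagged regardless of hash or signature. The allowlist, the compromise window and the sample "volume" are all constructed for the demo; the executable-suffix list is an assumption for Windows targets, and a real sweep should recognise PE files by header rather than by extension.

```python
#!/usr/bin/env python3
"""Offline integrity sweep of a suspect volume mounted on a known-clean host.

Added example, not code from ISC or Opera. Two checks, both run from the
clean side so the suspect OS and its (possibly disabled) anti-malware are
never executed:
  1. every executable's SHA-256 must appear in a known-good allowlist
     (the same idea as a whitelist, but applied from outside the host);
  2. anything modified inside the window during which the bad update was
     live is flagged regardless of signature or hash.
The allowlist, the window and the sample volume below are all constructed
for the demo; real values come from your golden image and the vendor's
incident timeline.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: Windows-style executable suffixes. A real sweep should
# identify PE files by their header, not by extension.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr"}


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(mount: Path, allowlist: set[str],
          window_start: datetime, window_end: datetime) -> list[tuple[str, str]]:
    """Return sorted (reason, path-relative-to-mount) findings."""
    findings: list[tuple[str, str]] = []
    for root, _dirs, files in os.walk(mount):
        for name in files:
            p = Path(root) / name
            if p.is_symlink():          # never follow links on a suspect volume
                continue
            rel = p.relative_to(mount).as_posix()
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if p.suffix.lower() in EXEC_SUFFIXES and sha256_of(p) not in allowlist:
                findings.append(("unknown-executable", rel))
            if window_start <= mtime <= window_end:
                findings.append(("modified-in-window", rel))
    return sorted(findings)


def _write(mount: Path, rel: str, data: bytes, when: datetime) -> None:
    """Create a sample file and back-date its mtime (constructed data)."""
    p = mount / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)
    ts = when.timestamp()
    os.utime(p, (ts, ts))


def run_demo() -> list[tuple[str, str]]:
    """Build a throwaway 'mounted volume', sweep it, and return the findings."""
    # Placeholder window for when the malicious update was being served (constructed).
    window = (datetime(2013, 6, 19, 0, 0, tzinfo=timezone.utc),
              datetime(2013, 6, 19, 1, 0, tzinfo=timezone.utc))
    old = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc)
    inside = datetime(2013, 6, 19, 0, 30, tzinfo=timezone.utc)

    good_opera = b"MZ...known-good opera.exe (constructed)"
    good_os = b"MZ...known-good kernel32.dll (constructed)"
    # Golden-image allowlist: hashes of binaries you trust (constructed here).
    allowlist = {hashlib.sha256(good_opera).hexdigest(),
                 hashlib.sha256(good_os).hexdigest()}

    mount = Path(tempfile.mkdtemp(prefix="suspect-"))
    try:
        _write(mount, "Program Files/Opera/opera.exe", good_opera, old)
        _write(mount, "Windows/System32/kernel32.dll", good_os, old)
        # Dropped by the bad update: unknown hash AND written inside the window.
        _write(mount, "Program Files/Opera/launcher.dll", b"MZ...dropped", inside)
        # Not an executable, but touched during the window: worth a look.
        _write(mount, "Users/alice/AppData/Local/Temp/update.log", b"log", inside)
        return sweep(mount, allowlist, *window)
    finally:
        shutil.rmtree(mount, ignore_errors=True)


if __name__ == "__main__":
    for reason, path in run_demo():
        print(f"{reason:20s} {path}")
```

The mtime window is the cheap half of the sweep: an attacker who has already replaced binaries can also back-date timestamps, so treat a clean window as weak evidence and the hash mismatch as the finding that actually counts. Point the sweep at the real mount point and feed it hashes from a golden image rather than the constructed values above.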
HIPS comes in many forms, but I am thinking here of behavioral tools that detect processes escalating privileges and accessing files they shouldn't access (or establishing network connections). This may work here, if the malware doesn't manage to disable these tools.
My summary: Start with the host. If it is patched and well protected (anti-malware, whitelists, ...), then chances are smaller that the malware will disable these features. The chance isn't 0, but smaller. Secondly, make sure your network defenses are in order and provide meaningful alerts that supplement host-based detection.
Any other ideas I missed?
A researcher says he has uncovered a security weakness that can easily trick people into executing malicious code when they use the Microsoft Internet Explorer and Google Chrome browsers to visit booby-trapped websites.
The attack was recently presented at the Hack in the Box security conference by independent security researcher Rosario Valotta. It exploits weaknesses in the way browsers notify users when they execute operating-system-level commands, such as printing or saving. He said the attack works against Windows 7 and Windows 8 users running IE versions 9 and 10 when they enter either one or two characters while visiting a malicious website. Windows 8 machines running Chrome can be forced to execute malicious code when users click on a single HTML button on a malicious page, such as "Play" for a video or a Facebook "Like." Windows provides some protection against this social engineering attack, but Valotta said attackers can often bypass those defenses.
When a user visits the attack website, it opens a pop-under window that in most cases will remain invisible. The hidden window immediately begins downloading a malicious executable file without notifying the user or requiring any kind of permission. When the website is visited using IE, the file can be executed when English-speaking Windows 7 users type "r" and when Windows 8 users enter the tab key followed by the r key. The keystrokes, which can be invoked by asking the visitor to solve a CAPTCHA puzzle used to filter out bots, send a Windows command to the pop-under window instructing it to run the recently downloaded file. Clicking a booby-trapped HTML button while visiting the page in Chrome similarly executes the malicious file.
An update has been released for the SSL vulnerability reported in Ruby. From the site: "All Ruby versions are affected". The Ruby update also contains a patch for a DoS vulnerability; check out the details here.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Why is physical security at least as important as technical security? As a colleague and friend explained some years ago, "physical security trumps all". If we lose physical control of a device, we have truly lost ownership of it. We often talk about systems and applications being owned by bad actors, and the l33t skillz employed to gain these prizes. We cannot lose sight of the fact that a smash and grab is still an effective way to gain access to your data. Some of the top security firms operating today will demonstrate the weakness by physically penetrating the office/datacenter/DCO and returning with photos of the day's headlines next to your assets.
A friend of the ISC, Sean, pointed out a recent instance of lost physical control facilitating the compromise, or possible compromise, of data, while I was reading an older example. A prison facility under construction in Iowa lost physical control of a laptop holding the blueprints of the prison, which is slated to house Iowa's worst offenders. The other example was a story about tapping fiber optic cables. Tapping a fiber optic cable is not trivial, but one thing has to happen before the tapping can: physical access to the cable.
Summary: When the CIO comes to you and says “physical security of the enterprise is now in your house”, be prepared.
by sienna amelia
Interesting. Each Windows 8 mobile developer should concentrate on these things while developing an app, and he should be more concerned about the security issues. Is an app developer required to know where and how to market a developed app? As we know about the Windows Phone Store, do any of the app developers use any other ways? Share with me.
Posted by InfoSec News on Jun 27: http://www.zdnet.com/firm-facebook-bug-worse-than-reported-non-users-also-affected-7000017318/
Posted by InfoSec News on Jun 27: http://www.knoxnews.com/news/2013/jun/26/frank-munger-y-12-security-failures-overshadow/
Posted by InfoSec News on Jun 27: http://www.itworld.com/security/362522/buy-matthew-broderick-s-old-movie-computer-possibly-impress-ally-sheedy
Posted by InfoSec News on Jun 27: http://www.washingtontimes.com/news/2013/jun/26/hackers-post-us-troops-personal-details-collateral/
Posted by InfoSec News on Jun 27: http://www.healthcareitnews.com/news/breach-blues-british-columbia-lab