InfoSec News

Those of you watching the malware universe have no doubt noticed the recent increase of malicious sites with .in domain names. The current set ofnames follow the four-digit and seven-digit pattern. Passive DNS Replication like RUS-CERT/BFKshows that a big chunk of these domains currently seems to point to 91.204.48.52 (AS24965) and 195.80.151.83 (AS50877). The former Netblock is in the Ukraine(where else), the latter likely in Moldavia. Both show up prominently on Google's filter (AS24965,AS50877),Zeustracker, Spamhaus (AS24965,AS50877) and many other sites that maintain filter lists of malicious hosts.
An URL block system that can do regular expressions comes in pretty handy for these - \d{4}\.in and \d{7}\.in takes care of the whole lot, likelywith minimal side effects, since (benign) all-numerical domain names under .in are quite rare. If you're into blocking entire network ranges,zapping 91.204.48.0/22 and 195.80.148.0/22 should nicely take care of this current as well as future badness (though with unknown side effects - wehave no idea whether your neighborhood Pizza shack happens to host its perfectly harmless web site amidst all the malware in one of these netblocks :) (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

GovInfoSecurity.com

10 Happenings Shaping Gov IT Security Infosec in 2010
GovInfoSecurity.com
Government IT security in 2010 didn't always progress the way many had expected. Lawmakers busily held hearings and drafted legislation to get a better ...

 
If you've ever had the urge to check someone else's e-mail, then you've got something in common with Leon Walker, a 33-year-old computer technician from Rochester Hills, Michigan. But be warned, it may lead to prison time.
 
A Mozilla database was exposed to the Internet, the Mozilla Foundation disclosed
 
LINDO Systems LINGO Multiple Insecure Library Loading Arbitrary Code Execution Vulnerabilities
 
Easy Portal 'id' Parameter SQL Injection Vulnerability
 
Mozilla has published a blog and sent out an e-mail notifying users of what seems to be a relatively minor security breach. User IDs and password hashes for users were available for public access briefly. Users who have not been active before April 2009, however, had their password hashes stored in MD5 hashes which could be retrieved via password cracking. This method of storing passwords has been retired by Mozilla which is why users who logged in after April 2009 are safe.
The problem would come in for those users who use the same password across multiple sites (particularly the same password to access the e-mail account they registered with).
As a quick tip, we all have dozens (at least) of low-impact sites we have passwords for: new sites, blogs, etc. The impact of those accounts being compromised is trivial, at best. However, if the same password is used (and that password is mapped to an e-mail address or username) it can be used to access other, more sensitive accounts. You could have a different password for each site, which quickly becomes impractical. Sites using centralized logins are few and far-between (say OpenID). A solution I've tried to use is to have an insecure password but salt it with some designation for the site I'm accessing. Say the insecure password is qwerty. I can add two characters designating what I'm accessing for each site. So qwertyFF (FF for Firefox) for addons.mozilla.org. This allows for different passwords at each site, but in a way that is easy to remember multiple passwords. Obviously, you won't want to user qwerty as the base for those passwords, but you get the idea.
--

John Bambenek

bambenek at gmail /dot/ com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Russia's prime minister orders government agencies to move to open-source software by 2015.
 
SocialEngine Music Sharing Plugin Arbitrary File Upload Vulnerability
 
Coppermine Photo Gallery Multiple Cross Site Scripting Vulnerabilities
 
In addition to smartphones and tablets, attackers will use geolocation services on many social networks and mobile applications to deploy more targeted social engineering attacks.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 

Attackers are likely to target smartphones and tablets in the coming year.

Attackers will target Apple devices in 2011 as well as the growing list of smartphones and tablets being introduced to the workplace, according to a new report from McAfee.

The Santa Clara, Calif-based security firm issued its 2011 Threat Predictions report today, outlining the top threats its researchers identified for the coming year. The security vendor said Apple will no longer fly under the radar. The growing popularity of iPads and iPhones has increased Apple’s marketshare and made the Mac OS platform and Apple’s mobile iOS software a growing target.

“The popularity of iPads and iPhones in business environments, combined with the lack of user understanding of proper security for these devices, will increase the risk for data and identity exposure, and will make Apple botnets and Trojans a common occurrence.”

Apple devices won’t be the only targets. The rising popularity of smartphones and tablet devices in the workplace will prompt attackers to target the devices to gain access to corporate data. Despite mobile malware being virtually non-existent, security researchers have seen malware target devices that have been jailbroken. McAfee said slow adoption of encryption on mobile devices and a fragile cellular infrastructure could put corporate data at a higher level of risk.

Social networking attacks will also become more extreme, according to McAfee researchers. URL-shortening services, which are used on Twitter and Facebook, combined with the high trust factor those social networks have, are making it easy for attackers to quickly spread phishing attacks and gain control of user accounts to spread malware and harvest sensitive data.

“The use of abbreviated URLs on sites like Twitter makes it easy for cybercriminals to mask and direct users to malicious websites. With more than 3,000 shortened URLs per minute being generated, McAfee Labs expects to see a growing number used for spam, scamming and other malicious purposes.”

In addition, the rising popularity of geolocation services used by social networks and mobile applications could make it easier for attackers to generate a highly targeted social engineering attack. The location services, which include Foursquare, Gowalla, Facebook Places and others can be used to track and plot a the location of users.

Geolocation certainly makes it easier to target individuals, but the growing use of Twitter has put some people at risk. At McAfee Focus 2010, Dave Marcus, director of security research and communications demonstrated several free, browser-based search platforms that can help an attacker chart a person’s location based on their Twitter posts. In a few short minutes, Marcus demonstrated how easy it was to identify several users and chart their route to work each morning, based on their Tweets.

“In just a few clicks, cybercriminals can see in real time who is tweeting, where they are located, what they are saying, what their interests are, and what operating systems and applications they are using.”

Other predictions include a growing number of malicious applications used in widely deployed media platforms, such as Google TV. While the applications may not be designed to steal data, they could leak personal information, including privacy and identity data, McAfee said. Like many smartphone applications, applications on media devices are not likely vetted for security and privacy. McAfee also said it expects botnet sophistication to increase with functionality to bypass security mechanisms and law enforcement monitoring.



Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
ING Direct's mobile banking and investing system went live in July on the iPhone and other devices, and its early success has reaffirmed the bank's decision not to build physical banks, its CIO said.
 
In part 2, the editorial team continues its discussion on some of the top IT security news stories of 2010 and some of the lessons learned.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
The good news is that Comodo Internet Security Complete 2011 ($70 for one year and three PCs, as of 12/2/2010) blocked a full 25 out of 25 of real-world attacks in our hands-on testing of the product.
 
Simple, simple, simple. That's the marching order of F-Secure Internet Security 2011 ($60 for one year, three PCs, as of 12/2/2010), an antimalware utility that focuses on safeguarding the computers of novices and especially families.
 
Are you a casual computer user who wants a streamlined security software experience? Or are you a dyed-in-the-wool computer pro who wants access to every configuration option, security alert, and log- file entry?
 
Eset Smart Security 4 ($60 for one year, one PC; $70 for one year, three PCs, as of 12/2/2010) came at or near the back of the pack in most of our malware detection, blocking, and disinfecting tests.
 
A solid solution, Symantec's venerable Norton Internet Security ($70 for a one-year, three-PC license, as of 12/2/2010) continues to incrementally update and advance both its interface and detection rates.
 
Does slow and steady win the race?
 
Users looking for a free antimalware product to protect themselves have long enjoyed Avira, which is available in a no-cost version for personal use, but which subjects you to a single daily pop-up urging you to buy the full suite.
 
Let's start with the good news: Panda Internet Security 2011 ($60 for one year, one PC; $70 for one year, three PCs, as of 12/2/2010) has some of the best protection going. Its and 99.8 percent detection of samples of known malware was tops among the 13 applications we tested. It completely blocked 21 of 25 attacks in real-world malware blocking tests (that help determine how well it can block brand new malware), and partially blocked three more, which, while not a top score, is still a solid performance. It's also no slouch in fixing downed machines, removing 80 percent of active malware components.
 
It's no longer enough for antivirus software to scan files on your PC. You need someone looking over your shoulder and telling you whether it's safe to click that link; whether the popup for that software update is legitimate; and whether that download from your favorite social network is actually a tool created by organized criminals for stealing your personal information. You need an all-in-one Internet security suite capable of identifying, blocking, and cleaning up after a wide array of malware.
 
The malware threat landscape is ever-evolving, with thousands upon thousands of new pieces of malware each year, and with cybercriminals developing new attack methods. As such, security products--and our security testing methods--must evolve too.
 
As the one device you always have with you, it has to function at work, at home, and on the go. These five do it best
 
The iPad rules the tablet world right now, but an Android army has begun its attack. Soon to join the fray are even more tablets, equipped with the Windows, WebOS, and Sugar operating systems. Here's what to expect in the year ahead.
 
Libpurple MSN Short Packets Remote Denial of Service Vulnerability
 


Internet Storm Center Infocon Status