Posts belonging to Category Security News

Sophos Security Threat Report Mid-2010

By Graham Cluley at

Sophos has today published the mid-year update to its 2010 Security Threat Report, revealing the latest trends and findings from the world of cybercrime.

Read the official press release here.

I’m doing my bit to promote the report’s findings, having been transported into the oasis of cool known as the Soho Hotel in London, a short hop and a skip from media companies such as Momentum Films, 20th Century Fox and Paul McCartney’s MPL Communications.

Sadly my glamorous career doesn’t extend as far as making a cameo performance in a Bruce Willis disaster movie or playing the piccolo on Macca’s next album – instead, I’m ensconced in a comfy chair discussing SEO poisoning, fake anti-virus, and state-sponsored cybercrime.

Here are some of the topics we explore in the latest report:

As was mentioned in today’s press release about the report, when we look back over the last six months it’s clear that state-sponsored cybercrime has become a particularly hot topic.

For the rest of the threat report, visit Graham Cluley’s blog at

A Patch Management Strategy for Your Network

Ed Fisher

Author Profile – Ed Fisher writes for GFI Software

In Ed’s own words, “I’m that guy. You know the one. When things are broken, I fix them. When they don’t make sense, I explain them. When nothing is getting done, I do it. When a void occurs, I fill it. When there is silence on the call, I state the necessary. An InfoTech professional, aficionado of capsaicin, and Coffea canephora (but not together), I’ve been getting my geek on full-time since 1993, and have worked with information technology in some capacity since 1986. I’ve worked on global scale environments for Doosan, Ingersoll Rand, Microsoft (blue), EDS/Bank of America, an international financial services firm, and as a consultant for numerous companies and various city, state, and federal government agencies.”

Intro

The care and feeding of your network includes the regular patching of all your servers and workstations. Whether Microsoft, Unix, Linux, or Mac, all computers need patches. Patches address bugs, fix compatibility or usability issues, and help defend against attacks and malware. Patch management is an ongoing responsibility for all systems administrators, and is easy to do with just a few guidelines.

Keeping up with patches

The biggest challenge of patching is keeping up with the patches themselves. Vendor mailing lists including Microsoft Security bulletins, the SANS Institute mailings, and security bulletins from your vendors are all designed to keep you informed of security issues and new patch releases. Subscribe your IT Team’s distribution list to these, and review them each week during the team meeting to keep everyone informed and ensure that nothing is missed. See the end of this article for links to other security mailing lists.

Don’t forget applications

Everyone thinks about operating systems, but just as important are patches for applications. Many applications interact with websites directly or through downloaded content, and are frequently exploited. Media players, antivirus software, document readers, and all others must be kept up to date. Maintaining and enforcing a list of approved software in your network, and subscribing to the vendors’ mailing lists, will help you keep track of what patches need to be deployed and to which systems.

Testing patches

While patches are intended to fix issues, occasionally they may introduce new ones through incompatibilities or other problems. Before deploying patches to production, it is critical that you test them on a representative group of workstations and servers in the environment. Enlist members of the helpdesk and personnel from other business units to help test with early deployments. Should a problem exist with a patch, you will detect it before it can affect the entire business.

Deploying patches

The goals for patching should include 100% compliance, timely patching of all systems, and verification. Ensure management understands the importance of patching and supports it fully. Establish maintenance windows to deploy patches and reboot systems when necessary. Many patches are released to address publicly disclosed vulnerabilities; others may point to the existence of vulnerable code. Delays in applying patches increase your risks from malware and attacks, and also the chance that bugs in the unpatched code could lead to system instabilities and downtime. When choosing a patch management system, choose one that can push to systems on a timed basis, verify that the patch installed correctly, and generate reports across all systems. This provides great metrics for management, and helps ensure that no system was missed.

Reverting patches

Even with testing, it may be necessary to uninstall a patch. Two reports are critical here: all patches deployed to a given system, and all systems that received a given patch. Having a system that can uninstall patches as well as install them is a good safeguard against problems.

Wrap up

Patching both operating systems and applications is a regular part of network maintenance. Having the right tools and procedures in place, and support from management, contribute towards making patch management a success.
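As an added example (not code from Ed’s article or from GFI), here is a small Python compliance report that produces the three things the article asks a patch management system for: which patches each host still needs (including pushed-but-unverified installs), which hosts received a given patch (the lookup you need before reverting one), and an overall compliance percentage for management. Host names, patch IDs, products and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample inventory; hosts, patch IDs and dates are hypothetical.
@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str      # OS or application the patch applies to
    released: date

@dataclass
class Host:
    name: str
    products: set     # software inventory for the host (OS and applications)
    installed: dict = field(default_factory=dict)  # patch_id -> verified (bool)

PATCHES = [
    Patch("OS-2010-06A", "windows-xp", date(2010, 6, 8)),
    Patch("OS-2010-06B", "linux", date(2010, 6, 10)),
    Patch("APP-READER-7", "pdf-reader", date(2010, 6, 1)),
    Patch("APP-PLAYER-3", "media-player", date(2010, 6, 20)),
]
HOSTS = [
    Host("ws-01", {"windows-xp", "pdf-reader"}, {"OS-2010-06A": True, "APP-READER-7": True}),
    Host("ws-02", {"windows-xp", "pdf-reader", "media-player"}, {"OS-2010-06A": True}),
    Host("srv-01", {"linux"}, {"OS-2010-06B": False}),  # pushed, install never verified
    Host("ws-03", {"windows-xp"}, {}),                   # missed by the scheduled push
]
TODAY = date(2010, 6, 30)  # constructed reporting date

def required_patches(host, patches=PATCHES):
    """Patches a host needs: every patch for a product in its inventory."""
    return [p for p in patches if p.product in host.products]

def missing_patches(host, patches=PATCHES):
    """Required patches not installed *and verified* on the host (report per system)."""
    return sorted(p.patch_id for p in required_patches(host, patches)
                  if not host.installed.get(p.patch_id, False))

def systems_for_patch(patch_id, hosts=HOSTS):
    """Every host that received a patch: the list needed when a patch must be reverted."""
    return sorted(h.name for h in hosts if patch_id in h.installed)

def compliance_report(today, max_age_days, hosts=HOSTS, patches=PATCHES):
    """Per-host missing/overdue/unverified patches plus an overall compliance figure."""
    by_id = {p.patch_id: p for p in patches}
    report = {}
    for h in hosts:
        missing = missing_patches(h, patches)
        overdue = [m for m in missing if (today - by_id[m].released).days > max_age_days]
        unverified = sorted(pid for pid, ok in h.installed.items() if not ok)
        report[h.name] = {"missing": missing, "overdue": overdue, "unverified": unverified}
    compliant = sum(1 for r in report.values() if not r["missing"])
    return {"hosts": report, "compliance_pct": round(100 * compliant / len(hosts), 1)}

if __name__ == "__main__":
    print(compliance_report(TODAY, max_age_days=14))
    print("received OS-2010-06A:", systems_for_patch("OS-2010-06A"))
```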

For more, visit Ed’s post at Stumbleupon

HIPAA encryption: meeting today’s regulations

Sang Lee, senior security analyst, AlertBoot. June 30, 2010

If you work with an organization that must adhere to the Health Insurance Portability and Accountability Act (HIPAA), you know by now that encryption has become a de facto primary aspect of HIPAA compliance since the passing of the HITECH Act.

There are a couple of reasons for this increased focus on encryption.


First, the U.S. Department of Health and Human Services (HHS) issued guidance wherein “unsecure protected health information (PHI)” is essentially any PHI that is not encrypted or destroyed. Under this definition, it doesn’t matter how many chains, walls, doors, biometric gizmos and guards with lethal weapons you have at your service. As long as PHI is not encrypted, it is considered unsecured.

A second and more compelling reason why encryption is now a requirement is the introduction of HITECH’s breach notification initiative, which requires HIPAA-covered entities to send notification letters if there is a breach of unsecured PHI. However, as HHS pointed out, the use of encryption grants safe harbor in the event of a breach because encrypted PHI is not unsecured PHI.

Oddly enough, in the same breath, HHS also notes that “covered entities and business associates are not required to follow the guidance.” However, cleaning up the mess behind a breach notification can cost millions of dollars, so one would have to be supremely confident — or reckless — in not taking advantage of the encryption safe harbor. With such mixed signals, though, it is not hard to see why encryption is called a de facto requirement.

For more information, read Sang Lee’s full post at SC Magazine

AppRiver Threat Landscape

AppRiver Threat Landscape: Quarter 1 and 2, 2010

By N. DePofi, June 29th 2010

AppRiver, the Gulf Breeze, Florida-based web security and email company, has issued a new report titled “AppRiver notes: Threat & Spamscape report Special 6-Month Edition: June 2010,” briefly covering online threats the company has monitored over the last six months.

Highlights of the report include the one-year anniversary of the Conficker worm, and phishing and spear phishing attacks based on natural disasters, carbon credits, lawsuits, the IRS and the FIFA World Cup. The report includes a breakdown showing the origin of the 26 billion spam emails blocked by AppRiver in the first half of 2010, and the source region of both spam and malicious email messages, with the United States topping the spam chart at 2.5 billion spam emails, and Europe topping the malware chart with 44.7%.

Virus activity has also been heavy for the six months reported, with AppRiver noting that more than 45 million virus messages had been blocked in the thirty days prior to the report’s publication, or more than one out of every ten emails scanned.

In March, AppRiver blocked over five thousand emails purporting to contain information regarding a lawsuit, with a link to a file named complaint.rtf. The link actually led to another file, complaint_docs.pdf, which contained a Trojan.Dropper.

Scams masquerading as IRS messages used tokens to customize each email for its recipient, and contained a link to a page with a download link to an .exe file. The file actually installed ZeuS, a phish-kit that is used to steal banking information.

“The Zeus crimeware toolkit has been around now for some time and is well established in the underground economy as being an easy-to-use and powerful tool for stealing personal data from remote systems. Initially linked to a group of criminals known as the “Rock Phish” group and targeting worldwide financial institutions, the toolkit has since become widely available both for sale and for free on underground forums.” (Peter Coogan, “Zeus, King of the Underground Crimeware Toolkits”, August 25th, 2009)

Other attacks that used ZeuS in the first half of 2010 included ones themed on Facebook, MySpace, UPS, DHL, the Royal Mail in the UK, and Canada Post. ZeuS was prolific enough that US-CERT released a bulletin on March 17th, 2010.

One variation of an older attack style, named the ‘419 scam’ after Article 419 of the Nigerian Criminal Code (Advance Fee Fraud) and also known as the Nigerian Prince scam, started in January 2010 and targeted FIFA World Cup fans. These attacks claim that the recipient has won the Online Web Lottery held in South Africa in support of the World Cup, with a prize of one million dollars. The email contained a link to what looked to be an online gaming site. Most of the links on that site were merely images, but the ‘live help’ link led to a form asking for personal details, which could be used to aid criminals in stealing the user’s identity.

Battling the Information Security Paradox

Tuesday, June 22, 2010

Contributed By:

Anthony M. Freed


Information security is still not garnering appropriate attention from the executive level at some of the largest companies in the world, many of whom are engaged in business activity considered critical to the nation’s infrastructure.

According to an article in InformationWeek, “more than half of Fortune 1000 companies lack a full-time chief information security officer, only 38% have a chief security officer, and just 20% have a chief privacy officer. As a result, a majority of companies are failing to adequately assess and manage the risks that information security and privacy issues pose to their business,” as quoted from CyLab’s Governance of Enterprise Security study for 2010.

With the seemingly exponential increase in threats that range from criminal enterprise to mischievous script-kiddies, combined with insider threats amplified by a struggling economy and an increase in regulatory compliance demands, one has to wonder why information security is not being given proper credence.

According to the report’s author, Jody Westby, who’s CEO of Global Cyber Risk and a distinguished fellow at CyLab, “the survey results indicate that boards and senior executives need to be more actively involved in the governance of the privacy and security of their computer systems and data.”

Yes, but a willing detachment from the complex legal issues, and from the highly technical and often jargon-laden nuts and bolts of data security initiatives, is probably only one of many causes of boardroom malaise.

Some of the blame also rests with the Information Security Paradox, in which the performance of security efforts is often inversely proportional to the health of the budget for such endeavors.

That is to say, the better job one does preventing major information security events from occurring, the harder it is for one to justify a budget, let alone an increase to said budget.

It is not that the boardroom does not understand risk – they live and breathe risk on a daily basis. What the boardroom does not understand is mitigation of risk when it comes to information technology.

For the full article, visit InfosecIsland

Does the Internet Need a ‘Kill Switch’?

A proposed bill could effectively give the president an Internet “kill switch.”

Senator Joseph Lieberman has proposed the Protecting Cyberspace as a National Asset Act (PCNAA), a bill that would give the president the power to control or even shut down the Internet in emergency situations. Citing the need for cybersecurity, Lieberman said in a press release that the U.S.’s “economic security, national security and public safety are now all at risk from new kinds of enemies — cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals.”

The bill requires that U.S.-based companies such as Google and Yahoo, as well as broadband providers and software firms, comply with any and all measures that the government sees fit in an emergency.

Technology trade association TechAmerica has already expressed worry at the level of control the bill would grant the president if passed — levels that could have “unintended consequences.” Other countries are also decrying the bill, fearing the impact on their own security if the U.S. were to shut down essential parts of the Internet. (via CNET)

Read more:

Windows XP zero-day under attack; Use Microsoft’s “fix-it” workaround

By Ryan Naraine | June 15, 2010, 11:49am PDT

Just five days after Google researcher Tavis Ormandy released details of a critical vulnerability affecting Windows XP and Windows Server 2003, malware authors have struck, exploiting the flaw to plant malware on Windows machines.

The attacks, described by Microsoft as “limited,” are being distributed on rigged Web sites (drive-by downloads).

“Windows Server 2003 customers are not currently at risk from the Win Help issue based on the attack samples we have analyzed,” according to Microsoft’s security response center.

The attacks, which are only targeting Windows XP computers with the HCP protocol enabled, follow the controversial public disclosure of the flaw by Ormandy, a high-profile Google researcher.

The issue, which exists in the Microsoft Windows Help and Support Center, is caused by improper sanitization of hcp:// URIs. It allows a remote, unauthenticated attacker to execute arbitrary commands.

Ormandy, who recently used the full-disclosure hammer to force Oracle to address a dangerous Sun Java vulnerability, posted exploit code for the Windows issue just five days after reporting it to Microsoft.

In an e-mail message announcing the zero-day discovery, Ormandy said protocol handlers are a popular source of vulnerabilities and argued that “hcp://” itself has been the target of attacks multiple times in the past. This prompted his decision to go public without the availability of a patch:

Ormandy said he spent the five days “negotiating” for Microsoft to get a fix ready in 60 days but when that failed, he decided to go public because he was convinced that malicious hackers may be looking into these kinds of security holes.

For instructions on fixing the Windows XP Vulnerability, visit ZDnet

Apple’s Worst Security Breach: 114,000 iPad Owners Exposed

Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the cellular-enabled tablet—could be vulnerable to spam marketing and malicious hacking.

The breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel’s information was compromised.

It doesn’t stop there. According to the data we were given by the web security group that exploited vulnerabilities on the AT&T network, we believe 114,000 user accounts have been compromised, although it’s possible that confidential information about every iPad 3G owner in the U.S. has been exposed. We contacted Apple for comment but have yet to hear back. We also reached out to AT&T for comment. A call to Rahm Emanuel’s office at the White House has not been returned.

Read Further …

Windows, Mac, or Linux: It’s Not the OS, It’s the User

Some operating systems may be safer than others, but naïve users pose the biggest security risk to today’s businesses.

By Jeff Bertolucci, PC World – June 02, 2010 09:43 AM ET

Who’s got the safest operating system? Apple, Google, Microsoft? According to one security expert, what really matters is who’s using the OS.

“Microsoft doesn’t have a monopoly on all the technical vulnerabilities that are out there,” Zulfikar Ramzan, technical director of Symantec Security Response, said Tuesday in a phone interview with PCWorld.

Today’s online criminals are far more likely to target user behavior rather than a technical flaw in the OS. “It’s a lot easier to do that,” said Zulfikar. “You don’t need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content.”

This trend has been rising rapidly over the past two years. Currently, only about 3 percent of the malicious software that Symantec encounters exploits a technical vulnerability. The other 97 percent of malware is either “piggybacking on that 3 percent,” or more likely trying to trick a user through some type of “social engineering” scheme, according to Zulfikar.

For more, read

Rockefeller’s Cybersecurity Act of 2010: A Very Bad Bill

May 4, 2010 – 12:43 pm, Richard Stiennon

Stiennon has been a white hat hacker for PricewaterhouseCoopers, VP Security Research at Gartner, and an executive at Webroot Software and Fortinet, Inc. He is founder and Chief Research Analyst at IT-Harvest.

There are a bunch of cybersecurity bills trickling through Congress right now, some of them several years in the making. Senator Rockefeller’s Cybersecurity Act of 2010 (S.773) is deemed the most likely to get voted on by the Senate, as it was just unanimously passed through the Senate Committee that he chairs, Commerce, Science, and Transportation.

It is time for the security industry to take a close look at this $1.82 billion bill as it contains some pretty drastic measures that are going to be very disruptive, and I believe detrimental.

The preamble, labeled “Findings,” sets the stage with the dramatic language we have become familiar with:

As a fundamental principle, cyberspace is a vital asset for the nation and the United States should protect it using all instruments of national power, in order to ensure national security, public safety, economic prosperity, and the delivery of critical services to the American public.

Even though there is a definitions section, “cyberspace” is never defined in S. 773. And, setting aside the dangling participle, this is a rather broad declaration. All instruments of national power?

For the rest of this post, visit