Windows DLL exploits boom – how to thwart them

On August 23, 2010 Microsoft issued Security Advisory 2269637, warning about a new method of attack based on the standard way Windows finds a DLL called by a program when the program does not specifically define the location. InfoWorld’s Woody Leonhard, among others, had an article about this on August 24 – Heads Up: A whole new class of zero-day Windows vulnerabilities looms.

In a matter of days, hackers were publishing attacks against many Windows apps including Firefox, Chrome, Word, and Photoshop. See Windows DLL exploits boom (August 26).

This is just one example of the speed with which zero-day attacks can proliferate. This is a particularly bad situation because just one Windows vulnerability is being used to create a large number of zero-day attacks across a wide range of applications. We recommend organizations deploy FireEye to counter these zero-day attacks.

From an end user perspective, on August 27, Woody Leonhard published a helpful article, How to thwart the new DLL attacks. To summarize, Woody has two excellent recommendations for users:

First, never double-click on a file that’s in a potentially compromised location. Drag it to your desktop, then open it.

Second, make Windows show you filename extensions and hidden files.
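As an added example (not from Woody's article or the original post), the PowerShell below applies the two Explorer settings behind the second recommendation and then reports whether the machine-wide CWDIllegalInDllSearch registry mitigation that Microsoft documented alongside Advisory 2269637 (KB 2264107) is in place. The registry path, value names and value meanings come from Microsoft's documentation rather than this page, and the check assumes that update is installed.

```powershell
# Added example (not from the original post): apply the two end-user settings
# recommended above, then report whether the machine-wide registry mitigation
# Microsoft documented alongside Advisory 2269637 (CWDIllegalInDllSearch, from
# KB 2264107, an identifier not mentioned on this page) is in place.
# Run in an ordinary user session; the HKLM part only reads, so no elevation is needed.

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Show file name extensions (HideFileExt = 0), so a double extension such as
# "report.pdf.exe" is no longer disguised.
Set-ItemProperty -Path $explorer -Name 'HideFileExt' -Value 0 -Type DWord

# Show hidden files and folders (Hidden = 1; 2 hides them again), so a DLL
# planted beside a document in a shared folder is visible before you open it.
Set-ItemProperty -Path $explorer -Name 'Hidden' -Value 1 -Type DWord
# Explorer windows pick up these view settings after you sign out and back in.

# Check the current-working-directory DLL search mitigation.
$sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$val = (Get-ItemProperty -Path $sm -Name 'CWDIllegalInDllSearch' -ErrorAction SilentlyContinue).CWDIllegalInDllSearch

if ($null -eq $val) {
    'CWDIllegalInDllSearch is not set: the current directory is still searched for DLLs'
} elseif ($val -eq 1) {
    'CWDIllegalInDllSearch = 1: DLL loads from WebDAV current directories are blocked'
} elseif ($val -eq 2) {
    'CWDIllegalInDllSearch = 2: DLL loads from remote (WebDAV or UNC) current directories are blocked'
} elseif ($val -eq -1) {
    # The documented value 0xFFFFFFFF reads back as -1 because a REG_DWORD is returned as Int32.
    'CWDIllegalInDllSearch = 0xFFFFFFFF: the current directory is removed from the DLL search path'
} else {
    "CWDIllegalInDllSearch has an unexpected value: $val"
}
```

The same value can be set per application under Image File Execution Options, which is the route to take when a single legacy program breaks with the machine-wide setting.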


MPLS WAN Encryption – It’s time

Is MPLS secure? All the MPLS vendors use the term VPN (Virtual Private Network), implying some level of security. But in reality, MPLS is not encrypted and therefore subject to snooping. But of course, you have no way of knowing one way or the other.

Mike Fratto at Network Computing wrote a nice piece a couple of months ago explaining the situation.

If you talk to the WAN services folks at a carrier, their definition of a VPN will be an overlay network that is carried by another network over shared infrastructure. By the carrier’s definition, a telephone call over a PSTN is a VPN. The carrier definition is very different from the other definition of a VPN as an authenticated and encrypted layer 3 tunnel between two nodes, with one node being a network. The former definition assumes that the carrier’s employees are trustworthy. The latter definition doesn’t care if they are or aren’t.

In addition, compliance regimes like MA 201 CMR 17 and HIPAA are mandating WAN encryption.

To encrypt MPLS traffic, and indeed any wide area network traffic, we recommend CipherOptics.


Is there a need for mobile anti-malware

With the increasing popularity of mobile devices like iPhones and Android-based phones, we are beginning to see targeted malware, raising the question, do we need anti-malware for our mobile devices? ReadWriteWeb Enterprise was prompted to write an article on this topic as a result of the Android game Tap Snake which was reported to be spyware.

It appears the mobile anti-malware market is fairly immature:

I took the opportunity to test a few of the anti-malware apps available on the market: antivirus free from droidSecurity, Lookout, Symantec’s Norton Mobile Security for Android beta, and Smobile. I was also going to try SmrtGuard, but I couldn’t get the app to activate before Tap Snake was removed from Android Market. Of those four apps, only one detected Tap Snake as a potential threat.

The article goes on to say that tightly controlling what apps can be loaded onto mobile devices may be all enterprises need at this time.


Russian cyber crime – the life and times of BadB

Earlier this week, the NYTimes wrote an article on the life and times of BadB, Vladislav Horohorin, a Russian cyber criminal recently arrested while on a trip to France.

He is expected to appear soon before a French court that will decide on his potential extradition to the United States, where Mr. Horohorin could face up to 12 years in prison and a fine of $500,000 if he is convicted on charges of fraud and identity theft. For at least nine months, however, he lived openly in Moscow as one of the world’s most wanted computer criminals.

It appears that BadB operated openly in Russia despite the fact that he was indicted in the United States in November 2009. He was arrested only because he traveled to a country which respects the rule of law and does not have an adversarial relationship with the U.S.

Computer security researchers have raised a more sinister prospect: that criminal spamming gangs have been co-opted by the intelligence agencies in Russia, which provide cover for their activities in exchange for the criminals’ expertise or for allowing their networks of virus-infected computers to be used for political purposes — to crash dissident Web sites, perhaps.

Definitely worth reading the whole article.


Only one way to block ‘Flash cookies’

While browsers now give you total control of standard “cookies,” Flash cookies are another matter. Woody Leonhard at InfoWorld writes about the only way to control Flash cookies in his article, Block ‘Flash Cookies’ to thwart zombies. Hint: you have to go to the Adobe Flash Player Settings Manager site.

OpenDNS – Simplifying the Lives of Web Users

David Pogue at the New York Times wrote a very good article about OpenDNS, Simplifying the Lives of Web Users. The article also provides a well written explanation of DNS – Domain Name Service.

I did not realize that one of the benefits of OpenDNS is phishing protection:

PHISHING PROTECTION Phishing is the Internet scheme where you get a fake e-mail note from your bank about a problem with your account. When you click the link to correct the problem, you get a fake Web site, designed to look just like your bank’s — and by logging in, you unwittingly supply your name and password to the bad guys.

OpenDNS intercepts and blocks your efforts to visit the fake sites. It works like a charm.

Another layer of phishing protection alone makes OpenDNS worthwhile. Improved performance, availability, shortcuts, typo corrections, and parental controls are other benefits Pogue discusses.

Automated Clearing House (ACH) fraud increasing

CSOOnline has a good article on ACH (Automated Clearing House) fraud:

Fraud involving the Automated Clearing House (ACH) Network, which is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals, is becoming an increasingly popular way for hackers to siphon money out of the bank accounts of unsuspecting victims.

Fraudsters only need two pieces of information to pull off ACH fraud: a checking account number and a bank routing number. They typically obtain the information with a targeted phishing email that tricks the victim into running malicious software which then allows criminals to install keylogging software and steal bank account passwords.

In order to reduce the risk of this type of exploit, we recommend using a bootable, secure “Trusted Client” on an encrypted USB stick from Becrypt.

A framework to replace PCI?

There has been much commentary this past week about the limited enhancements in the upcoming PCI-DSS 2.0 framework. Martin McKeay wrote a post, How would I write a framework to replace PCI? where he talks about three key principles: (1) Everything flows from policy, (2) Keep it simple, and (3) Concentrate on results, not technologies.

I see it differently. The key principles of the SANS Twenty Critical Security Controls for Effective Cyber Defense make more sense and provide the basis for the Cymbel Approach:

  • Offense must inform defense – knowledge of actual attacks that have compromised systems provides an essential foundation on which to construct effective defenses.
  • Work from a prioritized baseline of information security measures and controls
  • Most controls must be automated – there is no way for an organization to cost effectively defend itself with manual controls
  • Measure the effectiveness of controls – Automated techniques, where possible, should be used to measure the effectiveness of deployed controls.

Furthermore, regarding policies – you cannot start the process with policies without establishing context first. Therefore we start our processes with Visibility. You can read more about this on the Cymbel Services page.

Marketers “spying” on Internet users

The Wall St. Journal (via The New School of Information Security blog) has a very nice interactive tool, What They Know, for exploring the tracking files used by the 50 most popular U.S. websites and WSJ.com.

Is this spying? To what degree can you “opt out” of these tracking files? It’s not easy for the average web user, but doable. On the other hand, content publishers have a right to monetize their content via advertising and other indirect methods considering they cannot get people to pay directly.

Intel, McAfee, and vPro

How many people remember Intel’s vPro? Do you know if your PC supports vPro? Do you care? It was announced by Intel at least six years ago.

As Intel says on its vPro home page:

Notebook and desktop PCs with Intel® vPro™ technology enable IT to take advantage of hardware-assisted security and manageability capabilities that enhance their ability to maintain, manage, and protect their business PCs. And with the latest IT management consoles from Independent Software Vendors (ISVs) with native Intel vPro technology support, IT can now take advantage of enhanced features to manage notebooks over a wired or corporate wireless network, or even outside the corporate firewall through a wired LAN connection.

PCs with Intel vPro technology integrate robust hardware-based security and enhanced maintenance and management capabilities that work seamlessly with ISV consoles. Because these capabilities are built into the hardware, Intel vPro technology provides IT with the industry’s first solution for OS-absent manageability and down-the-wire security even when the PC is off, the OS is unresponsive, or software agents are disabled.

While vPro looks intriguing, it does not appear to me that ISVs really embraced it. Perhaps one of the reasons for Intel acquiring McAfee was it felt it had to force the issue. The Microsoft approach of “loose” integration was not working and Intel decided to place a bet on the Apple strategy of “tight” integration.