Archives for July 2010

Apple fixes Safari auto-fill vulnerability

It looks like Apple was working on a fix for the Safari auto-fill vulnerability after all. According to MacRumors, “As noted in the security documentation accompanying today’s release, Safari 5.0.1 and 4.1.1 address an AutoFill security flaw disclosed last week that could allow a malicious site to obtain a user’s Address Book information, including name, company affiliation, city/state/country, and email address.”

The Robin Sage saga – social engineering at its finest

The Robin Sage story broke in early July and I am late in getting to it. I was going to skip it, but it’s such a good story, I wanted to note it. The Dark Reading version is quite detailed.

The key, though, is straightforward – people accepted invitations from someone they did not know. It’s that simple. This is a type of “inside-out” social engineering attack vector, which has become the primary method of cyber criminals. Why bother with the traditional “outside-in” attack on network device or endpoint software vulnerabilities when all you need to do is lure the victim to a malware-laden web page?

Running a Robin Sage type of “experiment” in your organization should be part of your security awareness training program.

Fraud related to virtual goods sales increases to 1.9%

The Wall St. Journal is reporting that fraud related to the sale of virtual goods, primarily in online games, increased to 1.9% in 2009. This compares to 1.1% for physical goods. These numbers are coming from CyberSource Corp., a subsidiary of Visa, which provides payment management services including fraud detection related to the sale of digital goods. (We at Cymbel have no relationship with CyberSource or the other vendors like PayPal mentioned in the article.)

While interesting, these numbers are not surprising. As the article states, many of the precautions that can be used in the physical world, like checking the shipping address against the address on the credit card, are not available in the world of purely digital goods.

So for those selling digital goods, selecting a payment processing provider should be just as much about its fraud detection capabilities as processing fees.

Apple leads in software vulnerabilities

More news from Secunia via ars technica. Apple has surpassed Oracle as the software company leader in security vulnerabilities. Microsoft is third. You can read the details here.

Also of note in the Secunia report, in the world of Windows, third party application vulnerabilities far exceed those found in Windows itself. And unfortunately, many third party applications do not have automated patch updating services as well developed as Microsoft’s.

Adobe Reader improved security coming

ars technica reported that, “Microsoft has been helping Adobe develop a sandbox similar to the Protected View in Office 2010.” Considering that Adobe Reader is #5 on Secunia’s list of third party products ranked by number of vulnerabilities, this is welcome news. More on Protected View in Office 2010 here.

The question is, why wouldn’t you want all your applications sandboxed this way?

How does Microsoft’s sandboxing technology compare to Suse Linux Enterprise Desktop’s AppArmor?

Safari privacy vulnerability – Apple unresponsive

Jeremiah Grossman posted information on a very serious Safari privacy vulnerability which Apple has not yet patched. Here is the lead paragraph of Jeremiah’s post:

Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.

Jeremiah says he notified Apple on June 17th. Other than what appears to be an automated email reply, there has been no response. Since Apple had not responded in a meaningful way, Jeremiah decided to go public, as the 83+ million Safari v4 and v5 users have a right to know so they can change the Autofill configuration to protect themselves.

Fake YouTube page used to infect soccer fans

Zscaler discusses yet another example of blackhats drawing unsuspecting fans to fake web pages containing malware. This time it’s a fake YouTube page designed to attract soccer fans during the World Cup.

I call this type of attack, “inside-out,” in the sense that the attacker draws an insider out to a web-page to initiate the attack rather than using the traditional “outside-in” direct attack method of finding and exploiting a network or application vulnerability. While traditional vulnerability assessments are still important, they do not provide the complete picture of your risks.

This is why we recommend a Next Generation Firewall or a Secure Web Gateway which offers protection from this type of social engineering attack.

American Airlines hard drive stolen

SC Magazine is reporting that a hard drive containing the personal information of 79,000 current and former American Airlines employees was stolen. Not to worry though, the disk was encrypted. What? It wasn’t? Apparently not. “The affected individuals have been notified and offered one year of free credit monitoring services.”

My recommendation: don’t wait for a notification; spend the $100 per year yourself for credit monitoring.

Advanced Persistent Threats and Ponemon

Last week the Ponemon Institute announced the results of a survey they did, funded by Netwitness, entitled Growing Risk of Advanced Threats: Study of IT Practitioners in the United States.

I agree with the concerns expressed by Richard Bejtlich in his blog post, Ponemon Institute Misses the Mark, regarding the use of the term “advanced threat” and “Advanced Persistent Threat” (APT). In reality the Ponemon research used the term “advanced threat” to include almost anything including APT. I agree with Richard that Ponemon seems to be creating confusion rather than clarity.

I certainly have no argument with the value of a full packet capture product in the investigation of APTs. Full disclosure, Cymbel is a partner with a competitive full packet capture product manufacturer, Solera Networks. However, I am sensitive to marketing FUD, to which unfortunately our industry is prone. I wrote about the meaning of Advanced Persistent Threats in my personal blog last February. It’s bad enough without conflating it with other serious security threats. Here is the final paragraph of that post:

In summary then, APTs do represent techniques that are more difficult to detect because the adversary, when faced with an above average defense, does not move on to a weaker target. The adversary is persistent and will escalate tactics. Second, the focus is on stealing intellectual property rather than money to advance the adversary’s strategic technical, economic, political, and military goals.

Six database breaches during H1/2010 point to needed controls

Dark Reading posted an overview of six database breaches that occurred during the first half of 2010. All of them resulted from lack of controls covered in the SANS Twenty Critical Security Controls for Effective Cyber Defense, the backbone of Cymbel’s Approach to information security and compliance. Here is a brief explanation of each breach and the SANS Critical Controls that would have prevented or at least detected the breach more quickly:

  1. Arkansas National Guard – 32,000 current and former Guardsmen personal information removed on an external disk drive and subsequently lost.
    • Critical Control #15 – Data Loss Prevention, Subcontrol #6 – encrypt hard drives
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – copying large numbers of database records should generate an alert indicating the who, what, and when of the query.
  2. University of Louisville – database of dialysis patients exposed due to lack of password protection of the web application.
    • CC#7 – Application Software Security, Subcontrol #3 – Test web applications for common security weaknesses.
    • CC#7 – Application Software Security, Subcontrol #6 – Software development personnel receive training on Secure Development Life Cycle.
  3. WellPoint – 470,000 customer records exposed to unauthorized users due to insecure web application code.
    • CC#7 – Application Software Security, Subcontrol #1 – Deploy a Web Application Firewall
    • CC#7 – Application Software Security, Subcontrol #2 – Automated code analysis
    • CC#7 – Application Software Security, Subcontrol #3 – Automated remote web vulnerability scanner
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
  4. Virginia Beach Department of Social Services – eight employees and supervisors fired or disciplined for abusing their database access privileges by accessing restricted information about employees, family members, and clients.
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – establish more granular access policies
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
  5. Florida International University – 20,000 students and faculty sensitive records exposed on an unauthorized database in an insecure computing environment.
    • CC#1 – Inventory of Authorized and Unauthorized Devices, Subcontrol #1 – Automated asset inventory discovery system
    • CC#2 – Inventory of Authorized and Unauthorized Software, Subcontrol #2 – Automated software discovery system
    • CC#15 – Data Loss Prevention, Cymbel Extension – Network-based User Activity Monitoring – Anomalous database queries
  6. Lincoln National Corp. – 1.2 million customers’ portfolios exposed due to lax password management and frequent credentials sharing. Some passwords had not changed in seven years!
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #3 – Change passwords at regular 30, 60, 90 day intervals.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #6 – Administrative accounts should only be used for administrative functions.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #8 – No password reuse within six months.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #11 – Two-factor authentication
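
The Database Activity Monitoring control cited for several of the breaches above comes down to two checks: alert on bulk record copies, and alert on queries far outside a user's own pattern, recording the who, what, and when. The sketch below is an added example, not code from Dark Reading, SANS or Cymbel; the audit records, thresholds, account names and allowlist are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed audit records: (timestamp, db_user, statement, rows_returned).
AUDIT_LOG = [
    ("2010-07-01T09:02:11", "jsmith", "SELECT * FROM members WHERE id = 4821", 1),
    ("2010-07-01T09:05:40", "jsmith", "SELECT * FROM members WHERE unit = 'A'", 40),
    ("2010-07-01T09:09:03", "jsmith", "SELECT * FROM members WHERE id = 977", 1),
    ("2010-07-01T09:15:27", "jsmith", "SELECT * FROM members WHERE id = 12", 1),
    ("2010-07-01T10:00:00", "batch_rpt", "SELECT * FROM members", 32000),
    ("2010-07-01T23:41:52", "jsmith", "SELECT * FROM members", 32000),
    ("2010-07-02T08:30:19", "akhan", "SELECT * FROM clients WHERE id = 5", 1),
    ("2010-07-02T08:31:02", "akhan", "SELECT * FROM clients WHERE id = 6", 1),
    ("2010-07-02T08:33:45", "akhan", "SELECT * FROM clients WHERE id = 7", 1),
    ("2010-07-02T08:40:10", "akhan", "SELECT * FROM employees WHERE dept = 'HR'", 250),
]

BULK_ROWS = 10000          # assumed absolute threshold for a bulk record copy
BASELINE_FACTOR = 50       # assumed multiple of the user's own median row count
MIN_HISTORY = 3            # prior queries required before baselining a user
ALLOWLIST = {"batch_rpt"}  # hypothetical approved bulk-reporting account


def detect(records):
    """Return alerts as dicts with who/what/when/rows/reasons, in log order."""
    history = defaultdict(list)
    alerts = []
    for when, who, what, rows in records:
        reasons = []
        if rows >= BULK_ROWS and who not in ALLOWLIST:
            reasons.append("bulk_export")
        prior = history[who]
        if len(prior) >= MIN_HISTORY:
            base = max(median(prior), 1)
            if rows >= base * BASELINE_FACTOR:
                reasons.append("above_user_baseline")
        if reasons:
            alerts.append({"who": who, "what": what, "when": when,
                           "rows": rows, "reasons": reasons})
        else:
            history[who].append(rows)  # only unflagged queries feed the baseline
    return alerts


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(a["when"], a["who"], a["rows"], ",".join(a["reasons"]), "|", a["what"])
```

The per-user baseline is what catches the insider-abuse case: a 250-row query is unremarkable in absolute terms but stands out for an account that normally pulls one record at a time.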