Java JRE, Adobe Acrobat and Flash; the triumvirate of malware evil

Subject: General Tech | October 5, 2011 - 12:19 PM |
Tagged: fud, security, microsoft, windows

An interesting study that Slashdot has linked to today breaks down three months of infection data and crunches the numbers to see how the infections made it onto systems and which systems are the most vulnerable.  Fully two thirds of the infections happened to users browsing with Internet Explorer, but you must keep in mind IE's market share.  At this time last year half of all users browsed the internet with some version of IE, and while that has fallen to around 40% this year it is still the most commonly used browser and will therefore have a greater representation in the sample of PCs tested.  As long as you keep that in mind, you can then move on to disparaging the average IE user ... especially if it is still IE6.

As well, you can see that Vista has something to be proud of.  Even with the lack of PCs using the OS it has almost as many infections as WinXP machines.  As to the programs most likely to be used as an attack vector ... Java JRE sits at 37% with Acrobat just behind at 32%, leaving the much maligned Flash responsible for only 16%.


"Since up to 85% of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits, CSIS has actively collected real time data from them for a period of three months. The purpose of their study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third party software are at risk. They monitored more than 50 different exploit kits on 44 unique servers / IP addresses. The statistical material covers all in all more than half a million user exposures out of which as many as 31.3% were infected with the virus/malware due to missing security updates."


Source: Slashdot

Still hope for SSL, the web ain't dead yet

Subject: General Tech | September 26, 2011 - 01:20 PM |
Tagged: fud, security, SSL

SSL and secure data transfer are wounded, but not dying quite yet if you use an elderly stream cipher called RC4 (also known as ARC4).  AES is currently suggested as the preferred way of encrypting data transfers, but the BEAST (Browser Exploit Against SSL/TLS) attack is capable of defeating AES encryption.  Unfortunately there are attack methods which are able to defeat RC4, specifically as it is implemented for WPA and WEP in wireless networks.  Google informed The Register that they have been using RC4, although clients that attempt to connect but don't support that cipher are offered the vulnerable AES method.  Google also pointed out that the latest developer version of Chrome protects against the BEAST attack, but didn't mention when the main version of Chrome will protect users.


"The recommendations published Friday by two-factor authentication service PhoneFactor, suggest websites use the RC4 cipher to encrypt SSL traffic instead of newer, and ironically cryptographically stronger, algorithms such as AES. Google webservers are already configured to favor RC4, according to this analysis tool from security firm Qualys. A Google spokesman says the company has used those settings 'for years.'"


Source: The Register

Sort of secure socket layer

Subject: General Tech | September 20, 2011 - 12:02 PM |
Tagged: fud, SSL, tls, security

The good news about the discovery that the encryption procedure behind Secure Sockets Layer and Transport Layer Security has been compromised is that the newest versions of both SSL and TLS are still safe, and they have been available for a while now.  The bad news is that not only do only a tiny handful of websites use TLS 1.1/1.2 and SSL 3.0, most browsers don't even support the updated protocols.  Oddly, Internet Explorer and Internet Information Services both support the newer protocols, though they are not enabled by default; the only browser that does have TLS 1.2 enabled by default is Opera.

You don't have to switch browsers immediately: in order for your secure connection to be compromised, the attacker first has to compromise your browser or machine to get JavaScript code running in your browser before they can start the decryption process.  It is not the quickest piece of programming either ... yet.  In the proof of concept that The Register references, a 1000-2000 character long cookie will take about half an hour to crack, which is most likely longer than the average connection to your PayPal account will last, PayPal being the site they used as an example.  Of course, if you throw a dozen Tesla cards at it, it will probably decrypt the packets at a much quicker pace.


"Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting."


Source: The Register

Oh joy the BIOS level trojan is finally here

Subject: General Tech | September 13, 2011 - 01:00 PM |
Tagged: security, fud, bios, trojan, bmw

You do not want BMW; it is a Trojan that uses your master boot record and your BIOS to ensure that it remains on your system, so even after a format and reinstall of Windows it will still be infecting you.  It initially infects winlogon.exe on Windows XP and Server 2003, or wininit.exe on Windows 7 and Vista, but once it is on the machine it installs and uses HOOK.ROM at the BIOS level to check whether it has been uninstalled and, if so, reinstall itself.  The Register points out that in this case the enormous variety of BIOS setups is a good thing, as it ensures that any BIOS-level virus will always be limited in scope, since the vulnerability it relies on is shared only by a single BIOS type.


"SECURITY RESEARCHERS at Chinese antivirus firm 360 have identified a piece of malware that installs rogue code into the BIOS of targeted computers.

Dubbed BMW by 360 and Mebromi by other security vendors, the threat has separate components for the operating system, the master boot record (MBR) and the system BIOS."


Source: The Inquirer

Nothing new to see here but Firesheep may be news to some

Subject: General Tech | September 12, 2011 - 11:56 AM |
Tagged: firesheep, security, fud, https

About a year ago you may have read about Firesheep, a Firefox add-on which takes advantage of the unencrypted nature of many packets being sent to social networks to allow others to access your accounts.  It is specifically used on wireless connections, in what is called a man-in-the-middle attack: as you surf using an unencrypted connection, the laptop running Firesheep captures your data before it even hits your account.  That extension is still around and causing havoc, making the news recently with the revelation that packets sent via Google have a unique session ID sent in plain text which can be used to identify a Google account and then access the search history of the account.  Check out The Register for more on this topic and consider HTTPS Everywhere for your laptop.
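The defensive side of the problem above is checking whether a site ever lets a session cookie travel over plain HTTP. The following is an added example, not Firesheep or anything from The Register: it walks a constructed HTTP transcript (hypothetical host and cookie names) and reports session cookies set without the Secure attribute and those actually sent over a cleartext connection.

```python
"""Added audit (not Firesheep's code): walks an HTTP transcript and reports
session cookies that a plain http:// request would expose to a Wi-Fi sniffer."""
import re

# Constructed transcript, not captured traffic: (scheme, direction, raw header block)
SAMPLE = [
    ("https", "response", "HTTP/1.1 200 OK\r\nSet-Cookie: SID=abc123; Path=/; HttpOnly\r\n"),
    ("http",  "request",  "GET /search?q=x HTTP/1.1\r\nHost: www.example\r\nCookie: SID=abc123; PREF=ID=1\r\n"),
    ("https", "response", "HTTP/1.1 200 OK\r\nSet-Cookie: auth=zzz; Secure; HttpOnly\r\n"),
    ("http",  "request",  "GET / HTTP/1.1\r\nHost: www.example\r\nCookie: PREF=ID=1\r\n"),
]
# Cookie names that usually carry a login session (hypothetical list; extend per site)
SESSION_NAME = re.compile(r"^(sid|sessionid|phpsessid|jsessionid|auth)$", re.I)


def parse_headers(raw):
    """Turn a raw header block into {lower-case name: [values]}; the first line
    (request or status line) is skipped, repeated headers are kept in order."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(transcript):
    """Return (cookie name, issue) pairs: 'missing-secure' for a Set-Cookie the
    browser may later send over http, 'sent-cleartext' for one it actually did."""
    findings, insecure = [], set()
    for scheme, direction, raw in transcript:
        headers = parse_headers(raw)
        if direction == "response":
            for sc in headers.get("set-cookie", []):
                name = sc.split("=", 1)[0].strip()
                attrs = {a.strip().lower() for a in sc.split(";")[1:]}
                if "secure" not in attrs:      # browser is allowed to send it over http
                    insecure.add(name)
                    findings.append((name, "missing-secure"))
        elif scheme == "http":
            for cookie_header in headers.get("cookie", []):
                for pair in cookie_header.split(";"):
                    name = pair.split("=", 1)[0].strip()
                    if name in insecure or SESSION_NAME.match(name):
                        findings.append((name, "sent-cleartext"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```

The PREF cookie in the sample is not flagged because it is neither a known session name nor one seen being set without Secure; a real run would feed the audit from a proxy or packet capture instead of the constructed list.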


"Researchers have released a Firefox extension that demonstrates the risks of using Google search services on Wi-Fi hotspots and other unsecured networks: With just a few clicks, attackers can view large chunks of your intimate browsing history, including websites you've already visited."


Source: The Register

So you think nobody knows what you've been watching on the net?

Subject: General Tech | August 17, 2011 - 02:03 PM |
Tagged: security, fud, tracking cookie, super cookie, ETag value

KISSmetrics is a small company which is able to track your movements across sites like Hulu and Spotify, using what some call a super cookie but more accurately is an ETag value.  That ETag value is a unique identifier stored in both a browser's cache and metadata folders which can be sent to KISSmetrics via JavaScript along with a header, so that any time you visit a site partnered with KISSmetrics they will know it is you.

Of course, very soon after the technical documentation of the trick was released to the net, KISSmetrics claimed that they were completely innocent and that it was all a misunderstanding.  According to the CEO of KISSmetrics the company has never tracked anyone nor shared the information with a third party, so either the company never plans to ever make any money or he is being very specific in his definitions of what "is is".  Even better, they claim not to use ETag values at all, only first party cookies.  They also claim support for the Do Not Track header and a "consumer-level opt-out" for their tracking.  That is disingenuous in that there is no sign of how to start the opt-out process on their site, nor is there any clear way that they could identify you in order to let you opt out without a cookie or ETag placed on your machine in the first place.

The Do Not Track header is a good idea, but in addition you should consider browser add-ins such as BetterPrivacy, NoScript and Ghostery essential, and perhaps even get used to running Chrome in Incognito mode, if you do not want to be tracked.  Don't use them to disable the ads which fund your favourite websites; they should be used only to identify and possibly block violations of your privacy.  You can follow the link at The Register if you would like to see the technical research that has led to these questions about KISSmetrics.
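To make the ETag mechanism described above concrete, here is an added simulation (not KISSmetrics' code, and the tracker URL and site names are hypothetical): a tracker hands each new visitor a unique ETag, the browser cache echoes it back as If-None-Match on every later load, and clearing cookies alone changes nothing. The block also shows the two things that do break the link: clearing the HTTP cache, and a cache partitioned by the top-level site that embedded the resource.

```python
"""Constructed simulation of ETag-based re-identification (modelled on the
technique described above, not KISSmetrics' code) and of two browser-side
mitigations: clearing the HTTP cache and partitioning it per top-level site."""
import secrets

TRACKING_URL = "https://tracker.example/pixel.gif"   # hypothetical tracking resource


class TrackingServer:
    """Hands each new visitor a unique ETag and recognises it on revalidation."""

    def __init__(self):
        self.visits = {}   # ETag -> list of sites the visitor was seen on

    def handle(self, req_headers, top_site):
        tag = req_headers.get("If-None-Match")
        if tag in self.visits:
            self.visits[tag].append(top_site)
            return 304, {"ETag": tag}, b""          # "Not Modified": identifier echoed back
        tag = '"' + secrets.token_hex(8) + '"'      # fresh per-visitor identifier
        self.visits[tag] = [top_site]
        # max-age=0 forces a revalidation (and hence an If-None-Match) on every load
        return 200, {"ETag": tag, "Cache-Control": "private, max-age=0"}, b"GIF89a"


class Browser:
    """Minimal browser state: a cookie jar and an HTTP cache, cleared independently."""

    def __init__(self, partitioned=False):
        self.cookies = {}          # never consulted by the tracker; kept to show clearing it is moot
        self.cache = {}            # cache key -> (etag, body)
        self.partitioned = partitioned

    def _key(self, url, top_site):
        # A partitioned cache keys entries by the site that embedded the resource,
        # so a pixel loaded on video.example cannot see the tag issued on news.example.
        return (top_site, url) if self.partitioned else url

    def fetch(self, server, url, top_site):
        key, headers = self._key(url, top_site), {}
        if key in self.cache:
            headers["If-None-Match"] = self.cache[key][0]   # the cache, not a cookie, carries the ID
        status, resp, body = server.handle(headers, top_site)
        if status == 200:
            self.cache[key] = (resp["ETag"], body)
        return resp["ETag"]

    def clear_cookies(self):
        self.cookies.clear()

    def clear_cache(self):
        self.cache.clear()


def cross_site_ids(partitioned=False, clear_cache_between=False):
    """Load the tracker pixel from two partner sites with one browser and
    return the identifier the tracker saw each time (equal means the user was linked)."""
    server, browser = TrackingServer(), Browser(partitioned)
    first = browser.fetch(server, TRACKING_URL, "news.example")
    browser.clear_cookies()                 # a cookie-only privacy setting: no effect here
    if clear_cache_between:
        browser.clear_cache()
    second = browser.fetch(server, TRACKING_URL, "video.example")
    return [first, second]


if __name__ == "__main__":
    print("default cache:    ", cross_site_ids())
    print("cache cleared:    ", cross_site_ids(clear_cache_between=True))
    print("partitioned cache:", cross_site_ids(partitioned=True))
```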


"A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser's privacy mode."


Source: The Register

Nearly Half of Organizations Have Lost Sensitive or Confidential Information on USB Drives in Just the Past Two Years

Subject: General Tech | August 9, 2011 - 01:27 PM |
Tagged: security, fud

The next time your boss complains about the price when you suggest picking up secure USB sticks, you might want to reference this report from Kingston, which details several horror stories of what happens with a lax policy towards portable storage.  We have seen Stuxnet recently, and there is a long list of tricks that can be played with USB devices via the U3 autorun present on many of them.

This goes far beyond just a complaint about using USB sticks received for free at trade shows or picked up on discount from Costco: the report cites an instance where unmarked USB sticks were left in obvious spots in government parking lots and over half of them ended up being plugged into the work PC of the person who found them.  Maybe now spending a little extra on secure USB sticks will seem a little more attractive to the beancounters.


Fountain Valley, CA -- August 9, 2011 -- Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., the independent world leader in memory products, today announced the results of a study conducted by the Ponemon Institute looking at USB prevalence and risk in organizations. The study found that inexpensive consumer USB Flash drives are ubiquitous in all manner of enterprise and government environments ― typically with very little oversight or controls, even in the face of frequent and high profile incidents of sensitive data loss. The Ponemon Institute is an independent group that conducts studies on critical issues affecting the management and security of sensitive information about people and organizations.

The study underscores the pressing need for organizations to adopt more secure USB products and policies. A group of 743 IT professionals and IT security practitioners from global companies based in the United States were polled, and all acknowledged the importance of USB drives from a productivity standpoint. They cautioned, however, about the lack of organizational focus regarding security for these tools to meet appropriate data protection and business objectives.

The most recent example of how easily rogue USB drives can enter an organization can be seen in a U.S. Department of Homeland Security test in which USBs were ‘accidentally’ dropped in government parking lots. Without any identifying markings on the USB stick, 60 percent of employees plugged the drives into government computers. With a ‘valid’ government seal, the plug-in rate reached 90 percent.

According to the Ponemon study, more than 40 percent of organizations surveyed report having more than 50,000 USB drives in use in their organizations, with nearly 20 percent having more than 100,000 drives in circulation. The study finds that a whopping 71 percent of respondents do not consider the protection of confidential and sensitive information on USB Flash drives to be a high priority. At the same time, the majority of these same respondents feel that data breaches are caused by missing USB drives.

The Ponemon study concluded that a staggering 12,000 customer, consumer and employee records were believed to be lost on average by these same companies as a result of missing USBs. According to a previously released Ponemon report, the average cost of a data breach is $214 per record, making the potential average total cost of lost records to the organizations surveyed for the Ponemon USB Flash drive study, reach upwards of $2.5 million (USD). Other key findings in the report include:

Evidence of widespread compromise is apparent:

  • Nearly 50 percent of organizations confirmed lost drives containing sensitive or confidential information in the past 24 months.
  • The majority of those organizations (67 percent) confirmed that they had multiple loss events – in some cases, more than 10 separate events.

Oversight and control of USBs in enterprises can be better:

  • Free USB sticks from conferences/trade shows, business meetings and similar events are used by 72 percent of employees ― even in organizations that mandate the use of secure USBs.
  • In terms of policies and controls, of the hundreds of IT professionals and IT security professionals polled, only 29 percent felt that their organizations had adequate policies to prevent USB misuse.

“An unsecured USB drive can open the door for major data loss incidents,” said Larry Ponemon, Chairman and Founder of the Ponemon Institute. “Organizations watch very carefully, and put a plethora of controls around, what enters their businesses from cyberspace. This study drives home the point that they must also take a more aggressive stance on addressing the risks that exist in virtually every employee’s pocket.”

“Kingston believes a lack of oversight, education and corporate confusion are factors that lead to the overwhelming majority of data loss when it comes to USB Flash drives,” said John Terpening, Secure USB business manager, Kingston. “Organizations fear that any attempt to control a device like a USB is likely to be futile and costly, both in terms of budget and loss of productivity. However, a simple analysis of what an organization needs and the knowledge that there is a range of easy-to-use, cost-effective, secure USB Flash drive solutions can go a long way toward enabling organizations and their employees to get a handle on the issue.”

The full report can be downloaded from the Kingston Web site.

Source: Kingston

Skype fall down, go boom ... doubtful Microsoft has anything to do with it

Subject: General Tech | May 26, 2011 - 12:12 PM |
Tagged: fud, skype, microsoft

According to The Inquirer, at 12:15 GMT (+1 hr thanks to daylight savings) Skype suffered a major network failure that seems to have taken out not only the Skype VoIP client but also the availability of their site.  As of right now there is no workaround or solution; Skype is investigating the cause, but for now other clients are your best bet for communicating over the web.

Since this has occurred 2 weeks after Microsoft purchased Skype, speculation is running rampant that this is some sort of planned interruption.  It seems a little far-fetched to think that even a company with as much financial power as Microsoft would dump $8.5 billion just to shut down a competing service.  They are going to want some return on their investment, and simply using Skype's patents (some of which are still under review) or its infrastructure to prop up SharePoint is not going to return that money.  Ad-generated revenue on the sidebar of the client and hooking this up to Microsoft's various social and gaming applications seems more likely, which implies that shutting down Skype is the last thing on their mind.

Hopefully it will be fixed in time for This Week in Computer Hardware.


"VOICE OVER IP (VoIP) and chat service Skype has crashed throughout the world and continues to crash on login, leading many to suspect that its recent acquisition by Microsoft is a definite disaster.

The service began to crash around 12:15pm UK time, kicking people offline and freezing when they tried to log back in again. Other users who remained online had difficulties making calls. Restarting your PC or reinstalling Skype has no effect, as the problem is clearly on Skype's end."


Source: The Inquirer

Not the kind of sharing we like to see, the Blackhole exploit kit is available for free

Subject: General Tech | May 25, 2011 - 11:48 AM |
Tagged: fud, security

The Blackhole exploit kit, which until now required you to have a pocketful of money and enough hacker cred to get onto the sites where it was available for sale, is now freely available to any and all.  The exploit kit is a tool that allows misanthropes to commit a type of drive-by attack, where clicking on a 'tainted' iframe allows remote code execution to install a payload on your system.  It was part of the famous US Postal Service attack that occurred recently, as well as other incidents The Register mentions.  Even better, the source code for ZeuS was also just made available.  Patch early, patch often.


"A free version of the Blackhole exploit kit has appeared online in a development that radically reduces the entry-level costs of getting into cybercrime.

The Blackhole exploit kit, which up until now would cost around $1,500 for an annual licence, creates a handy way to plant malicious scripts on compromised websites. Surfers visiting legitimate sites can be redirected using these scripts to scareware portals on sites designed to exploit browser vulnerabilities in order to distribute banking Trojans, such as those created from the ZeuS toolkit."


Source: The Register

Crikey! Open source Android might be just a wee bit too open with your data

Subject: General Tech | May 17, 2011 - 01:23 PM |
Tagged: Android, security, clientlogin, impersonation, fud

Researchers at Germany's University of Ulm have discovered a vulnerability in Android's authentication protocol, known as ClientLogin, which should protect your login credentials to apps like your contact list and your calendar.  It seems that while your request is encrypted, the response which includes your credentials is sent back in plain text, and those credentials remain valid for 2 weeks.  The new versions of Android have fixed this flaw, but according to the story at The Register connections to Picasa still return in plain text.

"The vast majority of devices running Google's Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant's servers, university researchers have warned."


Source: The Register