On August 23, 2010 Microsoft issued Security Advisory 2269637, warning about a new method of attack based on the standard way Windows finds a DLL called by a program when the program does not specifically define the location. InfoWorld’s Woody Leonhard, among others, had an article about this on August 24 – Heads Up: A whole new class of zero-day Windows vulnerabilities looms.
In a matter of days, hackers were publishing attacks against many Windows apps including Firefox, Chrome, Word, and Photoshop. See Windows DLL exploits boom (August 26).
This is just one example of the speed with which zero-day attacks can proliferate. This is a particularly bad situation because just one Windows vulnerability is being used to create a large number of zero-day attacks across a wide range of applications. We recommend organizations deploy FireEye to counter these zero-day attacks.
From an end-user perspective, on August 27, Woody Leonhard published a helpful article, How to thwart the new DLL attacks. To summarize, Woody has two excellent recommendations for users:
First, never double-click on a file that’s in a potentially compromised location. Drag it to your desktop, then open it.
Second, make Windows show you filename extensions and hidden files.
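The following PowerShell script is an added example, not code from the original post, from InfoWorld, or from Microsoft. It audits and applies the two user-level Explorer settings recommended above (show file extensions, show hidden files) and the system-wide CWDIllegalInDllSearch value that Microsoft documented as a mitigation for this advisory, and it lists DLLs currently loaded from outside the Windows and Program Files trees, which is the pattern this attack class produces. Assumptions: the Explorer values HideFileExt and Hidden live under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; the CWDIllegalInDllSearch value is only honoured once the Microsoft update that introduces it is installed, and writing it requires administrator rights; the function names are the author's own.

```powershell
# Added example (not from the original post). Audits and hardens the settings
# discussed above; the module listing is a heuristic, not proof of compromise.

$ExplorerKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$SessionMgrKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-DllHijackExposure {
    # Returns the current state of the three settings as one object.
    $adv = Get-ItemProperty -Path $ExplorerKey   -ErrorAction SilentlyContinue
    $sm  = Get-ItemProperty -Path $SessionMgrKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ExtensionsShown         = ($adv.HideFileExt -eq 0)
        HiddenFilesShown        = ($adv.Hidden -eq 1)
        # The registry provider reads a DWORD back as a signed Int32, so the
        # documented value 0xFFFFFFFF ("remove CWD from the search order") is -1.
        CwdRemovedFromDllSearch = ($sm.CWDIllegalInDllSearch -eq -1)
    }
}

function Set-ExplorerShowsRealNames {
    # Applies the two user-level recommendations: show extensions, show hidden files.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($ExplorerKey, 'Show file extensions and hidden files')) {
        Set-ItemProperty -Path $ExplorerKey -Name HideFileExt -Value 0 -Type DWord
        Set-ItemProperty -Path $ExplorerKey -Name Hidden      -Value 1 -Type DWord
    }
}

function Set-CwdExcludedFromDllSearch {
    # System-wide mitigation: take the current working directory out of the default
    # DLL search order for every process. Requires an elevated shell, and has no
    # effect unless the Microsoft update that introduces the value is installed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($SessionMgrKey, 'Set CWDIllegalInDllSearch to 0xFFFFFFFF')) {
        # -1 as a signed 32-bit integer is 0xFFFFFFFF; passing the unsigned literal
        # to a DWORD property fails conversion in the registry provider.
        New-ItemProperty -Path $SessionMgrKey -Name CWDIllegalInDllSearch `
            -Value ([int]-1) -PropertyType DWord -Force | Out-Null
    }
}

function Get-ModulesOutsideTrustedDirs {
    # Lists loaded DLLs whose path is not under the Windows or Program Files trees.
    # A library loaded from a document folder or a network share is what a
    # search-order hijack looks like at runtime; legitimate per-user installs
    # will also appear here, so treat the output as a triage list.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }
    Get-Process | ForEach-Object {
        $proc = $_
        try { $mods = $proc.Modules } catch { return }   # protected processes deny access
        foreach ($m in $mods) {
            $path = $m.FileName
            $inTrusted = $false
            foreach ($t in $trusted) {
                if ($path.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true; break
                }
            }
            if (-not $inTrusted) {
                [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = $path }
            }
        }
    }
}

# Usage: audit first, then apply with -WhatIf to preview before committing.
Get-DllHijackExposure
Set-ExplorerShowsRealNames -WhatIf
Set-CwdExcludedFromDllSearch -WhatIf
Get-ModulesOutsideTrustedDirs | Sort-Object Module -Unique | Format-Table -AutoSize
```

The Explorer changes take effect for new Explorer windows; the CWDIllegalInDllSearch value affects processes started after it is set, so a reboot is the simplest way to apply it everywhere.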
Is MPLS secure? All the MPLS vendors use the term VPN (Virtual Private Network), implying some level of security. But in reality, MPLS traffic is not encrypted and is therefore subject to snooping on the carrier's shared infrastructure. And of course, you have no way of knowing whether anyone is actually snooping on it.
Mike Fratto at Network Computing wrote a nice piece a couple of months ago explaining the situation.
If you talk to the WAN services folks at a carrier, their definition of a VPN will be an overlay network that is carried by another network over shared infrastructure. By the carrier’s definition, a telephone call over a PSTN is a VPN. The carrier definition is very different than the other definition of a VPN as an authenticated and encrypted layer 3 tunnel between two nodes, with one node being a network. The former definition assumes that the carrier’s employees are trustworthy. The latter definition doesn’t care if they are or aren’t.
In addition, compliance regimes like MA 201 CMR 17 and HIPAA are mandating WAN encryption.
To encrypt MPLS traffic, and wide area network traffic in general, we recommend CipherOptics.
With the increasing popularity of mobile devices like iPhones and Android-based phones, we are beginning to see targeted malware, raising the question, do we need anti-malware for our mobile devices? ReadWriteWeb Enterprise was prompted to write an article on this topic as a result of the Android game Tap Snake which was reported to be spyware.
It appears the mobile anti-malware market is fairly immature:
I took the opportunity to test a few of the anti-malware apps available on the market: antivirus free from droidSecurity, Lookout, Symantec’s Norton Mobile Security for Android beta, and Smobile. I was also going to try SmrtGuard, but I couldn’t get the app to activate before Tap Snake was removed from Android Market. Of those four apps, only one detected Tap Snake as a potential threat.
The article goes on to say that tightly controlling what apps can be loaded onto mobile devices may be all enterprises need at this time.
Earlier this week, the NYTimes wrote an article on the life and times of BadB, Vladislav Horohorin, a Russian cyber criminal recently arrested while on a trip to France.
He is expected to appear soon before a French court that will decide on his potential extradition to the United States, where Mr. Horohorin could face up to 12 years in prison and a fine of $500,000 if he is convicted on charges of fraud and identity theft. For at least nine months, however, he lived openly in Moscow as one of the world’s most wanted computer criminals.
It appears that BadB operated openly in Russia despite the fact that he was indicted in the United States in November 2009. He was arrested only because he traveled to a country which respects the rule of law and does not have an adversarial relationship with the U.S.
Computer security researchers have raised a more sinister prospect: that criminal spamming gangs have been co-opted by the intelligence agencies in Russia, which provide cover for their activities in exchange for the criminals’ expertise or for allowing their networks of virus-infected computers to be used for political purposes — to crash dissident Web sites, perhaps.
Definitely worth reading the whole article.
CSOOnline has a good article on ACH (Automated Clearing House) fraud:
Fraud involving the Automated Clearing House (ACH) Network, which is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals, is becoming an increasingly popular way for hackers to siphon money out of the bank accounts of unsuspecting victims.
Fraudsters only need two pieces of information to pull off ACH fraud: a checking account number and a bank routing number. They typically obtain the information with a targeted phishing email that tricks the victim into running malicious software which then allows criminals to install keylogging software and steal bank account passwords.
In order to reduce the risk of this type of exploit, we recommend using a bootable, secure “Trusted Client” on an encrypted USB stick from Becrypt.
There has been much commentary this past week about the limited enhancements in the upcoming PCI-DSS 2.0 framework. Martin McKeay wrote a post, How would I write a framework to replace PCI? where he talks about three key principles: (1) Everything flows from policy, (2) Keep it simple, and (3) Concentrate on results, not technologies.
I see it differently. The key principles of the SANS Twenty Critical Security Controls for Effective Cyber Defense make more sense and provide the basis for the Cymbel Approach:
- Offense must inform defense – knowledge of actual attacks that have compromised systems provides an essential foundation on which to construct effective defenses.
- Work from a prioritized baseline of information security measures and controls
- Most controls must be automated – there is no way for an organization to cost effectively defend itself with manual controls
- Measure the effectiveness of controls – Automated techniques, where possible, should be used to measure the effectiveness of deployed controls.
Furthermore, regarding policies – you cannot start the process with policies without first establishing context. Therefore we start our process with Visibility. You can read more about this on the Cymbel Services page.
How many people remember Intel’s vPro? Do you know if your PC supports vPro? Do you care? It was announced by Intel at least six years ago.
As Intel says on its vPro home page:
Notebook and desktop PCs with Intel® vPro™ technology enable IT to take advantage of hardware-assisted security and manageability capabilities that enhance their ability to maintain, manage, and protect their business PCs. And with the latest IT management consoles from Independent Software Vendors (ISVs) with native Intel vPro technology support, IT can now take advantage of enhanced features to manage notebooks over a wired or corporate wireless network, or even outside the corporate firewall through a wired LAN connection.
PCs with Intel vPro technology integrate robust hardware-based security and enhanced maintenance and management capabilities that work seamlessly with ISV consoles. Because these capabilities are built into the hardware, Intel vPro technology provides IT with the industry’s first solution for OS-absent manageability and down-the-wire security even when the PC is off, the OS is unresponsive, or software agents are disabled.
While vPro looks intriguing, it does not appear to me that ISVs really embraced it. Perhaps one of the reasons for Intel acquiring McAfee was it felt it had to force the issue. The Microsoft approach of “loose” integration was not working and Intel decided to place a bet on the Apple strategy of “tight” integration.