28. July 2010 · Apple fixes Safari auto-fill vulnerability · Categories: Vulnerabilities

It looks like Apple was working on a fix for the Safari auto-fill vulnerability after all. According to MacRumors, “As noted in the security documentation accompanying today’s release, Safari 5.0.1 and 4.1.1 address an AutoFill security flaw disclosed last week that could allow a malicious site to obtain a user’s Address Book information, including name, company affiliation, city/state/country, and email address.”

25. July 2010 · The Robin Sage saga – social engineering at its finest · Categories: blog

The Robin Sage story broke in early July and I am late in getting to it. I was going to skip it, but it’s such a good story, I wanted to note it. The Dark Reading version is quite detailed.

The key, though, is straightforward: people accepted invitations from someone they did not know. It’s that simple. This is a type of “inside-out” social engineering attack vector, which has become the primary method of cyber criminals. Why bother with the traditional “outside-in” attack on network device or endpoint software vulnerabilities when all you need to do is lure the victim to a malware-laden web page?

Running a Robin Sage type of “experiment” in your organization should be part of your security awareness training program.

25. July 2010 · Fraud related to virtual goods sales increases to 1.9% · Categories: Fraud, Security-Compliance

The Wall St. Journal is reporting that fraud related to the sale of virtual goods, primarily in online games, increased to 1.9% in 2009. This compares to 1.1% for physical goods. These numbers are coming from CyberSource Corp., a subsidiary of Visa, which provides payment management services including fraud detection related to the sale of digital goods. (We at Cymbel have no relationship with CyberSource or the other vendors like PayPal mentioned in the article.)

While interesting, these numbers are not surprising. As the article states, many of the precautions that can be used in the physical world, like checking the shipping address against the address on the credit card, are not available in the world of purely digital goods.

So for those selling digital goods, selecting a payment processing provider should be just as much about its fraud detection capabilities as processing fees.

25. July 2010 · Apple leads in software vulnerabilities · Categories: Security-Compliance, Vulnerabilities

More news from Secunia via ars technica. Apple has surpassed Oracle as the software company leader in security vulnerabilities. Microsoft is third. You can read the details here.

Also of note in the Secunia report: in the world of Windows, third party application vulnerabilities far exceed those found in Windows itself. And unfortunately, many third party applications do not have automated patch updating services as well developed as Microsoft’s.

25. July 2010 · Adobe Reader improved security coming · Categories: Security-Compliance, Vulnerabilities

ars technica reported that, “Microsoft has been helping Adobe develop a sandbox similar to the Protected View in Office 2010.” Considering that Adobe Reader is #5 on Secunia’s list of third party products ranked by number of vulnerabilities, this is welcome news. More on Protected View in Office 2010 here.

The question is, why wouldn’t you want all your applications sandboxed this way?

How does Microsoft’s sandboxing technology compare to Suse Linux Enterprise Desktop’s AppArmor?

22. July 2010 · Safari privacy vulnerability – Apple unresponsive · Categories: Security-Compliance, Vulnerabilities

Jeremiah Grossman posted information on a very serious Safari privacy vulnerability which Apple has not yet patched. Here is the lead paragraph of Jeremiah’s post:

Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.

Jeremiah says he notified Apple on June 17th. Other than what appears to be an automated email reply, there has been no response. Since Apple had not responded in a meaningful way, Jeremiah decided to go public, as the 83+ million Safari v4 and v5 users have a right to know so they can change the AutoFill configuration to protect themselves.

11. July 2010 · Fake YouTube page used to infect soccer fans · Categories: blog

Zscaler discusses yet another example of blackhats drawing unsuspecting fans to fake web pages containing malware. This time it’s a fake YouTube page designed to attract soccer fans during the World Cup.

I call this type of attack “inside-out,” in the sense that the attacker draws an insider out to a web page to initiate the attack, rather than using the traditional “outside-in” direct attack method of finding and exploiting a network or application vulnerability. While traditional vulnerability assessments are still important, they do not provide the complete picture of your risks.

This is why we recommend a Next Generation Firewall or a Secure Web Gateway which offers protection from this type of social engineering attack.

11. July 2010 · American Airlines hard drive stolen · Categories: Breach, Security-Compliance

SC Magazine is reporting that a hard drive containing the personal information of 79,000 current and former American Airlines employees was stolen. Not to worry though, the disk was encrypted. What? It wasn’t? Apparently not. “The affected individuals have been notified and offered one year of free credit monitoring services.”

My recommendation: don’t wait for a notification; spend the $100 per year yourself for credit monitoring.

05. July 2010 · Six database breaches during H1/2010 point to needed controls · Categories: Breach, SANS 20 Critical Controls, Security-Compliance

Dark Reading posted an overview of six database breaches that occurred during the first half of 2010. All of them resulted from lack of controls covered in the SANS Twenty Critical Security Controls for Effective Cyber Defense, the backbone of Cymbel’s Approach to information security and compliance. Here is a brief explanation of each breach and the SANS Critical Controls that would have prevented or at least detected the breach more quickly:

  1. Arkansas National Guard – 32,000 current and former Guardsmen personal information removed on an external disk drive and subsequently lost.
    • Critical Control #15 – Data Loss Prevention, Subcontrol #6 – encrypt hard drives
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – copying large numbers of database records should generate an alert indicating the who, what, and when of the query.
  2. University of Louisville – database of dialysis patients exposed due to lack of password protection of the web application.
    • CC#7 – Application Software Security, Subcontrol #3 – Test web applications for common security weaknesses.
    • CC#7 – Application Software Security, Subcontrol #6 – Software development personnel receive training on Secure Development Life Cycle.
  3. WellPoint – 470,000 customer records exposed to unauthorized users due to insecure web application code.
    • CC#7 – Application Software Security, Subcontrol #1 – Deploy a Web Application Firewall
    • CC#7 – Application Software Security, Subcontrol #2 – Automated code analysis
    • CC#7 – Application Software Security, Subcontrol #3 – Automated remote web vulnerability scanner
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
  4. Virginia Beach Department of Social Services – eight employees and supervisors fired or disciplined for abusing their database access privileges by accessing restricted information about employees, family members, and clients.
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – establish more granular access policies
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
  5. Florida International University – 20,000 students and faculty sensitive records exposed on an unauthorized database in an insecure computing environment.
    • CC#1 – Inventory of Authorized and Unauthorized Devices, Subcontrol #1 – Automated asset inventory discovery system
    • CC#2 – Inventory of Authorized and Unauthorized Software, Subcontrol #2 – Automated software discovery system
    • CC#15 – Data Loss Prevention, Cymbel Extension – Network-based User Activity Monitoring – Anomalous database queries
  6. Lincoln National Corp. – 1.2 million customers’ portfolios exposed due to lax password management and frequent credential sharing. Some passwords had not changed in seven years!
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #3 – Change passwords at regular 30, 60, 90 day intervals.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #6 – Administrative accounts should only be used for administrative functions.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #8 – No password reuse within six months.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #11 – Two-factor authentication
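The Database Activity Monitoring and password-rotation controls listed above are easy to describe and worth seeing as concrete checks. The following is an added example, not code from Dark Reading, SANS or Cymbel: it runs three minimal detections over a constructed audit log and a constructed set of account records. The log format (timestamp, user, table, rows returned), the thresholds and the user and table names are all assumptions chosen for illustration; it flags single queries that copy a large number of records (breach #1), users querying tables outside their established pattern (breaches #3, #4 and #5), and passwords older than the 90-day rotation interval (breach #6).

```python
# Added example (not from the article or the SANS controls document):
# a minimal database activity monitoring pass over a constructed audit log,
# plus a stale-password check for CC#8 subcontrol #3.
from datetime import datetime, timedelta

# Constructed audit log lines: "<ISO timestamp> <user> <table> <rows returned>"
SAMPLE_AUDIT_LOG = """\
2010-06-01T09:01:12 jsmith patients 3
2010-06-01T09:05:40 jsmith patients 1
2010-06-01T10:12:55 mjones employees 1
2010-06-01T11:47:19 mjones employees 2
2010-06-02T23:58:41 jsmith patients 32000
2010-06-03T08:10:10 mjones family_members 4
2010-06-03T08:15:33 mjones employees 1
"""

BASELINE_CUTOFF = datetime(2010, 6, 2)  # events before this date train the per-user baseline
BULK_ROW_THRESHOLD = 1000               # rows returned by one query that count as a bulk copy
REPORT_DATE = datetime(2010, 7, 5)      # "now" for the password-age check


def parse_audit_log(text):
    """Parse the space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, table, rows = line.split()
        events.append({
            "when": datetime.fromisoformat(ts),
            "user": user,
            "table": table,
            "rows": int(rows),
        })
    return events


def detect_bulk_reads(events, threshold=BULK_ROW_THRESHOLD):
    """Flag single queries returning an unusually large number of rows,
    reporting the who, what and when of the suspected mass copy."""
    return [(e["when"].isoformat(), e["user"], e["table"], e["rows"])
            for e in events if e["rows"] >= threshold]


def build_baseline(events, cutoff=BASELINE_CUTOFF):
    """Record which tables each user touched before the cutoff date."""
    baseline = {}
    for e in events:
        if e["when"] < cutoff:
            baseline.setdefault(e["user"], set()).add(e["table"])
    return baseline


def detect_unusual_table_access(events, baseline, cutoff=BASELINE_CUTOFF):
    """Flag post-cutoff queries against tables the user never touched during the baseline period."""
    return [(e["when"].isoformat(), e["user"], e["table"])
            for e in events
            if e["when"] >= cutoff and e["table"] not in baseline.get(e["user"], set())]


# Constructed account records: user -> date the password was last changed.
SAMPLE_ACCOUNTS = {
    "jsmith": datetime(2010, 5, 20),
    "mjones": datetime(2003, 4, 1),   # never rotated, as in the Lincoln National case
}


def stale_passwords(accounts, now=REPORT_DATE, max_age_days=90):
    """Return users whose password is older than the rotation interval."""
    limit = timedelta(days=max_age_days)
    return sorted(user for user, changed in accounts.items() if now - changed > limit)


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("bulk reads:", detect_bulk_reads(events))
    baseline = build_baseline(events)
    print("unusual table access:", detect_unusual_table_access(events, baseline))
    print("stale passwords:", stale_passwords(SAMPLE_ACCOUNTS))
```

On the sample data the bulk-read check surfaces the 32,000-row query by jsmith, the baseline check surfaces mjones reaching into the family_members table for the first time, and the password check surfaces the account last rotated in 2003. A real deployment would feed the same logic from the database’s own audit log rather than a string constant, and would tune the threshold and baseline window per application.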

05. July 2010 · Koobface trojan continues to plague Facebook · Categories: Malware, Next Generation Firewall, Palo Alto Networks, Security-Compliance, Social Engineering

Trend Micro’s research lab is reporting that the Koobface trojan continues to put unsuspecting Facebook users at risk. Because Koobface is really a bot, its Command & Control infrastructure can and does change the message and the link you receive to lure you to a page that will download the Koobface trojan onto your system.

You could ask, why can’t Facebook eradicate Koobface? Apparently, they are not seeing enough users canceling their accounts due to Koobface and other malware to warrant the investment.

Why not simply block Facebook? If the business side of the organization (sales and marketing) is OK with that, then blocking Facebook in the office is a reasonable step. There are two issues to consider:

  1. Increasingly, sales and marketing departments want to take advantage of Facebook and other social networking sites to reach current and prospective customers.
  2. Even if you do block social networking sites in the office, laptop users who travel or just use their laptops at home are at risk of being exploited by malware from social networking sites.

Palo Alto Networks’ next-generation firewall solves the first issue today and has announced GlobalProtect, which will solve the second issue in its next release at the end of 2010.