More news from Secunia via ars technica. Apple has surpassed Oracle as the software vendor with the most reported security vulnerabilities. Microsoft is third. You can read the details here.
Also of note in the Secunia report, in the world of Windows, third party application vulnerabilities far exceed those found in Windows itself. And unfortunately, many third party applications do not have as well developed automated patch updating services as Microsoft.
ars technica reported that, “Microsoft has been helping Adobe develop a sandbox similar to the Protected View in Office 2010.” Considering that Adobe Reader is #5 on Secunia’s list of third party products ranked by number of vulnerabilities, this is welcome news. More on Protected View in Office 2010 here.
The question is, why wouldn’t you want all your applications sandboxed this way?
Jeremiah Grossman posted information on a very serious Safari privacy vulnerability which Apple has not yet patched. Here is the lead paragraph of Jeremiah’s post:
Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.
Jeremiah says he notified Apple on June 17th. Other than what appears to be an automated email reply, there has been no response. Since Apple had not responded in a meaningful way, Jeremiah decided to go public, as the 83+ million Safari v4 and v5 users have a right to know so they can change the Autofill configuration to protect themselves.
SC Magazine is reporting that a hard drive containing the personal information of 79,000 current and former American Airlines employees was stolen. Not to worry though, the disk was encrypted. What? It wasn’t? Apparently not. “The affected individuals have been notified and offered one year of free credit monitoring services.”
My recommendation, don’t wait for a notification, spend the $100 per year yourself for credit monitoring.
Dark Reading posted an overview of six database breaches that occurred during the first half of 2010. All of them resulted from lack of controls covered in the SANS Twenty Critical Security Controls for Effective Cyber Defense, the backbone of Cymbel’s Approach to information security and compliance. Here is a brief explanation of each breach and the SANS Critical Controls that would have prevented or at least detected the breach more quickly:
Arkansas National Guard – 32,000 current and former Guardsmen personal information removed on an external disk drive and subsequently lost.
Critical Control #15 – Data Loss Prevention, Subcontrol #6 – encrypt hard drives
CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – copying large numbers of database records should generate an alert indicating the who, what, and when of the query.
University of Louisville – database of dialysis patients exposed due to lack of password protection of the web application.
CC#7 – Application Software Security, Subcontrol #3 – Test web applications for common security weaknesses.
CC#7 – Application Software Security, Subcontrol #6 – Software development personnel receive training on Secure Development Life Cycle.
WellPoint – 470,000 customer records exposed to unauthorized users due to insecure web application code.
CC#7 – Application Software Security, Subcontrol #1 – Deploy a Web Application Firewall
CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
Virginia Beach Department of Social Services – eight employees and supervisors fired or disciplined for abusing their database access privileges by accessing restricted information about employees, family members, and clients.
CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – establish more granular access policies
CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
Florida International University – 20,000 students and faculty sensitive records exposed on an unauthorized database in an insecure computing environment.
CC#1 – Inventory of Authorized and Unauthorized Devices, Subcontrol #1 – Automated asset inventory discovery system
CC#2 – Inventory of Authorized and Unauthorized Software, Subcontrol #2 – Automated software discovery system
CC#15 – Data Loss Prevention, Cymbel Extension – Network-based User Activity Monitoring – Anomalous database queries
Lincoln National Corp. – 1.2 million customers’ portfolios exposed due to lax password management and frequent credentials sharing. Some passwords had not changed in seven years!
CC#8 – Controlled Use of Administrative Privileges, Subcontrol #3 – Change passwords at regular 30, 60, 90 day intervals.
CC#8 – Controlled Use of Administrative Privileges, Subcontrol #6 – Administrative accounts should only be used for administrative functions.
CC#8 – Controlled Use of Administrative Privileges, Subcontrol #8 – No password reuse within six months.
CC#8 – Controlled Use of Administrative Privileges, Subcontrol #11 – Two-factor authentication
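The Database Activity Monitoring and Control extension cited above for the Arkansas, WellPoint, Virginia Beach and FIU breaches boils down to two checks: alert on bulk record pulls far above a user's own baseline, and alert on queries against tables outside that user's access policy, reporting the who, what and when. Here is an added example of that logic (it is illustrative code, not Cymbel's product or a SANS artifact); the audit log format, the user-to-table policy and the thresholds are constructed assumptions.

```python
"""Toy database activity monitor: flags bulk record pulls and
out-of-policy table access in constructed audit log lines."""
from collections import defaultdict
from statistics import median

# Constructed sample audit log: timestamp, user, table, rows_returned
SAMPLE_LOG = """\
2010-06-01T09:02:11 jdoe   guardsmen 12
2010-06-01T09:15:40 jdoe   guardsmen 8
2010-06-01T10:01:03 msmith clients   3
2010-06-01T10:05:22 jdoe   guardsmen 15
2010-06-01T11:47:59 jdoe   guardsmen 32000
2010-06-01T12:10:30 msmith employees 1
"""

# Hypothetical granular access policy: tables each user may query
ROLE_TABLES = {"jdoe": {"guardsmen"}, "msmith": {"clients"}}


def parse_log(text):
    """Turn each audit line into a dict carrying who, what, when, rows."""
    events = []
    for line in text.splitlines():
        when, who, what, rows = line.split()
        events.append({"when": when, "who": who, "what": what, "rows": int(rows)})
    return events


def detect_anomalies(events, factor=10, min_rows=100):
    """Return (kind, who, what, when, rows) alerts for two conditions:
    bulk_read: rows returned >= factor x the user's own median so far
               (and at least min_rows, so tiny baselines do not alarm);
    policy_violation: the table is outside the user's allowed set."""
    alerts = []
    history = defaultdict(list)  # per-user rows_returned seen so far
    for ev in events:
        who, what, when, rows = ev["who"], ev["what"], ev["when"], ev["rows"]
        if what not in ROLE_TABLES.get(who, set()):
            alerts.append(("policy_violation", who, what, when, rows))
        past = history[who]
        if past and rows >= max(min_rows, factor * median(past)):
            alerts.append(("bulk_read", who, what, when, rows))
        past.append(rows)  # baseline is learned from the user's own history
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this raises exactly two alerts: jdoe's 32,000-row pull from guardsmen, and msmith's query against the employees table that the policy does not grant.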
Trend Micro’s research lab is reporting that the Koobface trojan continues to put unsuspecting Facebook users at risk. Because Koobface is really a bot, its Command & Control infrastructure can and does change the message and the link you receive to lure you to a page that will download the Koobface trojan onto your system.
You could ask, why can’t Facebook eradicate Koobface? Apparently, they are not seeing enough users cancel their accounts because of Koobface and other malware to warrant the investment.
Why not simply block Facebook? If the business side of the organization (sales and marketing) is OK with that, then blocking Facebook in the office is a reasonable step. There are two issues to consider:
Increasingly, sales and marketing departments want to take advantage of Facebook and other social networking sites to reach current and prospective customers.
Even if you do block social networking sites in the office, laptop users who travel or just use their laptops at home are at risk of being exploited by malware from social networking sites.
A few days ago, Rich Mogull at Securosis raised the issue, should PCI assessment firms sell the products needed to remediate the gaps their assessors find? Rich posed this question in light of Trustwave’s acquisition of yet another company, Breach, that sells products that are used to meet PCI regulatory requirements.
Rich, of course, was very diplomatic, but considering the level of ambiguity in the PCI regulations, the temptation for collusion between assessors and consultants who implement PCI controls cannot be ignored.
Rich is careful to point out that Trustwave is not doing anything unlawful or even unethical since the PCI Council “shows no interest in controlling conflicts of interest…”
Just as the big accounting firms were forced to divest their consulting arms, companies should not be able to both perform PCI assessments and provide remediation products and services. Let me point out that not all assessors do remediation. And let me also point out that Cymbel is not an assessor and provides products and services which are used to meet PCI regulations.
The Electronic Frontier Foundation (EFF), in conjunction with The Tor Project, has announced a new Firefox plug-in called HTTPS Everywhere, which will automatically provide encrypted SSL sessions to major web sites that support HTTPS. Obviously, this is an effort to improve browsing privacy, but is it also increasing risks to those users? The answer could be yes.
If you are a road-warrior and use HTTPS Everywhere from your hotel room, I would agree that you are reducing the likelihood of a third party sniffing your traffic. However, HTTPS will increase risk for corporations whose firewalls or intrusion prevention systems do not have the ability to decrypt SSL. For example, one of the default sites encrypted by HTTPS Everywhere is Facebook. If you have policies that allow certain employees to use certain features of Facebook for marketing/sales purposes, you surely want to monitor that traffic for threats. Given the amount of malware on Facebook, an employee could inadvertently go to a page that downloads a trojan onto the employee’s workstation. If your firewall or IPS cannot decrypt SSL then it will not be able to detect the malware.
The excitement of World Cup Soccer is increasing. Do you know how many people in our organization are watching matches during the work day? How much Internet bandwidth is being consumed? What about the active malware campaigns leveraging the tournament?
Palo Alto Networks has a blog post detailing its World Cup Soccer video controls and protection capabilities called Prepare for Soccer Hooliganism 2.0.
What kind of access to Facebook do you give your employees? What about those in Marketing who want to use Facebook to monitor a competitor’s social marketing efforts? Or just gather competitive intelligence? Completely blocking Facebook for everyone in the organization may not make sense anymore because there are legitimate business uses for Facebook.
Palo Alto Networks has been a leader in enabling fine-grained policy control of web-based applications. Today, they extended their Facebook policy capabilities by creating a “Read-Only” option. I have no doubt that this was a customer driven enhancement to their already robust Facebook policy capabilities.
This is a great example of enabling business value while minimizing risk.