The glitzy, interactive abilities of Web 2.0 have led to a profusion of new applications, but the technology also is bringing a new era of security vulnerabilities, a security researcher warned Wednesday.
"Security was a challenge to begin with, but if anything it's getting harder in the Web 2.0 world," said Jacob West, manager of the security research group at Fortify, a company that helps companies make sure their software is secure.
A big culprit is JavaScript, a language that's widely used to control Web browsers and enable more sophisticated operations.
http://www.news.com/8301-10784_3-9927541-7.html?tag=cd.blog
Urs
Beating the "botnets"–armies of infected computers used to attack websites–requires borrowing tactics from the bad guys, say computer security researchers.
A team at the University of Washington, US, wants to marshal swarms of good computers to neutralize the bad ones. They say their plan would be cheap to implement and could cope with botnets of any size.
Their system, called Phalanx, uses its own large network of computers to shield the protected server. Instead of the server being accessed directly, all information must pass through the swarm of "mailbox" computers.
http://technology.newscientist.com/article/dn13753-to-defeat-a-malicious-botnet-build-a-friendly-one.html
Researchers have devised an encryption scheme that could simplify the protection of sensitive information by allowing banks, hospitals, and other organizations to lock files using keys that are based on specific attributes, such as an employee's position or geographic location.
The method, which was unveiled last week, adds to the growing body of research known as functional or attribute-based encryption.
Functional encryption tries to simplify things. It allows data to be encrypted using attributes directly tied to the recipients, such as their names or email addresses, without the need for the parties to have exchanged keys ahead of time.
http://www.theregister.co.uk/2008/04/23/research_simplifies_encryption/
Quantum cryptography, a new technology until now considered 100 per cent secure against attacks on sensitive data traffic, has a flaw after all, Swedish researchers say.
"In computer terms, we've found a bug," said Jan-Åke Larsson, an associate professor of applied mathematics at Linköping University in southern Sweden.
"It was surprising - we didn't expect to find a flaw," he said, adding that he and another researcher at the university had also discovered a way to fix the problem.
http://abc.com.au/news/stories/2008/04/21/2223348.htm
Microsoft Corp. today took credit for crushing the Storm botnet, saying that the malware search-and-destroy tool it distributes to Windows users disinfected so many bots that the hackers threw in the towel.
"They realized they were in our gun sights," said Jimmy Kuo, a principal architect with Microsoft's malware protection center, the group responsible for the Malicious Software Removal Tool (MSRT). Microsoft updates and automatically redistributes the software tool to Windows users each month on Patch Tuesday.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079653
Microsoft has called on companies to work together to improve overall security, and not just rely on the police to do it for them.
Ed Gibson, Microsoft's chief security advisor in the UK, said during his keynote at Infosecurity Europe 2008 that security affects the entire industry and that companies must work together.
"Any one of you here would volunteer for neighborhood watch if you thought it would improve your community. So why not online?" he said.
http://www.vnunet.com/vnunet/news/2214852/security-community-cyber-crime
The FBI quietly established last summer a task force involving U.S. intelligence and other agencies to identify and respond to cyberthreats against the United States.
Called the National Cyber Investigative Joint Task Force, the group has "several dozen" personnel working together at an undisclosed location in the Washington area, said Shawn Henry, the FBI's deputy assistant director of its cyberdivision.
The FBI's justification for next year's budget, in which it has requested an additional 70 agents and more than 100 support personnel for its cyberdivision, says the task force "seeks to address cyber-intrusions presenting a national security threat."
http://washingtontimes.com/apps/pbcs.dll/article?AID=/20080421/NATION/900241339/1002
The length of time between the development of security patches and the development of exploits targeting the security holes they address has been dropping for some time.
Hackers exploit this period of time - the so-called patch window - to launch attacks against unpatched machines. Typically, exploits are developed by skilled hackers versed in the arcane intricacies of reverse engineering.
However, hackers have now begun using off-the-shelf tools to at least partially automate this process, a development that might lead to exploits coming out hours instead of days after the publication of patches.
Security researchers at Berkeley, the University of Pittsburgh, and Carnegie Mellon have launched a research project investigating the approach (PDF), which relies on comparing the configuration of patched and unpatched machines.
http://www.theregister.co.uk/2008/04/21/automated_exploit_creation/
See also:
http://blogs.technet.com/ms_schweiz_security_blog/archive/2008/04/30/automatic-patch-based-exploit-generation.aspx
http://www.cs.cmu.edu/~dbrumley/pubs/apeg.pdf
And a very good response from Roger's blog: http://blogs.technet.com/rhalbheer/archive/2008/04/25/security-updates-and-exploits.aspx
Mobile networks and handsets are becoming more of a target for criminals with a technical bent, security experts are warning.
"There's a real transition from online in to the mobile space," said Simeon Coney, head of business development at Adaptive Mobile, which helps operators keep an eye on the malicious traffic flowing across their networks.
In the PC world, malicious programs started with viruses designed to be a nuisance, but now they have evolved into software designed solely to help their creators make money.
http://www.nationalcybersecurity.com/blogs/600/Cyber-Criminals-Shifting-Targets-To-Mobiles.html
Paper abstract: In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update.
In many cases we are able to automatically generate exploits within minutes or less. Although our techniques may not work in all cases, a fundamental tenet of security is to conservatively estimate the capabilities of attackers. Thus, our results indicate that automatic patch-based exploit generation should be considered practical. One important security implication of our results is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, may allow attackers who receive the patch first to compromise a significant fraction of vulnerable hosts who have not yet received the patch. Thus, we conclude update schemes, such as Windows Update as currently implemented, can detract from overall security, and should be redesigned.
http://www.cs.cmu.edu/~dbrumley/pubs/apeg.html
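The abstract's point about staggered rollout (and the patch-window discussion above) carried through as an added worked model; this is my illustration, not code or figures from the paper or the blog. It assumes hosts receive the patch at times spread uniformly over a rollout window D, the attacker's exploit is ready E hours after rollout starts (the paper reports minutes), and each still-unpatched host is reached at a uniformly distributed time within the following S hours; a host is lost if it is reached before it is patched. D, E, S and the uniform-arrival shape are simplifying assumptions.

```python
"""Exposure model for staggered patch rollout (added example; assumptions labelled).

Model (all times in hours, constructed assumptions, not from the APEG paper):
  * rollout: each host receives the patch at a time P uniform on [0, D]
             (D = 0 means every host is patched simultaneously at t = 0)
  * attacker: exploit is ready at time E, and each unpatched host is reached
             at a time A uniform on [E, E + S]
  * a host is compromised iff A < P (reached before it is patched)

Fraction compromised = (1/D) * integral_0^D F(p) dp, where F(p) = Pr[A < p]
is the piecewise-linear CDF of A: 0 for p <= E, (p - E)/S on (E, E + S), 1 after.
"""


def _clamp(x: float, lo: float, hi: float) -> float:
    return max(lo, min(hi, x))


def compromised_fraction(rollout_hours: float, exploit_delay_hours: float,
                         scan_window_hours: float) -> float:
    """Expected fraction of hosts compromised before their patch arrives (closed form)."""
    D, E, S = rollout_hours, exploit_delay_hours, scan_window_hours
    if D < 0 or E < 0 or S <= 0:
        raise ValueError("rollout/exploit delay must be >= 0 and scan window > 0")
    if D == 0:
        # Simultaneous distribution: every host is patched at t=0, before any exploit exists.
        return 0.0
    # Integrate F(p) over [0, D] piece by piece.
    a = _clamp(E, 0.0, D)          # where the CDF starts rising
    b = _clamp(E + S, 0.0, D)      # where the CDF reaches 1
    rising = ((b - E) ** 2 - (a - E) ** 2) / (2.0 * S)   # linear part on [a, b]
    saturated = D - b                                     # F(p) == 1 on [b, D]
    return (rising + saturated) / D


def compare_rollouts(exploit_delay_hours: float, scan_window_hours: float,
                     rollout_options: dict) -> dict:
    """Map each named rollout length to its expected compromised fraction."""
    return {name: round(compromised_fraction(D, exploit_delay_hours, scan_window_hours), 4)
            for name, D in rollout_options.items()}


if __name__ == "__main__":
    # Constructed scenario: exploit ready 1 h after the first hosts get the patch,
    # attacker reaches each unpatched host within the next 4 h.
    scenario = {"simultaneous": 0.0, "one day": 24.0, "one week": 168.0}
    for name, frac in compare_rollouts(1.0, 4.0, scenario).items():
        print(f"{name:>12}: {frac:.1%} of hosts compromised before patched")
```

With a one-hour exploit delay, a one-day stagger loses 87.5% of hosts and a one-week stagger over 98%, while simultaneous distribution loses none; raising the exploit delay past the rollout length drives the loss back to zero, which is the trade-off the paper says redesigned update schemes must weigh.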
A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information. More than half of the people surveyed said they used the same password for everything.
As depressing as the survey may be for the security pros whose job it is to keep corporate networks safe, the results are a substantial improvement over last year. That was when 64% of people were willing to give away their passwords. But there were other disturbing signs this year: 61% of workers surveyed shared their birthdates, and a similar number (60% of men and 62% of women) shared their names and telephone numbers.
http://blogs.wsj.com/biztech/2008/04/16/security-is-no-match-for-chocolate-and-good-looking-women/?mod=WSJBlog
I'm sure if they had used Swiss chocolate, they would have got at least 30%! However, this story is not new; I talked about such surveys years ago. But what really frightens me is that (statistically) people haven't learned their lessons!
A beta release of Windows Live OneCare 2.5, Microsoft's automated security suite for home users and small businesses, is available for testing from the Microsoft Connect Web site. Microsoft stated through its blog that there is little apparent difference between the beta and standard versions.
http://windowsvistablog.com/blogs/windowsexperience/archive/2008/04/07/windows-live-onecare-2-5-now-in-beta.aspx
At RSA Conference 2008, Microsoft announced the availability of the public beta release of its next-generation Microsoft Forefront security solution, currently code-named “Stirling.” Microsoft Forefront “Stirling” is an integrated security system that is designed to deliver comprehensive, coordinated protection, making it easy to control, access and manage security capabilities across an organization’s IT infrastructure.
Customers can begin evaluating Forefront “Stirling” today by downloading it from http://www.microsoft.com/stirling or by getting a copy at Microsoft’s booth at RSA Conference 2008. Forefront “Stirling” is scheduled for release to market in the first half of 2009.
http://www.microsoft.com/stirling
http://www.microsoft.com/presspass/press/2008/apr08/04-08ForefrontBetaPR.mspx
There is no storefront or corporate headquarters for Cybercrime Inc., but savvy salesmen in a murky, borderless economy are moving merchandise by shilling credit card numbers - "two for the price of one."
"Sell fresh CC," promised one salesman who offered teaser credit card numbers for samples in New Jersey and Canada. "Visa, MasterCard, Amex. Good Prices. Many countries!!!!!"
Electronic crime is maturing, according to security experts, and with its evolution, clever criminals are adopting conventional approaches that reflect cold business sense - from supermarket-style pricing to outsourcing to specialists acting as portfolio managers, coders, launchers, miners, washers and minders of infected "zombie" computers...
http://www.iht.com/articles/2008/04/04/technology/cybercrime07.php
Microsoft today called for broad discussions about the safety of the Internet in an initiative it dubbed "End to End Trust" in a white paper released during the RSA Conference that opened today in San Francisco.
In a keynote address at the security conference, Craig Mundie, chief research and strategy officer at Microsoft, talked up the company's plans. Core to the concept of End to End Trust, said Mundie, is something he called "a trusted stack," where security is housed or rooted in the hardware, but each piece -- the hardware, software, the data, and even the people involved -- can be authenticated if necessary.
The whitepaper “End to End Trust” can be found at http://www.microsoft.com/endtoendtrust
Other interesting topics:
• http://www.eweek.com/c/a/Security/Microsoft-Calls-for-Initiative-on-Web-Security
• http://www.microsoft.com/security/rsa2008/default.mspx
In a new report released by the European information technology analysis group Quocirca, all of the organisations that admitted to being frequently hacked outsource at least some of their coding, with 90 percent outsourcing more than 40 percent of it!
With this in mind the hacker’s future looks rosy as outsourcing applications is on the up, with 78 percent of organisations that say software development is business critical for them choosing to outsource their vital applications. But security is being left out in the cold - with companies failing to build security in when they outsource the development of their critical applications, according to a report released today by Quocirca and supported by Fortify Software.
http://www.security.itproportal.com/articles/2008/04/07/outsource-your-code-youre-more-likely-be-hacked/
Back in February, Microsoft posted about the release of prerequisites for Windows Vista Service Pack 1. While several million customers installed the updates successfully, you may have read that a few customers experienced an endless reboot cycle while installing one of the prerequisites: KB937287, the Servicing Stack Update (SSU), which contains the Service Pack 1 installation program.
As posted last month on the Windows Vista blog, we suspended automatic distribution of the SSU while we investigated the problem. Over the past few weeks, we’ve learned a lot more about the problem and have taken steps to address the issue. Today, we’d like to let you know that we are resuming automatic distribution of the SSU tomorrow and provide more clarity on what happened.
To clear up any concerns for those of you who have already installed the update: There is no problem with the files that make up the Servicing Stack Update (KB937287); the problem some customers encountered was with the installation process for the update. That means if you already have the update installed, you do not need to uninstall it or install the rereleased version of the update.
So what caused the problem? Read more: http://blogs.technet.com/mu/archive/2008/04/07/windows-vista-sp1-prerequisite-kb937287.aspx
The USA's Internet Crime Complaint Center (IC3) is a partnership between the FBI and the National White Collar Crime Center (NW3C). Last week, the IC3 released its annual report for 2007. You can download a copy from here.
From F-Secure: Malicious software and frauds are very closely related. Malware research frequently leads to our discovering new ways with which to scam victims. So we're often reading up on the topic… http://www.f-secure.com/weblog/archives/00001416.html
A new botnet twice the size of Storm has ballooned to an army of over 400,000 bots, including machines in the Fortune 500, according to botnet researchers at Damballa.
The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.
http://www.darkreading.com/document.asp?doc_id=150292&WT.svl=news1_2
Security is both a feeling and a reality, and they're different. You can feel secure even though you're not, and you can be secure even though you don't feel it. There are two different concepts mapped onto the same word — the English language isn't working very well for us here — and it can be hard to know which one we're talking about when we use the word.
http://www.wired.com/politics/security/commentary/securitymatters/2008/04/securitymatters_0403
Security breaches that can be traced back to the actions of one individual are not the fault of one "stupid" employee but rather a failure to educate and engage the whole workforce around the importance of good security practice, according to a leading academic.
Speaking at the Cyber Warfare 2008 event in London this week, Debi Ashenden, senior research fellow at the Defence College of Management and Technology at Cranfield University, said most companies overlook the importance of employee behaviour when it comes to securing their IT and information systems.
http://news.zdnet.co.uk/security/0,1000000189,39378360,00.htm
PGP Corp. has introduced an encryption application that lets enterprise users protect all the data they carry around in their smartphones.
PGP Mobile encrypts Windows Mobile-based data automatically, but still allows mobile data to be shared securely with other mobile and desktop users. The new crypto app works as part of the enterprise-wide PGP Encryption Platform, which helps to reduce the expense of managing multiple vendors' encryption keys, users, policies, and reporting tools, PGP said in a statement.
http://news.yahoo.com/s/cmp/20080402/tc_cmp/207001047;_ylt=AkMfptzgZ7KtisoVGEnoXnKDzdAF
Phone calls that are routed through the Internet instead of telephone wires are increasingly popular with businesses looking to cut telephony costs. But they have security problems that might leave a business that uses this technology vulnerable to a hacker. The extent of the problems – and the process for identifying and fixing them – is murky, however.
VoIPshield, which makes security software for these calls – the “VoIP” stands for voice over Internet protocol, the technical name for Internet telephony – will publicly announce over 100 security vulnerabilities in the VoIP systems sold by Avaya, Cisco and Nortel later today. The goal is to raise awareness about flaws in these systems – and create a market for VoIPshield’s product, Rick Dalmazzi, the company’s CEO, tells the Business Technology Blog.
http://blogs.wsj.com/biztech/2008/04/02/internet-telephony-has-security-problems/?mod=WSJBlog
The Chaos Computer Club (CCC), one of Germany's oldest and largest hacker organisations, threatened to publish Chancellor Angela Merkel's fingerprints as part of a campaign against the government's use of biometric data in new passports, media reported Tuesday.
http://english.peopledaily.com.cn/90001/90781/90879/6384611.html
You know that hidden bomb shtick in the movies? There's a bomb that's going to go off and kill a gazillion people. First, the good guys have to find it. Then they have to figure how to get into it to disarm it. Then they almost have it disarmed when they discover a booby trap they have to work around. Then they find the two wires - red and blue. The hero has to snip the blue wire but they both look black under the yellow light. Then he gets lucky. He snips the blue wire.
When it comes to Internet fraud, however, some of us don't get so lucky.
According to master-hacker-turned-security-guru Kevin Mitnick, those layers of resistance set up by the mad bomber ought to be the way everyone thinks when they are trying to keep the bad guys out of their computers, networks, and databases.
http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitknick-On-Avoiding-Fraudsters/