Security

3 Mar

Application security may still have a ways to go, but Open Source is showing promise…

Despite the relatively gloomy picture of developers still missing the mark initially on security, there were some bright spots in the report: Open-source software isn’t as risky as you’d think, and financial services organizations and government agencies tend to have more secure applications from the get-go; more than half of their apps passed as acceptable in the first submission to testing, according to Veracode’s report.

“The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That’s encouraging,” Oberg says. And it was the quickest to remediate any flaws: “It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,” he says.

via State Of Application Security: Nearly 60 Percent Of Apps Fail First Security Test – DarkReading.

Category : Security | Security Breaches | Blog
1 Mar

A recent article on Law.com (part one of a seven part series) discusses the importance of legal holds for the preservation of electronically stored information (ESI) and other documents.

Why are courts placing so much emphasis on this ministerial step in preservation of issuing a written litigation hold? It appears that patience is running thin for lost ESI in federal court. More importantly, ignorance of litigation hold requirements is no excuse. Also, the days of he-said-she-said litigation hold arguments are numbered. Courts want to see a transparent and credible process by simply looking at a few documents such as the written hold notice, distribution list, follow-up interview reports or logs, as examples.

As articulated by Judge Scheindlin in Pension Committee v. Banc of America, courts definitely do not want to wade through stacks of motion papers and days of hearings to determine if preservation efforts were sufficient to prevent the destruction of ESI and other documents. As a result, it is imperative for an organization to have in place a litigation hold policy and adequate procedures necessary to avoid going down the litigation “detour” of discovery sanctions motions.

via Law.com – Step 1 for Legal Holds: Trigger Events.

Category : Computer Forensics | Electronic Discovery | Security | Blog
24 Feb

This is an interesting and evolving area. Many of these devices run an embedded OS with flash memory, so traditional forensic techniques do not work. However, the Android platform (and other mobile platforms) has similar characteristics, so the R&D done in those areas can be applied to embedded devices. Moral of the story: if it has data storage or network activity, you’ll find a forensic geek poking around somewhere close by (hint: contact us if you want to discuss):

Attacks against the power grid are likely to rise and intensify during the next 12 months as smart grid research and pilot projects advance, according to utility security experts and a recently published report that analyzes threats to critical infrastructure.

The so-called Project Grey Goose Report on Critical Infrastructure points to state and/or non-state sponsored hackers from the Russian Federation of Independent States, Turkey, and China as the main threats to targeting and hacking into energy providers and other critical infrastructure networks.

via Spike In Power Grid Attacks Likely In Next 12 Months – DarkReading.

Category : Security | Blog
21 Dec

Ahhh, nothing like the weekly Adobe zero-day exploit.

This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324). We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog for the latest information.

via New Adobe Reader and Acrobat Vulnerability – Adobe Product Security Incident Response Team (PSIRT).

Category : Security | Blog
21 Dec

Well, it’s nice to see Adobe at the top of the list given all the 0-day exploits. Bit9 seems to do great work, but the white paper is behind a registration firewall (they should just release it; trust me, it’s better that way). Here are the results from the press release:

This year Adobe applications top the list, with four applications identified in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database: Adobe Acrobat, Flash Player, Reader and Shockwave had vulnerabilities that were rated “High”, including ones that allowed remote attackers to execute arbitrary code, trigger memory corruption, cause denial of service or crash the application.

Other vulnerable applications on the list include:

* Apple Quicktime
* Mozilla Firefox
* Opera
* RealPlayer
* Sun Java
* Trillian

The applications on the list meet the following criteria:

* Runs on Microsoft Windows
* Is well-known in the consumer space and frequently downloaded by individuals
* Is not classified as malicious by enterprise IT organizations or security vendors
* Contains at least one critical vulnerability that was:
    * First reported in January 2009 or after
    * Registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS)
    * Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists
    * The application cannot be automatically and centrally updated via Enterprise tools such as Microsoft SMS & WSUS.

via Bit9 Releases Annual Report on Top Vulnerable Applications in 2009.

Category : Security | Blog
2 Dec

More thoughts on our smart grid vulnerability:

However, the smart grid changes all of that. The researchers from IOActive demonstrated that smart grid boxes can be hacked and that they can spread worms. Not only that, the boxes themselves will be connected to every home and be available to anyone. Anyone therefore has access to the smart grid. With tens of millions of the boxes planned to be distributed throughout the United States, potential attackers can easily get their hands on the systems to tear apart and find new vulnerabilities and attacks. More important, when there is a vulnerability found, how will it be mitigated?

There is a perfect storm brewing where the skills and resources required to launch a significant attack are being drastically lowered. Depending upon the effects of a possible worm on the smart grid boxes, and the vulnerability of the generators, there can be a combined attack that does have strategic impact.

I Was Wrong: There Probably Will Be an Electronic Pearl Harbor.

Category : Security | Blog
23 Nov

I love that “without our knowledge” quote. Wouldn’t it be nice if companies took the security of your personal data seriously? If you are a company that wants to try this, take a look at our fraudForensics service…do yourself and your customers a huge favor.

Staff at mobile phone company T-Mobile passed on millions of records from thousands of customers to third party brokers, the firm has confirmed.

Details emerged after the firm alerted the information commissioner, who said his office was preparing a prosecution.

Christopher Graham said brokers had sold the data to other phone firms, who then cold-called the customers as their contracts were due to expire.

A T-Mobile spokesman said the data had been sold “without our knowledge”.

via BBC NEWS | UK | T-Mobile staff sold personal data.

Category : Security | Security Breaches | Blog
23 Nov

I won’t inundate the blog with Windows exploits but the first zero-day bug is noteworthy.

In a security advisory, Microsoft acknowledged that a bug in SMB (Server Message Block), a Microsoft-made network file- and print-sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines.

via Computerworld > Microsoft confirms first Windows 7 zero-day bug.

On a similar note, security firm Sophos tested Windows 7 against 10 virus samples on 10/22/2009 and found that 80% of them succeeded:

On October 22nd, we settled in at SophosLabs and loaded a full release copy of Windows 7 on a clean machine. We configured it to follow the system defaults for User Account Control (UAC) and did not load any anti-virus software.

We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft’s claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.

Category : Security | Blog
23 Nov

Interesting research on protecting computers from rootkits (full PDF here):

Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance.

The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that’s tightly locked down. The researchers, from Microsoft and the computer science department at North Carolina State University, plan to present their findings Thursday at the 16th ACM Conference on Computer and Communications Security.

via Boffins boast newfangled rootkit blocker • The Register.
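The mechanism quoted above (move the kernel hook pointers out of scattered, writable data structures into one dedicated page-aligned region, lock that region down, and dispatch every hook call through it) can be illustrated in user space. The following C program is an added example and is not HookSafe's or the researchers' code: it copies a table of function pointers into a fresh page-aligned mmap region, drops write permission on it with mprotect, routes calls through the protected table, and then checks that an in-process attempt to overwrite a slot faults instead of taking effect. The two stand-in hooks, the `hooksafe_*` names and the table layout are assumptions made for the demo; a real hypervisor-based implementation enforces the protection from outside the guest rather than with mprotect inside it.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* User-space analogue of the HookSafe idea (names and layout are
 * assumptions for this demo, not HookSafe's code). */

typedef int (*hook_fn)(int);

/* Two stand-in "kernel hooks", constructed for the demo. */
static int hook_open(int x) { return x + 1; }
static int hook_read(int x) { return x * 2; }

static hook_fn *hook_table = NULL;   /* relocated, read-only hook table */
static size_t hook_count = 0;

/* Copy n hook pointers into a fresh page-aligned mapping, then drop write
 * permission on it.  Returns 0 on success, -1 on failure. */
int hooksafe_relocate(const hook_fn *hooks, size_t n)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t bytes = ((n * sizeof(hook_fn) + page - 1) / page) * page;
    void *p = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, hooks, n * sizeof(hook_fn));
    if (mprotect(p, bytes, PROT_READ) != 0) {   /* lock the page down */
        munmap(p, bytes);
        return -1;
    }
    hook_table = (hook_fn *)p;
    hook_count = n;
    return 0;
}

/* The indirection: callers only ever go through the protected table. */
int hooksafe_call(size_t idx, int arg)
{
    if (hook_table == NULL || idx >= hook_count)
        return -1;
    return hook_table[idx](arg);
}

int hooksafe_is_page_aligned(void)
{
    return hook_table != NULL &&
           ((uintptr_t)hook_table % (uintptr_t)sysconf(_SC_PAGESIZE)) == 0;
}

/* Self-test of the protection: try to overwrite one slot from inside the
 * process and report whether the write faulted.  Returns 1 if blocked,
 * 0 if the write went through, -1 on a bad index. */
static sigjmp_buf fault_jb;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_jb, 1); }

int hooksafe_write_is_blocked(size_t idx, hook_fn replacement)
{
    struct sigaction sa, old;
    int blocked;
    if (hook_table == NULL || idx >= hook_count)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_jb, 1) == 0) {
        ((volatile hook_fn *)hook_table)[idx] = replacement;  /* should fault */
        blocked = 0;
    } else {
        blocked = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}

/* Build the demo table from the two stand-in hooks (idempotent). */
int hooksafe_demo_setup(void)
{
    hook_fn hooks[2] = { hook_open, hook_read };
    if (hook_table != NULL)
        return 0;
    return hooksafe_relocate(hooks, 2);
}

int main(void)
{
    if (hooksafe_demo_setup() != 0) {
        perror("hooksafe_relocate");
        return 1;
    }
    printf("open(41) -> %d, read(21) -> %d\n",
           hooksafe_call(0, 41), hooksafe_call(1, 21));
    printf("table page-aligned: %s\n", hooksafe_is_page_aligned() ? "yes" : "no");
    printf("overwrite of slot 0 blocked: %s\n",
           hooksafe_write_is_blocked(0, hook_read) ? "yes" : "no");
    printf("open(41) after the attempt -> %d\n", hooksafe_call(0, 41));
    return 0;
}
```

Build with `cc -o hooksafe_demo hooksafe_demo.c` on Linux and run it; the final line shows that slot 0 still dispatches to the original hook after the blocked write. The page-alignment check matters because page granularity is what lets a single protection setting cover the whole table without also locking unrelated data that happens to share the page.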

Category : Security | Blog
23 Nov

We spend a lot of time talking with corporate IT and security managers who believe the infrastructure they have in place protects them. But what is often overlooked is that many client-side applications are known to be vulnerable with no fix in sight. Can you imagine removing Adobe Flash or PDF Reader from a user’s computer? There would be revolts (at least).

Companies have to accept that their computers will be compromised and that a strategy relying only on traditional security techniques is not sufficient to protect the company. Instead, they must be able to identify problems, fix them and then patch the vectors involved. Shameless plug: our threatForensics service uses innovative forensic techniques to proactively protect your company. Give us a try…it will change how you operate and will quickly reduce your company’s risk.

“Security researchers at Foreground Security have found an issue with Adobe Flash. Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!). Adobe has said that no easy fix exists and no patch is forthcoming. Adobe puts the responsibility on the website administrators themselves to fix this problem, but they themselves seem to be vulnerable to these problems. Every user with Flash installed is vulnerable to this new type of attack and — until IT administrators fix their sites — will continue to be.”

via Slashdot News Story | Flash Vulnerability Found, Adobe Says No Fix Forthcoming.

Category : Security | Blog