Ahhh, nothing like the weekly Adobe zero-day exploit.
This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324). We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog for the latest information.
via New Adobe Reader and Acrobat Vulnerability – Adobe Product Security Incident Response Team (PSIRT).
Well, it’s nice to see Adobe at the top of the list given all the 0-day exploits. Bit9 seems to do great work, but the white paper is behind a registration wall (they should just release it; trust me, it’s better that way). Here are the results from the press release:
This year Adobe applications top the list, with four applications identified in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database:
- Adobe Acrobat
- Flash Player
- Reader
- Shockwave
All four had vulnerabilities that were rated “High”, including ones that allowed remote attackers to execute arbitrary code, trigger memory corruption, denial of service or application crashing.
Other vulnerable applications on the list include:
- Apple Quicktime
- Mozilla Firefox
- Opera
- RealPlayer
- Sun Java
- Trillian
The applications on the list meet the following criteria:
- Runs on Microsoft Windows
- Is well-known in the consumer space and frequently downloaded by individuals
- Is not classified as malicious by enterprise IT organizations or security vendors
- Contains at least one critical vulnerability that was:
  - First reported in January 2009 or after
  - Registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and given a severity rating of high (between 7.0 and 10.0) on the Common Vulnerability Scoring System (CVSS)
  - Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists
  - The application cannot be automatically and centrally updated via enterprise tools such as Microsoft SMS and WSUS
via Bit9 Releases Annual Report on Top Vulnerable Applications in 2009.
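If you want to reproduce the ranking above against your own NVD export instead of taking the press release at face value, the selection criteria boil down to a date floor, a CVSS floor and a "who patches it" flag. The script below is an added example written for this post, not Bit9's code; the records are constructed for the demonstration (the CVE ids are placeholders, not real entries), and because NVD does not record whether a product is patched by the end user or by SMS/WSUS, that criterion is represented by an assumed `user_patched` field you would have to fill in yourself.

```python
"""Apply the Bit9 selection criteria to NVD-style records and rank vendors.

Added example for this post, not Bit9's code. Records are constructed; the
CVE ids are placeholders. The "user_patched" field is an assumption: NVD has
no such attribute, so the end-user-patching criterion must be supplied.
"""
from datetime import date

# Constructed sample records in a simplified NVD-like shape (not real CVEs).
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "vendor": "Adobe", "product": "Acrobat",
     "published": "2009-03-10", "cvss": 9.3, "user_patched": True},
    {"id": "CVE-0000-0002", "vendor": "Adobe", "product": "Reader",
     "published": "2009-03-10", "cvss": 9.3, "user_patched": True},
    {"id": "CVE-0000-0003", "vendor": "Adobe", "product": "Flash Player",
     "published": "2009-07-22", "cvss": 9.3, "user_patched": True},
    {"id": "CVE-0000-0004", "vendor": "Adobe", "product": "Shockwave",
     "published": "2009-06-24", "cvss": 9.3, "user_patched": True},
    # Published before 2009: excluded by the date criterion.
    {"id": "CVE-0000-0005", "vendor": "Adobe", "product": "Acrobat",
     "published": "2008-11-04", "cvss": 9.3, "user_patched": True},
    {"id": "CVE-0000-0006", "vendor": "Apple", "product": "QuickTime",
     "published": "2009-09-09", "cvss": 9.3, "user_patched": True},
    {"id": "CVE-0000-0007", "vendor": "Mozilla", "product": "Firefox",
     "published": "2009-10-27", "cvss": 9.3, "user_patched": True},
    # CVSS below 7.0: medium severity, excluded.
    {"id": "CVE-0000-0008", "vendor": "Mozilla", "product": "Firefox",
     "published": "2009-10-27", "cvss": 4.3, "user_patched": True},
    # Centrally patched via WSUS: excluded even though CVSS is high.
    {"id": "CVE-0000-0009", "vendor": "Microsoft", "product": "Windows 7",
     "published": "2009-11-11", "cvss": 7.1, "user_patched": False},
]


def meets_criteria(rec, year_start=date(2009, 1, 1), min_cvss=7.0):
    """Bit9's three filterable criteria: date floor, CVSS >= 7.0, user-patched."""
    published = date.fromisoformat(rec["published"])
    return (published >= year_start
            and rec["cvss"] >= min_cvss
            and rec["user_patched"])


def rank_vendors(records):
    """Return [(vendor, sorted distinct products)] ordered by product count.

    A vendor is ranked by how many distinct products qualify, not by how many
    CVEs it has, which is how "four Adobe applications" is counted above.
    """
    by_vendor = {}
    for rec in records:
        if meets_criteria(rec):
            by_vendor.setdefault(rec["vendor"], set()).add(rec["product"])
    return sorted(((v, sorted(p)) for v, p in by_vendor.items()),
                  key=lambda vp: (-len(vp[1]), vp[0]))


if __name__ == "__main__":
    for vendor, products in rank_vendors(SAMPLE_RECORDS):
        print(f"{vendor}: {len(products)} product(s): {', '.join(products)}")
```

Note that a real NVD feed lists CPE names rather than a clean vendor/product pair, so in practice the `vendor` and `product` fields would come from parsing the CPE strings first.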
More thoughts on our smart grid vulnerability:
However, the smart grid changes all of that. The researchers from IOActive demonstrated that smart grid boxes can be hacked and that they can spread worms. Not only that, the boxes themselves will be connected to every home and be available to anyone. Anyone therefore has access to the smart grid. With tens of millions of the boxes planned to be distributed throughout the United States, potential attackers can easily get their hands on the systems to tear apart and find new vulnerabilities and attacks. More important, when there is a vulnerability found, how will it be mitigated?
There is a perfect storm brewing where the skills and resources required to launch a significant attack are being drastically lowered. Depending upon the effects of a possible worm on the smart grid boxes, and the vulnerability of the generators, there can be a combined attack that does have strategic impact.
via I Was Wrong: There Probably Will Be an Electronic Pearl Harbor.
I love that “without our knowledge” quote. Wouldn’t it be nice if companies took the security of your personal data seriously? If you are a company that wants to start, take a look at our fraudForensics service…do yourself and your customers a huge favor.
Staff at mobile phone company T-Mobile passed on millions of records from thousands of customers to third party brokers, the firm has confirmed.
Details emerged after the firm alerted the information commissioner, who said his office was preparing a prosecution.
Christopher Graham said brokers had sold the data to other phone firms, who then cold-called the customers as their contracts were due to expire.
A T-Mobile spokesman said the data had been sold “without our knowledge”.
I won’t inundate the blog with Windows exploits, but the first Windows 7 zero-day bug is noteworthy.
In a security advisory, Microsoft acknowledged that a bug in SMB (Server Message Block), a Microsoft-made network file- and print-sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines.
via Computerworld > Microsoft confirms first Windows 7 zero-day bug.
On a similar note, security firm Sophos tested Windows 7 against 10 malware samples on 10/22/2009 and found that 80% of them succeeded:
On October 22nd, we settled in at SophosLabs and loaded a full release copy of Windows 7 on a clean machine. We configured it to follow the system defaults for User Account Control (UAC) and did not load any anti-virus software.
We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft’s claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.
Interesting research on protecting computers from rootkits (full PDF here):
Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance.
The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that’s tightly locked down. The researchers, from Microsoft and the computer science department at North Carolina State University, plan to present their findings Thursday at the 16th ACM Conference on Computer and Communications Security.
via Boffins boast newfangled rootkit blocker • The Register.
We spend a lot of time talking with corporate IT and security managers who believe the infrastructure they have in place protects them. What is often overlooked is that many client-side applications are known to be vulnerable with no fix in sight. Can you imagine removing Adobe Flash or Adobe Reader from a user’s computer? There would be revolts (at least).
Companies have to accept that their computers will be compromised and that a strategy relying only on traditional security techniques is not sufficient to protect the company. Instead, they must be able to identify compromises, fix them and then close the vectors that were used. Shameless plug: our threatForensics service uses innovative forensic techniques to proactively protect your company. Give us a try…it will change how you operate and will quickly reduce your company’s risk.
“Security researchers at Foreground Security have found an issue with Adobe Flash. Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!). Adobe has said that no easy fix exists and no patch is forthcoming. Adobe puts the responsibility on the website administrators themselves to fix this problem, but they themselves seem to be vulnerable to these problems. Every user with Flash installed is vulnerable to this new type of attack and — until IT administrators fix their sites — will continue to be.”
via Slashdot News Story | Flash Vulnerability Found, Adobe Says No Fix Forthcoming.
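The Slashdot summary does not say what the issue is, only that any site accepting uploads is exposed and that the fix is on the site operator. The check below is an added example for this post (not code from Foreground Security, Adobe or Slashdot), and it rests on an assumption I am making explicitly: that the problem is an uploaded file which Flash Player will interpret as a SWF movie when it is served back from the site's own origin, whatever filename or Content-Type the uploader declared. Under that assumption the operator-side mitigation is to inspect the bytes, not the metadata, and reject anything carrying a SWF header, in addition to serving user content from a separate origin. The sample uploads are constructed inline.

```python
"""Reject uploads that carry a SWF signature regardless of name or MIME type.

Added example, not the vendor's or researchers' code. Assumes the issue is a
SWF executing from the upload host's origin; the detection only looks at the
SWF header (3-byte signature, 1-byte version, 4-byte little-endian length).
"""
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib, LZMA


def looks_like_swf(data: bytes) -> bool:
    """True if data starts with a plausible SWF header.

    For CWS the body must also be a valid zlib stream, so ordinary text that
    happens to begin with "CWS" is not flagged.
    """
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return False
    declared_len = int.from_bytes(data[4:8], "little")
    if declared_len < 8:               # length field covers the header itself
        return False
    if data[:3] == b"CWS":
        try:
            zlib.decompress(data[8:])
        except zlib.error:
            return False
    return True


def upload_is_safe(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason). The filename and Content-Type are untrusted."""
    if looks_like_swf(data):
        return (False, f"rejected: SWF header despite name {filename!r} "
                       f"and declared type {content_type!r}")
    return (True, "accepted")


def make_swf(compressed: bool, body: bytes = b"\x00" * 16) -> bytes:
    """Construct a minimal SWF-shaped blob for the demonstration (not a real movie)."""
    total = 8 + len(body)
    header = (b"CWS" if compressed else b"FWS") + bytes([10]) + total.to_bytes(4, "little")
    return header + (zlib.compress(body) if compressed else body)


# Constructed uploads: two disguised SWFs, one real-looking PNG, one text file.
SAMPLES = {
    "avatar.png": ("image/png", make_swf(False)),
    "photo.jpg": ("image/jpeg", make_swf(True)),
    "real.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "notes.txt": ("text/plain", b"CWS is not a SWF here, just prose\n"),
}

if __name__ == "__main__":
    for name, (ctype, blob) in SAMPLES.items():
        print(name, upload_is_safe(name, ctype, blob))
```

This is a content check, not a complete fix: it stops the disguised-SWF case only, so it belongs alongside serving uploads from a domain that shares nothing with the application's session, which is the control that removes the origin problem itself.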
It would be nice if carriers and developers considered security before shipping devices and apps to unsuspecting consumers. However, any progress toward awareness or solutions is fine by me.
Georgia Tech researchers have received a $450,000 NSF grant to boost security of iPhones, BlackBerries and other smartphones and the wireless networks on which they run. And it’s those networks where the researchers are really zeroing in.
via iPhone worms, other smartphone malware in researchers’ sights – Network World.
In the fast-paced race for revenue, apps on your iPhone, Android phone, other devices and even Facebook fall prey to every trick in the book. The problem is, most people have no idea. A write-up and video on The Consumerist shows the CEO of Mafia Wars bragging to aspiring developers.
As we previously mentioned, one popular developer is already on the receiving end of a class action lawsuit for allegedly taking users’ personal data without permission. TechCrunch has a great article if you want an insider’s take on how to scam users.
From the beginning, the profitability and viability of popular Facebook social networking games Mafia Wars and Farmville were predicated on the backs of scams, boasts Zynga CEO Mark Pincus in this video. “I did every horrible thing in the book just to get revenues,” he crows in the clip to a gathered bunch of fellow scumbag app developers.
via Facebook: Mafia Wars CEO Brags About Scamming Users From Day One.
A great study was just posted which highlights what we see with nearly every computer we analyze: while corporations spend millions on security products, the protection is simply not sufficient. By using forensics to see empirically where your weaknesses exist, you can quickly identify and patch problems with your existing security infrastructure. We have found this is the most cost-effective way to improve IT security at a company.
Nearly 80 percent of security products fail to perform as intended when first tested and generally require two or more cycles of testing before achieving certification, according to a new ICSA Labs report.