eWorld Translations

In a briefing of the Senate committee overseeing commerce, transportation and technology, Admiral Mike McConnell, former US Director of National Intelligence (DNI) revealed that the nation “would lose” in a cyber war if the nation was attacked today.

McConnell believes that in order to force the nation’s entities to protect their IT systems it will take a catastrophic cyber attack, which he told to expect.

Alan Paller, Director of Research at the SANS Institute, commented on this issue in the SANS NewsBites: “Watching the Senators’ expressions when Admiral McConnell told them that we would lose in a cyber war, was a powerful awakening. They didn’t know!  Other than the chairman and ranking member, who served in the same roles on the Senate Intelligence Committee until last year, and had had intense classified briefings, the Commerce Committee members had no idea how far behind the United States has fallen. Their lack of knowledge completely explains why Congress passed such a terrible law (in FISMA), why they never fixed it, and why the Office of Management and Budget staff, living in similar oblivion, won’t take the clear and proven steps necessary to reduce the security risk to federal systems.”

Dr. Eugene Schultz, CTO of Emagined Security, who was also the co-founder and original project manager of
the Department of Energy’s Computer Incident Advisory Capability (CIAC), cautions: “Unfortunately, senior management in the U.S. commercial sector is unlikely to heed McConnell’s warning, let alone act on it. The following quote from a prominent CIO summarizes the problem nicely: ‘You security guys keep talking and talking about the end of the world. It doesn’t seem to come.’”

No matter whether you are representing or working for a large or SME company or are a sole proprietor or freelancer or a home user, we can only urge you to take much less of a laissez-faire approach than that placated by Dr. Schultz.

Please take the time to review and update your security measures, policies and procedures to be better prepared for any potential adverse activities that could affect you and/or your business. Contact us today if you’d like our help.

A zero-day flaw in both Visual Basic Scripting (VBScript) and Windows Help is under investigation by Microsoft since this vulnerability could be exploited to introduce malware on computers that are running the Windows 2000, Windows XP or Server 2003 operating system and which use Internet Explorer (IE) version 7 or 8.

Polish security analyst Maurycy Prodeus, with iSEC Security Research, who revealed the vulnerability and posted attack code last week, called the bug a “logic flaw.”

Another security researcher, Cesar Cerrudo, believes “that there is a high probability a regular user will press F1 key if asked, since an attacker can annoy the user with hundreds of messages telling the user to press F1 to continue.”

One of the workarounds offered by Microsoft, namely to not press the F1 key when prompted by a website to do so, is a no-brainer and boils down to common sense. Prodeus’ attack is successful, as Cerrudo points out, because it abuses the VBScript “MsgBox()” function.

According to Microsoft’s Security Advisory, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 are not vulnerable to this attack.

Let us help you to assure that your products, policies and procedures are up-to-date. Contact us today.

The Open Door Clinic of Greater Elgin, Illinois (USA), a not-for-profit corporation that treats and consults patients infected with HIV/AIDS, allegedly leaked confidential patient information as the result of installing a peer-to-peer file sharing network application on one of its computer or a computer used by one of its staff for work, according to a class action law suit filed last month.

The suit’s class is comprised of 260 or more people whose personal medical information was leaked; it alleges breach of confidentiality, invasion of privacy and negligence, given that the clinic became aware of the data leak as early as summer 2008, yet, neglected to inform its patients at that time.

Let us help you to avoid similar headaches for you and your organization. Contact us today to arrange for a review and update of your privacy and security products, policies and procedures.

According to security and vulnerability research company Secunia, a typical home user who is running Windows is facing the “unreasonable” challenge to patch one software or another every five days.

In the last week of January, of the users who ran Secunia’s Personal Software Inspector (PSI) application, half had at least 66 programs from more than 21 vendors on their machines, resulting in the need to master 22 or more different patch mechanisms.

While Secunia’s Chief Security Officer, Thomas Kristensen, is calling for software vendors to create a unified patching standard, he is not holding his breath for this to become a reality any time soon.

Therefore, the company is releasing a technical preview of PSI 2.0 which will include automatic updating functionality reminiscent of what Microsoft provides for Windows and other software. Their patch tool eventually will handle 70-80% of the software on consumers’ Windows machines.

You can read more about Secunia’s PSI findings in their white paper.

We’ll gladly help you to review and update your computer’s configuration, your security mechanisms and your policies. Contact us today.

Three people have been arrested by the Spanish authorities in connection with the Mariposa botnet consisting of about 13 million PCs worldwide which included personal computers at 40 major banks as well as at Fortune 1000 companies (including half of the Fortune 100 companies).

The botnet was first detected in December 2008 and was shutdown in December 2009, defeated with the assistance of a coalition of security experts, academics and law enforcement – the Mariposa Working Group – that monitored communications between compromised computers and the cyber criminals.

What ultimately brought the group down was that it used a real name while registering command-and-control domains, thereby enabling the Mariposa Working Group to track them down. Even more critically, one suspect also made direct connections from his own computer to try and reclaim control of the botnet after authorities took it down around Christmas. Investigators were able to identify him based on that traffic.

Allegedly, the three people arrested in Spain (identified by he Spanish authorities only by their Internet handles and ages (“netkairo,” 31; “jonyloleante,” 30; and “ostiator,” 25) were the administrators of Mariposa. In other countries, arrests are said to be imminent.

Mariposa is believed to be one of the largest botnets detected to date. By comparison, researchers believe that the infamous Conficker botnet was linked to only half as many IP addresses.

Cesar Lorenza, a captain with Spain’s Guardia Civil, which is investigating the case, told The Associated Press, based on bank records that investigators examined as well as computer that were seized to determine how much money the criminals made: “They’re not like these people from the Russian mafia or Eastern European mafia who like to have sports cars and good watches and good suits – the most frightening thing is they are normal people who are earning a lot of money with cyber crime.”

Botnets are networks of infected PCs that have been hijacked from their owners, often without their knowledge, and put into the control of criminals. Linked together, the machines supply an enormous amount of computing power to spammers, identity thieves, and Internet attackers.

For assistance in reviewing and updating your defensive measures and policies, contact us today.

A paper released by McAfee at the RSA conference indicates that the attackers who gained access to systems at Google and Adobe as well as at other companies did so by going after their source-code management systems (SCMs).

Apparently a lot of the affected companies used an SCM from Perforce which, according to the paper, was “wide open” to the attackers.

Initial access to the companies’ systems was gained through weaponized email (formerly known as spear phishing), which exploited a zero-day vulnerability in the Internet Explorer browser.

The targeted victims received an e-mail or instant message that appeared to originate from somebody whom they knew and trusted, and contained a link to a website that executed a malicious JavaScript which downloaded a binary to the user’s system disguised as a JPEG file and opened a backdoor onto said victim’s computer, setting up a connection to the attackers’ command-and-control servers.

There is a chance that the source code at these companies was modified to make customers of their software in return vulnerable to attack down the line. This is reminiscent to the attackers creating themselves a set of keys in advance for locks that are going to be sold far and wide.

A copy of the white paper is available a the Wired website.

If you would like our help in reviewing and updating both your computer systems’ security and your respective policies, contact us today.

Earlier this week, Symantec released its 2010 State of Enterprise Security study which indicated that about three quarter of the organizations that responded encountered at least one cyber security attack within the past year. Even more disconcerting, about one third of those stated that these attacks were “somewhat/highly effective.”

This is a considerable increase above and beyond the attacks reported the year before. Nevertheless, a mere 42 percent of the responding organizations (2100 CIOs, CISOs and IT managers from 27 countries) indicated in January 2010 that security was their most important issue.

If you can spare the time, read the 16-page report in its entirety. Otherwise here are some highlights:

• 25 % of respondents did not experience any cyber attacks [yeah, right ... wake up folks ... you likely don't have the right defensive measures in place that would alert you to them ... in which case there's a good chance you're already "owned"]; luckily the rest of the responding enterprises had a higher awareness level regarding this issue.
• A full 100 % of the enterprises surveyed encountered cyber losses in 2009 which by type were evenly spread across: Customer personally identifiable information (PII); Downtime of environment; Theft of intellectual property. For large enterprises, the associated loss averaged USD 2.8 million per year, each.
• An IT operations manager for an auto dealership consortium, talking about the cost of losing confidential customer information, indicates: “If we lose information, such as social security numbers or credit cards, we’re liable. We estimate that it costs us $11000 a name if there is a compromise in Security.”While some costs are harder to quantify, they are no less severe, as he emphasizes: “The costs of cyber attacks are financial, brand, stock price and a lot of other things as well. But the biggest cost is a ruined reputation. Who wants to do business with a company that cannot protect their customers’ information?”
• The initiatives that were rated most problematic from a security standpoint are cloud computing and virtualization:
  • Infrastructure-as-a-Service
  • Platform-as-a-Service
  • Server virtualization
  • Endpoint virtualization
  • Software-as-a-Service
• Recommendations
  • Protect the infrastructure
  • Protect the information
  • Develop and enforce IT policies
  • Manage systems

If you’d like our help in assessing your current situation and mitigating your risk exposure, contact us today.

A flaw in Adobe’s Download Manager (DLM) exposes users to the installation of arbitrary software on vulnerable Windows systems.

While the DLM ActiveX control and the corresponding Firefox plug-in under Windows normally is not installed permanently on personal computers, it stays on the system and remains active until said computer is rebooted.

The culprit is that Adobe’s DLM tells users what it is downloading but does not ask for permission before installing the download(s) on Windows XP computers. Under Windows 7 and Vista, on the other hand, the UAC steps in, requesting confirmation of the intention to install.

The aforementioned situation arises for example when a user has installed an update to the Adobe Flash Player, Adobe ShockWave, Adobe Reader or any of the other Adobe products.

If  you would like us to help you assess your exposure to these and other vulnerabilities, and to discuss and implement tools, policies and procedures to remedy them, contact us today.

US-CERT, the U.S. Computer Emergency Readiness Team, has published an advisory, warning that a number of clientless SSL virtual private network (VPN) products from Cisco, Juniper, SafeNet and SonicWall are affected by a vulnerability that could be exploited to bypass authentication procedures and/or launch other attacks.

As the advisory explains, “”By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers.”

According to the advisory, there is no known way to correct this flaw, but rather only a number of workaround, among them to limit both URL-rewriting and VPN server connections to trusted domains, and to disable any URL-hiding features.