<?xml version="1.0" encoding="utf-8"?> 
<?xml-stylesheet type="text/css" href="http://www.enterprise-security-today.com/share/rssstyle.css"?>
<rss version="2.0">

  <channel>
    <title>Enterprise Security Today</title>
    <link>http://www.enterprise-security-today.com</link>
    <description>Tech News by Enterprise Security Today (http://www.enterprise-security-today.com).</description>
    <language>en-us</language>
    <copyright>Copyright &#169; 2010 Enterprise Security Today, Inc.</copyright>
    <managingEditor>editorial@enterprise-security-today.com</managingEditor>
    <webMaster>webmaster@enterprise-security-today.com</webMaster>
    <pubDate>Wed, 10 Mar 2010 03:33:19 -0500</pubDate>
    <lastBuildDate>Wed, 10 Mar 2010 03:33:19 -0500</lastBuildDate>
    <category>Enterprise Security Today News</category>
    <generator>Enterprise Security Today</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <ttl>5</ttl>
    <image>
      <url>http://images.enterprise-security-today.com/images/rss-logo-newsfactor-white.gif</url>
      <title>Enterprise Security Today</title>
      <link>http://www.enterprise-security-today.com</link>
    </image>
  <item>
    <title>Remote-Code Vulnerability Being Exploited in IE 6 and 7</title>
    <description>Older versions of Internet Explorer are under attack. Microsoft warned Tuesday afternoon that cybercriminals are actively exploiting a security vulnerability that lets attackers execute malicious code from remote locations.
&lt;p&gt;
Microsoft's internal investigation reveals that the latest version of the browser, Internet Explorer 8, is not affected. Likewise, Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected.
&lt;p&gt;
Here's a quick list of affected versions for IT administrators looking to implement a workaround to mitigate the risk: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7.
&lt;p&gt;
&quot;In addition to Microsoft's Patch Tuesday updates today, the company also issued an advisory for a new zero-day vulnerability affecting Internet Explorer,&quot; said Josh Talbot, security intelligence manager for Symantec Security Response. &quot;Symantec has observed exploitation of this vulnerability in the wild and has created Trojan.Malscript!html and JS.Downloader detection to mitigate this attack.&quot; 
&lt;p&gt;
&lt;subhead&gt;
The Root of the Problem
&lt;/subhead&gt;
&lt;p&gt;
Microsoft said the vulnerability exists due to an invalid pointer reference being used within Internet Explorer. Under certain conditions, it's possible for the invalid pointer to be accessed after an object is deleted, according to a March 9 Microsoft security advisory. In a specially crafted attack, Internet Explorer's attempt to access the freed object can be made to allow remote code execution.
&lt;p&gt;
&quot;At this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes,&quot; Microsoft said. &quot;On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.&quot;
&lt;p&gt;
&lt;subhead&gt;
Mitigating Factors
&lt;/subhead&gt;
&lt;p&gt;
IT administrators can take heart in the mitigating factors that may protect their...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=72094</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=72094</guid>
    <pubDate>Tue, 09 Mar 2010 13:51:17 -0500</pubDate>
  </item>

  <item>
    <title>Deluxe Adopts SenSage Security Intelligence Solution</title>
    <description>SAN FRANCISCO, March 9, 2010 -- SenSage, Inc. today announced that Deluxe Corporation (NYSE: DLX) has adopted the SenSage Security Intelligence solution family as part of its ongoing effort to unify and refine security information and event management (SIEM), log management, and controls monitoring operations. Most recently, SenSage has provided Deluxe with enhanced real-time capabilities that improve its ongoing efforts to protect sensitive customer data and meet the strict and varied security requirements of its banking customers.
&lt;p&gt;
Deluxe, business partner to nearly 6,400 North American financial institutions, provides check customization, fraud prevention and customer loyalty programs that help banks build lasting relationships and grow core deposits. Information security management has continuously been a key enabler to the Deluxe value proposition, as it has always involved the safe handling of banking customer data. SenSage has helped Deluxe to further refine its security management practices.
&lt;p&gt;
&quot;Integrating data collection, storage and analysis functions with SenSage gives us an expanded view of user and system log activities, enhancing current data protection activities and controls,&quot; said Dan Ritari, vice president of enterprise information risk management at Deluxe. &quot;SenSage has a great reputation in the marketplace for unified SIEM and log management solutions. Our engagement with them enhances our compliance process and simplifies some of the challenges we face in securing a complex, geographically diverse data environment.&quot; 
&lt;p&gt;
With SenSage, Deluxe security and compliance professionals can more easily detect fraudulent behavior such as profile changes that enable unauthorized access to transactions, locked accounts, or unauthorized changes to master data files through exception-based alerts and reporting. The benefits of the SenSage solution to Deluxe include:
&lt;p&gt;
&lt;ul&gt;
&lt;li&gt;Complete 360-degree view of security event data for internal auditors and management.&lt;/li&gt;
&lt;li&gt;Proactive compliance through real-time monitoring of sensitive data access.&lt;/li&gt;
&lt;li&gt;Better risk visibility and reduced fraud through long-term data retention and analysis with deep investigation capabilities.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
&quot;By...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=72073</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=72073</guid>
    <pubDate>Tue, 09 Mar 2010 12:57:28 -0500</pubDate>
  </item>

  <item>
    <title>Energizer USB Charger Software Contains Malware</title>
    <description>Some Windows PC users may hope the Energizer bunny didn't keep going and going. It turns out the Energizer DUO USB battery charger is a vehicle for attacks on PCs, according to the Department of Homeland Security's Computer Emergency Readiness Team.
&lt;p&gt;
US-CERT researchers said Friday that the software that installs with the Energizer charger contains a Trojan horse that gives malicious hackers a back door into Windows machines.
&lt;p&gt;
&quot;An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user,&quot; US-CERT said. &quot;Removing the Energizer USB charger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts.&quot;
&lt;p&gt;
&lt;subhead&gt;
A Trusted Source
&lt;/subhead&gt;
&lt;p&gt;
Although the fix seems relatively easy for consumers who are aware they have been infected, the path in was also straightforward. Rob Enderle, principal analyst at the Enderle Group, said consumers were probably not expecting the Energizer software to carry a malicious payload.
&lt;p&gt;
&quot;Typically in a Windows 7 or even a Windows Vista install, if you mess around with ports you should get a warning,&quot; Enderle said. &quot;Because consumers got the software from a trusted source, chances are you'll bypass the warning and go ahead and install it because you think you are only installing the battery monitor. This is a nasty piece of work.&quot;
&lt;p&gt;
Enderle questioned the origin of the software, noting that Trojans seem to make their way into programs when the software is developed outside the U.S. Chances are, he said, the software was developed in China or some other foreign country.
&lt;p&gt;
&lt;subhead&gt;
What's So Unusual?
&lt;/subhead&gt;
&lt;p&gt;
Symantec also investigated the Energizer malware and discovered that the Trojan listens for commands on port 7777. That by itself is not so unusual, the company said, but Symantec researchers were surprised that...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=72061</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=72061</guid>
    <pubDate>Mon, 08 Mar 2010 14:06:28 -0500</pubDate>
  </item>

  <item>
    <title>Light Patch Tuesday Won&#039;t Include VBScript Vulnerability</title>
    <description>After a record-matching February that flooded corporate security departments with 13 bulletins to address 26 flaws, Microsoft's March Patch Tuesday cycle will be more manageable for IT administrators. On March 9, Microsoft will ship two security updates to fix eight vulnerabilities in Windows and Office.
&lt;p&gt;
In its monthly advance notification, Microsoft gave a sneak peek into the bulletins. Both are marked important, Microsoft's second-highest severity rating.
&lt;p&gt;
But despite not earning critical status, the flaws are hardly benign. The eight vulnerabilities Microsoft outlined could open the door to attackers to insert malicious code onto unpatched computers.
&lt;p&gt;
&lt;subhead&gt;
Pesky Office Bugs
&lt;/subhead&gt;
&lt;p&gt;
The first bulletin will fix vulnerabilities in Windows XP, Vista and Windows 7. This bulletin also affects the most recent service packs for XP and Vista, SP2 and SP3. Microsoft said both the 32-bit and 64-bit editions of these operating systems have the important bugs. The second bulletin will tackle bugs in Excel 2002, Excel 2003, and Excel 2007 on Windows, as well as Excel 2004 and Excel 2008 for the Mac and some Excel issues in Office service packs.
&lt;p&gt;
From what Paul Henry, a security and forensic analyst at Lumension, has seen, it doesn't appear that the bulletins released will address all the issues in the wild.
&lt;p&gt;
&quot;Interestingly, Microsoft also announced some end-of-life dates of Windows XP, so customers will soon have to start updating these operating systems, which include Windows XP Service Pack 2, as they will no longer be supported after July 13, 2010,&quot; Henry said. &quot;Customers are being encouraged to upgrade to Service Pack 3 or to Windows 7 as soon as possible.&quot; 
&lt;p&gt;
&lt;subhead&gt;
The VBScript Vulnerability
&lt;/subhead&gt;
&lt;p&gt;
On Monday, customers were alerted to a VBScript vulnerability that was exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer. But Microsoft's March patches will not address...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=72014</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=72014</guid>
    <pubDate>Fri, 05 Mar 2010 09:04:49 -0500</pubDate>
  </item>

  <item>
    <title>McAfee: System Security Is Weak Despite Locked Doors</title>
    <description>Evidence from the recent Aurora hack attacks on major American corporations suggests that many may have tightly locked virtual front doors, but no cybersecurity inside their systems, a McAfee expert warned on Wednesday. In a Security Insights blog post, Paul Kurtz, McAfee's chief technology officer, discussed his study of the December-through-February attacks on Google, Intel, Adobe Systems, and other large firms.
&lt;p&gt;
He concluded that &quot;Many organizations have tight security around financial systems and other mission-critical systems, but leave their intellectual-property repositories broadly accessible. The company might have strong perimeter security, but once you're in, the [source code] is readily available.&quot;
&lt;p&gt;
&lt;subhead&gt;Protecting 'Crown Jewels'&lt;/subhead&gt;
&lt;p&gt;
The Aurora attack, named for what is assumed to be the hackers' internal reference to the operation based on malware findings, is believed to have originated in China. The incident has strained relations between the U.S. and Chinese governments and caused Google to reconsider its presence there. The Wall Street Journal reported that as many as 100 companies may have been targeted.
&lt;p&gt;
Kurtz said the hackers &quot;went after the crown jewels of the targeted companies, their intellectual property.&quot; To do so, they likely tried to gain access to source-code management systems used internally to manage projects. Once they cracked the systems, they would be free to steal the code or implant malicious code.
&lt;p&gt;
Kurtz and McAfee's Stuart McClure discussed their findings at the RSA Conference in San Francisco this week, but didn't say whether Google or other companies lost their source code in the attack, according to the Journal. The two have published a white paper on their research available to companies on McAfee's web site.
&lt;p&gt;
&lt;subhead&gt;Stepping Up Security&lt;/subhead&gt;
&lt;p&gt;
Data security is one of the fastest-growing technology sectors, with a 53 percent rise in open security positions in the second half of 2009, according to Barclay Simpson's annual market report.
&lt;p&gt;
&quot;This is one of...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=72013</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=72013</guid>
    <pubDate>Thu, 04 Mar 2010 14:42:22 -0500</pubDate>
  </item>

  <item>
    <title>Homeland Chief Outlines U.S. Cybersecurity Strategy</title>
    <description>U.S. Department of Homeland Security Secretary Janet Napolitano outlined the steps DHS is taking to secure cyberspace at the RSA Conference 2010 in San Francisco on Wednesday. The former governor of Arizona also called upon experts and the public to contribute ideas to improve the nation's cybersecurity.
&lt;p&gt; 
&quot;All Americans have an important role to play in securing our computer systems and cyber networks,&quot; Napolitano said. &quot;We are challenging our nation's best and brightest to utilize their expertise and creativity to devise new ways to engage the public in the shared responsibility of safeguarding our cyber resources and information.&quot;
&lt;p&gt;
&lt;subhead&gt;
Boosting Infrastructure Security
&lt;/subhead&gt;
&lt;p&gt;
In her keynote address, Napolitano stressed DHS's dedication to recruiting and retaining the cybersecurity employees needed to confront terrorist and criminal threats. Moreover, she emphasized the department's commitment to supporting innovations such as EINSTEIN -- an intrusion detection program originally developed by US-CERT, the department's computer emergency readiness team.
&lt;p&gt;
&quot;In the past year we've deployed the second phase of EINSTEIN to 11 federal agencies, and we will be growing to 21 this year,&quot; Napolitano noted. &quot;And now we are testing the technology for the third phase of EINSTEIN,&quot; which will give DHS &quot;the ability to detect malicious activity and disable attempted intrusions before harm is done to our critical systems.&quot;
&lt;p&gt;
Ensuring U.S. government continuity as well as private-sector services and information -- even as it protects privacy -- are among the important tasks DHS now faces, Napolitano said. To meet these challenges, DHS has developed &quot;a national cybersecurity incident response plan in full collaboration with the private sector&quot; that will be tested during an exercise in September.
&lt;p&gt; 
What's more, DHS efforts continue to focus on &quot;providing the ability to bounce back even more quickly should a large-scale attack -- or really an attack of any size -- occur,&quot; Napolitano said. To this end,...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=72011</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=72011</guid>
    <pubDate>Thu, 04 Mar 2010 14:15:31 -0500</pubDate>
  </item>

  <item>
    <title>Data Security Concerns Dominate CeBIT in Germany</title>
    <description>Data security issues dominated the CeBIT trade fair, which began a five-day run in Germany Tuesday with its main focus on business software to run banks, laboratories, warehouses and other enterprises.
&lt;p&gt;
Anti-virus company Symantec warned that malware -- software designed to cause damage -- was now mounting 8 million attacks daily against Internet users, while 13,000 new Web sites went online every day with spyware waiting to catch out visitors.
&lt;p&gt;
Ilias Chantzos, a Symantec executive, said, &quot;The numbers keep rising all the time.&quot; These days, hackers were even trying to interfere with municipal traffic lights, he warned. Symantec makes Norton anti-virus software.
&lt;p&gt;
Web search firm Google defended itself against allegations by German politicians that photographs of homes and offices might assist burglars and snoopers.
&lt;p&gt;
It said its Street View service, part of Google Maps and showing panorama images of 19 nations already, was legal under German law and would show German road frontages by the end of this year.
&lt;p&gt;
On the same day, German exhibitors were shaken by a court ruling that current police access to phone company call records is too lax.
&lt;p&gt;
Phone companies said at the fair they faced vast expense if they had to retain data on the times and destinations of phone calls with even tighter security, as the German constitutional court demanded. They demanded the German government pay the added cost.
&lt;p&gt;
European Union law requires phone companies to keep logs in case they are needed for anti-terrorism and serious crime inquiries.
&lt;p&gt;
CeBIT, which runs from Tuesday to Saturday, has about 4,150 exhibitors attending this year, only half as many as it had at its peak nine years ago.
&lt;p&gt;
This time round many pavilions are empty and consumer-electronics products are rare at the event, which focuses on corporate buyers.
&lt;p&gt;
A remote pavilion one was handed over for performances by up-and-coming German rock bands in the faint...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=72000</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=72000</guid>
    <pubDate>Fri, 05 Mar 2010 07:34:31 -0500</pubDate>
  </item>

  <item>
    <title>NATO Chief Warns of Threats in Cyberspace</title>
    <description>NATO is facing new threats in cyberspace that cannot be met by lining up soldiers and tanks, the alliance's secretary-general said Thursday in an apparent reference to terror groups and criminal networks.
&lt;p&gt;
Anders Fogh Rasmussen said there were several international actors who want &quot;to know what's going on inside NATO, and they also use cyberspace to achieve their goals.&quot;
&lt;p&gt;
He refused to give details or name groups except to say there were &quot;many of them.&quot;
&lt;p&gt;
&quot;It's really a broad range of threats. There are many actors in cyberspace, and we have to develop a capacity to protect ourselves against those attacks,&quot; Fogh Rasmussen told reporters on the sidelines of a one-day NATO seminar in Helsinki.
&lt;p&gt;
The alliance has been reticent to discuss its actions in countering cyberattacks and threats, but was prompted to tackle the problem after hackers unleashed a wave of attacks against NATO-member Estonia three years ago.
&lt;p&gt;
The barrage crippled dozens of government and corporate sites in what is one of Europe's most wired countries. It prompted NATO to enhance its cyber war capabilities and to establish the alliance's cyber defense research center in the Estonian capital, Tallinn, in 2008.
&lt;p&gt;
The organization also set up an agency to manage cyber defense across NATO's communication and information systems and to help members in defending against cyberattacks.
&lt;p&gt;
Fogh Rasmussen reiterated that &quot;the core function&quot; of the alliance would still be to defend its members' territories and populations. But in modernizing the alliance, &quot;it's not sufficient to line up soldiers and tanks and military along the borders. You really have to address the threat at its roots, and it might be in cyberspace.&quot;
&lt;p&gt;
Thursday's seminar, on increasing strategic cooperation between NATO and its partners, was chaired by the foreign ministers of Finland and Sweden -- both non-NATO members that work closely with the alliance.
&lt;p&gt;
Swedish Foreign Minister Carl Bildt said...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=71994</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=71994</guid>
    <pubDate>Fri, 05 Mar 2010 07:34:58 -0500</pubDate>
  </item>

  <item>
    <title>Few Details Emerge in White House Cybersecurity Plan</title>
    <description>The Obama administration on Tuesday gave the public a peek at the Bush administration's classified plan to secure the nation's computer systems, but the newly revealed list of broad goals provided few surprises and key provisions remain secret.
&lt;p&gt;
The decision to publish a summary of the cyber initiative on the White House blog came just a month after the Washington-based Electronic Privacy Information Center filed a lawsuit in federal court seeking release of the computer security document.
&lt;p&gt;
Privacy advocates and other groups have long fought to get the Bush cyber plan made public, concerned that it discussed surveillance activities and Internet traffic monitoring by intelligence agencies that could violate Americans' personal privacy.
&lt;p&gt;
The government's precautions for dealing with cyber security have become a critical national security issue, as U.S. computers have been continually attacked and scanned by hackers, criminals and terrorists looking to steal money, data and state secrets.
&lt;p&gt;
U.S. officials and cyber experts have repeatedly warned that the nation is not adequately prepared for a cyber attack. Government and key private computer systems -- such as those that run the electric grid or nuclear power plants -- must be better protected, the critics say.
&lt;p&gt;
While the new White House posting did not provide details on the Bush-era classified cyber plan, one privacy group welcomed the public disclosure as a good first step for the Obama White House, which has pledged to run a more open, transparent government. 
&lt;p&gt;
&quot;The White House should be credited with beginning an important public discussion about the future of cybersecurity,&quot; said Marc Rotenberg, EPIC's executive director.
&lt;p&gt;
Rotenberg added, however, that the entire document still needs to be made public, including the legal authorities the government operates under and the privacy safeguards it employs when scrutinizing Internet traffic for cyber threats.
&lt;p&gt;
White House cyber coordinator Howard Schmidt announced the decision to make the...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=71977</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=71977</guid>
    <pubDate>Thu, 04 Mar 2010 08:16:37 -0500</pubDate>
  </item>

  <item>
    <title>Core Security Technologies and nCircle Integrate Further</title>
    <description>SAN FRANCISCO -- Core Security Technologies, provider of the CORE IMPACT family of comprehensive enterprise security testing solutions, today announced that it has expanded its relationship with security and compliance auditing leader nCircle, broadening integration between the two companies' highly complementary security assessment solutions.
&lt;p&gt;
By leveraging fully-supported integration between CORE IMPACT Pro, the market's leading automated penetration testing software solution, and the nCircle IP360 network vulnerability management system, commercial organizations can streamline their vulnerability management processes to more quickly and cost effectively validate critical vulnerabilities that are immediately exploitable on their networks.
&lt;p&gt;
For government agencies and commercial businesses that support such organizations, use of the two products in concert allows for compliance with specific controls within 18 of the 20 Requirements laid out in the recently introduced Consensus Audit Guidelines (CAG), including the ability to fully meet many of the security mandates.
&lt;p&gt;
Developed by a consortium of public and private security leaders and first published by training specialists SANS Institute in Feb. 2009, CAG Requirements specifically cite the need for cyber-security controls that are tacitly proactive and can &quot;inform defense&quot; of actual attacks that have compromised systems, or those that could transpire to do so.
&lt;p&gt;
By feeding the results of vulnerability assessments run using nCircle IP360 directly into IMPACT Pro, IT security teams within government agencies and commercial organizations can pinpoint the exploitability and severity of vulnerabilities in direct relation to real-world malware and hacking techniques to understand precisely which results represent their more significant points of risk.
&lt;p&gt;
The combination of vulnerability scanning and automated penetration testing is recognized among IT security practitioners as a best practice for finding and assessing networking systems flaws and configuration errors. Through this process, organizations can improve their overall vulnerability management processes and dramatically reduce the cost of remediation, while reducing the risk of potential attacks and related loss...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=71966</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=71966</guid>
    <pubDate>Thu, 04 Mar 2010 08:27:33 -0500</pubDate>
  </item>
</channel></rss>