Security Fix
Sat, 28 Jun 08
Taming Internet Explorer Browser Plug-Ins
http://blog.washingtonpost.com/securityfix/2008/06/taming_internet_explorer_brows_1.html?nav=rss_blog
Security Fix has often lamented the lack of decent point-and-click software tools to help Microsoft Internet Explorer Web browser users kill insecure "ActiveX controls," plug-ins for IE that have traditionally been among the biggest avenues of attack from spyware and adware. That's why I'm pleased to call attention to a free new tool called "AxBan," which helps neuter insecure ActiveX plug-ins installed by some of the most widely used third-party software applications. ActiveX is a Microsoft creation woven into both IE and the Windows operating system. It was designed to allow Web sites to develop interactive, multimedia-rich pages. However, such powerful features rarely ever come without security trade-offs. Poorly designed ActiveX controls can be an extremely potent weapon for cyber crooks, since most ActiveX controls distributed with third party software are marked "safe for scripting." This means that they will run when invoked and without requiring the user's permission. As
Fri, 27 Jun 08
Free Tools to Secure Your Web Site
http://blog.washingtonpost.com/securityfix/2008/06/free_tools_to_secure_your_web_1.html?nav=rss_blog
Over the past six months, millions of Web pages have been hacked and seeded with malicious software, and in a great many cases the sites were hacked because their curators failed to put in place even basic database security measures. In most of these compromises, the hackers broke in using an attack called SQL injection. Rather than attacking specific software security vulnerabilities, SQL injection attacks target configuration weaknesses in the database layer of the site's Web application, be it ASP, CGI, or PHP. While most SQL attacks are automated with the help of scanning tools, SQL attacks can be carried out using nothing more than a Web browser. An injection vulnerability most commonly exists when a site accepts input from a visitor -- such as through a search or login box -- but fails to filter out potentially harmful instructions, non-standard characters or computer code. Successful SQL attacks can force
Thu, 26 Jun 08
Security Update for Adobe Reader, Acrobat
http://blog.washingtonpost.com/securityfix/2008/06/security_update_for_adobe_read_1.html?nav=rss_blog
Adobe has issued a security update for its Adobe Acrobat and free Adobe Reader applications. The patch plugs a critical flaw that Adobe said attackers could leverage to take control of a vulnerable system. The latest update, available here for both Microsoft Windows and Mac OS X systems, applies to the most recent versions of Acrobat and Reader (v. 8.1.2). It also plugs the vulnerability in the following Adobe products:
- Adobe Reader 7.0.9 and earlier
- Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
- Adobe Acrobat Professional, 3D and Standard 7.0.9 and earlier
If you have any of these products installed, take a moment now to update them. As the SANS Internet Storm Center rightly notes, malicious software writers have traditionally been quick to incorporate critical Adobe vulnerabilities into their creations, so it's probably best not to let any grass grow under your feet on this one.
Thu, 26 Jun 08
Report: China Home to Half of All Malicious Web Sites
http://blog.washingtonpost.com/securityfix/2008/06/report_china_home_to_half_of_a.html?nav=rss_blog
More than half of the Web sites foisting malicious software on visitors are located at networks in China, according to data released today. Stopbadware.org, a joint project between researchers at Harvard, Oxford and Google, found that 52 percent of the more than 200,000 infected sites the group analyzed in late May were hosted at Chinese networks. In contrast, U.S.-based networks accounted for 21 percent of the bad sites, Stopbadware found. The sites examined in the study were all reported as malicious by Google, which interestingly enough ranked as the 6th largest source of malicious Web sites in this report, with 4,261 malware sites. Most of those appear to be the result of scammers and virus writers devising ways to automate the creation of sites at Google-owned Blogger.com. This report was released more than a year after Stopbadware's inaugural malicious sites study, which examined the network distribution of about 50,000 nasty
Thu, 26 Jun 08
New Trojan Leverages Unpatched Mac Flaw
http://blog.washingtonpost.com/securityfix/2008/06/new_trojan_leverages_unpatched.html?nav=rss_blog
A tool for exploiting an unpatched security hole in Mac OS X systems has been developed and until earlier today was being distributed through an online forum that caters to Mac hackers, Security Fix has learned. The exploit tool, labeled "Applescript Trojan horse template" by hackers at Macshadows.com, appears to be a collective and ongoing effort to create a package of malicious software that capitalizes on the ARDagent security hole first publicized last week. The vulnerability essentially allows any program to run on a Mac user's machine without first prompting the user to enter his or her user name and password. The first Macshadows.com post on developing this Trojan, dated May 18. Currently, the Macshadows user forum appears to have been wiped clean, both from the Macshadows.com Web site and from Google's cache. However, Security Fix obtained screen shots of forum postings from the code's authors, which are sprinkled throughout
Sat, 21 Jun 08
Serious Security Vulnerability In Apple OS X Leopard
http://blog.washingtonpost.com/securityfix/2008/06/serious_security_vulnerabilty_1.html?nav=rss_blog
An unpatched security hole in Apple's OS X operating system could be used by attackers to change key system settings or to take control of vulnerable computers, security researchers warn. In a posting to news-for-nerds site Slashdot.org on Wednesday, an anonymous reader noted that a core component of OS X 10.4 (Tiger) and 10.5 (Leopard) called Apple Remote Desktop Agent could be leveraged by any user on the machine to install new programs or alter important system settings. Generally, these tasks are reserved for only the "root" account -- the most powerful user account on the system -- or at the very least they require the user to first enter a password for the requested changes to take effect. The security hole has to do with the fact that ARDAgent accepts commands from Applescript, the scripting language built into OS X. As a result, a simple one line script can
Fri, 20 Jun 08
Apple Issues Fix for Safari On Windows Security Flaw
http://blog.washingtonpost.com/securityfix/2008/06/apple_issues_fix_for_safari_on_1.html?nav=rss_blog
Apple today pushed out a new version of its Safari browser for Microsoft Windows users. The latest iteration plugs at least four security holes, including one that allowed automatic downloading of files to the Windows desktop. In some cases, these files could be started without the user's knowledge. Safari version 3.1.2 corrects a flaw that allowed any rogue Web site to "carpet bomb" the user's Windows Desktop. At the time this vulnerability was first detailed, many people downplayed its severity. But in an exclusive interview with Security Fix last week, researcher Liu Die Yu demonstrated how he could force his proof-of-concept malicious code to automatically run on a Windows machine, just by convincing a Safari for Windows user to click on a link. Apple says it fixed the problem by changing two behaviors in Safari: First, the new version no longer saves downloaded files to the Windows desktop.
Fri, 20 Jun 08
Citibank to Replace ATMs Following Crime Spree
http://blog.washingtonpost.com/securityfix/2008/06/citibank_to_replace_atms_follo.html?nav=rss_blog
One of my sources, the other day, tipped me off that Citibank was in the process of replacing most of its automated teller machines (ATMs), but the source couldn't definitively say why. Citibank told ATM & Debit News that it was replacing some 2,000 proprietary ATMs in "a bid to improve customer service." But a story today by Wired.com reporter Kevin Poulsen suggests that the financial giant is responding to a computer intrusion into a Citibank server that processes ATM withdrawals, an incident that appears to have led to an ATM crime spree. From the story at Wired.com's Threat Level Blog: "Citibank denied to Wired.com's Threat Level that its systems were hacked. But the bank's representatives warned the FBI on February 1 that "a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached," according to a sworn affidavit (.pdf) by FBI cyber-crime agent Albert Murray. Federal
Fri, 20 Jun 08
Cyber Justice Chronicles
http://blog.washingtonpost.com/securityfix/2008/06/cyber_justice_chronicles_2.html?nav=rss_blog
A 21-year-old Panama City, Fla., man was sentenced this month to 41 months in prison for crashing the network of a major U.S. corporation by creating a moneymaking army of hacked Microsoft Windows machines. Robert Matthew Bentley, a.k.a. "lsdigital," was imprisoned and ordered to pay $65,000 in restitution for the damage he inflicted on Newell Rubbermaid, whose network was temporarily crippled after Bentley and his unnamed co-conspirators installed ad-serving software on more than 100 computers owned by the company. A copy of Bentley's sentencing order is here (PDF), and his original indictment is here (PDF). Prosecutors say Bentley and his cohorts made thousands of dollars in commissions working for the now defunct DollarRevenue.com, which paid "affiliates" a small sum each time they installed the company's adware. In a related case, Gregory King, also 21, of Fairfield, Calif., pleaded guilty to using a large army of hacked PCs to conduct crippling
Wed, 18 Jun 08
Firefox 3 Released - Sort Of
http://blog.washingtonpost.com/securityfix/2008/06/firefox_3_released_sort_of_1.html?nav=rss_blog
Mozilla officially issued the third major release of its Firefox Web browser today. Firefox 3 includes tens of thousands of bugfixes, some performance enhancements, and a few new security features. But if you've been eagerly waiting for the final release, you may have to cool your heels. Mozilla set a goal of breaking the Guinness Book of World Records' record for the most downloads of a program in a single 24-hour period. Mozilla may be well on its way to breaking the current record (I actually couldn't find any such existing record to break in a search at the Guinness Book online). It's a cute gimmick, but the download record may be slowing would-be users from grabbing a copy of the new browser. So far, I have only been able to pull up the Firefox 3 download page once for a brief moment this afternoon. At any rate, I've been
Tue, 17 Jun 08
Anonymous Domain Sales: A Spammer's Delight
http://blog.washingtonpost.com/securityfix/2008/06/anonymous_domain_sales_a_spamm_1.html?nav=rss_blog
Spammers routinely register their sites under false names, or hijack someone else's identity to do so. But new research shows they're also paying for premium services when registering domain names to ensure a deeper level of anonymity. Data collected by Knujon, an anti-spam outfit that tries to convince registrars to deep-six spam sites, shows that spammers are increasingly registering sites through a handful of domain privacy services that refuse to provide a direct method to contact domain holders. These services are offered by many Web site name registrars, which allow customers to hide their name and address from the global, publicly-searchable "WHOIS" directory of domain name holders. Most domain privacy protection services provide at least a custom e-mail address linked to each domain, so that correspondence with the domain holder can be passed along through the registrar. But spammers are increasingly flocking to a handful of domain privacy services that
Sat, 14 Jun 08
Data Loss: The Ultimate Cluestick
http://blog.washingtonpost.com/securityfix/2008/06/data_losses_the_ultimate_clues.html?nav=rss_blog
One of the most clueful and well-informed reports on how hackers are stealing company data these days was published this week by Verizon, which examined more than 500 data breaches that they investigated over the past few years. In a nutshell, Verizon found that when it comes to security, companies are too trusting of their core business partners, far too complacent with their own internal security, and too willing to violate their own security policies. Graphic: Verizon Business While those high-level conclusions may seem obvious, some of the numbers behind those findings bear highlighting. For example, Verizon found that in nearly half of the attacks, it took the bad guys between hours and days to reach the data they were after. In addition, Verizon found that 63 percent of the victims didn't realize they'd been hacked until months after the compromise. Peter Tippett, vice president of risk intelligence for Verizon
Fri, 13 Jun 08
Opera 9.5 Offers Anti-Malware Protection
http://blog.washingtonpost.com/securityfix/2008/06/opera_95_offers_antimalware_pr.html?nav=rss_blog
Opera Software today shipped a new version of its Web browser that the company says will help protect users from Web sites that try to install malicious software. The new version, Opera 9.5, is available here. Opera is the latest browser maker to include anti-malware capabilities. The beta versions of both Internet Explorer 8 and Firefox 3 include similar features. Opera spokesman Thomas Ford said the new software's malware-blocking capability comes from Seattle-based Haute Secure, a security company started by four former Microsoft employees. If an Opera user tries to visit a site included on Haute's blacklist, Opera will display a fraud warning saying the page has been reported for distributing malicious software (see the screen shot to the right). Ford noted that unlike Firefox, which each day downloads a list of dangerous sites provided by Google through a partnership with Stopbadware.org, Opera 9.5 consults Haute's database with each page
Thu, 12 Jun 08
Malware Silently Alters Wireless Router Settings
http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html?nav=rss_blog
A new Trojan horse masquerading as a video "codec" required to view content on certain Web sites tries to change key settings on the victim's Internet router so that all of the victim's Web traffic is routed through servers controlled by the attackers. According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first. DNS can be thought of as the Internet's phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking equipment to handle. While researchers have
Wed, 11 Jun 08
Microsoft, Apple Issue Security Updates
http://blog.washingtonpost.com/securityfix/2008/06/microsoft_apple_issue_security_1.html?nav=rss_blog
Microsoft today issued software updates to fix at least 10 security vulnerabilities in various versions of Windows. Among the most dangerous of those is a flaw in the Bluetooth wireless communications feature included with many Windows systems that could open vulnerable systems to complete compromise just by being turned on and in range of an attacker. Bluetooth is a technology that facilitates wireless communication between devices, and many newer Windows laptops ship with Bluetooth functionality built in and turned on. This is a serious vulnerability, but since Bluetooth is a proximity-based wireless technology (most devices need to be within 30 ft. of each other to exchange data), an attacker would in most cases need to be fairly close to the target. Symantec's Ben Greenbaum said the Windows Bluetooth vulnerability is especially noteworthy because it allows an attacker in range of a Bluetooth-enabled device running Windows XP or Vista to
Wed, 11 Jun 08
Redefining Anti-Virus Software
http://blog.washingtonpost.com/securityfix/2008/06/redefining_antivirus_software.html?nav=rss_blog
Microsoft Windows users have long been advised to shield their PCs from attacks by using anti-virus software, which principally relies on technology designed to quarantine or delete files that possess certain characteristics of known hostile programs. But as the anti-virus firms continue to struggle to stand their ground amid a flood of new malicious programs being unleashed each day, a complementary approach to fighting malware is beginning to take root. This approach seeks to identify the universe of known good programs and treat the outliers with extreme prejudice. Bit9 is at the forefront of this tactic. The Cambridge, Mass., firm was jump-started in 2003 by a grant from the National Institute of Standards & Technology to develop computer immune systems to protect PCs and networks from previously unknown attacks. The company has since indexed approximately 6.2 billion programs available online, scanning each against 28 different anti-virus engines to see if
Tue, 10 Jun 08
Ransomware Encrypts Victim Files With 1,024-Bit Key
http://blog.washingtonpost.com/securityfix/2008/06/ransomware_encrypts_victim_fil.html?nav=rss_blog
Now more than ever, it's important that Windows users ensure their machines are safe from hackers. A dangerous new strain of malicious software that holds the victim's computer files for ransom has been unleashed, and Kaspersky Lab is warning that security researchers have yet to crack the encryption key. The malware in this case is the latest version of Gpcode (Kaspersky calls it Gpcode.ak), a nasty piece of "ransomware" that scrambles all of the victim's data files with an encryption key known only to the attacker(s). Victims are told via a pop-up message that they need to purchase a special decryption program to regain access to their data. Kaspersky and other anti-virus companies have previously unraveled the secret encryption key for all previous versions of Gpcode, but this time, the malware author apparently has learned from his previous mistakes. Now, the Gpcode author is encrypting victim files with an extremely
Mon, 9 Jun 08
Revisiting the Safari Vulnerability on Windows
http://blog.washingtonpost.com/securityfix/2008/06/revisiting_the_safari_vulnerab_1.html?nav=rss_blog
A little over a week ago, I wrote about a security advisory from Microsoft warning that Apple's Safari Web browser for Windows introduces new vulnerabilities. Specifically, Microsoft said it allows automatic downloading of files to the Windows desktop, files that in some cases could be run without the user's knowledge. Over the weekend, I heard from a noted security researcher who has put together a proof-of-concept exploit for this vulnerability that suggests it is more of a design flaw in Windows rather than any problem with Safari. The code comes from an analysis by Liu Die Yu, a researcher credited with finding a number of security holes in Windows, and specifically in Internet Explorer. If you visit this test link with Safari on Windows, it should automatically download a harmless file called "schannel.dll." That file contains a short script so that the next time you start Internet Explorer it launches
Fri, 6 Jun 08
Software Update Prompts Nuclear Plant Shutdown
http://blog.washingtonpost.com/securityfix/2008/06/software_update_prompts_nuclea_1.html?nav=rss_blog
A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. The incident occurred on March 7 at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. The trouble started after an engineer from Southern Company, which manages the technology operations for the plant, installed a software update on a computer operating on the plant's business network. The computer in question was used to monitor chemical and diagnostic data from one of the facility's primary control systems, and the software update was designed to synchronize data on both systems. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant's radioactive
Thu, 5 Jun 08
How to Harden Your Mac
http://blog.washingtonpost.com/securityfix/2008/06/how_to_harden_your_mac_1.html?nav=rss_blog
If you're a quasi-sophisticated Mac user and have been looking for advice on how to better safeguard your machine from hackers or local prying eyes, look no further: Apple has released a massive, 240-page guide that describes various methods for securing the operating system. According to SecurityFocus.com, the manual includes an overview of the Mac OS X's security architecture and advice on hardening the operating system against external attackers. It also includes information on locking down the system to protect against unauthorized access by people with physical access to the system. Before you delve into this guide, you might want to familiarize yourself with Apple's "Terminal," the text-only command line interface for the Mac: The guide relies heavily on this tool, and Apple warns readers that only technically-adept users should use the guide.
Tue, 3 Jun 08
Beware of Error Messages At Bank Sites
http://blog.washingtonpost.com/securityfix/2008/06/beware_of_error_messages_at_ba_1.html?nav=rss_blog
If you own or work at a small to mid-sized business, and are presented with an error message about data synchronization or site maintenance when trying to access your company's bank account online, you might want to give the bank a call: A criminal group that specializes in deploying malicious software to steal banking data is presenting victims with fake maintenance pages and error messages as a means of getting around anti-fraud safeguards erected by many banks. Dozens of banks now require business customers to log in to their accounts online using so-called "two factor authentication" methods, which generally require the customer to enter something in addition to a user name and password, such as a random, one-time-use numeric code generated by a key fob or a scratch-off pad. The fake error message inserted by malware used in last month's U.S. Tax Court scam, among others. But one of this
Sun, 1 Jun 08
Microsoft: Safari Flaw a Danger to Windows Users
http://blog.washingtonpost.com/securityfix/2008/05/microsoft_safari_flaw_a_danger_1.html?nav=rss_blog
Microsoft warned on Friday that Apple's Safari Web browser for Windows exposes PCs to a security hole that permits potentially malicious files to be downloaded to a user's machine and run without prompting the user. Microsoft's advisory comes two weeks after security researcher Nitesh Dhanjani warned both Redmond and Cupertino that Safari introduces a vulnerability in Windows and OS X machines, which allows any rogue Web site to "carpet bomb" the user's Desktop (Windows), or Downloads directory (Apple), with unwanted files (Safari is not installed by default on Windows machines). Screenshot: Nitesh Dhanjani Dhanjani said Apple indicated it wasn't in a hurry to fix the Windows vulnerability, if it ever got around to it. "Apple does not feel this is a issue they want to tackle at this time," Dhanjani wrote on his blog. "In my most recent email to Apple, I suggested that they incorporate an option in Safari
