Threatpost for B2B

The First Stop For Security News

Oracle Patches 42 Java Flaws, Adds New Code-Signing Restrictions and Warnings

Thu, 04/18/2013 - 12:05

The latest Java update released Tuesday includes new prompts warning users of potentially malicious applets, in addition to patches for 42 vulnerabilities, all but three of which are remotely exploitable.

Java 7 update 21 is part of Oracle’s scheduled Critical Patch Updates for the program and browser plug-in. Zero-day vulnerabilities discovered and exploited throughout the first two months of the year, however, forced almost monthly alerts and updates leading up to this week’s release.

Oracle recommends that users upgrade to the latest version of Java immediately citing a number of attacks in the wild targeting vulnerabilities that had not been patched until this week. A number of security experts, meanwhile, continue their calls to disable Java altogether, though many concede that this may be an issue for enterprises with home-grown applications that rely on Java.

Java 7u21 applies to Java 7u17 and earlier, Java 6u43 and earlier and Java 5u41 and earlier, Oracle said. The company also added new code-signing restrictions and warnings telling users that an applet could be malicious. In a previous version, Oracle changed the default security setting from medium to high, a move meant to prevent unsigned Java Web applications from executing automatically. Users were warned before unsigned applets ran, denying silent exploitation of a vulnerability, Oracle said.

Attackers, however, quickly found a way around the setting changes. Researchers discovered exploits in some of the popular exploit kits that not only spoofed the dialog box presented by Oracle to users for trusted applets but used a certificate signed with a stolen private key that had been revoked by certificate authority GoDaddy months before the attack was discovered.

In this week’s updates, applications using Java applets or Java Web Start that execute at runtime on the browser, for example, are required to sign code with a trusted certificate, Oracle said. All Java code will prompt the user, the Oracle advisory said.

“The type of dialog messages presented depends upon risk factors like, code signed or unsigned, code requesting elevated privileges, JRE is above or below the security baseline, etc.,” Oracle said. “Low risk scenarios present a very minimal dialog and include a checkbox to not display similar dialogs by the same vendor in the future. Higher risk scenarios, such as running unsigned jars, will require more user interaction given the increased risk.”

Oracle also removed the low security settings in the Java Control Panel; users will no longer be able to opt out of the security features built into Java.

“The platform will not deny the execution of Java applications, however in high-risk scenarios the user is provided an opportunity to abort execution if they choose,” Oracle said. “Future update releases may include additional changes to restrict unsafe behaviors like unsigned and self-signed applications.”

New user prompts from Oracle are color-coded with a blue information shield representing an application signed by a trusted certificate, while a yellow shield or triangle indicates either an untrusted or expired certificate. Red text accompanies such warnings in the dialog box telling the user that running the application in question could be a security risk.

Move Over Conficker, Web Threats are Top Enterprise Risk

Thu, 04/18/2013 - 11:11

Microsoft is ready to officially declare network worms passé for the enterprise. In its latest Security Intelligence Report, released Wednesday, Microsoft said that risks posed by Web-based threats to large, distributed network environments have surpassed malware such as Conficker.

The report is based on data collected from more than one billion endpoints in more than 100 countries by the company’s Malicious Software Removal Tool, Hotmail accounts and Windows Defender users, said Holly Stewart, senior program manager for Microsoft’s Malware Protection Center.

For years, Microsoft has considered Conficker the benchmark of network-based malware. The worm first popped up in 2008 and paved the way for other credential-stealing malware. Now that’s changed, Stewart said.

“Conficker has been thought of as the sentinel of infiltration,” Stewart said. “It has not changed in years. It spreads using an old vulnerability. It steals passwords and uses USB drives and shared drives to move on the network. It’s been tracked as a beacon of things within the network when things are not quite right.”

Conficker is more of a chameleon, constantly changing propagation methods and malware techniques. The worm emerged in November 2008 and attacked a Windows vulnerability to steal passwords and build one of the more formidable botnets ever recorded, reaching a peak of 12 million bots in 2009 according to some estimates. But as enterprises in particular shore up their security efforts, Conficker infections are dwindling noticeably, Microsoft said. The drop coincides with a number of factors, including increased password vigilance and a policy decision by Microsoft to disable its Autorun functionality by default starting with Windows XP and Vista in 2011.

“Conficker started to decline in Q2 2011. If you look at two other worms, Autorun and Rimecud, both used the same propagation method and both had serious declines (37 percent and 69 percent respectively),” Stewart said. “Certainly there’s a correlation of the amount of threats we saw in the enterprise; it seems to indicate the decision had some impact.”

Autorun malware spreads via removable media and generally drops backdoors that enable additional malware infections such as keyloggers that steal credentials and other personal data. Rimecud is similar malware in that it propagates via USB drives and instant messenger applications. Its payload includes backdoor connections to remote servers, and additional malware is installed from third-party servers and peer-to-peer networks.

Naturally, however, enterprises aren’t out of the woods now that network worms have tailed off. Web-based threats have been growing for years as hackers exploit common input-validation vulnerabilities with automated SQL injection attacks or cross-site scripting attacks that enable them to remotely control vulnerable browsers. Users are redirected to sites hosting malicious content and are infected with more malware, or are lured to an attacker-controlled site via social engineering (phishing, spam, typo-squatting) and tricked into entering legitimate credentials. The result has been a spike in Web-based attacks, in particular iFrame redirects.

The Microsoft SIR said that seven of the top 10 threats it detects involve some sort of malicious website or compromised Web content, and two of those seven are iFrame-redirection attacks. Stewart said 3.3 million iFrame redirections were detected, a five-fold increase.

“It’s a really big shift in what we’re seeing as top threats for the enterprise,” Stewart said. “Malicious iFrame redirection is a middle man in these Web-based attacks; it’s that little component where the user is exposed to malicious content.”

Hackers have been able to automate scans for sites vulnerable to attacks such as SQL injection. A targeted Google search, for example, will render a detailed and sizeable list of Web servers vulnerable to any number of attacks. IFrame attacks are effective because the code is not obvious to the user or even the Web administrator: the attacker isn’t adding a page to the vulnerable server, defacing a page or adding malware, just a redirector, Stewart said.

“The iFrame exposes visitors to bad stuff that the attacker is hosting somewhere else,” Stewart said. “It’s a piece in the chain of a Web-based delivery system.”
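To make the "not obvious to the administrator" problem concrete, here is an added defender-side check, written for this page and not code from Microsoft or Threatpost, that scans a page's HTML for iframes concealed the way Stewart describes (zero size, CSS-hidden or pushed off-screen) and notes whether they point at a host the site owner does not control. The sample HTML, the host names and the thresholds are constructed assumptions.

```python
"""Flag iframes that look like injected redirectors in fetched HTML.

Hypothetical content-integrity check (assumption, not a vendor tool). An
injected redirector iframe is normally invisible and points off-site, so
those two properties are what this scanner reports.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a legitimate visible embed, an ordinary third-party
# embed, and one hidden injected iframe (203.0.113.5 is a documentation address).
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://example.org/video/embed" width="560" height="315"></iframe>
<iframe src="https://video.example.net/embed/1" width="560" height="315"></iframe>
<div>Footer</div>
<iframe src="http://203.0.113.5/in.php" width="0" height="0"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True when a width/height attribute resolves to 1px or less."""
    digits = re.sub(r"[^0-9.]", "", value or "")
    return bool(digits) and float(digits) <= 1.0


def hidden_reasons(attrs):
    """Return the reasons an iframe looks concealed; empty list means visible."""
    reasons = []
    if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
        reasons.append("zero-size")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("css-hidden")
    if re.search(r"(left|top):-\d{3,}px", style):  # parked far off-screen
        reasons.append("off-screen")
    return reasons


def find_suspicious_iframes(html, site_host):
    """Return one record per concealed iframe, noting whether its src is off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if not reasons:
            continue  # visible embeds, on- or off-site, are ordinary content
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        findings.append({"src": src, "host": host,
                         "external": bool(host) and host != site_host,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "example.org"):
        print(f)
```

Running the scanner over a site's rendered pages on a schedule and diffing the results is enough to surface a redirector that defaces nothing and leaves no new file behind.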

IFrame attacks are not alone. Other threats such as Zbot, or the Zeus Trojan, the Blacole Trojan and keygen programs that generate product keys used to validate pirated software climbed the charts, Microsoft said.

“Enterprise customers are much more exposed than ever to malicious Web content,” Stewart said.


DevOps Integration Key to Avoiding Pre-Ordained Security Failures

Tue, 04/16/2013 - 14:48

BOSTON – Downstream is where you live today as a security person. If Gene Kim has his way, you’ll be inline soon enough.

Kim’s keynote today at Source Boston 2013 took listeners on a deep dive of the integration of development and IT operations and helped map out how organizations may be able to wedge security into the conversation and help security practitioners escape a system that pre-ordains failure—one they are for the most part powerless to avoid today.

Kim has spent more than a decade studying high-performing operations teams in a variety of industries inside and outside of IT. Those that are successful are so through a combination of rigor and discipline, and they pay more than lip service to integrating security into application or process development. To put it in Star Trek terms, as Kim did, developers embody Mr. Spock in that they sit close to the boss and think too hard about problems, while operations are more like Mr. Scott, engineers who pull levers and knobs and yell a lot in an emergency. Security? They’re the token security guard who wears the red uniform and usually ends up as the casualty in every episode.

“We need to span the boundary between the two,” Kim said of development and operations. “We need to increase the flow of work in the proper direction and not pass defects downstream.”

Kim relayed an example of how Twitter injects static analysis into the development lifecycle every time a developer hits save on a project. If there’s an issue, they’ll get an email informing them of a vulnerability and how to remediate it. When the problem is fixed, the developer will get a “thank you” email.

“Security is done not at the end of a project when you add costs, but they do it inline,” Kim said. “In my opinion, this is the way all information security is going to be done 10 years from now. Not in batches and not at the end of a project.”

Kim said companies are collectively spending $2.6 trillion annually on IT failures, ranging from downtime, to data loss and more. Adding $2.6 trillion to the economy would radically change things, he said.

“Creating a culture and process that pre-ordains failure, for security downstream, this affects lives,” he said.

Kim assured attendees too that this kind of rigor isn’t reserved for rock star companies such as Google or high-end financial services companies, or Netflix. He’s seen success stories with retailers, higher education institutions and in many other industries. Learning from the big guys, however, never hurts.

Netflix, for example, was the only company running Amazon Web Services instances not to endure any downtime during a 2011 outage, Kim said. That’s because they made a decision never to rely on AWS for availability, he said, pointing to a decision to introduce chaos into its DevOps environment. The Chaos Monkey tool built by Netflix randomly kills processes in production all the time, forcing developers and operations to work together with security and learn how to defeat failure.

“They got really good at having code and an environment that survives failure,” Kim said. “The goal is to break things before they get into production. Find misconfigurations, enforce HTTPS, add static code analysis to their automated integration and testing; they did all these things.”

Ultimately, organizations must evolve toward a culture that accepts risk and learns from failures. Google, for example, forces its developers to manage their own code for six months before it’s passed on for approval and ultimately production.

“If an application is fragile, there is a hand-back mechanism where it goes back to the developer,” Kim said. “It’s a way for developers and operations to hold each other accountable.”

That accountability also includes feedback loops that include DevOps and security so that all are involved in incident escalation and mutual understanding of respective issues.

“The outcome is that defects are fixed faster,” Kim said. “If you do it for one issue, you should be able to replicate it throughout an organization. You have better communication and cooperation.”


Bruce Schneier on the Boston Marathon Bombing and the Psychology of Fear

Tue, 04/16/2013 - 13:08

Dennis Fisher talks with Bruce Schneier about the effects of the Boston Marathon bombing, how the psychology of fear plays into people’s reactions to these events and what the political aftermath could be.

Download: threatpost_schneier_4_16_20131.mp3


NQ Mobile: Android Malware Doubled in 2012

Tue, 04/16/2013 - 12:45

Throw another log onto the proverbial Android malware fire: According to mobile security firm NQ Mobile, infections targeting devices running the Google-based operating system doubled in 2012. That translates to a 163 percent increase from 2011 and accounts for over 65,000 different types of malware discovered, up 30,000 from 25,000 the year before.

Those figures come from the firm’s 2012 Security Report, an annual review of malware scanned by NQ Mobile and its Security Lab, released Monday.

A handful of other trends are discussed in the report, including a decrease in malware targeting Symbian-based devices, and China being responsible for the lion’s share of infections globally.

The report also breaks down three of the most prevalent malware attack vectors, such as attackers taking genuine apps from Google’s Play marketplace, adding malicious code and then uploading the tweaked app to third-party app stores.

Attackers are also using malicious URLs and SMS phishing, or smishing, to trick Android users.

Attacks on Android devices are a fairly regular occurrence these days and have grown exponentially; at one point in 2011 they were up 742 percent over the course of three months. In China, botnets some 100 million strong, composed entirely of Android devices, thrive, while in Japan, malicious apps litter message boards and phony app marketplaces.

Samsung-branded devices have borne the brunt of Android’s troubles as of late. SMS vulnerabilities and password bypass flaws have been discovered on a handful of Samsung Galaxy devices over the past month or so, forcing the vendor to work on a patch to address the issue.

For those interested in the full NQ Mobile report, it is available as a PDF.


Linode Hacked Through ColdFusion Zero Day

Tue, 04/16/2013 - 10:42

The attackers who compromised Web hosting provider Linode used a zero day vulnerability in Adobe ColdFusion and were able to access the company’s database, source code and customers’ credit card numbers and passwords. The company said that the customer credit card numbers were encrypted, as were the passwords, but it forced a system-wide password reset after the attack was discovered.

The attack on Linode was described by the company on Monday, a few days after it said that one of its customers was compromised. The details of the attack are quite similar to other attacks that have resulted in password leaks and database breaches, aside from the use of the ColdFusion zero day. Many of these operations tend to be executed through the use of stolen or compromised credentials or a known bug in one of the targeted systems.

The ColdFusion vulnerability used in the Linode attack was patched by Adobe on April 9.

“As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database. We have been working around the clock since discovering this vulnerability. Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure,” Linode officials said. 

“Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained.”

The company said that customer passwords are not stored in the Linode database. However, the company does store salted hashes of those passwords, and that’s what the attacker accessed. Those hashes should be of no use to the attacker, but the company decided to reset all customer passwords anyway.


Google Fixes Three High-Risk Flaws in Chrome OS

Mon, 04/15/2013 - 14:46

Google has fixed a series of serious vulnerabilities in its Chrome OS, including three high-risk bugs that could be used for code execution on vulnerable machines. As part of its reward program, Google paid out more than $30,000 to a researcher who found three of the vulnerabilities.


Hackers Using Brute-Force Attacks to Harvest WordPress Sites

Mon, 04/15/2013 - 11:08

Months of distributed denial of service attacks against major U.S. banks have evolved in magnitude and ferocity causing service disruptions for online banking customers. They’ve also shown the way for other attackers to adapt and evolve techniques used in those attacks.


How I Got Here: Gary McGraw

Mon, 04/15/2013 - 10:45
Download: 04_gary_mcgraw.mp3

Dennis Fisher talks with Gary McGraw, CTO of Cigital, about his childhood as a violin prodigy, his early introduction to personal computers with the Apple II, his start in software security and the state of the discipline today.


Online Poker Rooms Fraught With Vulnerabilities

Mon, 04/15/2013 - 08:30

In the lucrative world of online gambling, many poker rooms – especially those that rely on the user to download a client to play – are marred by insecurities.


Stolen Winnti Certificates Used in Watering Hole Attack Against Tibet Orphans Site

Fri, 04/12/2013 - 11:31

The assault against Free Tibet and Uyghur supporters is unrelenting as another watering hole attack has been uncovered, this time against a caregiver site supporting Tibetan refugee children.


Convicted TJX Hacker Regrets Taking 'Easy Way Out' With Plea Deal

Fri, 04/12/2013 - 11:05

MIAMI BEACH--Stephen Watt was involved in a series of attacks on retailers and restaurants that federal prosecutors called the largest identity theft in U.S. history. He wrote the sniffer used by some of his friends to steal millions of credit card numbers. After federal agents raided his apartment and confiscated all of his computer equipment, he was eventually indicted on a series of charges related to the attacks on TJX, Dave & Buster's and others and was facing several years in prison. So he took a plea deal, hoping to reduce his prison time and the financial burden on his family. In all of that, what he regrets most is taking the plea.

Microsoft: Uninstall Faulty Patch Tuesday Security Update

Fri, 04/12/2013 - 08:51

Microsoft announced last night that it has stopped pushing a security update originally released on Patch Tuesday because the fix is causing some PCs to blue screen. Microsoft recommends users uninstall the patch, which is also causing compatibility problems with some endpoint security software.

Study Shows Google Better than Bing at Filtering Malicious Web Sites

Thu, 04/11/2013 - 22:33

A German security company spent 18 months analyzing malware among millions of Web sites ranked by the world's most popular search engines and concluded Google was safer than Bing.


Data-Stealing Spyware Redpill Back, Targeting India

Thu, 04/11/2013 - 15:50

A form of spyware first seen in 2008 and known for siphoning away users’ bank account credentials, emails, screenshots and various other bits of information has surfaced again – this time targeting computer users in India.


As Defenders Adapt, Offensive Techniques Continue to Evolve

Thu, 04/11/2013 - 15:09

MIAMI BEACH--The security teams that have to defend enterprise networks are faced with a broad and deep threat landscape populated with all manner of malware and targeted attacks. Those teams often have to react quickly to new threats, well before vendors respond with new technologies. By the look of things on the offensive side of the ball, much of which is on display at the Infiltrate conference here, things are not likely to get any easier for network defenders anytime soon.
