Threatpost for B2B
Java Sandbox Bypass Discovered that Breaks Latest Update
Optimism and praise followed last week’s Java critical patch update. Oracle not only patched 42 vulnerabilities in the Java browser plug-in, but also added new code-signing restrictions and new prompts warning users when applets are potentially malicious. It took less than a week, however, to deflate any good will toward Java that resulted.
Noted Java bug hunter Adam Gowdiak, founder and CEO of Security Explorations of Poland, said this week that he reported to Oracle a new Reflection API vulnerability that affects all Java versions, including 7u21 released last Tuesday.
“It can be used to achieve a complete Java security sandbox bypass on a target system,” Gowdiak wrote on the Full Disclosure mailing list on Monday. “Successful exploitation in a Web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).”
Attackers can exploit this vulnerability to achieve a complete Java security sandbox escape, Gowdiak said, adding that he also sent proof-of-concept code to Oracle demonstrating an exploit. Gowdiak, who first reported vulnerabilities in the Reflection API a year ago, also said that this vulnerability is present in the server versions of the Java Runtime Environment, as well as in the JRE Plugin and JDK software.
“It’s been a year since then and to our true surprise, we were still able to discover one of the simplest and most powerful instances of Java Reflection API-based vulnerabilities,” Gowdiak said. “It looks like Oracle was primarily focused on hunting down potentially dangerous Reflection API calls in the ‘allowed’ class space. If so, no surprise [this issue] was overlooked.”
Gowdiak identified four Java components and APIs that are at risk of exploitation: Sun Microsystems’ implementation of the XSLT interpreter; Long Term Persistence of JavaBeans Components; RMI and LDAP (RFC 2713); and many SQL implementations.
“These are the APIs and Java components that could be potentially used as execution vectors for untrusted Java code in other than web browser environments,” he told Threatpost via email. “In other words, they have the potential to be abused for the exploitation of Java SE flaws.”
Last week’s Oracle patch update repaired many issues plaguing the platform. Of the 42 vulnerabilities patched in the update, all but three were remotely exploitable. A number of Java zero-day vulnerabilities and exploits have been the center of watering hole attacks and other high-profile website hacks.
The update also now requires that any applet executed at runtime in the browser be signed with a trusted certificate, and that all code prompt the user for approval. The level of user interaction required depends on the potential risk involved, Oracle said. Oracle has color coded its user prompts: blue for apps signed by a trusted certificate, and yellow indicating an untrusted or expired certificate. Red text accompanies high-risk warnings that an applet could be a security risk.
“We are not sure if these warnings will help the platform,” Gowdiak said. “Java was supposed to provide a safe execution environment for untrusted, potentially harmful code. A dialog prompt warning a user about a security risk prior to the execution of an untrusted application basically denounces one of the main advantages of the platform: its security.”
Oracle also removed the low security settings in the Java Control Panel; users will no longer be able to opt out of the security features built into Java.
“The platform will not deny the execution of Java applications, however in high-risk scenarios the user is provided an opportunity to abort execution if they choose,” Oracle said in its advisory last week. “Future update releases may include additional changes to restrict unsafe behaviors like unsigned and self-signed applications.”
How I Got Here: Chris Hoff
Dennis Fisher talks with Chris Hoff of Juniper Networks about his childhood scaring sheep on a farm in New Zealand, his early days hacking on the first wave of personal computers, his misadventures in a college computer lab and how he ended up as an itinerant security guy.
Download: 05_chris_hoff.mp3
Image via Flickr user Myrcurial‘s photostream, Creative Commons
Verizon DBIR Takes First Deep Dive into Cyberespionage
Targeted cyberespionage attacks have dominated discussions within the security community and outside of it from the mainstream media to the halls of the executive and legislative branches of government. But until now, discussions about attacks stemming from China that target intellectual property from engineering, manufacturing and military interests in the United States, have been anecdotal and one-off analyses of specific breaches.
The 2013 Verizon Data Breach Investigations Report (DBIR) has changed that. For the first time, the report has branched out and extensively quantified nation-state attacks motivated by espionage. This is a significant departure from previous editions of the report, which many consider to be the industry standard research on data breaches.
Released today, the report takes great pains to correlate threat actor motives and the data that is compromised. It also has a host of new contributors, now 19 in all, bringing fresh perspectives to the data set used to make up the bulk of the 60-plus page report. As has been the case with the past eight DBIRs, the data comes from paid forensic investigations carried out by Verizon’s RISK Team, in addition to contributions from law enforcement and computer emergency response teams worldwide, as well as industry groups, large consulting and services organizations, and the U.S. Secret Service.
The data in this year’s report comes from 621 breaches where data loss or disclosure was confirmed and 47,000 reported security incidents. Despite the new focus on espionage-related attacks, the report still does its customary deep dive into financially motivated attacks and compares the tactics used by cybercriminals to those used by nation-state actors.
The report’s bevy of new contributors brought with them the most insightful data into attacks tied to China targeting intellectual property, which accounted for 19 percent of breaches.
“They all focus on something different,” said Jay Jacobs, one of the DBIR authors and a principal at Verizon. “You have to understand the research and information you want to pull out; that makes a difference in what you want to share. If you want to count the number of SQL injection attacks, that’s one thing. If you want to correlate that to industry and organization size, you have to expand your vision.”
The majority of data breaches still rely on the exploitation of weak or default credentials or stolen passwords. Hackers continue to blend hacking and malware to steal payment card information or to gain legitimate access to network resources to steal intellectual property. Most financially motivated attacks are opportunistic and rated as low difficulty, while those motivated by espionage use a combination of phishing emails and advanced malware to ramp up the difficulty of initial compromise and subsequent actions.
And there isn’t a typical victim for espionage attacks.
“The ‘I’m too small to be a target’ argument doesn’t hold water. We see victims of espionage campaigns ranging from large multinationals all the way down to those that have no IT staff at all,” the report says. “Lesson two is that some industries appear to be more targeted than others.”
Most attacks motivated by espionage target the manufacturing and transportation industries, while retail and food services lead the way for financially motivated actors. State-sponsored hackers covet not only secrets and internal organizational data, but system information.
“Most organizations have some form of proprietary or internal information they want kept private. Without this secret sauce, it’s hard to stay competitive,” the report says. “And because it’s a secret and competitively advantageous, others may want to steal that sauce. Thus, ‘who wants my sauce?’ is probably a better question than ‘am I a target of espionage?’”
State-affiliated actors account for 21 percent of attacks, compared to 55 percent attributed to organized crime groups. While China accounts for the majority of state-affiliated espionage attacks (96 percent), Eastern European countries such as Romania, Bulgaria and the Russian Federation account for the bulk of financial crimes targeting payment systems with commodity malware not found in espionage attacks. Attribution, Verizon says, isn’t based just on geolocation of IP addresses, for example, but also on data from arrests and the use of particular tactics associated with known groups of attackers. Insiders, meanwhile, aren’t on the radar, with 92 percent of attacks attributed to external sources, again, most of those coming from criminal groups. Insiders have a role in 14 percent of data breaches, most of that number resulting from non-malicious actions, including human error.
The use of malware hasn’t tapered off. Espionage-related attacks, for example, account for a spike in the use of malicious email attachments as part of phishing campaigns. Phishing has become the initial entry point in many financial attacks too, in addition to direct compromise of a point-of-sale system or ATM machine. Malware used in espionage attacks, however, has very different goals than financially motivated attacks. Malware used to spy on organizations enables prolonged access to systems, control of those systems, and the ability to capture and exfiltrate data.
Spyware, keyloggers and RAM scrapers dominate the types of malware used in financially motivated attacks, while in espionage attacks, the threat actors are interested in a number of different things including grabbing screenshots of sensitive data. State-affiliated attackers are interested in maintaining persistence on machines and want to install backdoors in order to move data and install more malware such as downloaders, password dumpers and rootkits.
“Throughout this process, attackers promulgate across the systems within the network, hiding their activities within system processes, searching for and capturing the desired data, and then exporting it out of the victim’s environment,” the report says.
Hacking remains the most popular way attackers are infiltrating organizations, primarily through the use of stolen credentials. In financially motivated attacks, hackers brute-force weak credentials or socially engineer them. Organized crime groups behind financially motivated attacks again made payment card data the most sought-after data type; that, in addition to identity information, can most quickly be turned into cash. In espionage attacks, stolen credentials are used to set up backdoor connections and then shell services such as SSH or RPC are used to pivot internally to different network resources. Similarly, Web-based desktop sharing services such as RDP and VNC are favorites for financially motivated attackers.
Given the number of new data sources, this year’s DBIR branches out in a number of new directions. With the number of high-profile espionage attacks gaining more attention, i.e., attacks on the New York Times, Apple, Facebook, Twitter and a number of government and activist organizations, organizations now have more insight into attacks that rely on more than social engineering and commodity malware.
“We’re seeing a diverse set of data that we can analyze,” Verizon’s Jacobs said. “We’re getting more views into breach data and seeing a diversity in threat actors and motives.”
New Malware Targeting the Dutch Through Twitter
As Twitter continues to secure its footing in the social network spectrum, it continues to be complemented by an ongoing deluge of spam and malware, intent on tapping into – and duping – the social network’s 200 million plus users.
Tanya Shafir, a researcher at the security firm Trusteer, recently discovered a new type of malware being used by cybercriminals to infect otherwise legitimate Twitter accounts.
According to a post by Director of Product Marketing Dana Tamir on the company’s blog today, the malware is “an active configuration of TorRAT” and is spreading via man-in-the-browser attacks.
Once a user stumbles upon a malicious page, the page injects JavaScript into the victim’s Twitter account page, which in turn swipes the user’s Twitter authentication token. With the token, the malware can contact Twitter’s API and post whatever it sees fit – or in this case – a boatload of Dutch spam.
Trusteer spotted the malware posting a series of tweets about everything from Beyonce to the Netherlands’ king, Willem-Alexander on some users’ accounts. Each tweet was accompanied with a suspicious link – which while not inspected, Trusteer assumes is a malicious website that likely leads to a drive-by download.
Malware like this has been seen before, but as Trusteer points out, it’s usually attempting to leverage users’ financial data by targeting their banking accounts and log-in credentials.
Twitter has done a good job at curbing spammy and malicious tweets as of late but at one point last year some accounts were sending over 150,000 malicious tweets at a time. Now the site allows users to report unwanted tweets as spam and block users who are blatantly peddling questionable content.
Prolific Russian Bank Fraud Scheme Halted
If you’ve ever sat in on a cybersecurity hearing on Capitol Hill or attended a security conference, then you’re no doubt familiar with the oft-preached need for information sharing and private-public partnerships. So frequently repeated are these refrains that they’re almost as meaningless as the acronym “APT.”
However, the security firm Group-IB and the Russian government’s cybersecurity investigatory unit, Department K, claim to have curbed the theft of a billion rubles by doing just that: sharing information and partnering.
Russia’s largest bank, Sberbank of Russia, suspected that someone was attacking its online banking operation and reached out to Group-IB to carry out a forensic analysis of its networks. Group-IB determined that the attacker was stealing money from the bank’s customers by circumventing its SMS-based payment verification feature.
In the end, the Russian cybersecurity police known as Department K used information provided by Group-IB and Sberbank of Russia to arrest an unnamed 40-year-old man from the Volga River city of Togliatti. According to Group-IB, the prolific Russian cybercriminal exploited the online banking systems of various Russian banks in order to perform more than 5,000 fraudulent transactions from as far back as August 2011.
Group-IB’s analysis determined that the attacker, who has since been arrested, deployed the popular Carberp malware against his targets. The perpetrator of the attack campaign installed the Carberp Trojan on the machines of Sberbank’s unknowing online customers. The malware then used Web-injection functionality to display spoofed banking pages to users on infected systems. In this way, users willingly submitted their banking log-in information and cell phone numbers into web forms that appeared to come from their bank, but actually communicated back to the attacker. Using this information, the man managed to clone his victims’ SIM cards and bypass SMS-based mobile payment confirmations.
“The investigation of this case — from the first moment when Group-IB received a complaint from a victim to when the perpetrator was apprehended — was conducted in record time, in less than six months. Thus, we managed to prevent thefts from Russian banks in the amount of 1 billion Roubles ($34 Million),” said Group-IB CEO Ilya Sachkov. “This was the first case investigated within the European Cyber Security Federation (ECyFed) union, which includes Group-IB, CyberDefcon, and CSIS.”
Image of Sberbank of Russia bank in Krasnodar, Russia, via Helen Flamme‘s Flickr photostream
Chrome and Java Pwn2Own Vulnerabilities Explained
Details have been disclosed about vulnerabilities exploited in Chrome and Java during the Pwn2Own contest. Google made patches available for the Chrome flaw within 24 hours, while Oracle patched Java fully last week.
Details were not disclosed by the researchers, who netted tens of thousands for their exploits, until last Friday, more than a month after the contest.
The exploits in question here used a variety of techniques to break both the popular browser and the browser plug-in. Java has had a particularly miserable year in terms of security, starting shortly after Christmas with a number of zero-day exploits used in high-profile targeted attacks. Chrome, meanwhile, remains a difficult challenge for researchers and hackers alike. Not only is it a popular target during Pwn2Own, but Google runs a concurrent Pwnium event during the CanSecWest Conference challenging researchers to take a crack at the browser.
MWR Labs researchers were able to take down an up-to-date version of Chrome running on a fully patched Windows computer during the contest. Not only did they find and exploit a previously unknown flaw in Chrome, but were able to chain that together with a kernel exploit targeting Windows to elevate privileges and own the browser.
Meanwhile, James Forshaw, of Context Information Security of London, was able to break Java with an exploit for CVE-2013-1488, a vulnerability in the java.sql.DriverManager class, a trusted part of the Java framework, he wrote in a blogpost on Friday. This part of Java, he said, is used to access relational databases.
“Within the source code for this class, a Java vulnerability hunter would be drawn to the two AccessController.doPrivileged blocks like a moth to a flame,” he said. “They allow the Java libraries to temporarily elevate its privileges to perform a security critical action.”
Oracle released Java 7u21 last week with security patches that repaired all of the vulnerabilities exploited at Pwn2Own. Forshaw’s exploit enabled a sandbox bypass by repurposing unrelated code to ultimately disable the security manager and run malicious code as trusted. He said Oracle does not rate this flaw as critical because of the work involved, but a determined, persistent attacker could find success.
“That is also why I think something like Java can never be secured against hostile code running within a sandboxed environment,” Forshaw said. “The attacker has too much control to craft the environment to exploit the tiniest of weaknesses. The large amount of trusted code bundled with the JRE just acts to amplify that power.”
MWR Labs researchers, in turn, had to get equally creative to exploit the vulnerabilities in Chrome and beat the browser’s sandbox, as well as Chrome’s use of address space layout randomization (ASLR). The exploit targeted a vulnerability in WebKit, the browser’s rendering engine, as well as a kernel overflow vulnerability in Windows, the underlying operating system.
The WebKit bug occurred in the way it handled viewing targets in Scalable Vector Graphics documents. SVG files support animation and interactive features on websites. MWR said in a blogpost it was able to specify a viewTarget for an SVG document and embed non-SVG elements inside a document.
“This vulnerability was extremely flexible as we were able to cast an element into almost any SVG element type,” MWR Labs said. “We did this by creating an HTML element with the tag name set as a valid SVG tag.” The tag name is invalid, the researchers said, but after the cast, the unknown element is recognized as valid and the properties and methods of the SVG document can be accessed from JavaScript and access the adjacent memory. This allowed MWR to read adjacent memory, control it and not risk crashing the browser.
“It is very difficult to secure such a complex piece of software, which frequently deals with untrusted input,” MWR said. “Even with modern exploit mitigation techniques and the inclusion of sandboxed renderer processes, these protection mechanisms can be circumvented by exploiting the underlying operating system.”
‘Magic’ Espionage Malware hits Thousands of UK Computers
Thousands of U.K. business computers have been infected by espionage malware using a custom protocol to communicate with its command and control servers. Researchers at Israeli security company Seculert added that the malware is still percolating with a number of capabilities yet to be deployed.
The custom protocol has another unique element to it, in that it always initiates communication with a command that includes the string “some_magic_code1” as an authenticator. After an initial connection over HTTP, the interaction changes to the custom protocol and additional instructions are fed to infected machines.
Seculert CTO Aviv Raff said the malware, in one example, was instructed to add a new user to the infected system with a user name of WINDOWS and a password of MyPass1234 which would be used to give the attacker remote access to the compromised machine.
“This ‘magic malware’ — as we’ve dubbed it — is active, persistent and had remained undetected on the targeted machines for the past 11 months,” Raff wrote on the company’s blog.
Custom protocols used by malware to communicate with a remote server have been part of some high-profile targeted attacks, including the one on RSA Security in 2011. In this case, targets in a number of U.K. industries, including financial services, education and telecommunications, have already been hit by the malware, which is capable of stealing data from compromised machines, enabling remote access for the attackers and hijacking Web browsing sessions.
“It can be used for espionage,” said Seculert CTO Aviv Raff in an email to Threatpost.
Raff said there are indications that the malware is still under development.
“We have seen several indications of features which are not yet implemented, and functions which are not yet used by the malware,” Raff said, adding that some of those features include the ability to open a browser on the victim machine via an RDP session.
“The missing and unused features are more technical. e.g. creating new processes under an impersonated user or parsing XML files,” Raff added.
Raff also said that Seculert cannot be certain how initial infections are happening.
“Currently, we don’t know the exact infection vector. But, because of the small presence of the dropper on the infected machine, it seems to be some sort of an exploit (spear phishing or drive-by download),” Raff said.
“As the malware is capable of setting up a backdoor, stealing information, and injecting HTML into the browser, we believe that the current phase of the attack is to monitor the activities of their targeted entities,” Raff added. “But, because this malware is also capable of downloading and executing additional malicious files, this might be only the first phase of a much broader attack.”
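The two indicators the article names, the “some_magic_code1” authenticator that opens each C2 exchange and the creation of a local account named WINDOWS, turned into defender-side detection logic. This is an added example, not Seculert’s code: the session records, the key=value event-log layout, the IP-to-host map and the command layout following the authenticator are all constructed assumptions.

```python
"""Detection sketch for the 'magic malware' indicators described in the article.

Added example, not Seculert's code. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MAGIC_AUTH = b"some_magic_code1"   # authenticator string reported in the article
SUSPECT_ACCOUNT = "WINDOWS"        # account name reported in the article


@dataclass
class Session:
    src: str          # internal host IP
    dst: str          # remote server IP
    dport: int
    first_msg: bytes  # first bytes the client sent in this session (constructed)


HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def classify(payload: bytes) -> str:
    """Rough protocol guess: the article says contact starts over HTTP and then
    switches to the custom protocol, so tag which phase a hit belongs to."""
    return "http" if HTTP_REQ.match(payload) else "custom"


def flag_magic_sessions(sessions: Iterable[Session]) -> List[Tuple[str, str, int, str]]:
    """Sessions whose first client message carries the authenticator."""
    hits = []
    for s in sessions:
        if MAGIC_AUTH in s.first_msg:
            hits.append((s.src, s.dst, s.dport, classify(s.first_msg)))
    return hits


def parse_event(line: str) -> Dict[str, str]:
    """Parse a simplified key=value rendering of a Windows Security event
    (constructed layout, not the real EVTX/XML format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def flag_account_creation(lines: Iterable[str]) -> List[str]:
    """Hosts where event 4720 ('a user account was created') names the suspect account.
    Account names are compared case-insensitively, since Windows treats them that way."""
    hosts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4720" and ev.get("NewAccountName", "").upper() == SUSPECT_ACCOUNT:
            hosts.append(ev.get("Computer", "?"))
    return hosts


def correlate(sessions: Iterable[Session], lines: Iterable[str],
              ip_to_host: Dict[str, str]) -> List[str]:
    """Hosts that show both indicators: authenticator traffic and the account creation."""
    net_hosts = {ip_to_host.get(src, src) for src, _, _, _ in flag_magic_sessions(sessions)}
    log_hosts = set(flag_account_creation(lines))
    return sorted(net_hosts & log_hosts)


# Constructed sample data. The command layout after the authenticator is assumed;
# the article only says the authenticator appears in the initial command.
SESSIONS = [
    Session("10.0.0.5", "203.0.113.10", 80, b"GET /check HTTP/1.1\r\nHost: c2.example\r\n\r\n"),
    Session("10.0.0.5", "203.0.113.10", 8080, b"some_magic_code1 ADDUSER WINDOWS MyPass1234\n"),
    Session("10.0.0.7", "198.51.100.4", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
    Session("10.0.0.9", "203.0.113.10", 80, b"POST /up HTTP/1.1\r\nHost: c2.example\r\n\r\nsome_magic_code1\n"),
]
EVENT_LINES = [
    "EventID=4720 Computer=WS-05 SubjectUserName=alice NewAccountName=WINDOWS",
    "EventID=4720 Computer=WS-09 SubjectUserName=admin NewAccountName=svc_backup",
    "EventID=4624 Computer=WS-05 TargetUserName=alice",
    "EventID=4720 Computer=WS-11 SubjectUserName=bob NewAccountName=Windows",
]
IP_TO_HOST = {"10.0.0.5": "WS-05", "10.0.0.7": "WS-07", "10.0.0.9": "WS-09"}

if __name__ == "__main__":
    for hit in flag_magic_sessions(SESSIONS):
        print("authenticator seen:", hit)
    print("WINDOWS account created on:", flag_account_creation(EVENT_LINES))
    print("both indicators on:", correlate(SESSIONS, EVENT_LINES, IP_TO_HOST))
```

In this sample only WS-05 shows both indicators; WS-09 beacons with the authenticator but created a different account, and WS-11 created the account without any matching traffic, so each list is worth reviewing on its own as well.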
Comment Crew Malware is After Drone Technology
FireEye experts have been tracking the Operation Beebus campaign for a few months now, and their latest research suggests that whomever is responsible for the attacks is ultimately interested in stealing drone technology-related secrets.
Operation Beebus is an APT-style attack campaign targeting government agencies in the United States and India as well as numerous aerospace, defense, and telecom industry organizations. The attackers are targeting these groups with a previously unseen backdoor Trojan called Mutter that exploits known vulnerabilities.
The domains and command and control servers running this campaign are located all over the world and FireEye believes that the infamous Comment Crew is responsible for the campaign. Comment Crew is the same group that Mandiant recently uncovered as APT 1, a secret unit of China’s People’s Liberation Army tasked with hacking into and stealing information from international companies and governments.
In at least one case, FireEye observed a spear phishing attack that deployed a malicious attachment masquerading as a document containing details about the Pakistani military’s advances in drone technology. The document is attributed to Aditi Malhotra, an Associate Fellow at the Centre for Land Warfare Studies (CLAWS) in New Delhi. Malhotra is apparently a real person with writings that can be found online, but it is not clear if she actually wrote the document or if the attackers are just using her name. A second document is all mixed up, with a contact email from Andrews Air Force Base in Maryland and a physical address in Pakistan. Other documents used are either blank or contain unreadable characters.
Interestingly, the malware is making use of an evasion technique similar to one deployed by those that attacked South Korean banks and broadcasters last month. In essence, the attackers designed the malware so that it delays execution and remains inactive on host systems for as long as possible. The idea here, FireEye researcher James Bennett explains, is that if the malware waits long enough, then the scanner will give up on its analysis and pass the malware off as benign software. In this way, the malicious software is better at avoiding the dynamic detection methods deployed by most malware scanners.
Bennett claims that Operation Beebus is designed to pilfer all sorts of information related to air-, sea-, and land-based drone technology. Bennett says that he has seen the campaign attempt to steal research, design, and manufacturing specifications for drone vehicles and subsystems from more than 20 target organizations. At least one of those targets was, according to Bennett, an academic institution receiving military funding for its unmanned vehicle research.
The Mutter Backdoor itself, which is among the common threads across the entire Operation Beebus campaign, comes in two varieties. Both are DLL droppers. You can read the technical details along with the rest of the FireEye analysis here.
ACLU Asks FTC to Investigate Carriers’ Lack of Android Security Updates
The next shoe has fallen in an effort to force wireless carriers and handset makers to provide regular security updates to Android mobile devices. The American Civil Liberties Union filed a complaint this week with the U.S. Federal Trade Commission accusing four leading carriers of deceptive business practices and knowingly selling defective phones to consumers and businesses.
ACLU principal technologist and senior policy analyst Christopher Soghoian brought the issue to light earlier this year at the Kaspersky Lab Security Analyst Summit, where he said millions of Android devices were multiple versions in arrears and vulnerable not only to attacks on their personal digital information, but potentially to physical attack as well.
In the complaint written by Soghoian, the ACLU asks the FTC to investigate Verizon, AT&T, TMobile and Sprint Nextel, adding that the carriers’ reluctance to patch security vulnerabilities in Android phones is a deceptive and unfair business practice. Further, the ACLU requested that the FTC force carriers to warn customers about unpatched vulnerabilities, allow customers with vulnerable phones to escape their contracts without early termination penalties, and provide that customers may exchange at no cost their phones for another that receives regular security updates, or return the phone for a full refund.
The FTC came down hard on mobile hardware manufacturer HTC in late February, when a settlement was reached after a complaint was filed against HTC America charging the company with putting the security and privacy of customers at risk by failing to provide regular security patches to Android devices. HTC, at significant cost, will have to not only develop and release patches, but establish a program that injects security into its development processes, submit to security assessments for 20 years and provide adequate security training for its developers.
It’s hard to tell what happens next with the ACLU complaint, Soghoian said.
“Now we wait. If the FTC decides to investigate, we won’t know about it until the investigation is over and a settlement is reached,” he said. “That could take a year or two. That is frustrating for outsiders, but that is just how the FTC does business.”
Threatpost reached out to all four carriers in question for comment. AT&T and Sprint Nextel never replied. TMobile spokesperson Glenn Zaccara provided a statement to Threatpost that said the company provides regular security updates to Android customers.
“We provide regular and frequent OS updates as well as maintenance releases for a variety of improvements, including security related improvements,” Zaccara said, adding that the most recent OS upgrades provided to customers were sent out April 8 when Samsung Galaxy S II and Samsung Galaxy Tab 2 users were upgraded to Jellybean (Android 4.1.2).
Android 4.1.2 was released by Google last Oct. 9, more than a month before Google released Android 4.2; 4.2.2 was released Feb. 11, meaning that current users remain releases behind.
“So in response to our complaint about slow updates, T-Mobile is citing a recent software update for 2 particular handsets, enabling users to upgrade to a version of Android that was released by Google in October of 2012,” Soghoian said. “How exactly does this make T-Mobile look good?”
Ars Technica did a detailed study on Android handset updates, and the numbers aren’t pretty for the four carriers in question here, as well as for a number of handset makers. Verizon, AT&T and TMobile sometimes took up to 13 months to provide updates, while many models from all four carriers never received a second update.
A Verizon statement said: “We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience. We will review the complaint when it is filed with the FTC.”
The ACLU complaint is 17 pages long and goes into detail on the influence carriers have in terms of which features manufacturers are to include in smartphones, including carrier-specific apps and the removal of certain features, such as tethering capabilities, that would threaten the carriers’ revenue stream, the complaint said.
For context, the complaint cited numbers from ComScore Reports that 53 percent of smartphones used by consumers are Android devices, and that 70 percent of devices sold in the fourth quarter of 2012 were Android based. In addition, the complaint said that Google statistics show only two percent of Android devices are running the latest version of the OS, 4.2.x. Meanwhile, Android 2.3 (Gingerbread), released in 2011, is on 40 percent of Android devices, according to Google’s developer dashboard.
“The slow rate of adoption of the most recent versions of Android does not reflect a failure by consumers to seek out and install operating system updates,” Soghoian wrote in the complaint. “Instead, it reflects the fact that for most Android smartphones in use, updates to the most recent version of the operating system simply have not been made available for consumers to install.”
Android malware, meanwhile, is an extraordinary problem. Research done by Kaspersky Lab indicates that 99 percent of mobile malware targets Android because of its open source nature and the ease of which attackers can get malicious applications up on the Google Play store. The level of vetting, for example, does not match that of Apple’s App Store.
“Widely distributed Android malware has exploited known security vulnerabilities in the Android operating system for which fixes from Google existed, but which the vast majority of consumer devices had not received at the time of infection,” the complaint said. “The wireless carriers have failed to warn consumers that the smartphones sold to them are defective, that they are running vulnerable software, and that other smartphones are available that receive regular, prompt updates to which consumers could switch. “
Geer, Thieme: Specialization and Institutionalization Have Transformed Security
Two elders of information security came to Source Boston 2013 Wednesday morning to encourage the next generation to grab the torch from them and to urge great caution in diving too deeply into specialization.
Heavy thinkers Dan Geer and Richard Thieme said that the industry is closing in on an end of an era where practitioners soon will no longer come to security from a variety of backgrounds, bringing along with them lessons learned in other disciplines.
“We’re close to a transitional end because people can get degrees and certifications, and security is becoming institutionalized,” said Thieme, a former clergyman who has a literature background.
Geer, who has a bio-medical background, says he thinks about security in terms of disease models, much in the way a civil engineer would apply their knowledge of bridge construction to security or a physician would think in terms of triage.
“Any background that requires you to think [applies to security],” Geer said. “That’s what makes this field fascinating. This is truly a renaissance field. While you can, I think you should steal this mind-view from us. Steal from us before we are replaced by a leading expert on one cubic inch of the security manual.”
Geer and Thieme are true historians and observers of technology and security, and both are still making an impact. Geer is CISO of In-Q-Tel, which is a venture capital firm that operates on behalf of the intelligence community looking for innovative security technologies to bankroll. Thieme, meanwhile, continues to contribute articles to the community and is a frequent speaker at industry events. He has spoken at every DefCon, for example, since 1996. As moderator Josh Gorman said, Geer and Thieme represent the left brain and right brain of the industry, Geer its scientist and mathematician, and Thieme the hacker culture’s conscience and source of ethics.
Geer’s fascination with metrics and measuring security outcomes has made his reputation. As an indicator of the beginning of the end of security generalists, he shared details of a project in which he plotted, over a 21-year period, the number of academic articles in the computer security literature and the number of times those works were cited. Looking at what he called the half-life of these articles, he plotted how long it took for an article to be cited a 50th time and concluded that while the number of authors is rising, the average half-life of an article is falling.
“I think that’s an unarguable marker for specialization,” Geer said. “I can’t recommend anyone to be a generalist. Be a serial specialist, but I don’t think it’s possible to start from scratch and be a broad-spectrum generalist.”
Thieme said this dynamic is also true for citations in the medical field, which weakens the level of institutional knowledge.
“Masters of their domains are not familiar with their history,” Thieme said. “They are specialized to the point where true dialog between people is difficult because common points of reference are not there.”
Oracle Patches 42 Java Flaws, Adds New Code-Signing Restrictions and Warnings
The latest Java update released Tuesday includes new prompts warning users of potentially malicious applets, in addition to patches for 42 vulnerabilities, all but three of which are remotely exploitable.
Java 7 update 21 is part of Oracle’s scheduled Critical Patch Updates for the program and browser plug-in. Zero-day vulnerabilities discovered and exploited throughout the first two months of the year, however, forced almost monthly alerts and updates leading up to this week’s release.
Oracle recommends that users upgrade to the latest version of Java immediately citing a number of attacks in the wild targeting vulnerabilities that had not been patched until this week. A number of security experts, meanwhile, continue their calls to disable Java altogether, though many concede that this may be an issue for enterprises with home-grown applications that rely on Java.
Java 7u21 applies to Java 7u17 and earlier, Java 6u43 and earlier and Java 5u41 and earlier, Oracle said. The company also added code-signing restrictions and new warnings to users that an applet could be malicious. In a previous version, Oracle changed the default security setting from medium to high, a move meant to prevent unsigned Java Web applications from executing automatically; users are warned before unsigned applets run, denying silent exploitation of a vulnerability, Oracle said.
Attackers, however, quickly found a way around the setting changes. Researchers discovered exploits in some of the popular exploit kits that not only spoofed the dialog box presented by Oracle to users for trusted applets but used a certificate signed with a stolen private key that had been revoked by certificate authority GoDaddy months before the attack was discovered.
In this week’s update, applications using Java applets or Java Web Start that execute in the browser are required to be signed with a trusted certificate, Oracle said. All Java code will prompt the user, the Oracle advisory said.
“The type of dialog messages presented depends upon risk factors like, code signed or unsigned, code requesting elevated privileges, JRE is above or below the security baseline, etc.,” Oracle said. “Low risk scenarios present a very minimal dialog and include a checkbox to not display similar dialogs by the same vendor in the future. Higher risk scenarios, such as running unsigned jars, will require more user interaction given the increased risk.”
Oracle also removed the low security settings in the Java Control Panel; users will no longer be able to opt out of the security features built into Java.
“The platform will not deny the execution of Java applications, however in high-risk scenarios the user is provided an opportunity to abort execution if they choose,” Oracle said. “Future update releases may include additional changes to restrict unsafe behaviors like unsigned and self-signed applications.”
New user prompts from Oracle are color-coded with a blue information shield representing an application signed by a trusted certificate, while a yellow shield or triangle indicates either an untrusted or expired certificate. Red text accompanies such warnings in the dialog box telling the user that running the application in question could be a security risk.
Move Over Conficker, Web Threats are Top Enterprise Risk
Microsoft is ready to officially declare network worms passé for the enterprise. In its latest Security Intelligence Report, released Wednesday, Microsoft said that risks posed by Web-based threats to large, distributed network environments have surpassed malware such as Conficker.
The report is based on data collected from more than one billion endpoints in more than 100 countries by the company’s Malicious Software Removal Tool, Hotmail accounts and Windows Defender users, said Holly Stewart, senior program manager for Microsoft’s Malware Protection Center.
For years, Microsoft has considered Conficker the benchmark of network-based malware. The worm first popped up in 2008 and paved the way for other credential-stealing malware. Now that’s changed, Stewart said.
“Conficker has been thought of as the sentinel of infiltration,” Stewart said. “It has not changed in years. It spreads using an old vulnerability. It steals passwords and uses USB drives and shared drives to move on the network. It’s been tracked as a beacon of things within the network when things are not quite right.”
Conficker is more of a chameleon, constantly changing propagation methods and malware techniques. The worm emerged in November 2008 and attacked a Windows vulnerability to steal passwords and build one of the more formidable botnets ever recorded, reaching a peak of 12 million bots in 2009 according to some estimates. But as enterprises in particular shore up their security efforts, Conficker infections are dwindling noticeably, Microsoft said. The drop coincides with a number of factors, including increased password vigilance and a policy decision by Microsoft to disable its Autorun functionality by default starting with Windows XP and Vista in 2011.
“Conficker started to decline in Q2 2011. If you look at two other worms, Autorun and Rimecud, both used the same propagation method and both had serious declines (37 percent and 69 percent respectively),” Stewart said. “Certainly there’s a correlation of the amount of threats we saw in the enterprise; it seems to indicate the decision had some impact.”
Autorun malware spreads via removable media and generally drops backdoors that enable additional malware infections, such as keyloggers that steal credentials and other personal data. Rimecud is similar malware in that it propagates via USB drives and instant messenger applications. Its payload includes backdoor connections to remote servers, and additional malware is installed from third-party servers and peer-to-peer networks.
Naturally, however, enterprises aren’t out of the woods now that network worms have tailed off. Web-based threats have been a growing threat for years as hackers exploit common input-validation vulnerabilities with automated SQL injection attacks or cross-site scripting attacks that enable them to remotely control vulnerable browsers. Users are redirected to sites hosting malicious content and are infected with more malware, or are lured to an attacker-controlled site via social engineering (phishing, spam, typo-squatting) and tricked into entering legitimate credentials. The result has been a spike in Web-based attacks, in particular iFrame Redirects.
The Microsoft SIR said that seven of the top 10 threats it detects involve some sort of malicious website or compromised Web content, and two of those seven are iFrame-redirection attacks. Stewart said 3.3 million iFrame redirections were detected, a five-fold increase.
“It’s a really big shift in what we’re seeing as top threats for the enterprise,” Stewart said. “Malicious iFrame redirection is a middle man in these Web-based attacks; it’s that little component where the user is exposed to malicious content.”
Hackers have been able to automate scans for sites vulnerable to attacks such as SQL injection. A targeted Google search, for example, will render a detailed and sizeable list of Web servers vulnerable to any number of attacks. IFrame attacks are effective because the injected code is not obvious to the user or even to the Web administrator: the attacker isn’t adding a page to the vulnerable server, defacing a page or adding malware, just a redirector, Stewart said.
“The iFrame exposes visitors to bad stuff that the attacker is hosting somewhere else,” Stewart said. “It’s a piece in the chain of a Web-based delivery system.”
IFrame attacks are not alone. Other threats such as Zbot, or the Zeus Trojan, the Blacole Trojan and keygen programs that generate product keys used to validate pirated software climbed the charts, Microsoft said.
“Enterprise customers are much more exposed than ever to malicious Web content,” Stewart said.
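As an added example (not code from the Microsoft report or from this article), here is a small scanner a site administrator could run over their own pages to surface the kind of hidden, off-site iFrame redirector Stewart describes; the sample page and the hostnames in it are constructed.

```python
"""Flag hidden iFrame redirectors injected into a web page.

Added example, not Microsoft's or Threatpost's code. It reports <iframe>
elements that a visitor cannot see (zero/one-pixel boxes, hidden styles,
far off-screen positioning) and that point at a host other than the site's
own. Such a tag leaves the page looking untouched to both the visitor and
the administrator, which is what makes the technique effective; scanning
your own pages for it is one way to notice an injection early.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make a frame invisible or push it far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _tiny(value):
    """True for width/height attributes of 0 or 1 (pixel-sized frames)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dictionaries of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_iframes(html, site_host):
    """Return (src, reasons) for each iframe that is concealed and off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("pixel-sized")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-style")
        # Only report frames that are both concealed and point elsewhere:
        # a visible embed of the site's own content is normal.
        if reasons and host and host != site_host:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate video embed plus an injected redirector.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://example.com/player" width="640" height="360"></iframe>
<iframe src="http://redirector.invalid/go.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_PAGE, "example.com"):
        print(f"suspicious iframe -> {src} ({', '.join(why)})")
```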
DevOps Integration Key to Avoiding Pre-Ordained Security Failures
BOSTON – Downstream is where you live today as a security person. If Gene Kim has his way, you’ll be inline soon enough.
Kim’s keynote today at Source Boston 2013 took listeners on a deep dive of the integration of development and IT operations and helped map out how organizations may be able to wedge security into the conversation and help security practitioners escape a system that pre-ordains failure—one they are for the most part powerless to avoid today.
Kim has spent more than a decade studying high-performing operations teams in a variety of industries inside and outside of IT. Those that are successful are so through a combination of rigor and discipline, and pay more than lip service to the integration of security into application or process development. To put it in Star Trek terms, as Kim did, developers embody Mr. Spock in that they sit close to the boss and think too hard about problems, while operations are more like Mr. Scott, engineers who pull levers and knobs and yell a lot in an emergency. Security? They’re the token security guard who wears the red uniform and usually ends up as the casualty in every episode.
“We need to span the boundary between the two,” Kim said of development and operations. “We need to increase the flow of work in the proper direction and not pass defects downstream.”
Kim relayed an example of how Twitter injects static analysis into the development lifecycle every time a developer hits save on a project. If there’s an issue, they’ll get an email informing them of a vulnerability and how to remediate it. When the problem is fixed, the developer will get a “thank you” email.
“Security is done not at the end of a project when you add costs, but they do it inline,” Kim said. “In my opinion, this is the way all information security is going to be done 10 years from now. Not in batches and not at the end of a project.”
Kim said companies are collectively spending $2.6 trillion annually on IT failures, ranging from downtime, to data loss and more. Adding $2.6 trillion to the economy would radically change things, he said.
“Creating a culture and process that pre-ordains failure, for security downstream, this affects lives,” he said.
Kim assured attendees too that this kind of rigor isn’t reserved for rock star companies such as Google or high-end financial services companies, or Netflix. He’s seen success stories with retailers, higher education institutions and in many other industries. Learning from the big guys, however, never hurts.
Netflix, for example, was the only company running Amazon Web Services instances not to endure any downtime during a 2011 outage, Kim said. That’s because they made a decision never to rely on AWS for availability, he said, pointing to a decision to introduce chaos into its DevOps environment. The Chaos Monkey tool built by Netflix randomly kills processes in production all the time, forcing developers and operations to work together with security and learn how to defeat failure.
“They got really good at having code and an environment that survives failure,” Kim said. “The goal is to break things before they get into production. Find misconfigurations, enforce HTTPS, add static code analysis to their automated integration and testing; they did all these things.”
Ultimately, organizations must evolve toward a culture that accepts risk and learns from failures. Google, for example, forces its developers to manage their own code for six months before it’s passed on for approval and ultimately production.
“If an application is fragile, there is a hand-back mechanism where it goes back to the developer,” Kim said. “It’s a way for developers and operations to hold each other accountable.”
That accountability also includes feedback loops that include DevOps and security so that all are involved in incident escalation and mutual understanding of respective issues.
“The outcome is that defects are fixed faster,” Kim said. “If you do it for one issue, you should be able to replicate it throughout an organization. You have better communication and cooperation.”
Bruce Schneier on the Boston Marathon Bombing and the Psychology of Fear
Dennis Fisher talks with Bruce Schneier about the effects of the Boston Marathon bombing, how the psychology of fear plays into people’s reactions to these events and what the political aftermath could be.
NQ Mobile: Android Malware Doubled in 2012
Throw another log onto the proverbial Android malware fire: According to mobile security firm NQ Mobile, infections targeting devices running the Google-based operating system doubled in 2012. That translates to a 163 percent increase from 2011 and accounts for over 65,000 different types of malware discovered, up 30,000 from 25,000 the year before.
That is according to the firm’s 2012 Security Report, an annual review of malware scanned by NQ Mobile and its Security Lab, released Monday.
A handful of other trends are discussed in the report, including a decrease in malware targeting Symbian-based devices, and China being responsible for the lion’s share of infections globally.
The report also breaks down three of the most prevalent malware attack vectors, including how attackers are still taking genuine apps from Google’s Play marketplace, adding malicious code and then uploading the tweaked app to third-party app stores.
Attackers are also using malicious URLs and SMS phishing, or smishing, to target Android users.
Attacks on Android devices are a fairly regular occurrence these days and have grown exponentially; at one point in 2011 they were up 742 percent over the course of three months. In China, botnets composed entirely of Android devices, some 100 million strong, thrive, while in Japan malicious apps litter message boards and phony app marketplaces.
Samsung-branded devices have borne the brunt of Android’s troubles as of late. SMS vulnerabilities and password bypass flaws have been discovered on a handful of Samsung Galaxy devices over the past month or so, forcing the vendor to work on a patch to address the issue.
Linode Hacked Through ColdFusion Zero Day
The attackers who compromised Web hosting provider Linode used a zero day vulnerability in Adobe ColdFusion and were able to access the company’s database, source code and customers’ credit card numbers and passwords. The company said that the customer credit card numbers were encrypted, as were the passwords, but it forced a system-wide password reset after the attack was discovered.
The attack on Linode was described by the company on Monday, a few days after it said that one of its customers was compromised. The details of the attack are quite similar to other attacks that have resulted in password leaks and database breaches, aside from the use of the ColdFusion zero day. Many of these operations tend to be executed through the use of stolen or compromised credentials or a known bug in one of the targeted systems.
The ColdFusion vulnerability used in the Linode attack was patched by Adobe on April 9.
“As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database. We have been working around the clock since discovering this vulnerability. Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure,” Linode officials said.
“Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained.”
The company said that customer passwords are not stored in the Linode database. However, the company does store salted hashes of those passwords, and that’s what the attacker accessed. Those hashes should be of no use to the attacker, but the company decided to reset all customer passwords anyway.
