Archives in March, 2011

RSA won’t talk? Assume SecurID is broken

While I applauded RSA’s announcement, it’s been over a week since RSA informed customers of a compromise of confidential information concerning its SecurID two-factor authentication product. RSA continues to remain silent despite attempts by researchers, reporters, and customers to get additional information about the extent of the compromise and what it means for the continued viability of the product.

For seven days, reporters, researchers, and customers have called on RSA, and its parent corporation EMC, to specify what data was lifted – or at the very least to say if it included details that could allow government or corporate spies to predict the one-time passwords that SecurID tokens generate every 60 seconds. And for seven days, the company has resolutely refused to answer. Instead, RSA has parroted Security 101 how-tos about strong passwords, support-desk best practices, and the dangers of clicking on email attachments.

I would like to know more about the intrusion and the extent of the compromise so I can make a more informed decision about future direction myself. However, since we aren’t getting that, parroting Security 101 is not a bad idea. Even though Dan Goodin of The Register seems to imply that this information is basic security practice that should already be understood, these are the very things that continue to let attackers into the network. No matter how many times we tell someone not to do something, or to do something, they continue to do just the opposite. While education and awareness should not be your only security control, it’s an important administrative control that will continually have to be reinforced.

Like Goodin states, “SecurID’s two-factor authentication may not be broken, but until RSA comes clean and provides some yes or no answers to two simple questions, it’s better to assume it is.” Look at your environment, assess the risk, and put effective mitigating controls in place to protect the environment.

Read more…

Critical U.S. Infrastructure at Risk of Cyber Attack, Experts Warn

I have to post this because I now have my wife forwarding me articles. Now, I see this as pretty cool. All those years of badgering her over security vulnerabilities and what she should and shouldn’t do online has finally paid off. To see that she is forwarding security related articles means that she is paying attention to the important things.

Anyway, the article states:

Just as the computers that ran Iran’s nuclear program were sabotaged and crippled by a cyber “super worm” virus, the software used to run much of America’s industrial, transportation and power infrastructure — including nuclear power plants and major airports — is vulnerable to cyber attack, and two software companies have revealed dozens of successful hacks to prove it.

The problem I have with the attention that the SCADA industry is getting is that it took something like Stuxnet to get someone’s attention. The security issues have been there for years because it was an infrastructure that was designed without security in mind. Many people just shrugged off the issues because nothing really ever happened despite the warnings.

Read more…

Critical Security Updates for Adobe Acrobat, Flash, Reader

Adobe today released a software update to plug a critical security hole in its Flash Player, Adobe Acrobat and PDF Reader products. The patch comes a week after the software maker warned that miscreants were exploiting the Flash vulnerability to launch targeted attacks on users.

Read more…

PHP.net breach: Concern over safety of source code

Maintainers of the PHP programming language spent the past few days scouring their source code for malicious modifications after discovering the security of one of their servers had been breached.

The compromise of wiki.php.net allowed the intruders to steal account credentials that could be used to access the PHP repository, the maintainers wrote in a brief note. They continue to investigate details of the attack, which exploited a vulnerability in the Wiki software and a separate security flaw in Linux. The site has been down since at least Friday.

Read more…

Google patches Flash bug before Adobe

Google has already released an update for its Chrome browser that fixes a critical vulnerability in Adobe’s Flash Player that’s under attack. Users of the animation software on other browsers and operating systems will have to wait until next week for the same patch.

Chrome was able to beat the rest of the pack thanks to ongoing collaboration with Adobe that allows Google advanced access to updated builds of Flash, Adobe spokeswoman Wiebke Lips said. Google is then able to push the update to Chrome users through the browser’s automatic update mechanism.

Read more…

RSA Compromised by Sophisticated Attack

In an open letter, RSA executive chairman Art Coviello revealed that the information was stolen via an APT (advanced persistent threat) attack. RSA warned customers Thursday that hackers have stolen information about its RSA SecurID two-factor authentication that could be used by cybercriminals to potentially breach customers’ systems.

The problem I have with this warning is using “an APT attack” as a scapegoat. This is a cop-out statement to say “hey, we got hacked”. Ever since Operation Aurora, companies have started claiming that they were hit by an APT when in fact they had a security hole and someone exploited it. Take, for instance, InfoWorld, where I got this news, and the way its journalist bloggers write about APT. Roger Grimes wrote an article back in October titled “How advanced persistent threats bypass your network security.” Complete FUD.

Hundreds of companies around the world have been thoroughly compromised by APTs (advanced persistent threats) — sophisticated forms of cyber attacks through which hackers mine for sensitive corporate data over the long term.

MANDIANT described the APT in an M-Trends Report. Journalists should read this and understand it before blindly leading readers into their own interpretation of APT.

What I don’t have a problem with is that RSA was honest with their customers and published a warning about their attack.

Read more…

Adobe Releases Security Advisory for Flash Player, Reader, and Acrobat

Adobe has released a security advisory to alert users of a vulnerability affecting the following products:

  • Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux, and Solaris
  • Adobe Flash Player 10.2.154.18 and earlier versions for Google Chrome users
  • Adobe Flash Player 10.1.106.16 and earlier versions for Android
  • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh

Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. At this time, the vendor has not released a fix for this vulnerability. The Adobe advisory indicates that this vulnerability is being actively exploited via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.

Adobe warns that the security hole is currently being exploited via Flash (.swf) files embedded in a Microsoft Excel document delivered as an email attachment.

Google Chrome triumphs in hacker challenge

So far Google’s Chrome is unscathed in the annual Pwn2Own hack match, with one contestant a no-show and the other team working on another product instead, writes Greg Keizer of ComputerWorld.

Read more…

Scareware slingers exploit Japan tsunami disaster

I told you it wouldn’t be long before we start seeing scammers and criminals exploiting the earthquake in Japan.

Pond-life malware writers have wasted little time poisoning search results based on Friday’s devastating earthquake in Japan with links to scareware portals.

Black-hat search engine manipulation was used to push sites offering fake security software high in the index of results based on the search term keyword “most recent earthquake in Japan”, Trend Micro warns.

More attacks along the same lines can be expected, even though Google has done a good job of late in cleaning up its search indexes. Surfers are advised to go directly to recognised news sites.

Read more…

WARNING: Possible scams and malware

With the recent earthquake in Japan, users should be aware of possible attempts by scammers and criminals to exploit human generosity during a major time of need. Following natural disasters, cyber criminals tend to establish fake relief organizations and relief efforts in order to scam givers out of their hard-earned cash. Malware will also start to pop up in the supposed form of video footage and pictures. Users should use extreme caution when receiving email related to the earthquake.

People wanting to donate to earthquake relief should use well-established and recognized relief organizations. Do not respond to solicitations sent through email; visit the organization’s actual site or physical location instead.