Author Archive

« Older Entries

Stop the UK Government snoops

By derek | Filed in Privacy

The government has just announced a plan to spy on us all, to be pushed through “as soon as Parliamentary time allows”. [1] They want to see details of who we call, text and email, and which websites we visit – without any kind of warrant or reason. They want to force phone and internet companies to install special devices to provide all this data on each and every one of us. [2]

Experts are lining up to condemn this idea as intrusive, expensive and ineffective. [3] But we know that when the Labour government announced similar plans a few years ago, a huge outcry was needed to make them to back down. [4]

So let’s build a massive petition right away, to show David Cameron that British citizens simply won’t put up with the government spying on their every move. Please click here to add your name now:
https://secure.38degrees.org.uk/stop-the-snooping-plan

A final version of the plan is due to be announced in just one month’s time. [5] We need to move fast if we’re to get this scrapped before then. A big petition right now could persuade David Cameron to rethink before he commits too deeply. His officials will report the rising number of signatures to him. And they will warn him that he can expect voters to challenge him every step of the way.

MPs from different political parties are already expressing unease. [6] One prominent Conservative MP, former shadow Home Secretary David Davis, has been in touch with the 38 Degrees office to say: “These plans would give the state huge new powers to snoop on ordinary people. They’d be expensive, unnecessary, and a huge invasion of everybody’s privacy. If they are to be stopped, public pressure will be critical – including from 38 Degrees members”.

Add your name to the petition today:
https://secure.38degrees.org.uk/stop-the-snooping-plan

David Cameron claims this will make us safer. But this is about spying on all of us, not serious criminals. It’s already perfectly possible for the government to monitor people suspected of serious crimes, with proper permission and oversight. [7] And serious criminals will inevitably find ways to hide their online identities.

Most importantly, this isn’t the kind of Britain we want to live in. We shouldn’t respond to criminals by abandoning our principles and scrapping basic civil liberties. We shouldn’t treat every citizen like a potential criminal who needs to be monitored. Help stand up for our right to privacy when we browse the internet or phone our friends - please sign the petition and spread the word now:
https://secure.38degrees.org.uk/stop-the-snooping-plan

RoboForm: Learn more...
Share
Be the first to comment

Unsecured wireless networks can get you into serious trouble

By derek | Filed in Privacy, Security advice, Tips & Settings, Warnings and Alerts

 

A federal lawsuit filed by Liberty Media Holdings – a San Diego adult content company – promises to keep the lawyers and copyright experts busy in the months ahead. The lawsuit – which accuses around 50 individuals of using their Internet connection, or allowing their connection to be used by a third party to file-share an adult movie – is interesting because it will test whether people who leave their wireless network on open access can be held liable if a third party uses it to download copyrighted content.

 A growing number of businesses are now offering guest access to their company network for site visitors and contractors. This is acceptable if the access is controlled through the use of a password and audit logging system – complete with acceptable usage policies – but many companies avoid the cost of these controls by simply opening up their wireless network on a password-free basis. Although this saves a few dollars a month on subscription fees, it is a very dangerous game because the legal liability risks are quite high.

 This will likely be a test case about the wider use of unsecured wireless networks & could have wide reaching Implications for all of us, not just US based members but worldwide as other legal authorities follow or adopt the  likely US outcome

 Will this end up stopping city wide free wireless or “free” hotspots that don’t ask for user name & password to connect. Could it further go down to the Average clueless user who leaves his/her home wireless unsecured or lets his friend or neighbour connect (without putting explicit restrictions on what that guest can do on the network), even though that is against the majority of ISPs T&C

 http://www.infosecurity-magazine.com/view/24809/comment-businesses-need-to-wake-up-to-open-wireless-access-risks/

Share
Be the first to comment

Adobe Flash player Update 27 March 2012

By derek | Filed in adobe, browser, Chrome, Exploits, firefox, Malware, Security advice, updates, Warnings and Alerts, Windows

There seems to have been a security update to 11.2.202.228 but I can find no release notes or information why the update has been issued except general gossip to say to fix undisclosed vulnerabilities

Some users have reported problems with installing the update via adobe web based install so an alternative method is to use the full installers on http://www.adobe.com/products/flashplayer/distribution3.html

I understand that some antiviruses including Eset/Nod have conflicts with the adobe web based installer

Edit:
details here
http://forums.adobe.com/message/4296259

it isn’t a security fix but a whole new version of flashplayer with additional capabilities

Share
Be the first to comment

Microsoft Security Essentials Anti-Virus ( MSE) update problems

By derek | Filed in Antivirus, Malware, microsoft, Security advice, Tips & Settings, Warnings and Alerts, Windows

There have been problems with MSE ( Microsoft Security Essentials Anti-Virus) updating itself, either through the program or via Windows update the last 2 days. It will continually tell you that you are up to date when you are in fact several definition updates behind
Currently at 7 am GMT on 23 March 2012 the latest published definitions are 1.123.212.0
MSE or WU will only give 1.123.194.0
Yesterday it was 4 definition sets behind

The way to update is to do a manual update from http://www.microsoft.com/security/portal/definitions/howtomse.aspx

Share
2 Comments so far. Join the Conversation
Tags: ,

Make sure your Java is up to date

By derek | Filed in browser, Exploits, Java, Malware, Security advice, updates, Warnings and Alerts

 

Public Java Exploit Amps Up Threat Level — Krebs on Security:
http://krebsonsecurity.com/2011/11/public-java-exploit-amps-up-threat-level/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

“An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.”

“The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. Apple issued its own update to fix this flaw and other Java bugs earlier this month.”

 

Share

Microsoft Fixit for Duqu 0 day exploit

By derek | Filed in browser, Exploits, Malware, microsoft, Phishing, Privacy, Security advice, Tips & Settings, Warnings and Alerts, Windows

Temporary fixit & workaround for 0 day exploit relating to duqu malware

Fixit & unfixit here http://support.microsoft.com/kb/2639658

Advisory with manual “fixes”  http://technet.microsoft.com/en-us/security/advisory/2639658

My considered advice is that you won’t need it and you should wait until Microsoft issue a full patch
So far all attacks have been directly targetted against specific companies or Government departments,  That might change as the skiddies get hold of the exploit

Using the fixit might make some applications/ word docs  or websites not display correctly ( or even at all )  if they use embedded True type fonts & they haven’t been set to gracefully fall back on standard system fonts

If we start to see general attacks, then I will update this & suggest using the fixit

An additional workaround to prevent Websites attacking you by using embedded fonts is to set Internet Explorer font downloads to prompt instead of allow . That way you at least get an alert if a font is being downloaded and you can make an educated opinion as to whether it is likely to be malicious

  • Open Internet Explorer
  • On the Tools menu, click Options and then click the Security tab.
  • Select Custom and click Settings.
  • Scroll to the Downloads section.
  • Change the Font Download setting from  Enable to Prompt
RoboForm: Learn more...
Share

Fake Firefox update

By derek | Filed in browser, firefox, mozilla, spam

Lots of spam emails circulating with following content

New update arrive.

Your security is our top priority. Our open source security process means we have an international community of experts working around the clock to monitor the latest threats. As soon as a security threat is discovered, we write a patch and release an update to stay one step ahead. Downloading Firefox updates is a very important part of staying safe online. Firefox is constantly evolving as our community finds ways to make it better, and as we adjust to the latest security threats. Keeping your Firefox up-to-date is the best way to make sure that you are using the smartest, fastest and . most importantly . safest version of Firefox available. A Firefox update will not make any changes to your bookmarks, saved passwords or other settings. However, there is a possibility that some of your Add-ons won.t be immediately compatible with new updates. Re-installing Firefox will not affect your settings, bookmarks or preferences in any way. A Firefox software update is a quick download of small amounts of new code to your existing Firefox browser. These small patches can contain security fixes or other little changes to the browser to ensure that you are using the best version of Firefox available. Update in a click : firefox-7.0.1

needless to say the download is a trojan, identified by several antiviruses as carpberb and by others as Z-bot Please don’t fall for it Firefox 7 isn’t out yet, although it will be soon

Share

Microsoft security info

By derek | Filed in microsoft
  • SIRv11: Putting Vulnerability Exploitation into Context

    As Vinny Gullotto, our GM blogged earlier in the week, the 11th edition of the Security Intelligence Report (SIRv11) has been released. One of the new areas of research in this release is a study of the most prevalent kinds of vulnerability exploitation and how much of that exploitation is 0-day (short for zero-day, an attack or exploitation of a vulnerability without an available update). We took two paths to find this answer. The first was an analysis of how the top families found by the Microsoft Malicious Software Removal Tool (MSRT) were known to infect systems. We found that none of the top 27 families were known to use 0-day vulnerabilities in 1H11.

    The second way we approached this answer was to measure all of the exploit activity tracked by the MMPC through our real-time protection products (such as Microsoft Security Essentials and Forefront Endpoint Protection) and compare the number of attacks that were 0-day at the time (no update available) versus attacks that occurred after the update was made available. We actually gave a month buffer zone (so any exploits that happened during the month in which the update was made available was still counted as 0-day). We expected the percentage to be low, and it was– 0.12 percent to be exact for 1H11. Here’s what it looks like in chart form:

    Chart illustrating percentage of exploits that were 0-day in 1H11
    Chart 1 – Chart illustrating percentage of exploits that were 0-day in 1H11

    One question that we discussed a lot while working on this report was: How do we measure what we don’t know and therefore can’t see? (In other words, 0-day by definition means you may not know about it.) Great question! Answer: We can’t measure what we can’t see. However, what we have seen tells us that “secret 0-days” don’t stay a secret for very long. Take, for example, a few we tracked in 2010. These attacks nearly always started out as targeted – sometimes reported as affecting only one entity when they were discovered. The trend they have in common is that they broaden to more generalized use (eventually) and we find out about them sooner or later.

    • CVE-2010-0806 was a 0-day affecting Internet Explorer 6 and 7 on older operating systems (like Vista and XP) that was reported as being used in targeted attacks. A few days later, after the release of public exploit code, we saw those attacks escalate and they have remained a sizable part of exploit activity throughout 2011.
    • CVE-2010-3962, which we dubbed the Weekend Warrior for its peaks of activity in Korea on the weekends, was discovered in Nov. 2010 when it was used in targeted attacks. Attackers broadened the targets of their attacks near the end of the month.
    • Another example is CVE-2010-3962, the vulnerability that used malicious .lnk files that was found with Stuxnet. It took a matter of weeks before this one technique used in this very targeted, singular attack got picked up by many other families of malware like Sality, broadening the impact considerably.

    The point here is that although it’s true that “you don’t know what you don’t know,” our experience tells us that when it comes to 0-day activity, we find out, and often, we find out quite quickly. Things start to unravel rapidly the moment the 0-day affects either a target that’s really paying attention or when the attacks start to affect a broader, less targeted audience.

    So, even if our estimates for 0-day activity were off by 5 fold, the estimated activity for 1H11 would remain under 1 percent. That’s still pretty small.

    Most Frequent Exploits

    So, now that the question of 0-day is out of the way, let’s talk about the broader volumes of exploit activity that were revealed in SIRv11. Although there are many interesting trends in the chart below, I want to focus on a few of them in this blog: Java (and the age of vulnerabilities in general) and Operating System vulnerabilities. If you want details about the other categories in this chart, see the full Security Intelligence Report.

     

    Exploit activity over a one year period

    Chart 2 – Exploit activity over a one year period

    Java Exploits

    As we blogged a year ago, in 3Q10, the exploitation of Java vulnerabilities skyrocketed to new levels that we had never seen before. The analysis in SIRv11 shows that Java exploitation remains high and that the targeted vulnerabilities are quite old. The top four Java exploits are CVE-2010-0840, CVE-2008-5353, CVE-2010-0094, and CVE-2009-3867. These CVEs affect the Oracle Sun Java JRE or JDK, and all of them have updates available to fix them now. The most recent, CVE-2010-0094 and CVE-2010-0840, received updates in April 2010 after following a coordinated disclosure process with an external vendor.

    Operating System Exploits

    The jump in operating system exploits is primarily due to one technique: CVE-2010-2568 (the vulnerability mentioned earlier that was found with Stuxnet). This exploit was picked up by a number of families that were known to abuse Autorun. And, although CVE-2010-2568 has nothing to do with Autorun itself, the behavior is quite similar: the user connects to a USB device and browses the drive, the malware automatically executes (if the user hasn’t applied the update to fix the issue, that is). Malware authors must have found this exploit technique alluring. At least, the data certainly seems to indicate that they did. It’s also possible that attackers, after Microsoft released updates to harden the Autorun feature on older systems (which did appear to put a dent in their ability to infect users), were searching for ways to broaden their infection rate.

    Another interesting aspect in our exploit data on CVE-2010-2568 is the location of the targets. I recently did a talk at Virus Bulletin on the top exploits of 2011, and in that talk, I looked at geographical differences for regions that face the most exposure to exploitation attempts. Several regions that were at the top, Indonesia, Pakistan, and Vietnam, were there because of exploitation attempts for CVE-2010-2568. If you combine those three locations with two more, India and Mexico, those five together represent 52% of all the computers that have reported CVE-2010-2568 attack attempts in the first three quarters of this year. Although I don’t have update statistics for these regions, this data might indicate that there are large numbers of systems there that have not yet applied this very important update (MS10-046).

    Net Net

    I’ve talked about a lot of data in this post, and sometimes it’s hard to synthesize it. The key point of the exploit analysis in SIRv11 is that older vulnerabilities are what the vast majority of exploitation attempts target (90 percent are more than a year old). The special 0-day section of the report takes this concept even further – we look at how much of the malware infections are actually attributed to the exploit of vulnerabilities in general. (The answer: Less than 6 percent in 1H11.) To find out what the other 94 percent of infections are attributed to, download the report and keep your eye on this blog for more analysis to come.

    - Holly Stewart, MMPC

Digest powered by RSS Digest

Share

Microsoft security info

By derek | Filed in microsoft
  • MSRT October ’11: EyeStye

    This month, the Malicious Software Removal Tool (MSRT) targets two families: Win32/EyeStye and Win32/Poison.

    EyeStye (aka ‘SpyEye’) is a family of trojans that steals information, targeting authentication data used for online banking such as passwords and digital certificates. The method it employs is called “form grabbing” which involves the interception of webform data submitted to the host through the client’s browser. By intercepting this data, authentication information can be stolen, and web content presented to the user can be altered to the malware author’s preference. In one recent EyeStye variant (for example SHA1 e36287d81770d583679be28d9a229f8363ab4cde) we came across, we observed that the following browsers were targeted, indicating that the malware authors are leaving few stones unturned: Internet Explorer, Mozilla, Chrome and Opera.

    The malware file contains obfuscated code, while the payload is injected into running processes. It also employs user-mode rootkit protection in an effort to prevent itself from being seen via Windows Explorer or the Command Prompt. This may be intended to make detection and remediation challenging for antivirus engines. As this bot is kit-based, the file names and mutexes it creates are variable, which makes identification (based on these factors) difficult.

    Towards the end of 2010, the release of EyeStye kit 1.3.X included a feature to avoid detection by Trusteer’s Rapport, a feature also offered by Zeus (Zbot). This release also removed a feature to kill Zeus if it was detected running on the affected machine, leading some to suggest that the two bots were being merged. However, by that time the Zeus code was already publicly available, which lead us to believe that those rumors were speculative in nature. We continue to monitor both of these bots for evidence of such a merger.

    As with much of the malware we see today, EyeStye is often spammed out to users or posted on open forums enticing users to click on a link, employing one of the increasingly common social engineering techniques. An example of such a spam email can be seen below: This spam mail was being posted in an open BSD forum; clicking on the link leads to a download of a file named “VIEW_EVENT_DOC.PIF”, which we detect as Win32/EyeStye (SHA1 df8a8483515dd0db3494d796ede33fddb369df10).


     

    For more information on this malware family, please refer to Win32/EyeStye.

     

    – MMPC

Digest powered by RSS Digest

Share

Microsoft security info

By derek | Filed in microsoft
  • New: Microsoft Security Intelligence Report Volume 11- Now Available

    Hi, again everyone!

    Today we released the 11th volume of the Microsoft Security Intelligence Report, also known as SIRv11.   I have to say once again we’ve outdone ourselves and launched the largest and most comprehensive version of this report to date. This time it’s over 800 pages of threat intelligence spanning 100+ countries and regions around the world.  The report provides threat trends and data analysis on topics like software vulnerabilities, exploits, malicious code and potentially unwanted software.  We also cover third party products in the report.

    As part of SIRv11, we’ve included an in-depth analysis titled “Zeroing in on malware propagation.”

    The purpose of this study is to help customers better understand where malware was propagating and encourage the use of this information to prioritize where and how to focus risk management efforts.  In contrast to popular belief, this study found that zero-day vulnerabilities accounted for a very small percentage of actual infections.  In fact, none of the top malware families detected through our tools like the Malicious Software Removal Tool and Microsoft Security Essentials, and others propagated through the use of a zero-day.  And while some smaller families did take advantage of these types of vulnerabilities, less than 1 percent of all vulnerability attacks were against zero-day vulnerabilities – in other words, approximately 99% of attempted attacks impacted vulnerabilities for which an update was available.

    While these statistics may come as a surprise to some, the key takeaway is how malware was actually propagating and we found that to be through  user interaction-typically employing social engineering techniques, Autorun feature abuse, file-infection, various exploits (with updates available) and brute force password attacks. This study provides insight into the frequency in which these methods were being used to spread malware, and puts zero-day vulnerabilities into context against other propagation methods.

    The graph below outlines the areas I’ve mentioned and gives you a good idea of where we’re seeing malware propagate from – essentially the methods.

    Figure: Malware detected by the Microsoft Windows Malicious Software Removal Tool (MSRT) in the first half of 2011, categorized by propagation methods

    We’ve always known the bad guys use multiple methods of malware distribution to compromise users, and they often build this functionality into the malware itself.  As an example, Conficker exploits vulnerabilities, abuses Autorun, and guesses passwords to infect users.  Other families, like Taterf, Vobfus, Ramnit, and Renocide focus on Autorun abuse and incorporate social engineering tricks that require user interaction.  However the report provides insight into the frequency in which these methods were being used to spread.  It also puts zero-day into context against the other propagation methods.

    Zero-day vulnerabilities tend to strike fear in the hearts of consumers and IT professionals, and for good reason. They combine fear of the unknown and an inability to fix the vulnerability, which leaves customers feeling defenseless. It’s no surprise that zero-day vulnerabilities receive enormous coverage in the press when they happen, and should be treated with the utmost level of urgency by the affected vendor and the vendors’ customers. Despite the level of concern, there has been little measurement of the zero-day threat in the context of the broader threat landscape.

    The purpose of our featured story in SIRv11 was to put zero-day threats into context against the other malware propagation vectors and encourage IT Professionals to consider this information when prioritizing their security practices.  Zero-day threats are real and I don’t want to diminish the risk they represent.  However we hope that users will take this information into consideration when prioritizing their security efforts.  

    The study just scratches the surface on the intelligence contained in the SIRv11.  For more information on global or regional threat trends, check out the website.  As I said the report is huge and  contains data from over 600 million systems worldwide, over 280 million Hotmail accounts, billions of pages scanned by Bing each day and more importantly the report provides prescriptive guidance to help protect against the bad guys.

    I hope you enjoy this report.  If you would like to provide input on ideas for future reports, join the SIR Community where you can gain early access to upcoming announcements and SIR events, learn about early concept ideas and extended content as well as participate in feedback surveys that help to drive the direction of data analyzed.

    Thanks again and stay safe!!

    Vinny Gullotto 
    General Manager
    Microsoft Malware Protection Center

Digest powered by RSS Digest

Share