
Firefox Add-Ons Include Trojan


Just a quick note that two Mozilla Firefox add-ons were found to include a little more than bargained for, in the form of Windows-based trojan malware. To be sure, these weren't the most popular add-ons in the catalog, with only around 4,600 downloads between the two infected offerings.

These add-ons were available for download from the Mozilla site itself, which only underscores the importance of keeping your local scanners active and up to date. You shouldn't blindly download, install or run code from any website, vendor or media, regardless of its intentions or reputation. "Trust but verify" seems to apply here.


Jason Ross's presentation at the Black Hat DC conference addressed the problem of checkbox compliance: companies treat checkbox compliance as an indicator that they are secure, when in fact it should be regarded as the lowest acceptable level, a baseline. He points out, as others have, that some of the largest compromises of personal information occurred at companies that had passed their external PCI audits. Compliance is absolutely wonderful, and it enforces at least a baseline of requirements, but it should not be treated as a seal that protects you from exploits and non-publicized holes in the grid.
Blackhat SEO

Jason points out the difficulties of detecting malware in enterprise environments: by the time the antivirus sends off an alert about a piece of malware being seen, it is usually too late and you have already been owned. As Dan Geer pointed out a few years ago at the Gartner Risk Conference, it's hard to get exact metrics on what is happening, because by the time that alert kicks off, six other events have already happened that were not detected.

IT and security administrators who have been through some of these malware wars with downloaders and polymorphic attacks know that just because the antivirus says it's cleaning up, there are way too many other things happening. I once saw something interesting: a polymorphic virus loaded on a system that had Microsoft's development studio on it, and we could watch as the polymorphic virus recompiled other malware from its code that would attempt many ways to infect the machine and other machines quickly, and at one point there was a downloader. Even Microsoft writes about recovering the operating system and files from a known state from before this activity started; unfortunately, without a historical view of activity on this node and user, that information and the correlation of events will be difficult.

Jason Ross points out that the goal of malware now is to have business support models. The objective is not to be noisy but to very quietly perform the tasks of infecting other hosts and using a network of hosts to make money, with malware such as URL Zone and Monkif.

In the presentation he talks about SpiderMonkey, as adapted by Didier Stevens, a tool for helping to analyze malcode, and the use of sandnets to isolate malcode in action so that it can be analyzed to determine what it wants to connect to or what services or files it wants to abuse. With polymorphic viruses that constantly change, it's usually interesting to observe them in action in a closed environment.

Years ago, I can't remember the movie name, but the analysts in the movie were collecting them and keeping the code and binaries for sale and redistribution, or modifying them in some way so as not to be detected.

Another point from the presentation is that malcode writers are now writing code so it cannot be easily detected by signatures, splitting it so that each binary performs only a small function of the whole.

via this Black Hat briefing


At the Black Hat Conference in Washington D.C., David Litchfield revealed a privilege escalation session and scripts that could be used by anyone with basic session access to gain administrative privilege on an Oracle 11g database and administrative access to the operating system files.

One of the interesting topics at the beginning of the presentation was the number of security vulnerabilities reported by Oracle or other researchers, compared to the number reported against Microsoft SQL Server 2005 and 2008. Although I would have expected the complete reverse in the number of vulnerabilities reported against each product. David used Java calls in Oracle Aurora to gain access.

Oracle and Java Stored Procedures

SOURCE: FORBES.COM


There is an interesting podcast on the 365.rsaconference blog concerning large cybercrime organizations, originally broadcast on NPR, about Joseph Menn's new book, Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet.

NPR Broadcast Fighting Cybercrime, One Digital Thug at a Time


As we approach the Black Hat Washington DC conference next week, there seems to be more and more unraveling about the vulnerabilities recently discovered in Internet Explorer. The French security firm Vupen Security has said it has confirmed code execution on Internet Explorer 8 even with Microsoft's DEP enabled. The company has said it has not released the exploit code to the general public, but encourages all users to disable Active Scripting. The firm also recommended using IE 8 on Windows 7 over IE 8 on XP SP3.

Let's see if there are more discussions or disclosures happening about Operation Aurora next week at Black Hat. Infragard Security Organization also announced that it is holding a Webinar on Feb. 2nd to review Aurora and some security initiatives with Adobe, one never knows.

Other researchers point out that there are organizations specializing in gathering intelligence on the vulnerabilities of corporate and government entities and the weaknesses in their control environments, offering that information for sale to others who might seek to gain a competitive advantage, either technically or politically, over their rivals, and even providing cloud bot services to carry out their objective. Researchers maintain that there are organizations active today that are gathering information, whether externally or internally, about the infrastructure and control environments of industries or individuals, with the hope of selling that information or leasing time on distributed servers with access to gain intelligence on their competitors.

For those of us who have been lucky enough to hear Gordon Smith from Canaudit speak about using social and technical engineering to collect information for pen testing and/or auditing, the value of gathering up as much information as possible to obtain access through both methods is clear.

While this all sounds very Swordfish vogue, there is a lot of information scattered across the world that is very valuable or can gain access to valuable things. If 90% of the systems are running common code, that reduces the amount of unraveling. There was a presentation by "javaman" in New York at the 5th HOPE conference that outlined his thoughts on "Security through Diversity" that I thought was very interesting as well as his talk on parallelism, how individual systems and large enterprises can improve their tolerance to massive attacks through this principle. If you're under attack why would you fail over your control environment to the exact same mirror control environment that was already compromised?

The first time I saw mshtml being utilized for deployments of software by the user accessing a URL, with the whole process happening in the background without the user knowing, I thought to myself that it could only be trouble, and that was probably about 2000-2001. Thanks Jon R., you were always working it. Jon and Bjorn always had some cool Windows stuff going, no matter if it raised the hairs on the back of your neck.

Google recently accused the Chinese government of hacking into the Gmail accounts of certain Chinese citizens unpopular with the communist leadership. Google has retaliated by threatening to cease filtering search results in China at the behest of the Chinese government. Certainly by now this is news to no one.

What's noteworthy about the details of the yet-unpatched IE 6 vulnerability that allowed this exploit is that it isn't really that noteworthy. IE 6 is outdated by two versions already. This vulnerability, while serious, doesn't strike me as anything unusual for MS products of that vintage. The response has been typical: the exploit is posted publicly, and the vendor is working on a patch.

So the lessons here are exactly what security pros (and plenty of other folks) already know - keep your OS and key applications up to date and configure software to automate this process. If you're still using IE6 for some reason, do you really need to be told "to be highly vigilant until a patch can be developed[?]"

France and Germany have gone a bit further than necessary, warning folks off of IE completely rather than just old versions. While I personally use Firefox and Chrome for features and speed, I wouldn't necessarily tell folks to abandon IE (though I'd recommend version 8 if you are going to use it). I don't believe other browsers are inherently more secure. It's just that non-IE users represent a slightly more tech-savvy attack vector. Perhaps that's reason enough to avoid IE for some.

HP Software Universe 2009

Last day here at HP Universe in Hamburg, talking about integrating Information Security Management more closely into the enterprise architecture and the system development life cycle. Enterprise frameworks, including the new NIST Special Publication 800-37 Rev. 1 with its six-step Risk Management Framework, as well as ITIL V3 and COBIT 4.1, call for information security to be closely aligned with the enterprise for effective risk management.

We have been talking about the new standards and guidelines concerning the harmonization of IT and Information Security Governance. With the integration of netForensics Sim One information security management enterprise software, HP uCMDB, and HP Operations Manager software, we can show that IT Operations Management and Information Security Management are working on the same vision of domain services for continual monitoring of enterprise services, giving IT Operations and Information Security the ability to monitor the effectiveness of the control environment and promoting near real-time risk management.

If you're looking for solutions to help you manage risk-based decisions with regard to the organizational information systems supporting your core missions and business functions, we already have it.



netForensics will be at HP Universe in Hamburg Germany this week.

On December 16th through the 18th at HP Universe 2009 we will be featuring how our Information Security Management tools integrate with HP uCMDB and HP Operation Center Management. IT enterprise frameworks, including the OGC's ITIL v3 and ISACA's COBIT 4.1, call for Information Security Management, Change Management, and Service Asset and Configuration Management processes to be implemented across the ITIL Service Lifecycle, from Service Strategy through Service Design, Service Transition and Service Operation.

nFX SimOne provides the ability for Information Security Management and Operations Management to be closely aligned throughout the Service Life Cycle. By integrating with HP uCMDB, HP Operations Manager (OVO) and Information Security Management (SIEM) tools, organizations gain a common view of the relationships between hosts, host resources and applications, along with an automatic change history. This gives organizations a common view of the Service Design and its control environment, allowing Information Security Management to create effective correlation event scenarios based on the enterprise framework and business processes, providing effective event management and incident management.

HP UNIVERSE HAMBURG GERMANY 2009


iPhone Worms


Here's an interesting story about the second worm detected for Apple's iPhone platform. While the worm itself seems rather limited in its target audience (Dutch banking customers with a "jailbroken" iPhone running SSH with the default password), there are two interesting points here:

The first is that this worm enables the infected devices to act as a botnet. PC-based botnets have long been a problem on the Internet, but I am not aware of any other major platform to support a botnet until now.

The other point is that the popularity of the iPhone is making it a more desirable target for malware. I am not going to use this opportunity to take sides in the quasi-religious debate about the inherent security of Windows v. Mac v. Linux, but it does give some credence to the argument that Windows is not less secure than other operating systems but is simply targeted more due to its ubiquitous deployment.

To what degree does malware follow a platform's popularity? Time will tell.



The mission and function of the task force will be to provide advice to the Attorney General for the investigation and prosecution of cases of banks, mortgage, loan, lending fraud; securities and commodities fraud, mail and wire fraud, retirement fraud, tax crimes, false claims, unfair competition, discrimination, and other financial crimes and violations.

Federal Register Executive Order 13519--Establishment of the Financial Fraud Enforcement Task Force

Bankinfosecurity.com's article outlines the comments made by the Attorney General's Office:

"That the nation faces unprecedented challenges in responding to the financial crisis that has gripped the economy for the past year. Mortgage, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."

In the recent Brazilian power outage events, even an implied weakness in the controls of critical infrastructure could be used to destabilize financial markets, subverting the controls involved in financial trading. There have been conflicting reports about whether the outage was caused by an attack on the control systems of its dams. Employees and contractors of the system complained that their pay checks and statements had been modified to include a message from the attackers.

With all of this talk of financial fraud and critical infrastructure vulnerabilities, I could not help but be reminded of the 1983 movie Superman III, where Robert Vaughn's character cites "Computers rule the world today and the fellow that rules the computer, rules the world," and Richard Pryor hacks into secret defense systems to ruin the coffee crop for the next 5 years (Superman III: Tornado Scene).

While it may all seem very tongue in cheek and somewhat unrealistic, the simultaneous collapse of the financial markets due to fraudulent transactions, combined with the failure of major SCADA systems, would have a serious effect on a nation's stability. In 2002 the U.S. Naval War College conducted a study that concluded it would probably take about 5 years and cost about 290 million dollars to plan a significant electronic attack.

Digital Steganography: The advantage of steganography over cryptography alone is that messages do not attract attention to themselves.

Infosectoday's article: Digital Steganography Threat or Hype: by James E. Wingate - Summary:
Use of steganography will never be detected if no one ever looks for it.

Oct 24, 2008 - Futures halted as trading enters 'panic mode', The Financial Post