Recently in Internet Security Category


Firefox Add-Ons Include Trojan

Image: Trojan Horse at Glyptothek (by otzberg via Flickr)

Just a quick note that 2 Mozilla Firefox Add-Ons were found to include a little more than bargained for in the form of Windows-based trojan malware. To be sure, these weren't the most popular add-ons in the catalog, with only around 4,600 downloads between the 2 infected offerings.

These add-ons were available for download from the Mozilla site. This only goes to underscore the importance of having your local scanners active and up to date. You shouldn't blindly download, install or run code from any website, vendor or media regardless of its intentions or reputation. "Trust but verify," seems to apply here.


Google recently accused the Chinese government of hacking into the Gmail accounts of certain Chinese citizens unpopular with the communist leadership. Google has retaliated by threatening to cease filtering search results in China at the behest of the Chinese government. Certainly by now this is news to no one.

What's noteworthy about the details of the yet-unpatched IE 6 vulnerability that allowed this exploit is that it isn't really that noteworthy. IE 6 is outdated by 2 versions already. This vulnerability, while serious, doesn't strike me as anything unusual for MS products of that vintage. The response has been typical - the exploit is posted publicly, and the vendor is working on a patch.

So the lessons here are exactly what security pros (and plenty of other folks) already know - keep your OS and key applications up to date and configure software to automate this process. If you're still using IE6 for some reason, do you really need to be told "to be highly vigilant until a patch can be developed[?]"

France and Germany have gone a bit further than necessary, warning folks off of IE completely rather than just old versions. While I personally use Firefox and Chrome for features and speed, I wouldn't necessarily tell folks to abandon IE (though I'd recommend version 8 if you are going to use it). I don't believe other browsers are inherently more secure. It's just that non-IE users represent a slightly more tech-savvy attack vector. Perhaps that's reason enough to avoid IE for some.



iPhone Worms


Here's an interesting story about the second worm detected for Apple's iPhone platform. While the worm itself seems rather limited in its target audience (Dutch banking customers with a "jailbroken" iPhone running SSH with the default password), there are 2 interesting points here:

The first is that this worm enables the infected devices to act as a botnet. PC-based botnets have long been a problem on the Internet, but I am not aware of any other major platform to support a botnet until now.

The other point is that the popularity of the iPhone is making it a more desirable target for malware. I am not going to use this opportunity to take sides in the quasi-religious debate about the inherent security of Windows v. Mac v. Linux, but it does give some credence to the argument that Windows is not less secure than other operating systems but is simply targeted more due to its ubiquitous deployment.

To what degree does malware follow a platform's popularity? Time will tell.


Image: Cyber crime (by Angus Kingston via Flickr)

The mission and function of the task force will be to provide advice to the Attorney General for the investigation and prosecution of cases of banks, mortgage, loan, lending fraud; securities and commodities fraud, mail and wire fraud, retirement fraud, tax crimes, false claims, unfair competition, discrimination, and other financial crimes and violations.

Federal Register Executive Order 13519--Establishment of the Financial Fraud Enforcement Task Force

Bankinfosecurity.com's article outlines the comments made by the Attorney General's Office:

"That the nation faces unprecedented challenges in responding to the financial crisis that has gripped the economy for the past year. Mortgage, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."

The recent Brazilian power outage shows that even an implied weakness in the controls of critical infrastructure could be used to destabilize financial markets by subverting the controls involved in financial trading. There have been conflicting reports about whether the outage was caused by an attack on the dam's control systems. Employees and contractors of the system complained that their paychecks and statements had been modified to include a message from the attackers.

With all of this talk of financial fraud and critical infrastructure vulnerabilities, I could not help but be reminded of the 1983 movie Superman III, where Robert Vaughn's character says "Computers rule the world today and the fellow that rules the computer, rules the world," and Richard Pryor hacks into secret defense systems to ruin the coffee crop for the next 5 years (Superman III: Tornado Scene).

While it all may seem very tongue in cheek and somewhat unrealistic, the simultaneous collapse of the financial markets due to fraudulent transactions, combined with the failure of major SCADA systems, would have a serious effect on a nation's stability. In 2002 the U.S. Naval War College conducted a study that concluded it would probably take about 5 years and cost about 290 million dollars to plan a significant electronic attack.

Digital Steganography: The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves.

Infosectoday's article: Digital Steganography Threat or Hype: by James E. Wingate - Summary:
Use of steganography will never be detected if no one ever looks for it.

Oct 24, 2008 - Futures halted as trading enters "panic mode" (The Financial Post)


On 11/2/2009 Microsoft published its Security Intelligence Report.

Microsoft reports that Windows XP users experienced significantly more security violations than Windows Vista users, and that Conficker infections are the top threat in enterprise environments but not even in the top 10 in home computing environments.

Microsoft's statistical data points out differences in the types of threats per country: the U.S. and UK saw a high presence of Win32/Alureon and Win32/Vundo, some EU countries saw Win32/Wintrim as most active, China saw Win32/BaiduSobar and Win32/Frethog, and in Brazil it was Win32/Bancos.

Client-side and server-side polymorphic viruses seem to account for a large share of the miscellaneous virus variations. A polymorphic virus can mutate its structure to avoid detection by antivirus programs, usually by changing one or more variables in its code without changing its overall algorithm.

This roughly 232-page report contains a lot of interesting data, including information about organizations that are actively involved in mitigating exploits.

Image: Conficker DE (via Wikipedia)

Microsoft Security Intelligence Report

References:
Conficker Working Group


Banking Using Live CD



Brian Krebs, of the Washington Post's Security Fix blog, advises business users to use Live CD operating systems to perform online banking. Live CD distributions are generally free, Linux-based operating systems that one can download and burn to a CD-ROM.

This allows the user to boot the operating system from the CD; everything runs in memory, and when you're done with your transactions nothing that was performed remains on any disk. The advice is to use the Live CD only for online banking transactions and not to visit other sites.

Brian Krebs also points out that this is not only his recommendation but also that of the Financial Services Information Sharing and Analysis Center (FS-ISAC).

I just want to point out that one needs to be sure where you are acquiring these distributions. Simply obtaining one from a download or from an expert does not verify the validity of the distribution; make sure that you can verify the distribution before running it.
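As an added example (not code from the original post or from Brian Krebs), here is a small Python checker for that verification step: it parses a SHA256SUMS-style manifest in the format the sha256sum tool writes, streams the downloaded image through SHA-256, and only passes a file that is both listed and matching. The image bytes, file names and manifest below are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed sample: stands in for the Live CD image you downloaded.
SAMPLE_IMAGE_BYTES = b"constructed stand-in for a Live CD ISO image\n"
SAMPLE_IMAGE_NAME = "livecd-example.iso"  # hypothetical file name


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse the manifest format written by sha256sum:
    '<64 hex chars>  <name>' (text mode) or '<64 hex chars> *<name>' (binary mode).
    Blank lines and '#' comments are skipped. Returns {name: lowercase digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the separator and the binary-mode marker
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest
    return expected


def verify_download(path, manifest_text):
    """Return (ok, reason). Only a file that is listed AND matches its digest passes."""
    expected = parse_sha256sums(manifest_text)
    name = Path(path).name
    if name not in expected:
        return False, f"{name} is not listed in the manifest"
    actual = sha256_of_file(path)
    # compare_digest keeps the comparison constant-time; not critical here, but a good habit
    if hmac.compare_digest(actual, expected[name]):
        return True, "checksum matches the manifest"
    return False, "checksum MISMATCH: do not boot this image"


def demo():
    """Write the constructed image to a temp dir, then check it intact, tampered and unlisted."""
    manifest = f"{hashlib.sha256(SAMPLE_IMAGE_BYTES).hexdigest()} *{SAMPLE_IMAGE_NAME}\n"
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, SAMPLE_IMAGE_NAME)
        with open(good, "wb") as f:
            f.write(SAMPLE_IMAGE_BYTES)
        intact_ok, _ = verify_download(good, manifest)

        # Simulate a corrupted or tampered download: one flipped byte changes the digest.
        with open(good, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered_ok, _ = verify_download(good, manifest)

        # A file the manifest does not mention is rejected even if its contents are fine.
        unlisted = os.path.join(d, "other-image.iso")
        with open(unlisted, "wb") as f:
            f.write(SAMPLE_IMAGE_BYTES)
        unlisted_ok, _ = verify_download(unlisted, manifest)
    return intact_ok, tampered_ok, unlisted_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

A checksum served next to the image only proves the download was not corrupted or truncated; if both files were replaced on a compromised mirror the digests still match. For the question the post is really asking, whether this is genuinely the distribution's image, you also want the project's detached signature on the checksum file, verified with a signing key obtained through a separate channel.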

A response noted by "neversaylie":
"Some Windows malware perform DNS spoofing/ARP poisoning/DHCP spoofing, so even a LiveCD won't help you if you're on a network with some infected Windows machines."

So if you are using a Live CD but your DNS or DHCP servers are spoofed, you are still resolving fake addresses for your online banking institution and are not free of man-in-the-middle attacks.

Avoid Windows Bank on Live CD


Punishment of the Innocent


It is amazing and rather disturbing that a US federal judge recently ordered Google to lock a Gmail user out of his own account even though he has done nothing wrong.

It seems that a bank accidentally sent this user a file containing sensitive information. They asked the user to destroy it without reading it, but didn't receive an answer. At that point the bank sought legal action.

Again, I am left with questions and thoughts:

- How did this happen? Did someone intend to send this sensitive file via email to a different address and simply mistyped? If so, was the sender not aware of the inherent risks in sending unencrypted email?

- Does the bank have a policy regarding sending unencrypted sensitive information over the Internet using an insecure protocol like SMTP? If so, do they have any tools to enforce it?

- How did the bank discover this mistake? Did the sender realize his or her mistake and inform the compliance / security group, or was some automated detection system in place?

- What legal responsibility does the innocent email recipient have? Sure the data is sensitive, but it was freely given to him. Can't he do what he pleases with it (short of committing crime, such as theft)?

- As much as I would like to see the prevention of information leakage, I am still disturbed by the legal precedent set here. What if they send it to a corporate email system next time? Does the government have similar authority to disrupt the business of a private organization by forcing a shut down of their Internet connection?

The onus of correcting this problem should fall 100% on the bank. They should have to compensate the affected customers. They should have to compensate the email recipient for any harm they cause him. And most importantly, they should learn their lesson and prevent this type of leak from happening again.


Unintended Consequences


Here's an interesting story making the rounds today about an Ohio man who used a commercial spyware program on an (ex?) girlfriend. He expected it to track her activities on her home computer, but instead ended up getting an ongoing screenshot feed from a computer in a hospital pediatric cardiac surgery department, where she works. He sent the file to her Yahoo! Mail account. She opened it and unknowingly installed the software on a work computer.

Needless to say, instead of getting juicy details on her online activities a la Joey Greco, he ended up with a feed of sensitive data, including PII and ePHI. While this was indeed an unintended result, he is still on the hook for big fines and possible jail time.

There is a lot of blame to spread around here for sure. There are also many questions (some rhetorical) that popped into my head as I read this:

- How did he convince her to run the installer and infect the PC? Obviously, he had an advantage over a random malware spreader since she knew the sender. Still, it must have required at least a small amount of social engineering skill. She didn't even know she had infected the system (or didn't think it wise to tell anyone).

- Does the hospital have a webmail policy? Do they have the tools to enforce it? Blocking access to Yahoo! Mail at the gateway would have nipped this problem in the bud, at least for the hospital.

- Did the PC in question have adequate anti-malware protection? By the looks of things, whatever they were using was insufficient.

- What else could the hospital have done to prevent the leak of ePHI in accordance with HIPAA regulations? Of course SIM comes to my mind, but SIM would need to rely on feeds from web gateways, AV servers, DLP systems, firewalls, etc.

- The hospital is actually lucky here in that the person who stole the sensitive information had no nefarious plans for it. They were shown the weakness of their defenses without having to pay for an audit and without the need to pay ransom or experience worse consequences. They should view this incident as a gift and use it to improve their security stance.

- The stalker / boyfriend was clearly in the wrong no matter how you slice things. I imagine it's just as illegal to spy on a private citizen this way as it is to do it to a hospital. To borrow from an old saying: Spyware doesn't steal information - people do.


Protecting classified information and secrets pertaining to national security is nothing new for those in the military. The practice dates back thousands of years, and is probably as old as organized defense and warfare. "Loose lips sink ships," etc.

Social networking sites such as Twitter, Facebook, and MySpace present interesting new challenges and concerns around the problem of securing privileged military information. While most military personnel would be very careful about posting secret or classified information on a site like Facebook, there are less obvious ways that a malicious individual, organization, or nation could use information on social networking sites. A US Marine Corps order issued recently does a pretty good job of describing the risks:

"[Social networking sites] in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries," the order reads. "The very nature of SNS [social networking sites] creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage that puts OPSEC, COMSEC, personnel and MCEN at an elevated risk of compromise."

One only needs to do a quick Internet search for recent exploits launched through social networks to see the real risk they pose through malware infection. But the old tried and true tactics of web reconnaissance and educated password guessing are no less serious threats. In the case of military organizations, the risk becomes that much greater due to the value of the information on those networks and the stakes involved.

It is also interesting to contrast how the US Army and US Marine Corps have recently changed policies on this issue. The Army, after initially lifting a ban on social networking sites, has since considered re-blocking them. The Marines, on the other hand, just enacted a ban on social networking sites. Meanwhile, the Pentagon is now reviewing a possible ban which has the potential to set policy across the US Military.

I, for one, support the efforts to limit access to these sites from military networks. While social networking may be an increasingly important part of the way we all live and use the Internet, I'd just as soon err on the side of caution as it pertains to the military.


Here's a good reminder that the security of a system is only as good as its weakest link. In this case, a hacker claims to have broken into numerous accounts belonging to Twitter's CEO Evan Williams.

As Download Squad's Lee Mathews points out, the fact that the account(s) were initially breached through "password recovery mechanisms" underscores the inherent weakness in using "secret questions" for account security.

If you've created even a few accounts on the Internet, you are familiar with secret question security. The idea is that if you forget the password for a particular account, you can request that the site reset it (and/or send it to an email address) if you can correctly answer a secret question. The question was selected by you when you created the account, and the answer was already provided by you at that time. For example, "What is my mother's maiden name," or "What is the name of the elementary school I attended," etc.

The weakness, of course, is that a hacker might be able to figure out the answer to this question and gain access to your account. This assumes that either the hacker has access to your email account already, or the account password mechanism doesn't rely on email.

But wait, you say - Williams is a public figure. It can be easy to find all kinds of information on public figures and celebrities. Maybe so, but as regular folks like you and I start sharing more of our personal lives on sites like Facebook, LinkedIn, personal blogs, and, yes, even Twitter, it becomes a simple matter for a hacker to find the information necessary to gain access to anyone's online accounts.

Consider how long I would have to search to guess your mother's maiden name by looking through your Facebook friends (surely you must have some maternal relatives there). Do we talk about our kids and our pets on our blogs and tweets? Is it that hard to use Classmates.com to find out who went to what elementary school?

The odds of being specifically targeted in an attack like this are definitely higher for celebrity types. Still, we should all mind the private information we make available to other folks on the Internet, even those who claim to be our friends (Do you know if that Facebook friend really is your long lost BFF from junior high?). And if you must use a secret question to protect an account, try to find one that will be harder to research through public records, or make up a fake answer and make sure you remember it!
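The two recovery mechanisms the post describes, a secret question and an emailed reset, side by side in Python, as an added example that is not code from the original post or from any of the sites mentioned. It shows the defensive minimum if a site must keep secret questions (normalize the answer, hash it with a salted slow KDF, cap guesses) and the stronger alternative the post alludes to (a random, single-use, expiring token whose hash alone is stored). The in-memory stores, user names, 15-minute TTL, 5-attempt budget and PBKDF2 round count are all assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
import unicodedata

# Constructed in-memory stores standing in for a user database.
USERS = {}          # username -> {"salt": bytes, "answer_hash": bytes, "failed": int}
RESET_TOKENS = {}   # username -> {"token_hash": bytes, "expires": float}

TOKEN_TTL_SECONDS = 15 * 60   # assumption: short-lived reset links
MAX_ANSWER_ATTEMPTS = 5       # assumption: guess budget before lockout
PBKDF2_ROUNDS = 100_000       # assumption: tune to your hardware


def normalize_answer(answer):
    """Case-, punctuation- and accent-insensitive, so "St. Mary's" and "st marys" match.
    This only reduces lockouts for honest users; it does nothing for the answer's entropy."""
    ascii_form = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return "".join(ch for ch in ascii_form.lower() if ch.isalnum())


def enroll_security_answer(user, answer):
    """Store only a salted PBKDF2 hash of the normalized answer, never the answer itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)
    USERS[user] = {"salt": salt, "answer_hash": digest, "failed": 0}


def check_security_answer(user, answer):
    """Verify an answer; unknown users and locked-out users get the same False."""
    rec = USERS.get(user)
    if rec is None or rec["failed"] >= MAX_ANSWER_ATTEMPTS:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), rec["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(digest, rec["answer_hash"]):
        rec["failed"] = 0
        return True
    rec["failed"] += 1   # researchable answers are cheap to guess; budget the attempts
    return False


def issue_reset_token(user, now=None):
    """Email-based alternative: 256-bit random, single-use, expiring token.
    Only its hash is stored, so a database leak does not yield usable tokens."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[user] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                          "expires": now + TOKEN_TTL_SECONDS}
    return token   # this is what would go to the user's verified e-mail address


def redeem_reset_token(user, token, now=None):
    """Accept the token once, before expiry, using a constant-time comparison."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(user)
    if rec is None:
        return False
    if now > rec["expires"]:
        del RESET_TOKENS[user]
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["token_hash"]):
        return False
    del RESET_TOKENS[user]   # single use
    return True


def demo():
    """Exercise both mechanisms; returns which checks passed (constructed scenario)."""
    enroll_security_answer("alice", "St. Mary's Elementary")
    fuzzy_ok = check_security_answer("alice", "  st marys elementary ")
    wrong_ok = check_security_answer("alice", "Lincoln")
    for _ in range(MAX_ANSWER_ATTEMPTS):
        check_security_answer("alice", "another guess")
    locked_out = not check_security_answer("alice", "st marys elementary")

    tok = issue_reset_token("bob", now=1000.0)
    bad_token = redeem_reset_token("bob", "not-the-token", now=1001.0)
    first_use = redeem_reset_token("bob", tok, now=1001.0)
    second_use = redeem_reset_token("bob", tok, now=1002.0)
    tok2 = issue_reset_token("bob", now=1000.0)
    expired = redeem_reset_token("bob", tok2, now=1000.0 + TOKEN_TTL_SECONDS + 1)
    return {"fuzzy_ok": fuzzy_ok, "wrong_ok": wrong_ok, "locked_out": locked_out,
            "bad_token": bad_token, "first_use": first_use,
            "second_use": second_use, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The lockout shows why a secret question needs a guess budget at all: the answer space is tiny and, as the post argues, often public. The token path has none of that problem, but it moves the trust to the mailbox, which is why the post's "make up a fake answer and remember it" advice is really a way of turning a researchable question back into a password.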

© 2009 netForensics, Inc