Security Bytes


Aug 20 2007   5:08AM GMT

Phishing attack targets Monster.com users



Posted by: Bill Brenner
Information Security Threats, Data Breaches and Identity Theft

If you’re using Monster.com to search for a job, think twice before opening emails from the company. According to Symantec and SecureWorks, legitimate-looking Monster messages are infecting victims’ machines with a Trojan horse that steals bank account data. The Symantec Security Response blog notes that 1.6 million records have been stolen so far.

Here’s a snippet from that blog entry:

“Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site, Monster.com. It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people. We were very surprised that this low profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained.

“Interestingly, only connections to the hiring.monster.com and recruiter.monster.com subdomains were being made. These subdomains belong to the “Monster for employers” only site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on candidates.

“Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields. The Trojan sends HTTP commands to the Monster.com Web site to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches.

“The personal details of those candidates, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers.”

Symantec says it has notified Monster.com of the phishing attack so compromised recruiter accounts can be disabled. Meantime, users can protect themselves by limiting the contact information they post on these sites, using a separate disposable email address and never disclosing sensitive details like Social Security numbers, passport or driver’s license numbers, and bank account information, until the messages from prospective employers are found to be legitimate.

Update, Aug. 23 at 7:53 a.m.:

The Symantec Security Response blog has an update on the Monster.com attacks. It appears that the Trojan at the heart of the attack is taking the data it collects and using it to create more personalized spam offering recipients well-paying but illegal money laundering jobs.

“We’ve been able to acquire some email templates that the Trojan may use to send targeted spam to individuals, using stolen personal information,” writes Symantec researcher Vikram Thakur. “The templates acquired all point to the same position. The job is that of a ‘Transfer Manager’ at an investment company. The job description states that the position would entail facilitating financial transactions made by the clients of the investment company. The email looks very realistic and may convince many that it has been sent from Monster.com or Careerbuilder.com.”

The advice remains the same here. Don’t offer up your most personal data to strangers.

Aug 17 2007   9:58AM GMT

WLID is in the wild



Posted by: Dennis Fisher
Microsoft Security, Security Vendor News

Microsoft has released to the public two SDKs for its Windows Live ID authentication technology, enabling third parties to use the system for their own applications. In case you missed it, Windows Live ID is The Technology Formerly Known as Passport, and is designed to be a Web-wide single sign-on service. Microsoft has been using WLID for some time as the authentication mechanism on its Live sites and other Microsoft-related Web properties. By releasing the SDKs to the public, Microsoft is hoping to spur other developers to integrate WLID into their own sites and applications.

Here’s what Microsoft’s Angus Logan had to say about WLID’s functionality:

By creating Web sites and applications that combine user authentication with other Windows Live services, you can offer your users new and unique online experiences that include the following:

  • Rich functionality that is possible only when an authenticated user moves seamlessly among multiple Windows Live services
  • True “anytime, anywhere” scenarios for Web-based applications
  • Deep, computer-independent personalization
  • Smooth transfer of the user’s authenticated state between client-based and Web-based applications

Redmond also is making available code samples for ASP.NET, Ruby, Perl, PHP, Java and Python.


Aug 17 2007   5:35AM GMT

TJX and the power of plunging profits



Posted by: Bill Brenner
Security Management, Data Breaches and Identity Theft

TJX was back in the news this week, reporting that its bottom line took a second-quarter beating because of the massive security breach that exposed more than 45 million customers to identity fraud.

The retail giant says it has spent $256 million dealing with the breach, which was first disclosed in January. That’s more than 10 times the $25 million figure TJX cited in May.

If anyone feels sorry for TJX, they’re not expressing themselves in the blogosphere. Instead, security bloggers are expressing a hope that I share — that maybe, just maybe, corporations in general will look at TJX’s plunging profits and be scared into taking security more seriously.

Carlo Longino noted in the Techdirt blog that while personal data leaks continue to occur on a regular basis, few companies or government agencies seem to be taking the problem seriously. “This is mostly because after the initial bout of bad PR, the repercussions are minimal, so few groups bother to spend the time and resources needed to put proper preventative measures in place,” he wrote. “Perhaps, though, that will begin to change as the costs of these data leaks and breaches become more publicized.”

He said that while it doesn’t appear that TJX was paying much attention to security, a 25 cent per share loss will surely make investors take notice and “hopefully, [that] will force companies to take data leaks and security more seriously.”

Or, as some suggest, it’s likely nothing will change.

Blogger Evan Schuman noted in his Storefront Backtalk blog that the TJX numbers can be sliced, diced and spun to look either worse or better than they initially appear. It’s all in the spin.

“First, the optimistic side. TJX did not, in fact, say that it actually has spent—or necessarily will spend—anything more than a tiny fraction of those dollars,” Schuman wrote. “The overwhelmingly largest charge—a $107 million after-tax figure for the chain’s second 2008 fiscal quarter—was merely a ‘reserve,’ a nest-egg for what TJX fears its costs may be. Theoretically, its costs might be much lower.”

Continuing on the bright side, he wrote, those costs are not causing severe financial strain on the $17 billion company, “especially given the fact that its revenue is still soaring, meaning that consumers have strongly embraced TJX and their retail choices are presumably not being impacted by the breach.”

On the downside, he wrote, the price may still prove high for a company that may ultimately be proven to have done no wrong.

Still, he wrote, “Courts and juries typically wouldn’t hold TJX accountable for its security quality as long as it was within the range typical for that size and type of a retail organization. That means that as long as there are plenty of examples of similarly-sized retailers whose security is every bit as lax—or, for that matter, strict—as TJX, they’re likely to emerge unscathed.”

Indeed, TJX is such a massive company that this financial hit may in the end prove to be a mere drop in the bucket. And that’s sad, because credit card holders will still be hurt and the message is that if you’re large enough a company you can get away with hurting people.

Of course, if you look hard enough, you’ll find examples of companies that do pay the ultimate price for lax security. Dave Jevans noted in his Privacy and Identity Theft blog that IT contractor Verus Inc. was forced to fold after being blamed for security breaches at five or more hospitals across the country. The headline of his entry, “The high cost of data breaches,” says it all.

Now for my two cents:

Companies only learn from their mistakes when customers, investors and major partners threaten to walk away. Take the case of CardSystems Solutions.

In 2005, CardSystems disclosed that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more, and in the aftermath Visa and MasterCard threatened to terminate it as a transactions processor. As my colleague Mike Mimoso noted in his story on companies that cleaned up after a data breach, “The death watch was on, something CEO John Perry confirmed before Congress where he said his company faced ‘imminent extinction’ because of Visa and MasterCard’s action.”

But CardSystems came back from the brink, hiring AmbironTrustWave to perform a forensic analysis and consult on compliance, among other things. Eventually, the company improved the security of its systems just enough that it became a viable candidate for acquisition. In October 2005, Pay By Touch announced it was acquiring substantially all of CardSystems’ assets.

Had MasterCard and Visa not threatened to dump CardSystems, it’s a reasonable bet that the company would have kept chugging along with no motivation to better its security.

In the final analysis, the big guys like TJX and others will only do as much as they are forced to do to take security more seriously. Maybe the costs to date mean nothing to TJX. But if investors and customers turned up the heat and kept it going, the potential losses would simply be too much to ignore.

In the kingdom of commerce, the people rule — when they feel like it.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.


Aug 16 2007   7:51AM GMT

Security flaws in Yahoo Messenger, Cisco VPN and Windows



Posted by: Bill Brenner
Microsoft Security, Network Security, Application Security, Information Security Threats, Security Management

There are a few notable security flaws to report on this morning in Yahoo Messenger, Cisco’s VPN Client and Windows. Here’s a roundup:

Yahoo Messenger

According to Wei Wang of McAfee Avert Labs, researchers from his operation were able to confirm a flaw in Yahoo Messenger 8.1.0.413 that attackers could exploit to compromise a Windows PC. “It seems like a classic heap overflow which can be triggered when the victim accepts a Web cam invite,” Wang wrote in the McAfee Avert Labs blog. He added that the Yahoo security team has been notified, and that there are steps users can take to protect themselves until a fix is developed.

“We recommend the following to users using Yahoo Messenger Web cam: Don’t accept Web cam invites from untrusted sources [and] it’s advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability,” Wang wrote.

Cisco VPN Client

Cisco has released security advisory cisco-sa-20070815-vpnclient to address two flaws attackers could exploit in the Cisco VPN Client for Microsoft Windows to gain elevated user privileges.

The first problem is an error when using a VPN profile configured for Microsoft dial-up networking to launch a dial-up networking dialog box. Attackers could exploit this to gain system privileges by enabling the Start Before Logon (SBL) feature and configuring a VPN profile. The second problem involves insecure default file permissions being set on the “cvpnd.exe” file, which attackers could exploit to replace the affected file with a malicious binary and gain system privileges.

Bad timing for Windows admins

As you can see, both issues are a problem for IT administrators in Windows-based environments. The timing is particularly bad for them since this is also the week where everyone is trying to deploy the latest security updates from Microsoft. Tuesday, the software giant released nine security updates for flaws in Internet Explorer, Excel and other programs within the Windows OS.


Aug 15 2007   3:34PM GMT

Ubuntu servers hacked



Posted by: Dennis Fisher
Information Security Threats, Platform Security

A number of Ubuntu servers maintained by so-called Local Community teams around the world have been compromised and had to be shut down over the weekend to prevent them from attacking other machines. Ubuntu community leaders said that five of the eight LoCo servers, which are sponsored by Canonical, a services firm that caters to open-source projects, had been actively attacking other machines on the Internet, and an investigation revealed a number of serious security problems with the servers. The servers were all running out-of-date versions of Ubuntu and were missing security patches. The machines also were accepting unsecured inbound FTP connections and had not been upgraded past a nearly two-year-old version of Ubuntu, which “probably allowed the attacker to gain root,” Canonical administrator James Troup wrote in an email detailing the Ubuntu attack.

As a result of the attacks, Canonical is encouraging the LoCo teams to migrate their servers to Canonical’s data center, which would entail some tighter security restrictions, including: no root access; access by per-user SSH key only; and restrictions on the kinds of software run on the server. The Ubuntu team is still working to bring all of the servers back online.
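The restrictions Canonical describes (no root access, per-user SSH key only) map onto a handful of sshd_config directives. The following audit script is an added example, not Canonical’s tooling or anything from the LoCo servers; the two configuration excerpts are constructed for illustration, and the assumed defaults for absent directives follow the sshd_config(5) documentation of that era.

```python
"""Audit an sshd_config text for the restrictions named in the post:
no root login, key-only authentication, and an explicit user allow-list."""

# Constructed sshd_config excerpts (not taken from any real server).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# PubkeyAuthentication is left at its default (yes)
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
"""

# Values sshd assumes when a directive is absent (assumption: classic
# OpenSSH defaults; newer releases changed PermitRootLogin).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {directive: value}; the first occurrence wins, as sshd does for
    most keywords. Comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        conf.setdefault(key, value)
    return conf


def audit_sshd(text):
    """Return a list of findings; an empty list means the config meets the
    three restrictions described in the post."""
    explicit = parse_sshd_config(text)
    conf = dict(DEFAULTS)
    conf.update(explicit)
    findings = []
    if conf["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is not 'no': root login allowed")
    if conf["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication enabled: keys not enforced")
    if conf["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication enabled: "
                        "password-style logins still possible")
    if conf["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication disabled")
    if "allowusers" not in explicit and "allowgroups" not in explicit:
        findings.append("no AllowUsers/AllowGroups: every account may log in")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd`; the script only reports, it does not change anything. Note that it ignores `Match` blocks, which can override these directives for particular users or addresses.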


Aug 15 2007   12:55PM GMT

Opera fixes security flaw



Posted by: Bill Brenner
Information Security Threats, Security Management

Opera Software has updated its browser to fix a “highly critical” flaw attackers could exploit to run malicious code on targeted machines. Like Firefox, Opera is used by many as an alternative to Microsoft’s Internet Explorer browser, which has suffered countless attacks over the years.

According to the Opera security advisory, “A virtual function call on an invalid pointer that may reference data crafted by the attacker can be used to execute arbitrary code.” Danish vulnerability clearinghouse Secunia put it this way in its SA26477 advisory: “The vulnerability is caused due to an unspecified error when processing JavaScript code and can result in a virtual function call using an invalid pointer. This can be exploited to execute arbitrary code by tricking a user into visiting a malicious Web site.”

The flaw has been fixed in Opera 9.23.

In its advisory, Opera tips its hat to Mozilla.org for providing their JavaScript fuzzer during the mitigation process.


Aug 15 2007   7:22AM GMT

Symantec investigating malicious Web sites



Posted by: Bill Brenner
Information Security Threats

In an email to customers of its DeepSight threat management service, Symantec warned that its ThreatCon is at Level 2 as it tracks some malicious Web site activity. The heightened alert is also in response to Microsoft’s mega security update Tuesday.

Hours after raising the ThreatCon in response to Patch Tuesday, Symantec sent out another warning that a group operating under the pseudonym “clpwn” has been publicizing high-profile XSS vulnerabilities on a variety of Web sites.

“The current proof-of-concept attacks involve embedding an IFRAME on the target site which contains a URL that points to a HTML page hosted in the clpwn.com domain,” Symantec said in its DeepSight alert.

One clpwn.com HTML page contains an embedded applet and a recently added shockwave-based port scanner that scans open ports on localhost, Symantec said, adding, “The port scanner appears to be based on some recently released research regarding port scanning with Active Script 3. Customers should be aware that this group has been observed modifying the behavior of the proof-of-concept HTML page over the past few days. In its current form the exploit should be considered malicious.”

Symantec advised customers to browse with caution and block access to the clpwn.com domain at network perimeters.
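Besides blocking the domain at the perimeter, a site owner can check served pages for the injection pattern Symantec describes: a frame or applet whose source lives on clpwn.com or on any host outside the site’s own origin. The scanner below is an added example and not Symantec’s or DeepSight’s code; the sample HTML is constructed, and the only blocklisted domain is the one named in the alert.

```python
"""Flag IFRAME/applet-style elements that load from a blocklisted or
cross-origin host, the injection pattern described in the DeepSight alert."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain named in the alert quoted above; extend with your own blocklist.
BLOCKED_DOMAINS = {"clpwn.com"}

# Constructed page for this example: one injected frame pointing at the
# blocklisted domain, one legitimate same-origin frame, one third-party embed.
SAMPLE_HTML = """\
<html><body>
<h1>Welcome</h1>
<iframe src="http://www.clpwn.com/poc.html" width="1" height="1"></iframe>
<iframe src="/help/contact.html"></iframe>
<embed src="//partner.example.net/widget.swf">
</body></html>
"""

FRAME_TAGS = {"iframe", "frame", "embed", "object", "applet"}


class FrameFinder(HTMLParser):
    """Collect (tag, source URL) for every element that pulls in remote content."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in FRAME_TAGS:
            a = dict(attrs)
            src = a.get("src") or a.get("data") or a.get("code")
            if src:
                self.frames.append((tag, src))


def _host_matches(host, domain):
    """True if host is domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_injected_frames(html, page_host, blocked=BLOCKED_DOMAINS):
    """Return [(tag, src, reason)] for frames whose host is blocklisted or
    differs from the page's own host; relative URLs are same-origin and skipped."""
    parser = FrameFinder()
    parser.feed(html)
    findings = []
    for tag, src in parser.frames:
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue
        if any(_host_matches(host, b) for b in blocked):
            findings.append((tag, src, "blocked-domain"))
        elif not _host_matches(host, page_host.lower()):
            findings.append((tag, src, "cross-origin"))
    return findings


if __name__ == "__main__":
    for finding in find_injected_frames(SAMPLE_HTML, "www.example.com"):
        print(finding)
```

The scheme-less `//partner.example.net/...` form is handled because `urlparse` still extracts the host, and relative sources are treated as same-origin. A cross-origin hit is not automatically malicious (third-party widgets are common), so treat that category as a review queue rather than an alert.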


Aug 14 2007   1:49PM GMT

Former CA chief Kumar headed to jail today



Posted by: Dennis Fisher
Security Vendor News

After several years of legal wrangling, civil suits, asset sales and negotiations, Sanjay Kumar, the former CEO of CA, finally will report to jail on Tuesday to begin serving a 12-year sentence for his role in the company’s accounting scandal. Kumar was the head of CA at a time when the company was infamous for high-pressure sales tactics and, as came out in his prosecution as well as other related cases, the practice of sometimes extending months or quarters beyond their closing dates in order to book more revenue. He was convicted of a number of counts of securities fraud, obstruction of justice and making false statements. In addition to his jail term, Kumar was forced to sell off $50 million of his own assets in order to pay restitution and will be on the hook to pay a portion of his future wages once he’s released, as well.

Kumar is only the latest CA exec to head off to prison as a result of the accounting scandal. The company’s former VP of sales, Stephen Richards, is already serving time and a number of other former high-ranking officials have entered guilty pleas, too. The accounting scandal erupted in 2002 and resulted in more than $2 billion in shareholder losses, federal prosecutors said. For a while it looked as though Kumar would come through the investigation unscathed, but he eventually left the company in 2004 and was indicted shortly thereafter. He pleaded guilty and got the 12-year sentence last fall. CA has gone to great lengths to distance itself from the Kumar regime, changing the company’s name from Computer Associates and bringing in an entirely new senior management team. According to a story in Newsday, which has done some of the best reporting on this story since the beginning, Kumar has said he will cooperate with authorities on the ongoing investigations into the scandal.

I interviewed Kumar a couple of times several years ago and the word that kept popping into my head during those conversations was: smooth. And I don’t necessarily mean that in a negative way. He was just one of those execs who was unfailingly polite and polished, no matter what the subject was. He had the ability to turn just about any conversation back to whatever positive message he wanted to get across. He also struck me as someone who always had a plan, and I wouldn’t be surprised to see a second act from him whenever he gets out of prison.


Aug 14 2007   8:17AM GMT

Changes afoot at Kaspersky Lab



Posted by: Bill Brenner
Security Vendor News

With a lot of security vendors being acquired and merged into the operations of larger IT infrastructure companies these days, Kaspersky Lab appears to be making plans for a slightly different direction, with a possible IPO and acquisitions of its own.

According to the Monsters and Critics Web site, company founder Eugene Kaspersky is starting a new company in the Kaspersky name and is preparing for a “stock exchange listing.” Monsters and Critics cited comments Kaspersky board member Vitalij Besrodnych made to the Deutsche Presse-Agentur news agency. Besrodnych also suggested Kaspersky was mulling a stock exchange listing in the “foreseeable future” while also pondering the possible purchase of other companies.

Meanwhile, co-founders Eugene and Natalya Kaspersky are switching roles, with Eugene becoming CEO and Natalya becoming board chairman. Other board members include Alexey De Mont De Rique, Vitaly Bezrodnykh, Evgeny Buyakin, Garry Kondakov, Andreas Lamm, Stephen Orenberg, and Harry Cheung.

And so for now, at least, Kaspersky seems ready to buck the trend of the big guys gobbling up the independent security vendors.


Aug 13 2007   4:59AM GMT

‘Storm’ of spam attacks continues, ISC warns



Posted by: Bill Brenner
Information Security Threats

Friday, I reported on a wave of pump-and-dump spam. According to the SANS Internet Storm Center (ISC), reports of massive spamming runs continued through the weekend.

Handler Tony Carothers wrote on the ISC Web site that “some of our friends in Canada have been pounded … by a series of emails from a number of destinations.” He added, “It’s quite clear these destinations are spoofed, this much we can be sure of.” And, based on some of the language used in the spam messages, he said it would appear the spammers are not from North America.

Some of the names attached to the onslaught of spam emails are MattiequartermasterSterling, LindseyswitzerlandRichie, AdamicrographyHelton, AdaanodicSorensen, OlgaprototypicHo, BethflubMccabe, LindseydiscoveryBurrell, BrandipreviousSutherland, MallorybrimstoneNava, sabrinaheadquartersingh, and LetitiasorghumGold.

The Storm Center offered this advice for those trying to protect their mail servers:

“Emails for non-existent users should be rejected at your MX server. This rejection should happen during the SMTP session (in other words - don’t put Exchange there), right after your server received the RCPT TO: command. If everything is configured properly you will not see the email at all. Also, this is very cheap for your server — a decent server should be able to reject hundreds of these per second.”
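The point of the ISC advice is that the rejection happens inside the SMTP dialogue, at RCPT TO, so the message body is never transferred or queued. The session model below is an added example written for this post, not ISC code or any real MTA; the recipient directory and the client commands are constructed, and the recipient names in the test are the made-up ones from the spam run described above.

```python
"""Toy SMTP session state machine showing rejection of unknown recipients
at RCPT TO, before DATA, as the ISC recommends for the MX server."""

# Constructed mailbox directory for the domain this MX serves (assumption).
LOCAL_DOMAIN = "example.com"
KNOWN_USERS = {"alice", "bob", "postmaster"}


class RcptRejectingSession:
    """Tracks one inbound SMTP session and returns the reply to each command."""

    def __init__(self, known_users=KNOWN_USERS, local_domain=LOCAL_DOMAIN):
        self.known_users = known_users
        self.local_domain = local_domain
        self.sender = None
        self.accepted_rcpts = []
        self.rejected_rcpts = []
        self.in_data = False

    def handle(self, line):
        """Return the server reply for one client line ('' for body lines)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 2.0.0 Queued"
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.com"
        if verb == "MAIL":
            self.sender = arg
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            if ":" not in arg:
                return "501 5.5.4 Syntax error in parameters"
            addr = arg.split(":", 1)[1].strip().strip("<>")
            local, _, domain = addr.rpartition("@")
            if domain.lower() != self.local_domain:
                # Not our domain: refuse to relay rather than accept and bounce later.
                self.rejected_rcpts.append(addr)
                return "554 5.7.1 Relay access denied"
            if local.lower() not in self.known_users:
                # Unknown mailbox: reject now, so no body is ever received.
                self.rejected_rcpts.append(addr)
                return "550 5.1.1 User unknown"
            self.accepted_rcpts.append(addr)
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            if not self.accepted_rcpts:
                return "554 5.5.1 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def run_session(commands):
    """Feed client lines through a fresh session and return the replies."""
    session = RcptRejectingSession()
    return [session.handle(c) for c in commands]


if __name__ == "__main__":
    # Constructed session resembling a dictionary-style spam run.
    for reply in run_session([
        "EHLO spammer.invalid",
        "MAIL FROM:<LindseyswitzerlandRichie@spoofed.invalid>",
        "RCPT TO:<AdamicrographyHelton@example.com>",
        "DATA",
        "QUIT",
    ]):
        print(reply)
```

Because the unknown-recipient check needs only a directory lookup, it is cheap per connection, which is why the ISC notes a decent server can reject hundreds of these per second. Placing a store-and-forward system such as Exchange at the MX instead means the body is accepted first and a bounce is generated afterwards, the backscatter the ISC warns against.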

The ISC has asked others who have had spam trouble this weekend to let it know. “We’ll see what we can do to contact the right people and get this stopped at the source,” Carothers said.

Update, Aug. 23 at 7:44 a.m. ET:

A week after my original post, the deluge of Storm-laced spam continues. Here are a couple of links to security organizations that continue to track the latest action:

Marshal blog: New Storm ‘Confirmation’ spam

F-Secure blog: Zhelatin/Storm changes yet again