Security Bytes


May 16 2007   7:45AM GMT

(ISC)2 adds new CISSP requirements



Posted by: Bill Brenner
Information Security Careers

The International Information Systems Security Certification Consortium (ISC)2, which administers the CISSP exam, said Tuesday it’s adding some new requirements to the certification.

In a press release, the organization said its board of directors approved new professional experience and endorsement requirements. Starting Oct. 1, the minimum requirement for certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK — a taxonomy of infosec topics recognized by professionals worldwide — or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. CISSP candidates currently must have four years of work experience or three years of experience with an applicable college degree or credential from that list, in one or more of the 10 CISSP CBK domains.

Also effective Oct. 1, CISSP candidates will be required to obtain an endorsement exclusively from an (ISC)2-certified professional in good standing. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained.


May 16 2007   7:24AM GMT

Contractor loses IBM employee data



Posted by: Bill Brenner
Information Security Threats, Data Breaches and Identity Theft

IBM has been heavily pushing its encryption and data management products of late, so this news is probably of extreme embarrassment to the company:

The vendor is trying to find missing computer tapes containing sensitive information about employees and records of customer transactions.

According to The Associated Press (AP), an outside vendor was taking the tapes from one IBM plant to another Feb. 23 when they fell out of a contractor’s vehicle in Westchester County, N.Y., near IBM’s headquarters in Armonk. IBM representatives went to the scene and couldn’t find the tapes, spokesman Fred McNeese told the AP Tuesday.

IBM has notified affected workers, mostly former employees. They received a letter from the company acknowledging that the tapes held such data as “your Social Security number, your dates of employment with IBM, birth date, contact information such as your address, and your IBM work history.”

IBM also took out an ad in a local newspaper seeking the return of the tapes.



May 15 2007   2:08PM GMT

How to bypass Vista UAC in two easy steps



Posted by: Dennis Fisher
Microsoft Security, Information Security Threats, Platform Security

One of the security features in Vista that has gotten a lot of attention is User Account Control (UAC), but not necessarily for the reasons that Microsoft officials might have been hoping for. UAC was the subject of one of those clever Mac and PC commercials that Apple is running and now a researcher named Rob Paveza has released a new paper outlining a technique for bypassing UAC by abusing the shortcuts in the Vista Start menu. The attack is fairly simple, but has the potential to cause serious damage if it’s executed successfully.

In general terms, the attack works like this: The attacker somehow entices the target user to download a Trojan, either via an infected email message or through a malicious Web site. Once installed, the Trojan drops a piece of software the author calls the proxy infection tool, which then writes some malicious code to a location in the user’s Start menu folder. It then looks for a shortcut that is a good candidate for replacement, i.e., one that does not lead to a signed executable. Once it finds a suitable shortcut, it compiles a new executable stub that will launch both the original intended program and the malware and replaces the Start menu shortcut with a new one. Once the user launches that shortcut, the malware checks to see if the user has administrator privileges. If so, the malware launches.

When the program attempts to execute, the user will see one of the UAC prompts, asking whether the user wants to proceed and listing the name of the executable. Because the proxy infection tool has replaced a program that already has elevated privileges, the user should recognize the name and allow the program to run. Ideally, the malware then executes the original program that the user thought he was running, as well as the malicious program, and it’s off and running. Clever, eh?
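A defender-side check that follows from the description above, added here as an example and not part of the original post or of Paveza's paper: it enumerates the per-user and all-users Start menu shortcuts and reports any whose target executable is not validly Authenticode-signed, which is exactly the class of shortcut the proxy infection tool is described as looking for. A shortcut that recently changed from a signed to an unsigned target is the thing worth investigating.

```powershell
# Added example (not from the original post): flag Start menu shortcuts whose
# target executable is unsigned, tampered or missing. The per-user Start menu is
# writable without elevation, which is why the described attack can rewrite it.
$startMenus = @(
    [Environment]::GetFolderPath('StartMenu'),        # per-user Start menu
    [Environment]::GetFolderPath('CommonStartMenu')   # all-users Start menu
) | Where-Object { $_ -and (Test-Path $_) }

$shell = New-Object -ComObject WScript.Shell

$results = foreach ($root in $startMenus) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $null
        try { $target = $shell.CreateShortcut($_.FullName).TargetPath } catch { }
        if (-not $target) { return }   # folder shortcuts, URLs etc. carry no target
        $target = [Environment]::ExpandEnvironmentVariables($target)

        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
            [pscustomobject]@{
                Modified = $_.LastWriteTime; Signature = 'TargetMissing'
                Signer   = $null; Shortcut = $_.FullName; Target = $target
            }
            return
        }
        $sig = Get-AuthenticodeSignature -FilePath $target
        [pscustomobject]@{
            Modified  = $_.LastWriteTime          # recently rewritten shortcuts stand out
            Signature = $sig.Status               # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
            Shortcut  = $_.FullName
            Target    = $target
        }
    }
}

# Anything that is not a validly signed target; diff this list against a known-good baseline.
$results | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table Modified, Signature, Shortcut, Target -AutoSize
```

Unsigned targets are common for legitimate third-party software, so the output is a review list rather than a verdict; the useful signal is a change against a baseline taken when the machine was known clean.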

The folks at Symantec have a good analysis of the technique on their blog.



May 14 2007   1:26PM GMT

More on scrapping Patch Tuesday



Posted by: Dennis Fisher
Microsoft Security

My column last week on whether it’s time to get rid of Patch Tuesday generated an enormous amount of feedback and reaction, both here on SearchSecurity and across the web. The reactions ran the gamut from Hey, good idea, to Are you out of your mind. And that’s essentially what I hoped for. I wanted to provide a little background on the column and the thinking behind it. (Yes, there was thinking.)

The suggestion to revert to an as-needed patch program was not something that I just threw out there idly to stir the pot. I had thought quite a bit about this subject, and in discussions with IT managers, CIOs and others in the industry over the last few years I’ve heard a number of people talk about how difficult Patch Tuesday and the days following are for them. An organization with a large network has a lot of work ahead of it to deploy four or five patches, even with the help of a patch-management system. Certainly, Microsoft’s advanced notifications the week before the patch release help, but there’s only so much an IT staff can do before the patches are available. The question is whether you’d rather do that work all in one batch on a monthly basis or in smaller pieces whenever a patch is ready. Reasonable people can disagree on that point.

The main point of the column was that the monthly patch schedule by nature leaves customers vulnerable to attacks against known vulnerabilities longer than is strictly necessary. Microsoft has shown that it can produce patches within a week if need be, and in the days before the monthly cycle was instituted, the company often did so. That doesn’t mean that Microsoft can or should do that for every flaw, but to me it makes more sense to produce and release patches as soon as possible rather than wait for an arbitrary date.

Given that Microsoft started the monthly release schedule to appease angry customers, it will likely stick with the plan unless those same customers say it’s time for another change. But it’s worth examining the reasoning from time to time to see if it still holds water.



May 14 2007   10:20AM GMT

Was report on blogging threats a bunch of FUD?



Posted by: Bill Brenner
Information Security Threats

There’s been some interesting reaction to last week’s story about the security risks of blogging on mobile company devices. Some readers weren’t convinced that this poses a real threat, and one person even called the whole thing a bunch of FUD.

Don Ulsch, technology risk management director in the Boston office of Jefferson Wells, told security executives during a lunchtime presentation on emerging threats in Newton, Mass., Wednesday that “many people blog from work and mobile platforms and that’s very bad.” Blogs, he said, are one of the bad guys’ tools.

He noted there are approximately 100 million blogs across cyberspace and many of them are used by organized criminal outfits to push gambling and pornography. When an employee does personal blogging on a company machine and corporate email account, blog databases are able to suck in a wealth of email data. Digital miscreants can then use sophisticated data mining software to scan the blogs for proprietary information that may be sitting in some of those stored messages, he said.

One of the most vocal critics of this notion is Alan Shimel, chief strategy officer for StillSecure, who wrote in his blog that Ulsch should “keep his FUD to himself.”

He was particularly annoyed that Ulsch used the Gary Min-DuPont case as an example of the threat. “The funny thing here is the DuPont case has nothing to do with blogging at all,” Shimel wrote. “A disgruntled employee downloaded and stole trade secrets. What does that have to do with blogging?”

A few points are in order here.

First, Shimel is right that the DuPont case has nothing to do with blogging. But in Ulsch’s defense, the presentation he gave was about the larger topic of emerging threats, particularly the dangers posed by malicious or careless company insiders. Blogging on mobile company devices was one of several examples he offered, and he brought up the DuPont case not as an example of the blogging threat, but of the consequences a company can suffer when it doesn’t pay attention to what its employees are doing. He argued that DuPont was asleep at the wheel as Min stole trade secrets. In the case of blogging, he cautioned companies not to be lax when employees mix business and personal pursuits on their work machines.

I didn’t see the blogging example as FUD, but as a potential problem worth further discussion.



May 11 2007   11:11AM GMT

For IT, the Soviet menace is alive and well



Posted by: Bill Brenner
Information Security Threats

Ever since the collapse of the Soviet Union more than 15 years ago, some of the brightest minds in the former regime have gone underground in their never-ending search for cash. You’ve heard plenty about former nuclear scientists working for the highest bidder. But the underground has also become home to IT specialists who are now using their talents to aid organized criminal organizations.

The fact that online fraud is driven by organized crime has been well established for the last few years. But as more of these organizations are tracked, it’s becoming increasingly clear that a lot of our troubles are coming from the former Soviet bloc, says Don Ulsch, technology risk management director in the Boston office of Jefferson Wells International Inc.

During a lunchtime presentation on emerging threats Wednesday with a group of IT security execs in Newton, Mass., Ulsch noted that there are thousands of active criminal groups in Russia, and they are determined to steal trade secrets from whatever company networks they are hired to infiltrate. They’ve been particularly successful at infiltrating company IT systems in New York, Pennsylvania, California and Massachusetts, he said.

Meanwhile, a majority of online child porn is coming from former Soviet states, as well as South America and Southeast Asia.

“Russian organizations are a growing threat to national security,” Ulsch said. “And they are hiring the services of more and more IT communications pros.”



May 11 2007   5:42AM GMT

Microsoft: MOICE will secure Office 2003



Posted by: Bill Brenner
Microsoft Security

Microsoft Senior Software Development Engineer David LeBlanc has a very detailed entry in his blog this week about the new MOICE (Microsoft Office Isolated Conversion Environment) tool the software giant is preparing to release.

I recently sat down with Microsoft Office Technical Product Manager Josh Edwards to discuss this and other developments on the Office front, and he told me MOICE has been designed with businesses in mind.

MOICE is designed to convert Office 2003 files to the new Office 2007 Open XML format with the goal of squeezing malicious exploits from the file. It creates a “sandbox” with a restricted token where documents are scrubbed for malware. Once the malware is ejected, the file can be opened as it normally is in Office 2003, he explained.

LeBlanc offered more detail in his blog this week: “The reason this process ends up stripping out exploits is that the older formats would do things like write offsets directly into the file, and in some cases would write pointer values right into the file,” he said. “It seemed like a good idea back in 1995 or so, but isn’t something we want to do now. Because the new file format is meant to eliminate security problems and has a goal of simplicity, that information often just does not make it across the conversion process.”

He said it’s also true that the converter itself is composed of the same code used to process the older formats by Office 2007, and “that code has the benefit of improvements we’ve made in Prefast (known in Office as OACR, for Office Automated Code Review), a huge amount of fuzzing, and many other improvements … all in all, the new code is going to be safer.”

He admits there are some downsides to how the tool works:

“Converting a file twice before you can open it adds a performance penalty,” he said. “Whether it’s something you’ll notice depends on the size of the files … larger documents could take a noticeable amount of time. We’re also stripping out things like macros and VBA projects … sure, it’s a big app-compat hit, but this is a security feature.”

MOICE was supposed to be released May 8, but Microsoft has delayed it for some more tweaking.

UPDATE: A Microsoft spokesman said by email May 21 that MOICE is now live and available for download on the Microsoft Web site.



May 11 2007   5:20AM GMT

How the bad guys are using Windows Update



Posted by: Bill Brenner
Information Security Threats

Windows Update, a popular tool for patching computers, is now being used by the bad guys to push malware onto targeted systems.

According to Symantec’s Security Response Center blog, a Trojan detected as Downloader used an “interesting technique” to download files involving a Windows component named BITS (Background Intelligent Transfer Service), the main service used by Windows Update to download patches and keep the operating system updated.

“Why does malware use BITS for downloading files? For one simple reason: BITS service is part of the operating system, so it’s trusted and bypasses the local firewall while downloading files,” Symantec researcher Elia Florio wrote in the blog. “Malwares need to bypass local firewalls but, usually the most common methods found in real samples are intrusive, require process injection or may raise suspicious alarms.”

At the moment, Florio said, there’s no immediate workaround against this type of attack. “It’s not easy to check what BITS should download and not download,” Florio added. “Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to only trusted URLs.”
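Florio's suggestion that BITS jobs be restricted to trusted URLs can at least be approximated on the detection side. The following is an added example, not code from the original post or from Symantec: it lists every BITS job on the machine and flags files whose remote URL is not on an allow-list of expected hosts. The allow-list is a constructed placeholder and must be tuned for the environment, since many legitimate products also use BITS.

```powershell
# Added example (not from the original post): enumerate BITS jobs for all users and
# flag downloads from hosts outside an allow-list. Review aid, not a malware verdict.
Import-Module BitsTransfer

# Assumption: hosts your estate expects BITS to talk to; extend with your own
# update and distribution servers before relying on the output.
$trustedHosts = @(
    'windowsupdate.microsoft.com',
    'update.microsoft.com',
    'download.windowsupdate.com'
)

# -AllUsers needs an elevated shell; without it only the current user's jobs appear.
$jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop

$report = foreach ($job in $jobs) {
    foreach ($file in $job.FileList) {
        $uri = $null
        try { $uri = [Uri]$file.RemoteName } catch { }
        # Unparseable URL, non-HTTP scheme, or a host we did not expect
        $suspect = (-not $uri) -or
                   ($uri.Scheme -notin @('http', 'https')) -or
                   ($uri.Host -notin $trustedHosts)
        [pscustomobject]@{
            Suspect = $suspect
            Owner   = $job.OwnerAccount     # which account created the job
            State   = $job.JobState
            Name    = $job.DisplayName
            Remote  = $file.RemoteName
            Local   = $file.LocalName       # where the payload lands on disk
            JobId   = $job.JobId
        }
    }
}

$report | Where-Object Suspect | Format-Table Owner, State, Name, Remote, Local -AutoSize
```

A flagged job with a local path under a user profile or a temp directory, created by an interactive account rather than a service, is the pattern the post describes and is worth correlating with process creation events from the same time.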



May 10 2007   7:26AM GMT

CA patches security flaws



Posted by: Bill Brenner
Security Vendor News, Application Security

Those who use CA’s security products should be aware that the vendor has just fixed some critical flaws attackers could exploit to cause a denial of service or hijack a targeted machine.

Here are the details as told by the French Security Incident Response Team (FrSIRT):

“Two vulnerabilities have been identified in CA Anti-Virus, CA Anti-Spyware and CA Threat Manager, which could be exploited by attackers or malware to cause a denial of service or take complete control of an affected system. The first issue is caused by a stack overflow error in the Console Server when processing malformed login credentials sent to port 12168/TCP, which could be exploited by remote unauthenticated attackers to execute arbitrary code with elevated privileges. The second vulnerability is caused by a stack overflow error in ‘InoCore.dll’ when handling file mapping contents, which could be exploited by local attackers to gain elevated privileges.”

The problems affect CA Anti-Virus for the Enterprise (eTrust Antivirus) r8, CA Threat Manager (eTrust Integrated Threat Management) r8 and CA Anti-Spyware (eTrust PestPatrol) r8.

Fixes are available through CA’s automatic update feature.



May 10 2007   7:06AM GMT

Microsoft to hackers: Take your best shot



Posted by: Bill Brenner
Microsoft Security

Security experts will criticize Microsoft over how long it takes to patch certain flaws or how effective or ineffective its security offerings are, but you have to give the company credit for trying.

One example that the company is taking security more seriously is its latest Blue Hat conference, where security researchers are invited to tell Microsoft reps about the various security holes they’re finding in the company’s products. It’s a big change from the days when the company used to ignore such researchers.

The latest Blue Hat conference started Wednesday at Microsoft’s Redmond, Wash., campus with discussions on Microsoft’s latest security tools, threats to hardware and mobile security.

The list of speakers at the latest event includes Rob Thomas of Team Cymru, David Maynor and Robert Graham of Errata Security, and John Hering of Flexilis Inc.
