Follow the money.
If you want to get to the bottom of something–whether it is a political scandal, a murder mystery, or the source of rogue AV scareware attacks against Mac OS X…follow the money.
Security reporter Brian Krebs did just that and he has connected the dots leading from MacDefender and the sudden plague of Mac malware back to a Russian payment processing company–ChronoPay.
Observant Mac users reported the domain names that the rogue AV attacks were being directed to for payment. Krebs did some digging into the WhoIs details to try and determine the owner of those domains to follow the money back to the source. It so happens that Krebs is also in possession of tens of thousands of pages of ChronoPay documents leaked in a data breach last year which allowed him to follow the trail back to ChronoPay.
It is unclear how that knowledge can be put to good use. Given the nature of international law enforcement, prosecuting attacks across national borders can be tricky.
In the meantime, Mac users should just be aware of the issue, and follow the guidance from Apple to address the threat pending an update for Mac OS X to guard against it.
Lockheed-Martin was the target of a ‘significant and tenacious’ cyber attack, and Sony has been plagued by attacks for a month now. However, the results of the two network attacks are completely different.
The attack on Lockheed-Martin has been linked to the attack earlier this year on RSA Security. That attack compromised the encryption keys of RSA’s SecurID tokens, and fake authentication tokens were apparently used in the attack on the defense contractor.
You would think that attackers armed with the keys to the vault would be able to clean house and walk out with all kinds of top secret plans for next generation military aircraft and weapons systems, but Lockheed-Martin says no. It claims the attack was detected, identified, and thwarted before any data was compromised, and that its network is locked down and secure.
Then you have Sony. We don’t know much about the details of the Sony attacks, but I have not seen any speculation related to RSA SecurID tokens. The attacks against Sony have yielded sensitive information on 100 million customers or so, and it seems like every other day there is a breach of some new Sony network that continues to lead to a data breach.
Following news of the Lockheed-Martin attack, the United States government apparently offered its assistance to handle the matter. It seems, though, that Lockheed-Martin has things under control, and that perhaps the United States should see if it can stop the hemorraging at Sony.
Your passwords are the keys to your personal data and sensitive information. You have passwords for various online sites like Facebook, or Twitter, or Amazon. You have passwords for your banking and credit card sites. Guessing your username is generally trivial, so the password is really all that stands between an attacker and your data.
There is plenty of guidance online explaining tips and tricks to create more secure passwords, yet somehow each new breach or mass exposure of passwords illustrates that a majority of users still rely on things like “password”, or “12345” to protect their valuable information.
Well, if you are interested in ensuring that your password won’t be guessed or cracked in a matter of seconds, try entering it into this Microsoft tool to verify just how strong it is.
For those who may be concerned about divulging passwords to the Microsoft tool, Microsoft provides some assurances: “This password checker does not collect, store, or transmit information. The security of the passwords typed into this password checker is similar to the security of the password you enter when you log on to Windows. The password you enter is checked and validated on your computer. It is not sent over the Internet.”
Windows 7 is more secure than WIndows XP. Period. Likewise, Office 2010 is more secure than Office 2007. It is not that WIndows 7, or Office 2010, or any other new OS or application is magical, it is just the natural evolution of things. New technologies are introduced. New attack techniques are developed. Newer software incorporates features to mitigate those attack techniques.
Microsoft understands, though, that many businesses can’t just jump on the latest software every time there is a new release. Microsoft also recognizes that third-party vendors may drop the ball on some areas of application security. So, Microsoft developed EMET–Enhanced MItigation Experience Toolkit–to give IT admins the tools to apply modern security controls and attack mitigation to legacy operating systems and applications.
Recently, Microsoft rolled out a new release of EMET. A Microsoft Security Research & Defense blog post describes what’s new:
EMET is an officially-supported product through the online forum “Bottom-up Rand” new mitigation randomizes (8 bits of entropy) the base address of bottom-up allocations (including heaps, stacks, and other memory allocations) once EMET has enabled this mitigation. Export Address Filtering is now available for 64 bit processes. EAF filters all accesses to the Export Address Table which blocks most of the existing shellcodes Improved command line support for enterprise deployment and configuration Ability to export/import EMET settings Improved SEHOP (structured exception handler overwrite protection) mitigation Minor bug fixes
Microsoft recently released Microsoft Security Intelligence Report v10. The report aggregates relevant computer and network security data from more than 600 million PCs across 117 countries–providing a comprehensive look at the threat landscape.
A Microsoft On The Issues blog posts describes some of the key findings of Microsoft SIR v10:
· Rogue Security Software – Rogue security software was detected and blocked on almost 19 million systems in 2010, and the top five families were responsible for approximately 13 million of these detections.
· Phishing – Phishing using social networking as the lure increased 1,200 percent – from a low of 8.3 percent of all phishing in January to a high of 84.5 percent in December 2010. Phishing that targeted online gaming sites reached a high of 16.7 percent of all phishing in June.
· Adware – Global detections of adware when surfing websites increased 70 percent from the second quarter to the fourth quarter of 2010. This increase was almost completely caused by the detection of a pair of new Adware families, JS/Pornpop and Win32/ClickPotato, which are the two most prevalent malware in many countries.
A rapidly increasing number of Mac users are learning just how pervasive the rogue AV threat is as well. Mac Defender has been plaguing Mac OS X to the extent that Apple finally had to admit it is an issue and commit to delivering a fix for Macs to detect and prevent the threat.
Your privacy while surfing the Web has been a hot topic of conversation in tech circles for the past few months. Government agencies, elected officials, and browser vendors all seem to consider “do not track” initiatives a top priority, but maybe there is a better–and easier–way.
Earlier this year, the FTC (Federal Trade Commission) issued a call for action to protect consumer privacy. It suggested that we need to implement a “do not track” framework for users to opt out of having their Web activity and surfing habits monitored, similar to the “do not call” list that lets consumers opt out of being solicited by telemarketers.
Mozilla and Microsoft jumped into the fray with possible browser-based solutions that seek to give consumers more control over whether or not their activity is tracked, and Congress seems to be aggressively pursuing legislation that might spell out the rules of engagement for online tracking efforts.
There is an easier way for the browser vendors to address the problem, though. I don’t know about Safari because I don’t use it outside of my iPhone and iPad, but Internet Explorer, Firefox, and Chrome all have a built-in privacy mode that lets users surf the Web without being tracked or leaving any traces of the Web activity on the PC. IE has ‘InPrivate’, Firefox has ‘private browsing’, and Chrome has ‘Incognito’. The problem with all three browsers is that you have to manually choose to enter the private surfing mode each time.
Granted, there are implications to always surfing in privacy mode. While you may not want just any random site tracking your Web surfing habits, many users enjoy the convenience, and the more interactive experience on sites that are able to recognize you and retain some idea of previous interactions. For example, when I visit Amazon.com it already knows who I am and makes suggestions for purchases based on my other recent purchases or searches on the site. If I only surf in privacy mode, Amazon.com will still work, but without the bells and whistles.
So, surfing in privacy mode by default has some usability tradeoffs, and may not be for everyone, but the browsers should at least make it an option. I should be able to go into the browser options and flip a switch to tell the software to automatically start in privacy mode, with an option to go back to normal Web surfing if I manually select it–essentially flip-flop the way it is currently.
As a side note, if you have Windows 7 and IE9, there is a way to create this for yourself. IE9 lets you pin sites to the Task Bar. If you pin a site to the Task Bar while using InPrivate browsing, the pinned site will open as an InPrivate browsing session by default. So, you could start an InPrivate session, go to your default home page, then pin that site to the Task Bar. Then, just use the pinned site as your default means of opening IE9 and your sessions will be InPrivate by default.
Australian security researchers at PureHacking wrote a blog post detailing a flaw in the Skype for Mac software. Skype and PureHacking seem to disagree on the potential effects of the attack, but Skype has a fix and will push an update out to users next week.
Only a few weeks after the revelation that the Skype for Android app left sensitive personal data on Android devices exposed for potential compromise, Skype has a new security issue to deal with in the form of a flaw in the Mac OS X client software which could allow an attacker to take control of a vulnerable Mac OS X system.
In the blog post describing the flaw, PureHacking notes that, “an attacker needs only to send a victim a message and they can gain remote control of the victim’s Mac. It is extremely wormable and dangerous.”
While Skype does acknowledge the issue in a blog post of its own, the Skype blog post simply says that an exploit of the flaw could cause the Skype for Mac software to crash, and doesn’t mention anything about a worm. In fact, the Skype post seems to downplay the possibility of a worm by pointing out that an attack would have to come from a contact you know because the default security settings won’t display messages from contacts you haven’t authorized.
In the end, it doesn’t really matter for two reasons. First, although Mac OS X is creeping up in market share and may soon be a target worthy of the effort, the fact is that attackers are busy developing attacks for Windows PCs because the potential payoff is much larger from the platform that has 90 percent market share than it is from the platform that has less than ten percent.
The second reason is that Skype already has a hotfix available that addresses the problem, and as of next week it will push out an updated version of the Skype for Mac software that resolves the problem as well. So, whether you choose to rush out and get the patch, or wait a week and get the larger software update, odds are good the problem will be fixed before you need to worry about a Mac worm pwning your system.
Details are still a bit sketchy on the Sony Playstation Network data breach. At this point, it is stil hard to tell if Sony is not sharing details because it is trying to cover something up, or because an investigation is pending and it doesn’t want to give away what it knows, or because it simply has no clue.
Peter Schlampp, VP of Product Management for Solera Networks, commented, “Sony advised customers to be vigilant in keeping an eye on their credit card statements. If Sony had clear details of which customers had been affected by the attack, they would be able to work directly with them. Not knowing the details means that Sony now has to assume that all 77 million accounts were affected. In reality, it may have been fewer than a million, maybe only a few thousand. In fact, it could have been only 10.”
Schlampp added that without decent logging and network forensics, Sony may simply not know what was breached, or how, or when. Organizations need to proactively put network fornsics tools in place. After a data breach, it’s too late.
He summed up with, “Every organization should be waking up to the fact that we are in a new threat environment, and the methods and technologies needed to secure our networks have changed.”
Whenever a data breach occurs, the compromised company responsible for losing your data eventually reaches out to inform you that your sensitive personal information may have been exposed in some way. The message typically comes with assurances that the company values your privacy more than life itself, and cautions you to watch out for any phishing scams attackers might launch trying to appear as if they came from the company. And, that message usually comes…by email.
That standard response plays into the attacker’s hand to some degree. The user becomes used to the idea that they might receive email communications from the company related to the data breach. That opens the door for an attacker to follow up with a convincing email that appears to be from the company directing users to provide account details or change their password…in response to the breach of course.
I realize that email is fast, and easy, and is probably the best and most efficient way for companies to notify affected customers. It just seems like a bit of hypocrcisy to send an email from the company that tells users to watch out for emails that appear to be from the company.
Windows 7 has passed the rigorous testing required to be Common Criteria certified, along with Windows Server 2008 R2, and SQL Server 2008 SP2. The certification is a major milestone because it qualifies the Microsoft products for use by many US government agencies.
A Microsoft FutureFed blog post explains, “Common Criteria certification is an international standard for ensuring that IT products conform to stringent security requirements, is recognized by the 26 member nations of the CCRA, and used in procurement requirements by governments around the world. In particular, Common Criteria evaluation of operating systems and database management systems (DBMS) is a mandatory procurement requirement for U.S. defense and national security customers.”
That should open some doors and help Windows 7 leave Windows XP in the dust.