The Security Detail

April 22, 2011  10:21 PM

Ashampoo Customer Data Compromised by Hackers

Tony Bradley

Ashampoo–a German software vendor–is the latest to fall victim to a breach of customer data resulting from hackers. An announcement on the Ashampoo site explains, “Hackers gained access to one of our servers. We discovered the break-in and interrupted it instantly. The security gap through which the hackers gained access was closed immediately.”

Troy Gill, security analyst with AppRiver, provided some expert insight on the breach. “Since it does not appear that any credit card or financial information was taken, the risk here is that these individuals will be targeted going forward.”

Gill notes that the real threat, just as in the recent exposure of customer email addresses from Epsilon, is that the contact information, combined with the known relationship with Ashampoo, will enable attackers to create much more convincing precision phishing attacks.

Anup Ghosh, founder and chief scientist at Invincea, has a more ominous take on the matter. Ghosh says that the string of data breaches and the general information security news over the past year or so should alarm everyone from Wall Street to Main Street.

Ghosh explains that the end user, rather than a PC operating system or vulnerable software, has become the primary target for attackers, and is the real root of the problem. “The adversary targets the user because they know that regardless of all the patches applied to technology, one cannot apply a patch to Layer 8–the human brain. Attachments will always be opened if they look to be coming from a reliable source; curiosity has always and will always kill the cat.”

Ghosh suggests that security needs to adopt a new model that seeks to protect the entire PC environment from the actions of the user rather than focusing on identifying and patching vulnerabilities.

April 21, 2011  10:02 PM

McAfee Report Finds Critical Infrastructure Woefully Insecure

Tony Bradley

It is called the “critical” infrastructure for a reason.

If the country were ever to fall prey to a physical attack, a cyber attack, or even a biological epidemic, it might not matter if we can’t see this week’s episode of Glee in HD, and it won’t be the end of the world if the corner store runs out of Redbull, but there are some things that are crucial to the continued productivity and sustenance of the nation even in the face of a disaster that must be protected: power, communications, and clean water to name a few.

Why is it, then, that this infrastructure we have deemed “critical” seems so ill-prepared to actually survive an attack–at least a cyber attack? Dr. Phyllis Schneck, Vice President of Threat Intelligence for McAfee, explains, “Perhaps one of the most frightening findings in the report is the fact that, although the security threat and awareness of the threat have increased exponentially, the energy sector increased its adoption of security technologies by only one percent.”

Schneck’s blog post also lays out the key findings of the McAfee report:

  • Eighty percent of respondents have faced a large-scale denial of service attack
  • Twenty-five percent of respondents have been victims of extortion attempts
  • More than 40 percent of executives believe that their industry’s vulnerability has increased
  • Almost 30 percent believe their company is not prepared for a cyberattack
  • More than 40 percent expect a major cyberattack within the next year
  • Energy sector increased its adoption of security technologies by only a single percentage point, at 51 percent
  • Oil and gas industries increased by only three percentage points, at 48 percent
  • Nearly 70 percent of respondents frequently found malware designed to sabotage their systems
  • A quarter of respondents reported daily or weekly DDoS attacks

The full McAfee report: In The Dark: Crucial Industries Confront Cyberattacks

April 18, 2011  4:01 PM

Message Labs Reports Rise in ZIP File Spam

Tony Bradley

The first quarterly report from Message Labs for 2011 sends mixed signals about the state of spam. With the Rustock botnet being killed off in March (followed by the Coreflood botnet this month), spam email distribution is down, but according to Message Labs, the amount of data traffic attributed to spam is on the rise.

The reason, it seems, is a spike in the use of ZIP file attachments as a vector for distributing malware in spam email messages. So, even though there are fewer spam email messages overall, more of those messages have ZIP file attachments, making them consume more network bandwidth.

Check out the full Message Labs March 2011 Intelligence Report for more about the rise in ZIP file spam, and to learn more about current trends in spam and malicious email.

April 14, 2011  10:47 PM

Sophos Offers Free Data Protection Toolkit

Tony Bradley

Unless you’ve been living in a cave on a remote mountain somewhere, you’ve probably noticed that there have been a number of high-profile data breaches lately. There was the breach at RSA, then the breach at Epsilon, then the breach in Texas…the list goes on, and that is just the list of the big data breaches that actually made the headlines.

If you want to protect your data, you need a plan. You need to understand what data needs protection, and implement policies to govern how sensitive data is handled, and put the right tools in place to monitor the data and protect it from being leaked or compromised.

You’ve got those bases covered, right? Well, whether you do or not, you should download the free Data Protection Toolkit from Sophos and check out what it has to offer. The ZIP file is filled with resources including videos, best practices checklists, sample data policies, and information to help educate users about data security threats.

It’s free. What have you got to lose?

April 14, 2011  9:58 PM

Skype for Android Exposes Your Personal Data

Tony Bradley

Got Skype on your Android smartphone or tablet? You may want to reconsider. Engadget reports that the Android Skype app fails to encrypt data or enforce permissions–leaving all of your Skype contact info and chat logs exposed.

The Android Police developed an app called Skypwned to demonstrate. The app only requests basic Android permissions when it installs, yet it can access and display your full name, phone number, email addresses, and list your contacts without even asking for a username.

Skype is investigating the issue, but in the meantime I would suggest uninstalling the Skype for Android app. Now that the information is public and the Skypwned proof-of-concept app is out there, it is probably a matter of hours until more apps hit the wire to “test” this flaw out.

April 13, 2011  7:47 AM

All Software Needs a “Patch Tuesday”

Tony Bradley

Microsoft often takes a fair amount of heat and ridicule for its Patch Tuesday–especially ones like this month where Microsoft published 17 new security bulletins and patched 64 separate vulnerabilities. However, instead of focusing on the volume of flaws addressed by Microsoft, IT admins should be considering how many vulnerabilities remain unpatched on other software applications that don’t have a dedicated patch management program and regular cycle of updates.

Microsoft used to release security bulletins and patches ad hoc as they arose, but switched to the Patch Tuesday monthly release cycle to make it easier for IT admins. The regular, predictable release of updates enables IT departments to be prepared and have the appropriate resources allocated to analyze and deploy the batch of patches.

Most software doesn’t have any such patch management framework, though–putting the burden on IT admins to try to keep up with vulnerability details and patch releases. The lack of a consistent patch release and deployment schedule results in vulnerabilities that fall through the cracks and remain unpatched.

Some attacks leverage previously unknown zero-day vulnerabilities, but many viruses, worms, and other types of malware often attack vulnerabilities which are already known, and for which patches have already been published. Norman–a security and patch management company–claims that nearly two dozen new vulnerabilities are discovered on average each day. 

Paul Henry, Forensic & Security Analyst at Lumension, points out, “Time and time again, we’re finding that spear phishing exploits are taking advantage of the weaknesses in third party applications,” adding, “While the rest of the world is focusing on Windows, the bad guys are taking advantage of the applications we aren’t patching with free patch software that Microsoft makes available.”

“IT departments should make patch and remediation a priority,” said Audun Lodemel, vice president, Norman Marketing, “Remember to look into all your OS platform and applications vulnerabilities, not just focus on Microsoft issues around Patch Tuesday.”

Bottom line: Microsoft makes it easy because Patch Tuesday is reliable, and predictable, and Microsoft provides the tools to download and implement the latest updates for both consumer and business systems. But, don’t get lazy and forget that you have a wide variety of software installed on those systems, and that those applications are just as likely to contain exploitable flaws.

April 10, 2011  10:08 AM

Invalid Certificates Threaten to Make SSL Useless

Tony Bradley

Have you ever tried to visit a website and instead been greeted by a browser window letting you know that “There is a problem with this website’s security certificate”?

Ideally, that would be a red flag indicating that something suspicious or malicious is going on. If the website security and authentication provided by SSL certificates worked as intended, receiving a warning that an SSL certificate is invalid would be reason to avoid that site.

But, the reality is that most of the time you encounter expired or invalid certificate warnings, it is because the website owner has allowed the SSL certificate to expire, or has not properly configured it for the domain you are visiting. So, people just click the “Continue to this website (not recommended)” link next to the alarming red shield icon, and proceed–ignoring the invalid certificate warning, and invalidating the concept of SSL certificates at the same time.

There are so many expired and invalid SSL certificates on otherwise legitimate sites that users are numb to the warning message. If and when a user encounters an actual malicious site attempting to utilize a stolen or forged SSL certificate, they will happily ignore the warning and continue on at their own peril.

April 4, 2011  8:55 PM

RSA’s Achilles Heel Was…Adobe Flash

Tony Bradley

When RSA announced that it had discovered a network infiltration that allowed attackers to gain access to crucial information that could lead to the compromise of SecurID two-factor authentication tokens, it dubbed the attack “extremely sophisticated.” In the wake of the discovery, the speculation was that the attack was an APT (advanced persistent threat). New information, though, suggests that RSA was simply the victim of a common phishing attack exploiting a zero-day flaw in Adobe Flash.

Adobe issued a security advisory on March 14 warning users that a vulnerability had been discovered in Adobe Flash, as well as the authplay.dll component included in Adobe Reader and Adobe Acrobat. The flaw was being exploited in limited attacks which included a malicious Flash (SWF) file embedded within a Microsoft Excel (XLS) file attachment. Apparently, someone within RSA received that email attachment, opened the Excel file, and clicked on the Flash file–compromising his PC and giving the attackers complete access to the system.

Adobe released an update for Flash, Acrobat, and Reader (except for Reader X for Windows because the sandbox security already mitigates the threat) about a week after announcing the zero-day threat. I don’t know if RSA has implemented those updates yet, but hopefully it has.

The lesson here is that even if you are RSA–a company virtually synonymous with security, the namesake of the biggest security conference of the year, provider of two-factor authentication solutions relied on to protect systems and data around the globe–one well-timed social engineering attack, and a little human error is all it takes for an attacker to get inside and gain access to sensitive information.

The bonus lesson is that it is bad PR to call an attack “extremely sophisticated”, and then have to face the embarrassment when it is discovered that it was just an average, ordinary phishing attack–especially for a security company.

April 3, 2011  9:46 AM

Researchers Propose a New Twist on Password Security

Tony Bradley

I’m sure you’ve heard the password mantra–don’t use details from your personal life, don’t use any word that can actually be found in a dictionary, make the password long, use multiple character types, etc. The problem is that the more secure and complex the password is, the more difficult it is to remember. Security that has the same odds of locking out the legitimate user as it does for preventing unauthorized access is not effective. Instead, users choose simple passwords, or write the complex passwords down on a sticky note for easy recall.

Security researchers in Germany are proposing a new twist on the password dilemma that could change things, though. The scientists from the Max Planck Institute for Physics of Complex Systems are at work on a method that breaks a strong, complex password into two parts. The first part is a simple password that is easy for the user to recall, and the second part is converted to a CAPTCHA-like image based on a chaotic lattice system algorithm.

The net result would be a more secure password that amounts to a sort of variation on two-factor authentication. What do you think? Can this password strategy work? Would you use it? Or, is that sticky note method working out OK for you?

March 26, 2011  6:54 PM

Microsoft Says Hotmail HTTPS Glitch Resolved

Tony Bradley

Yesterday, I wrote a post deriding Microsoft for disabling HTTPS on Hotmail accounts in regions where encrypted communications can literally be a matter of life and death. The EFF (Electronic Frontier Foundation) reported that Microsoft had turned off HTTPS encryption in a number of countries including Iran, Bahrain, Syria, Nigeria, and other nations across Africa and the Middle East.

In nations where political dissidents are commonly imprisoned, tortured, or even killed, the ability to keep communications secret from the prying eyes of the reigning tyrants is crucial. I had developed a subsequent theory that perhaps Microsoft was responding to a request from the US intelligence community. It just so happens that many of the nations where political unrest and rebellion are brewing are also the same nations where terrorist actions often originate.

I asked Microsoft for an explanation for why it chose to disable HTTPS in these specific nations, though, and found out that the reality is much less sinister or insidious. This is the statement I received from Microsoft:

“We are aware of an issue that impacted some Hotmail users trying to enable HTTPS. That issue has now been resolved. Account security is a top priority for Hotmail and our support for HTTPS is worldwide – we do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world. We apologize for any inconvenience to our customers that this may have caused.”
