
Submission + - Turkish CA Issues Fraudulent Certificate for Google.com (securityweek.com)

wiredmikey writes: Google said that late on Christmas Eve, they detected and blocked an unauthorized digital certificate that was created for the "*.google.com" domain and that was linked back to the Turkish certificate authority TURKTRUST.

“TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” Adam Langley, Software Engineer at Google wrote in a blog post on Thursday.

Microsoft on Thursday issued a security advisory on the incident and took measures to protect customers.

Because intermediate CA certificates have the full authority of the CA, an attacker could use one to create a certificate for any website they want to impersonate. “The fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties,” Microsoft’s advisory said. “This issue affects all supported releases of Microsoft Windows.”

Google said that it may also take additional action after looking into the issue further.


Submission + - Microsoft Patches IE Zero Day, And Four Other Flaws (securityweek.com)

wiredmikey writes: As promised, Microsoft has patched Internet Explorer against the recently discovered Zero-Day that has made headlines this week. In addition, they also patched four other flaws that were privately disclosed, but unlike the main vulnerability, these were not being exploited in the wild. The vulnerability has been actively exploited and used to deliver various payloads including two Remote Access Trojans, PlugX and Poison Ivy.

When Wednesday’s announcement was made by the software giant, they promised that a full patch would be made available by the end of the week, and they delivered on that promise shortly after 1:00 p.m. EST today.

“The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically," Microsoft said. "For those manually updating, we encourage you to apply this update as quickly as possible... In addition to addressing the issue described in Security Advisory 2757760, MS12-063 also resolves four privately disclosed vulnerabilities that are currently not being exploited.”


Submission + - Microsoft Offers Advice on New IE Zero-Day (securityweek.com)

wiredmikey writes: In response to reports of a recently discovered Zero-Day vulnerability targeting versions of Internet Explorer 9 and earlier, Microsoft has confirmed the issue and has offered guidance to customers.

While a patch is developed, Microsoft says that using their EMET tool will mitigate the vulnerability. “Deploying EMET will help to prevent a malicious website from successfully exploiting the issue described in Security Advisory 2757760. EMET in action is unobtrusive and should not affect customers’ Web browsing experience,” Microsoft explained.

In addition, customers can set Internet and Intranet settings to high in order to block ActiveX and Active Scripting. Finally, customers also have the option to configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.

The advice to use EMET won’t work in some organizations due to compatibility issues. But if switching browsers is an option, it’s a wise alternative, and EMET does have its uses if there are no compatibility issues. So the general advice isn’t wrong, it’s just not one size fits all.


Submission + - New IE Zero-Day Being Exploited in the Wild (securityweek.com)

wiredmikey writes: A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild, and affects IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system.

Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. A file named “exploit.html” is the entry point of the attack, which loads “Moh2010.swf”.

According to analysis by VUPEN, the exploit takes advantage of a “use-after-free vulnerability” that affects the mshtml.dll component of Internet Explorer.

Rapid7 on Monday released an exploit module for Metasploit which will let security teams and attackers alike test systems.

As mentioned, Romang first found the new zero-day code on the same server that was initially used to spread the recent Java zero-day, making people think that if both codes were not created by the same group, they are at least related.

Internet Explorer users should consider switching to other browsers, such as Chrome or Firefox, for the time being.

From what has been seen so far, the in-the-wild exploit only targets IE 8 and 7 on Windows XP.


Submission + - Microsoft Releases Attack Surface Analyzer Tool (securityweek.com)

wiredmikey writes: Microsoft has released the public version of Attack Surface Analyzer, a tool designed to help software developers and independent software vendors assess the attack surface of an application or software platform. The tool was pushed out of beta with Version 1.0 released on Thursday.

Since ASA doesn't require the original source code, managers and executives can also use the tool to determine how a new application or software being considered would affect the organization's overall security before deploying it.

The tool takes snapshots of the system before and after an application was installed, and compares them to identify changes made when new applications were installed. A stand-alone wizard guides users through the scanning and analysis process and a command-line version is available for use with automated tools.

Attack Surface Analyzer 1.0 can be downloaded from Microsoft here.


Submission + - The Myth Of That $1 Trillion Cybercrime Figure (securityweek.com)

wiredmikey writes: A recent article on ProPublica dissected two commonly quoted figures about cybersecurity: $1 Trillion in losses due to cybercrime itself and $388 million in IP losses for American companies. Both figures have been scrutinized and challenged by many, and viewed as typical security vendor FUD.

NSA Director General Keith Alexander has recently been using the $1 Trillion figure in speeches, as have Senators Lieberman and Collins, whose Cybersecurity Act of 2012 failed to be passed by the Senate this week.

The $1 Trillion figure is attributed to anti-virus vendor McAfee, while the $388 million in IP losses number belongs to Symantec's Norton division. According to ProPublica, "The report was not actually researched by Norton employees; it was outsourced to a market research firm, StrategyOne, which is owned by the public relations giant Edelman."

The problem with both of these figures — $1 Trillion and $388 million — is, as Microsoft researchers pointed out earlier this year in a report fittingly titled "Sex, Lies, and Cybercrime", they are studded with outliers. In one example they cite, a single individual who claims $50,000 in losses, in an N = 1000 person survey, is enough to extrapolate a $10 billion loss over the population. In another, one unverified claim of $7,500 in phishing losses translates into $1.5 billion over the population.

The Microsoft researchers concluded: "Are we really producing cyber-crime estimates where 75% of the estimate comes from the unverified self-reported answers of one or two people? Unfortunately, it appears so. Can any faith whatever be placed in the surveys we have? No, it appears not."


Submission + - Flame Malware Hijacks Windows Update (securityweek.com)

wiredmikey writes: As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing.

According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing.

The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how.


Submission + - Microsoft Certificate Was Used to Sign "Flame" Malware (securityweek.com)

wiredmikey writes: Microsoft disclosed on Sunday that "unauthorized digital certificates derived from a Microsoft Certificate Authority" were used to sign components of the recently discovered "Flame" malware.

“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” Microsoft Security Response Center’s Jonathan Ness wrote in a blog post.

Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks.

In response to the discovery, Microsoft released a security advisory detailing steps that organizations should take in order block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed.


Submission + - Microsoft Fixes Last of Duqu Vulnerabilities in Latest Update (securityweek.com)

wiredmikey writes: Security researchers are warning Microsoft customers to keep their eyes on the critical bulletins in this month’s Patch Tuesday update. All totaled, Microsoft issued patches to address 23 security bugs across its product line.

However, the company is recommending administrators turn their attention to two of the seven bulletins first — MS12-034 and MS12-029. MS12-034 includes 10 fixes across several product lines that were bundled together as part of an update meant to put the finishing touches on a vulnerability exploited by the infamous Duqu malware. Believed to be related to Stuxnet, Duqu was spotted in September exploiting a vulnerability affecting Microsoft Word. Though the company previously patched the bug with MS11-087, other Microsoft products were discovered to contain the same vulnerability as well.


Submission + - Microsoft Drops Chinese Firm From Active Protections Program (securityweek.com)

wiredmikey writes: DPTech Technologies, a security vendor in China, has been removed from Microsoft’s Active Protections Program (MAPP) for leaking proof-of-concept (PoC) code shared with them during the creation of the MS12-020 security bulletin. The leak violated the NDA they had signed with Microsoft, resulting in their expulsion from the program.

In March, Microsoft issued a patch in order to correct a flaw within Remote Desktop Protocol (RDP) (MS12-020). The patch was ranked as critical by the software giant, and security experts predicted that exploit code for the RDP flaw would arrive sooner rather than later. As it turns out, proof of concept code appeared within hours of the patch’s release, and Microsoft was indirectly responsible for the PoC code’s appearance.

When the PoC itself arrived on the Web, the researcher who discovered the vulnerability in the first place (Luigi Auriemma) recognized his own code within the source. Given that he turned his work over to ZDI, and ZDI quickly denied leaking the code, that left Microsoft as the only likely source. This was later confirmed when elements of the PoC contained markers used by MSRC. Thus, the security industry quickly came to the realization that someone within MAPP committed a serious breach of trust.

On Thursday, Microsoft called them out by name as the ones responsible for disclosure of the confidential data.


Submission + - Conficker Worm is Alive and Well, Says Microsoft (securityweek.com)

wiredmikey writes: With the rise in complex threats and new advanced malware flooding headlines and causing a stir, it’s easy to forget about some of the sizable threats that have graced the security world over the years—threats that may be out of mind, but shouldn’t be.

In its Security Intelligence Report (PDF), Microsoft said that in the fourth quarter of 2011 alone, Conficker was detected on 1.7 million systems worldwide.

Why is Conficker still so prevalent in organizations? Microsoft cites research that shows 92 percent of Conficker infections were a result of weak or stolen passwords, and 8 percent of infections exploited vulnerabilities for which a security update exists.

Conficker emerged in late November 2008, about a month after Microsoft pushed out an emergency patch for a critical vulnerability in Windows. Exploiting this vulnerability, the worm quickly spread to unpatched computers around the world, and one month later was followed up with a "B" variant.

"Conficker is one of the biggest security problems we face, yet it is well within our power to defend against," said Tim Rains, director of Microsoft Trustworthy Computing. "It is critically important that organizations focus on the security fundamentals to help protect against the most common threats."


Submission + - Microsoft Plugs 11 Security Holes (securityweek.com)

wiredmikey writes: Microsoft patched 11 security vulnerabilities today, including a critical bug being targeted by attackers.

According to Microsoft, organizations should focus first on MS12-027 and MS12-023. Already, MS12-027 has come under limited, targeted attack. MS12-027 addresses a vulnerability affecting the MSCOMCTL.OCX ActiveX control that could allow remote code execution if a user visits a website with specially-crafted content designed to exploit the vulnerability. This particular vulnerability affects several pieces of software, including versions of Microsoft Office, SQL Server and BizTalk Server.

John Harrison, group product manager with Symantec Security Response, advised organizations to also pay attention to MS12-024, which patches a critical vulnerability in Windows that could permit remote code execution if a user or application runs or installs malicious, signed portable executable files on an affected system.


Submission + - Microsoft Leads Sting Operation Against Zeus Botnets (securityweek.com)

wiredmikey writes: Today, Microsoft announced that, in what it called its “most complex effort to disrupt botnets to date,” the company, in collaboration with partners from the financial services industry, has successfully taken down operations that fuel a number of botnets that make use of the notorious Zeus family of malware.

In what Microsoft is calling “Operation b71,” Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois. The move was to seize and preserve data and evidence from the botnets for the case. In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus.

While the operation is a big win for the anti-cybercrime community, it does not mean that it’s the end of Zeus and Zeus botnets. Microsoft noted that the goal of the actions was not to permanently shut down all impacted Zeus botnets, but it is expected to significantly impact the cybercriminals' operations and infrastructure, and help victims remove the malware from infected systems.


Submission + - Ford Tests DIY Firmware Updates (securityweek.com)

wiredmikey writes: This month, Ford is borrowing something from the software industry: updates. With a fleet of new cars using the sophisticated infotainment system they developed with Microsoft called SYNC, Ford has the need to update those vehicles—for both features and security reasons. But how do you update the software in thousands of cars?

Traditionally, the automotive industry has resorted to automotive recalls. But now, Ford will be releasing thirty thousand USB sticks to Ford owners with the new SYNC infotainment system, although the update will also be available for online download.

In preparing to update your car, Ford encourages users to have a unique USB for each Ford they own, and to have the USB drive empty and not password protected.

In the future, updating our gadgets, large and small, will become routine. But for now, it’s going to be really cumbersome and a little weird. “Honey, I’m updating the car’s firmware right now.”

Play this forward a bit. Imagine taking Patch Tuesday to a logical extreme, where you walk around your house or office applying all the patches to all the gadgets you own.


Submission + - Microsoft Names Reputed Head of Kelihos Botnet (securityweek.com)

wiredmikey writes: Microsoft is not just taking down botnets; it is taking them down and naming names. In an amended complaint filed Monday in U.S. District Court for the Eastern District of Virginia, Microsoft named a man from St. Petersburg, Russia, as the alleged head of the notorious Kelihos botnet.

Naming names can be a risky business. Previously, Microsoft alleged Dominique Alexander Piatti, dotFREE Group SRO and several unnamed “John Does” owned a domain cz.cc and used cz.cc to register other subdomains used to operate and control the Kelihos botnet. However, the company later absolved Piatti of responsibility when investigators found neither he nor his business was controlling the subdomains used to host Kelihos.

Whether naming Sabelnikov – who, according to Krebs on Security, once worked as a senior system developer and project manager for Russian antivirus vendor Agnitum – will have the same effect as naming the Koobface gang remains to be seen.

Though Kelihos has remained defunct since the takedown last year, the malware is still on thousands of computers.
