Microsoft Issues Patch to Close Zero Day Hole

Microsoft has issued an unscheduled patch to close the security hole in IE in its MS08-078 Security Bulletin.

---

A Security Park report states that according to Panda Security, there has been as much malware in the first months of ‘08 as the last 17 years combined.

Related links:
SANS published a 61 page whitepaper by Mark Baggett, GCIH, on the Effectiveness of Anti-Virus vs Metasploit Payloads
Anti-Virus Rants Blog

---

Computerworld Security lists 3 simple ways to protect from Social Networking Malware: 1. Have a stronger password, 2. Be wary of 3rd party apps 3. Beware of user generated SPAM.

Now I’m wondering if there are tips out there regarding Friendster since they obviously have a problem with the SPAM I’ve been getting from a couple of users.

---

CDW has a 2 page whitepaper on Making the Case for Security Spending

---

UPI.com Homeland and National Security Editor Shaun Waterman wrote about the questionable effectiveness of FISMA in real world use. The article states that the US Justice Dept got a grade of A-, because FISMA is primarily concerned with “ensuring that all agencies ‘have policies and procedures to enhance the security of information in their IT systems. [however FISMA does] ‘not assess whether the Department has actually implemented these processes, nor did it assess the actual security of the Department’s IT systems.’”

---

The US Center for Strategic and International Studies (CSIS) recommends a Cybersecurity model based on Nuclear Nonproliferation. This is because of the seriousness and complexity of cyberthreats, which require a coordinated approach that spans agency jurisdictions, borders and sectors.

See earlier Post for the CSIS report

---

Update on Browser Password Management Security

In the test by Chapin Information Services (CIS) Opera and Firefox each passed seven of 21 tests, IE passed five tests, and Safari and Chrome each passed two tests.

(The Register) Browser Password Security Test
(Chapin Info Services) Google Chrome receives lowest Password Security Score

---

Other Security News.
(Bank Info Security) Where the Jobs Are: 5 Hot Career Tips for 2009
(Bank Info Security) Top Certifications for Industry Pros

Info Sec News, Dec 8, 2008 Updated

Upcoming details for this month’s Patch Tuesday can be found in Heise Online’s Microsoft wants to close six critical holes and PC World’s Microsoft readies Eight New Security Patches.

A Secunia blog states that 98% of all PC’s aren’t fully patched as was also reported in The Register and SCMag UK. No doubt this contributes to the millions of PC’s out there that are used as zombies unbeknownst to their owners. This happens mostly because people have too much confidence in their Anti Virus in stopping all threats. I’ll write about this more in another post, as for now, you might want to check out Secunia’s freely available Personal Software Inspector to check for patches their PCs may need.

Trend Micro researchers though, say that vulnerabilities only play a minor role (5%) in attacks. And that most attacks (53%) come in the form of Social Engineering attacks wherein the user is duped into downloading malware. An example of this would be fake anti-virus products that take up the top three positions in BitDefender’s Top e-threats (Heise Security also gives the list here). Which reminds me of what Zot O’Conner said in his talk at the Renaissance Makati in late October… that you cannot design a security product to defend against a user that just clicks and accepts anything.

In related news, Security Park reports that Human error continues to be the top cause of IT security breaches primarily because individuals are given the option to bypass them.

---

Other Security News
Center for Strategic and International Studies publishes report on Securing Cyberspace
Distributed SSH attacks bypass blacklists
New variant of DNSChanger in mass DNS hijack
The debate resumes over Mac Security
Identity Theft breaches on the increase in the US
(Security Focus) US Commission calls for Cybersecurity Czar
(Security Park) Free malware search tool helps financial institutions identify web attacks targeting their websites
SANS Webcast on December Threat Update
SANS Webcast on What Works in Security Information and Event Management
(Linux Security) New Wireshark Packages fix Vulnerabilities
(Linux Security) Never Installed a Firewall on Ubuntu? Try Firestarter
(Linux Security) Debian: New Linux 2.6.24 packages fix several vulnerabilities
(NY Times) Thieves Winning Online War, Maybe Even in Your Computer
(Translated by Google) 21 Million German Citizen’s Account Numbers in Circulation

Info Sec News, Dec 4, 2008

In a series of twists, Apple has pulled out its quietly released Anti-virus technote, stating that it was old. Noted exploit hunter Charlie Miller said that it was much to do about nothing (take note that this is the same guy that won the $10k who hacked the MacBook Air in under two minutes). On the same day that story went out, a new Apple malware was announced in SecurityPark.com. I’ll take the same line as Apple spokesman Bill Evans in saying, “Since no system can be 100% immune from every threat, running anti-virus software may offer additional protection”.

Related Apple Recommends Anti-Virus stories:
Apple anti-virus advice was nothing new
Security Focus
Heise Security
Apple’s antivirus advice ‘big to-do about nothing,’ says researcher
New Apple Mac OS X malware discovered

 

---

 

CSO Online Interviewed Gary Hinson a few weeks ago on the future of ISO 27000

‘Dumbing down’ the security profession

Bot-wielding hackers crash eBay holiday giveaway

SonicWALL licensing snafu short-circuits protection

Online payment site hijacked by notorious crime gang

Pentagon hacker tries one more time to avoid extradition

Botnet master sees himself as next Bill Gates

U.S. report sees major terror attack by 2013, ignores cyberattack risk

Lenovo arms ThinkPads with Intel’s built-in security

High tech attacks need high tech response

---

Computer systems are supposedly attacked a few minutes after going online. Here’s just another story about it: IBM in New Zealand did an experiment which resulted in an unprotected system that was rendered useless in around two hours.

Info Sec News, Dec 2, 2008

A rootkit was found in an Enterprise Information Security software, reports Heise Security and The Register.

Another vulnerability was found in the popular VLC media player. So if you can, update.

The Chicago Tribune reports that a new round of cyber attacks has the Pentagon worried. They normally get a whole number of attacks per day, however, the magnitude and way the new attacks are being done are apparently designed to specifically attack military networks. Heise also covers the same topic here and here.

The Linux on iPhone project has released the first results of its project.

Anti-virus seems to be ineffective versus new malware that makes zombies out of PCs. Stuart Staniford talks about it in his blog.

WordPress update fixes XSS vulnerability.

Google denies security hole in GMail.

Microsoft adds malware detection to its Webmaster tools. Speaking of Microsoft, a new windows worm builds a massive botnet worth around half a million computers and growing.

For the first time, Apple quietly recommended Anti Virus software in a technote. About.com has Mac Anti-Virus recommendations. iAntivirus and ClamXav are free.

Info Sec News: Nov 11, 2008

Maybe we should revisit our Cybercrime Bill, which hasn’t been approved and is in our congress for a second reading after a scant 8 years. Why? because Pakistan’s version of the bill, includes cyber-terrorism being punishable by death.

If you’re interested on articles on the Philippine version of the Cybercrime bill, there’s one from MB.com.ph from Nov 2007 by Melvin Calimag, “Cybercrime Law for RP long overdue.” Another article by the same author came out in April of this year on, “NBI exasperated over delay of cybercrime bill, hits CICT.”

News about the former Intel employee who works for AMD, that stole information with an estimated cost of over $1 billion in R&D development, can be found in CNET, and USA Today.

“A New York man has been charged with aiding the alleged leader of the hacking gang accused of stealing more than 40 million credit and debit card numbers from stores owned by TJX Companies and other companies.” reports this article from The Register.

On the Mobile Security front, a researcher says Google’s Android may not need antivirus software. Btw, older versions of G1’s software were vulnerable to an exploit that allows telnet root access discussed here and here.

The New York Times reports that DDOS attacks have been growing more potent, increasing from around half a megabit 7 years ago, to around 40 gigabits.

Three people pleaded guilty to hacking Citibank ATM cards who were able to steal $2 million in a span of four months. Maybe Manny Pacquiao should think about learning how to hack when he retires, especially since the Philippines has no Cybercrime bill, hehehe

Two Los Angeles traffic engineers admitted to hacking related to contract negotiations. Aren’t we just happy in Manila that our traffic light system uses 60’s technology?

The Financial Times and SC Magazine US, have reported to computers that were breached in the White House. The prime suspect are Chinese hackers.

Other News:

Security experts reveal details of WPA hack, their 12 page paper can be downloaded in pdf format here.

Vietnamese teams won the first and second prizes in a contest called “Capture The Flags”, part of the Hack in the Box Security Conference 2008 (hackinthebox.org) in Kuala Lumpur, Malaysia in late October

Australian Federal Police have launched a high-level investigation into a security breach involving confidential Australian diplomatic cables and police documents that were left in open files on a computer and read by guests at a hotel in Nepal.

Wouldn’t our government employees wish they have a DRP Site like this on in Bermuda?

A former prison inmate has been arrested and charged with hacking the facility’s computer network, stealing personal details of more than 1,100 prison employees and making them available to fellow inmates.