
Oct 25, 2012

Is Antivirus Becoming Obsolete?


"If you pick the average person off the street and ask them about information security, most of them will likely associate the term with the antivirus software on their computers. Most "civilians" are unfamiliar with terms such as "HIPS," "IDS," "IPS" and the vast assortment of other security products commonly in use. Those sorts of things operate behind the scenes. But, AV packages are widely deployed and are often offered free of charge when you buy a new computer -- at least for the first 30 days.
But, as the malware war continues to escalate, it is reasonable to question the level of effectiveness that antivirus software, as a category, brings to the table.
"When last I looked, there were 78,500,000 unique instances of malware, according to AV-Test.org," said Paul Henry, security and forensic analyst at Lumension, a Scottsdale, Ariz.-based endpoint security company. "How in the world is anyone going to keep up with the signatures to inspect that large of a database?"
According to a survey released by FireEye, a Milpitas, Calif.-based company that specializes in defense against advanced targeted threats, malware that can slip through signature-based detection has nearly quadrupled in the past year alone.
"The problem with signature-based defenses is a scaling issue," explained Ali Mesdaq, security researcher at FireEye. "There are so many new exploits coming out every day that the signature databases can't scale to that level. Some sort of technology development will be needed before they will be able to handle the rapid increase in volume."
Meanwhile, a separate survey, conducted by Carbon Black, a Sterling, Va.-based vendor that focuses on security-related data collection, suggests that in most cases, just about any bug will be able to be detected by at least one of 43 antivirus packages on the market today. The bad news is that an effective matchup between the specific bug and the specific AV package on your customers' systems is nearly coincidental.
The Carbon Black team then tested how long it would take for the individual AV packages to catch up with the ones they had missed. "The results were a big surprise to us," said CEO Mike Viscuso. "What we found was that if an antivirus package did not detect the virus within the first week, it probably never would."

Carbon Black's Viscuso estimates that virus traffic is growing at a rate of 783,000 new samples each day. Therefore, whatever signatures are missed on any given day will have to compete with all the new ones coming online tomorrow and the next day. Viscuso added that even if you could somehow keep up with the growth, the resulting performance hit on the individual machines would be far worse than the market would bear.
"That leads us to believe that customers should leverage the signature databases of multiple AV packages, as opposed to just one," said Viscuso. "In many cases, the AV products don't allow you to run more than one on a single machine. So, channel partners and customers should use a service that can scan all those binaries so that even if your particular antivirus isn't catching it, maybe the other one will."
Henry, from Lumension, argues that many machines are not adequately protected because we are relying on failed technologies that are erroneously considered to be a best practice.
"Firewalls are another example," he said. "For the last 20 years, we've used things like port-centric firewalls. If they wanted to block somebody from going to the Internet, we would block port 80. So, that just means the bad guys need to reconfigure their software to use port 79 because they left port 79 open."
Henry suggests that enterprises move towards a positive model for security in which they identify what is allowed to run, as opposed to a negative model for security in which they identify what is not allowed to run -- as is the case with antivirus.
"In a white-listing environment you have to approve a given piece of software, or even a script, to run in this environment," he said. "Beyond that, you also have to validate that nothing is changed with that piece of software. In other words, the signature for that software needs to be trusted. If it's not trusted, then it's not allowed to run. It's more work to deploy software in an environment like this. The administrative burden is a lot higher than just turning on antivirus. But, the level of security is much improved."
Henry added that, despite his point of view, the market for antivirus products will remain strong because AV technology is typically required by standards bodies. "If they went out and just did white listing, they would be non-compliant," he said.
"I'm not saying throw away antivirus," Henry added. "I'm saying complement antivirus with white listing. It's simply a smarter way to go."
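The positive model Henry describes can be illustrated with a minimal allowlist enforcer: a binary runs only if it was explicitly approved and still hashes to the value recorded at approval time. This is an added example, not code from Lumension or from the article; the file names and the tampering scenario are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def approve(paths):
    """Build the allowlist: an administrator explicitly approves each binary and
    its current hash is recorded as the trusted value."""
    return {os.path.abspath(p): sha256_file(p) for p in paths}


def decide(path, allowlist):
    """Positive model: default deny. A file may run only if it was approved AND
    still hashes to the approved value (i.e. nothing changed since approval)."""
    key = os.path.abspath(path)
    if key not in allowlist:
        return False, "not on allowlist"
    try:
        actual = sha256_file(key)
    except OSError:
        return False, "cannot read file"
    if actual != allowlist[key]:
        return False, "modified since approval"
    return True, "approved and unchanged"


def run_scenario():
    """Constructed scenario: one approved script, one approved script that is
    changed after approval, and one script nobody approved."""
    d = tempfile.mkdtemp()
    approved = os.path.join(d, "backup.sh")
    tampered = os.path.join(d, "update.sh")
    unknown = os.path.join(d, "dropper.sh")
    with open(approved, "w") as f:
        f.write("#!/bin/sh\ntar czf /backup/home.tgz /home\n")
    with open(tampered, "w") as f:
        f.write("#!/bin/sh\napt-get update\n")
    allowlist = approve([approved, tampered])

    # Simulate a post-approval change to an approved binary.
    with open(tampered, "a") as f:
        f.write("echo changed\n")
    # A file that was never approved at all.
    with open(unknown, "w") as f:
        f.write("#!/bin/sh\necho hi\n")

    results = {}
    for p in (approved, tampered, unknown):
        allowed, reason = decide(p, allowlist)
        results[os.path.basename(p)] = (allowed, reason)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenario().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({why})")
```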

Meanwhile, Cameron Camp, a security researcher with AV vendor ESET, says that antivirus might not solve the complete needs of IT security, but it is one more component in a strategy of defense in depth.
"Endpoint security is not a silver bullet, but that does not mean that you shouldn't put a lock on your front door," he said. "You really have to get inside the mind of this kind of attacker and understand what it is that they are after. Look for uncharacteristic exfiltration -- especially exfiltration that peaks during non-business hours that are probably business hours in the country to which the data is going."
Camp points to IDS and IPS devices as an important component in defense in depth. "Most people don't need super-fast deep packet inspection. But, even less expensive IDS and IPS devices provide a level of security, just like endpoint products provide a level of security. By having these sprinkled throughout your environment, you stand a vastly superior chance of detecting problems and collecting evidence. You want to demonstrate that you've done due diligence, and that goes very far with investors."
PUBLISHED OCT. 3, 2012 "


QR code: A new frontier in mobile attackability


"A single poisoned link is all it takes to expose an entire organization to a full-scale attack.

Hackers write sophisticated browser-based attacks that operate quite stealthily. Now, they're going after our mobile phones, which are soon to be the number one way we access the web.

As QR codes have evolved, they now can offer users – and thieves – unlimited information within seconds of scanning.

And we scan them voluntarily.

We've already been trained to think twice before entering an unknown link we get from a stranger or even a friend, but almost anyone will scan an unknown QR code with a smartphone or a tablet, if the offer it's embedded in looks tempting enough.

The experiment

Over a three-day security conference in London, I created a small poster featuring a big security company's logo and the sentence "Just Scan to Win an iPad." Thousands of people walked by, no one asked where the sign came from, and no one took it down, not even a representative of the company featured on the sign.

The results: 455 people scanned the sign and browsed the link over the three days. The breakdown: 142 iPhone users, 211 Android users, 61 Blackberry, and 41 unknown browsers. Remember, this was a conference for security professionals.

As I'm a nice guy fighting for the right side, the QR code simply linked to a web page featuring a smiley face. If I had decided to include malware or a poisoned-URL attack based on multiple mobile smartphone browsers, I wonder whose phone I would have penetrated.

To make a long story short: QR codes are becoming more and more prevalent. And most of us don't have the same AV or URL filtering technology on our phones or tablets that we have on our PCs.

The question is: Can we really fully trust the QR codes we see on the streets, in restaurants, or in ads? Regretfully, the answer is no.

Any attacker can take advantage of QR codes. And remember, unlike computers, most mobile devices do not include antivirus solutions to protect us against mobile malware.

Think before you scan.

  • Does this QR code seem to come from a reliable source?
  • After scanning the QR code and seeing the link, is the link really from whom it claimed to be?
  • Would I click on this link if it came through my email?
Even if you miss out on the iPad or the free ice cream cone, you're probably better off."
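The three questions above can be turned into an automated check on the URL decoded from a QR code: does the host really belong to the brand on the poster, or does it only look like it? This is an added example, not part of the original post; the brand domain, the shortener list and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed list of well-known shortener hosts; a real deployment would keep
# this in configuration and extend it.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}


def under_domain(host, expected_domain):
    """True only if host is expected_domain itself or a subdomain of it."""
    return host == expected_domain or host.endswith("." + expected_domain)


def assess_qr_url(raw, expected_domain):
    """Check a URL decoded from a QR code against the brand the poster claims
    to come from. Returns (verdict, findings); an empty findings list means
    nothing looked off."""
    findings = []
    parts = urlsplit(raw.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        findings.append("not HTTPS")

    if not host:
        findings.append("no host in URL")
        return "suspicious", findings

    if parts.username or parts.password:
        # "https://brand.example@evil.test/" shows the brand but goes elsewhere.
        findings.append("credentials in URL: real host is " + host)
    if host in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    if host.replace(".", "").isdigit():
        findings.append("raw IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        findings.append("internationalised hostname (possible look-alike characters)")
    if not under_domain(host, expected_domain):
        if expected_domain in host:
            # brand.example.evil.test: the brand is a prefix, not the owner.
            findings.append(f"'{expected_domain}' embedded in unrelated host {host}")
        else:
            findings.append(f"host {host} is not under {expected_domain}")

    return ("ok" if not findings else "suspicious"), findings


if __name__ == "__main__":
    # Constructed sample links as a scanner app might decode them.
    for link in ("https://promo.acme.example/win",
                 "http://acme.example.evil.test/win",
                 "https://acme.example@evil.test/",
                 "https://bit.ly/2xyz"):
        verdict, why = assess_qr_url(link, "acme.example")
        print(link, "->", verdict, why)
```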

Aug 10, 2012

Virtual Keyboard


I’ve just realized there’s actually a significant number of online banking sites using virtual keyboards as part of the authentication process for the bank's customers. So, instead of using your keyboard to enter the password, a virtual keyboard appears on the screen where the user is FORCED to enter his/her credentials by clicking on the virtual keys. And just to add some more security, every time you click on one of the virtual keys the positions of the virtual keys on the keyboard are shuffled randomly (I’m assuming this is present to thwart an attack where the keylogger malware is also logging the mouse click positions as well).
I’ll go over the claimed security advantage that a virtual keyboard prevents spyware (such as a keylogger) from recording your password when you’re typing it. Since the user is clicking the mouse over random areas of the screen, the attacker will not be able to determine what the keys are. If the scenario here is to protect against a keylogger device (i.e. a hardware keylogger), then this might be true. But keep in mind that most keyloggers come in the form of malware infecting your computer. That is, they are just another piece of software installed on your system. If the attacker is able to install a keylogger on your system, what is to stop the attacker from installing another piece of software that simply takes screen captures once you’re on an e-banking site?
Sometimes it is a given that you’ll be trading off some usability in return for extra security.  We just need to make sure that the trade-off is worth it.
The trade off here is in the convenience of entering the password.  It goes without saying that it is easier for a user to type a string in a field than use a mouse to click on a virtual keyboard.
I’ve enrolled in one of the online banking services where a virtual keyboard is required.  I have to say it is not the most pleasant experience in terms of data entry.  Naturally, I try to complicate the banking password a bit to protect against password guessing (Of course I usually try to apply some of the concepts I wrote about here but online banks usually impose a limit on what you can enter as a password).  In any case, entering the password using a virtual keyboard takes a long time (sometimes close to 30 seconds or even more), especially when you have to hit the shift key multiple times.  Also, since the password is masked when I’m typing it, I can’t really verify whether or not I’m entering the right thing.  The randomization of the positions of the virtual keys every time I click on the mouse further increases the error rate.  More than I would like, I find myself having to re-enter the password because I have entered the wrong value.
There might even be a chance that we’re actually less secure when using a virtual keyboard. Since the clicks on the screen are visible, you’re basically risking shoulder surfing in a public place. It is very easy for a passer-by to look at the screen and take a glance at what you’re entering. Banks do not usually allow long passwords, so it is probably within reach of a shoulder surfer’s memory.
I would just say the trade-off is just not worth it.  I haven’t really seen a statistic that discloses the number of victims of keylogging malware.  Even if a statistic existed, a key logging malware can easily be transformed into one that captures screenshots.
One would think there are other, more effective ways of protecting bank customers from keyloggers. For starters, customers might want to avoid using public computers. Maybe the bank itself should check whether the customer is accessing the e-banking site from a familiar location/browser and, if not, enforce a further authentication barrier. As for virtual keyboards, all they seem to do is make it more difficult for a legitimate user to access the site.
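The location/browser check suggested at the end can be sketched as a small risk engine that compares each login with the customer's own history and decides whether to step up authentication. This is an added example, not from any bank or from the original post; the signals, weights, thresholds and sample logins are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Two logins from different countries closer together than this are treated as
# physically implausible ("impossible travel"). Constructed value.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)


class LoginRiskEngine:
    """Decide per login whether the bank should let the customer in, demand a
    further authentication step, or block and alert. Weights are illustrative."""

    WEIGHTS = {
        "first_login": 1,        # no history yet: verify once, then learn
        "new_browser": 1,        # unfamiliar browser family
        "new_country": 2,        # unfamiliar location
        "impossible_travel": 3,  # different country within the travel window
    }

    def __init__(self):
        # user -> list of (timestamp, country, browser) for successful logins
        self.history = defaultdict(list)

    def record(self, user, ts, country, browser):
        """Call after a login has been fully verified so it becomes 'familiar'."""
        self.history[user].append((ts, country, browser))

    def assess(self, user, ts, country, browser):
        past = self.history[user]
        reasons = []
        if not past:
            reasons.append("first_login")
        else:
            if country not in {c for _, c, _ in past}:
                reasons.append("new_country")
            if browser not in {b for _, _, b in past}:
                reasons.append("new_browser")
            last_ts, last_country, _ = max(past, key=lambda r: r[0])
            if last_country != country and abs(ts - last_ts) < IMPOSSIBLE_TRAVEL_WINDOW:
                reasons.append("impossible_travel")

        score = sum(self.WEIGHTS[r] for r in reasons)
        if score == 0:
            action = "allow"
        elif score < 3:
            action = "step_up"        # e.g. one-time code to a registered channel
        else:
            action = "block_and_alert"
        return action, score, reasons


if __name__ == "__main__":
    engine = LoginRiskEngine()
    t0 = datetime(2012, 8, 10, 9, 0)
    engine.record("alice", t0, "GB", "Firefox")
    for when, country, browser in [(t0 + timedelta(days=1), "GB", "Firefox"),
                                   (t0 + timedelta(days=1), "GB", "Chrome"),
                                   (t0 + timedelta(minutes=30), "FR", "Firefox")]:
        print(country, browser, "->", engine.assess("alice", when, country, browser))
```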

"Gauss malware: Nation-state cyber-espionage banking Trojan related to Flame, Stuxnet"


Kaspersky Lab researchers have discovered a “complex cyber-espionage toolkit” called Gauss which is a nation-state sponsored malware attack “closely related to Flame and Stuxnet,” but blends nation-state cyber-surveillance with an online banking Trojan. It can steal “access credentials for various online banking systems and payment methods” and “various kinds of data from infected Windows machines” such as “specifics of network interfaces, computer’s drives and even information about BIOS.” It can steal browser history, social network and instant messaging info and passwords, and searches for and intercepts cookies from PayPal, Citibank, MasterCard, American Express, Visa, eBay, Gmail, Hotmail, Yahoo, Facebook, Amazon and some other Middle Eastern banks. Additionally Gauss “includes an unknown, encrypted payload which is activated on certain specific system configurations.”
“Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation,” Kaspersky wrote. “The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload.” The malware copies itself onto any clean USB inserted into an infected PC, then collects data if inserted into another machine, before uploading the stolen data when reinserted into a Gauss-infected machine.
The main Gauss module is only about 200k, which is one-third the size of the main Flame module, but it “has the ability to load other plugins which altogether count for about 2MB of code.” Like Flame and Duqu, Gauss is programmed with a built-in time-to-live (TTL). “When Gauss infects an USB memory stick, it sets a certain flag to ‘30’. This TTL flag is decremented every time the payload is executed from the stick. Once it reaches 0, the data stealing payload cleans itself from the USB stick.” Kaspersky Lab senior malware researcher Roel Schouwenberg said, "It may have been built with an air-gapped network in mind."
There were seven domains being used to gather data, but the five Command & Control (C&C) servers went offline before Kaspersky could investigate them. International Business Times has already laid the blame for creating Gauss at the feet of the U.S. and Israeli governments. Kaspersky said, “We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.” Kaspersky also reported that it’s “hard to believe that a nation state would rely on such techniques to finance a cyber-war/cyber-espionage operation.”
So far Gauss has infected more than 2,500 systems in 25 countries, with the majority, 1,660 infected machines, being located in Lebanon. The researchers believe Gauss started operating around August-September 2011. “After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories.’ All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of ‘sophisticated malware’.” You can read more about the “abnormal distribution” on the Kaspersky blog and in the full technical paper [PDF].
Meanwhile, FinFisher lawful intercept malware, used by government organizations for intelligence and surveillance activities, was discovered in the wild and analyzed by Rapid7. Gamma International claimed it didn’t sell its FinFisher spyware to Bahrain even though Bahrain activists were targeted. Instead the company suggested it might be a “demonstration copy of the product stolen from Gamma and used without permission.” Bloomberg then reported that the FinFisher spyware, which can secretly monitor computers, intercept Skype calls, turn on Web cameras and record every keystroke, has now spread to five continents.
After an in-depth analysis of the “governmental malware,” Rapid7’s Claudio Guarnieri concluded, "The malware seems fairly complex and well protected/ obfuscated, but the infection chain is pretty weak and unsophisticated. The ability to fingerprint the C&C was frankly embarrassing, particularly for malware like this. Combined, these factors really don’t support the suggestion that thieves refactored the malware for black market use. That said, once any malware is used in the wild, it's typically only a matter of time before it gets used for nefarious purposes.”
According to CitizenLab's research and WikiLeaks cables, the following should be the supported features:
  • Bypassing of 40 regularly tested Antivirus Systems
  • Covert Communication with Headquarters
  • Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
  • Recording of common communication like Email, Chats and Voice-over-IP
  • Live Surveillance through Webcam and Microphone
  • Country Tracing of Target
  • Silent extracting of Files from Hard-Disk
  • Process-based Key-logger for faster analysis
  • Live Remote Forensics on Target System
  • Advanced Filters to record only important information
  • Supports most common Operating Systems (Windows, Mac OSX and Linux)
There is also an increase in other multi-platform malware infections, such as the ethically questionable backdoor monitoring tools (“virtual force” for remote searches) sold to law enforcement and intelligence agencies. Russian anti-virus firm Dr. Web discovered a Trojan that could control Mac and Windows machines and dubbed it ‘Crisis’. F-Secure found it lurking in a Colombian transport website. It would "check if the user's machine was running in Windows, Mac or Linux and then download the appropriate files for the platform." It has been called DaVinci/Morcut/Crisis/Flosax, but it's definitely a commercial espionage Trojan sold by the Italian company Hacking Team, which just happens to be a Gamma/FinFisher competitor. Hacking Team also brags of being able to get around encryption and specializes in selling services that allow intelligence agencies to monitor 100,000 targets at a time.
Last but not least of things to worry about on the cyber horizon, there is Rakshasa a “perfect, persistent and undetectable hardware backdoor.”

"FinFisher Spyware Reach Found on Five Continents: Report"


The FinFisher spyware made by U.K.-based Gamma Group likely has previously undisclosed global reach, with computers on at least five continents showing signs of being command centers that run the intrusion tool, according to cybersecurity experts.
FinFisher can secretly monitor computers -- intercepting Skype calls, turning on Web cameras and recording every keystroke. It is marketed by Gamma for law enforcement and government use. 
Research published last month based on e-mails obtained by Bloomberg News showed activists from the Persian Gulf kingdom of Bahrain were targeted by what looked like the software, sparking a hunt for further clues to the product’s deployment. 
In new findings, a team, led by Claudio Guarnieri of Boston-based security risk-assessment company Rapid7, analyzed how the presumed FinFisher samples from Bahrain communicated with their command computer. They then compared those attributes with a global scan of computers on the Internet. 
The survey has so far come up with what it reports as matches in Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar and the U.S. 
Guarnieri, a security researcher based in Amsterdam, said that the locations aren’t proof that the governments of any of these countries use Gamma’s FinFisher. It’s possible that Gamma clients use computers based in other nations to run their FinFisher systems, he said in an interview. 
“They are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure,” he wrote in his report, which Rapid7 is publishing today on its blog at https://community.rapid7.com/community/infosec/blog. 
The emerging picture of the commercially available spyware’s reach shines a light on the growing, global marketplace for cyber weapons with potential consequences. 
“Once any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes,” Guarnieri wrote in his report. “It’s impossible to keep this kind of thing under control in the long term.” 
In response to questions about Guarnieri’s findings, Gamma International GmbH managing director Martin J. Muench said a global scan by third parties would not reveal servers running the FinFisher product in question, which is called FinSpy. 
“The core FinSpy servers are protected with firewalls,” he said in an Aug. 4 e-mail. 
Muench, who is based in Munich, has said his company didn’t sell FinFisher spyware to Bahrain. He said he’s investigating whether the samples used against Bahraini activists were stolen demonstration copies or were sold via a third party. 
Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio. 
Muench says that Gamma complies with the export regulations of the U.K., U.S. and Germany. 
It was unclear which, if any, government agencies in the countries Guarnieri identified are Gamma clients. 
A U.S. Federal Bureau of Investigation spokeswoman in Washington declined to comment. 
Officials in Ethiopia’s Communications Ministry, Qatar’s foreign ministry and Mongolia’s president’s office didn’t immediately return phone calls seeking comment or respond to questions. Dubai’s deputy commander of police said he has no knowledge of such programs when reached on his mobile phone.
Australia’s department of foreign affairs and trade said in an e-mailed statement it does not use FinFisher software. A spokesman at the Czech Republic’s interior ministry said he has no information of Gamma being used there, nor any knowledge of its use at other state institutions. 
Violating Human Rights? 
At Indonesia’s Ministry of Communications, head of public relations Gatot S. Dewa Broto said that to his knowledge the government doesn’t use that program, or ones that do similar things, because it would violate privacy and human rights in that country. The ministry got an offer to purchase a similar program about six months ago but declined, he said, unable to recall the name of the company pitching it. 
The Estonian Information Systems Authority RIA has not detected any exposure to FinSpy, a spokeswoman said. Neither has Latvia’s information technologies security incident response institution, according to a technical expert there. 
Bloomberg News reported July 25 that researchers believe they identified copies of FinFisher, following an examination of malware e-mailed to Bahraini activists. Their work, led by security researcher Morgan Marquis-Boire, was published the same day by the University of Toronto Munk School of Global Affairs’ Citizen Lab. 
The new study builds on those findings, using the same samples of malicious software. 
Guarnieri’s study found, among other things, that the Bahrain server answered anyone connecting to it with the message, “Hallo Steffi.” 
The investigators then found this pattern in other computers by searching data from an Internet survey research project, Critical.IO, which has been cataloging publicly accessible computers around the world. 
The researchers then developed a map that shows the location of the servers, along with their unique IP addresses on the Internet. 
Gamma’s Muench said none of its server components sends out strings such as “Hallo Steffi.” 
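From a defender's side, the “Hallo Steffi” banner described above is the kind of indicator a SOC would match against its own records of server responses, to find internal hosts that talked to a server behaving that way. The following is an added example, not Rapid7's code; it runs over constructed sensor log lines, and the log format (timestamp, source, destination, port, first bytes of the server reply) is assumed.

```python
import re
from collections import defaultdict

# Constructed sensor log lines, NOT real captures:
#   ts,src,dst,dport,banner  (banner = first bytes the server sent back)
SAMPLE_LOG = """\
2012-08-05T09:12:01Z,10.0.0.14,203.0.113.7,443,220 mail.example ESMTP
2012-08-05T09:12:44Z,10.0.0.22,198.51.100.9,80,HTTP/1.1 200 OK
2012-08-05T09:13:10Z,10.0.0.22,192.0.2.55,443,Hallo Steffi
2012-08-05T11:40:03Z,10.0.0.31,192.0.2.55,443,Hallo Steffi
2012-08-05T13:02:57Z,10.0.0.14,192.0.2.55,8080,hallo   steffi
"""

# Banner indicators to look for. The first is the string the article reports
# for the presumed FinFisher server; add others from your own intelligence.
BANNER_IOCS = {
    "Hallo Steffi": "presumed FinFisher/FinSpy server banner (Rapid7 report)",
}


def normalise(text):
    """Collapse whitespace and case so trivial variations still match."""
    return re.sub(r"\s+", " ", text.strip()).casefold()


def parse_line(line):
    ts, src, dst, dport, banner = line.split(",", 4)
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "banner": banner}


def match_banner(banner):
    """Return (ioc, description) if any known banner appears in the reply."""
    b = normalise(banner)
    for ioc, desc in BANNER_IOCS.items():
        if normalise(ioc) in b:
            return ioc, desc
    return None


def detect(log_text):
    """One alert per destination, summarising every internal host that reached
    it, the ports used and the first/last time it was seen."""
    alerts = defaultdict(lambda: {"ioc": None, "description": None,
                                  "hosts": set(), "ports": set(),
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hit = match_banner(rec["banner"])
        if hit is None:
            continue
        a = alerts[rec["dst"]]
        a["ioc"], a["description"] = hit
        a["hosts"].add(rec["src"])
        a["ports"].add(rec["dport"])
        # ISO-8601 timestamps in one format sort correctly as strings.
        a["first"] = rec["ts"] if a["first"] is None else min(a["first"], rec["ts"])
        a["last"] = rec["ts"] if a["last"] is None else max(a["last"], rec["ts"])
    return dict(alerts)


if __name__ == "__main__":
    for dst, a in detect(SAMPLE_LOG).items():
        print(f"{dst}: {a['ioc']!r} ({a['description']}); hosts={sorted(a['hosts'])} "
              f"ports={sorted(a['ports'])} first={a['first']} last={a['last']}")
```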
The earlier Citizen Lab research linked the malware sent to the activists to FinSpy, part of the FinFisher spyware tool kit. 
The Citizen Lab research showed the malware took screen shots, intercepted voice-over-Internet calls and transmitted a record of every keystroke to a computer in Manama, the capital of Bahrain, which has been gripped by tension since a government crackdown on protests last year. 
Muench said the computer found in Manama isn’t a FinFisher product. Instead, the server very likely runs custom-built software used to forward traffic between two or more other systems, he said.

Jul 29, 2012

Could Your Blog Cause You Big Problems?



Blogging has become so common that it seems as if everyone is at it. It is not hard to see why – it is a cheap, easy way to connect with people, and anyone can do it. Blogs are read by millions across the world. In Britain, more than half of people who use the internet spend some of their time reading blogs. Everyone, from teenagers killing time in their bedrooms, to multi-national corporations, has got in on the blogging act.


There is nothing wrong with that, of course. Blogging is engaging and informative for readers. However, it is not always safe. Inevitably, the growing popularity of blogging has meant that it has attracted the attention of people up to no good, as well as those just looking for a good read.
Blog Risks
You probably put a lot of time and energy into your blog – so imagine if a hacker got in, and locked you out? Once in, there are several things they might want to do. If it is a business blog, they might be keen to embarrass you by posting inappropriate material. They might look to steal personal information from you and others who access the blog. They might mercilessly spam your readers, or just use your blog to link to their own site to get themselves more hits. The more popular your blog, the more likely you are to be targeted. If you do not know how to protect yourself, it is time to find out.
Staying Safe
There are a few things you should do to keep your blog safe from hackers. Remember that if anyone else has access to the blog, they immediately become a security risk, as they might take risks that you would not. Make sure they work to keep your blog safe too. Choose a unique, strong password for your blog and any email accounts associated with it, and change them regularly. Make sure you have good virus protection, and do your research when choosing a hosting service – not all have the same commitment to virus protection that you might. Finally, do not allow spam comments; as well as looking bad, the links in them can point to malware. Do all that, and whilst you cannot be sure your blog is safe, you can rest assured that it will be much safer than it would have been if you’d done nothing.

Security Predictions for 2012

LiveEnsure™

"The Top 5 Auth Predictions for 2012"

Confident Technologies of San Diego predicted these five things were going to happen in 2012 with respect to security and authentication. You can read their entire post here:
 

It's roughly halfway through the year and we thought it was a good time to review these predictions about authentication security and see if they have (or will) come true or not. What do you think? Let us know your thoughts on Twitter @liveensure.
 
Prediction #1:  BYOD (bring your own device) will spell big trouble for businesses in terms of data loss in 2012.
 
Is it risky to use your mobile device for security?  Smart solutions are clever enough to turn any BYOD risk into a positive, cost-saving security weapon for trust. By embracing the pervasiveness of mobile devices and leveraging their unique characteristics for secure, private user authentication, an innovative solution such as LiveEnsure® affords businesses, web sites and applications the ability to strengthen user security and immunize against data loss in the face of this growing trend.
 
Prediction #2:  There will be a large data breach which will finally cause organizations across many industries to realize they cannot rely solely on passwords to protect user accounts.
 
Absolutely. Relying upon the user to manage their authentication security has been the failure of many products, providers and solutions in the past. The most egregious example of this is when sites and networks employ just a simple username and password for user access security.  A solution like LiveEnsure® which exploits natural factors (device, session, context) vs. man-made or recalled factors provides the strongest, simplest,  elegant and cost-effective way for businesses to “fix” the existing user login gap across websites, applications and services. Sites and apps merely mashup the service with their existing login process, while users simply leverage their smart device in a private and seamless way to enforce and protect their identity online. Unlike traditional solutions, there are no passwords, SMS messages, cookies, certificates, secret images, JavaScript, tokens or dongles with LiveEnsure®.
 
Prediction #3 Targeted variations of Zeus-in-the-Mobile style attacks will grow.
 
The hackers are always busy. Key-loggers, screen-scrapers, trojans, viruses and traditional social engineering hacks rely upon the user personally transmitting their private credentials either on-screen or via the keyboard. Existing multi-factor authentication solutions rely upon user skill to protect private information when taking it from the secure channel (i.e. out-of-band, their own recollection) and placing it back into the vulnerable “channels” of the browser, keyboard or existing communication paths where hackers are waiting to capture it. LiveEnsure® revolutionizes that flow by taking authentication information from the insecure channel and verifying it in an external secure channel through a mechanism called triangulation. Hackers are unable to see, capture and replay security login information when LiveEnsure® is used to protect the authentication process.
 
Prediction #4: Smart devices will enable smart authentication via image-based authentication, biometrics and more.
 
There is nothing unique about mobile devices that makes their biometric or image-based authentication techniques any more effective, secure, impervious, immutable or private than they were before on the desktop or other proprietary devices. They just make them more pervasive. Is that a good thing? LiveEnsure® leverages the unique and powerful capabilities of smart mobile devices without adopting the inherent privacy risks often associated with them. LiveEnsure® is able to provide hack-proof authentication for users, sites and apps via line-of-sight authentication. LiveEnsure® proves the user is who they are, where they are and when they are - without any of the privacy risks associated with NFC (near field communication), cookies, certificates, out-of-band messages, special on-screen encoded values and browser-based Javascript fingerprint harvesting and transmission. LiveEnsure® is a blue-water innovation in a sea of red-water challenges with respect to user and device authentication.
 
Prediction #5: Retailers and mobile payment providers will lead the adoption of new mobile authentication techniques in 2012.
 
Authentication is for everyone. LiveEnsure® recognizes that user trust and defense-in-depth security measures are no longer reserved for major corporations, top-tier websites and expensive applications and networks. Usable security is a right and a requirement for all who participate online, whether via mobile commerce and gaming, social networks or private user-to-user chats, messaging and information exchange. Strength, simple deployment, lower cost and elegant usability are the key factors for ensuring market and customer adoption of any authentication solution. LiveEnsure® provides those benefits tailored to the safe, high-volume, low-barrier user experience so critical to the satisfaction with and success of online businesses, services and applications.
 
If you don't believe us, simply grab your iPhone, iPad, Android or Windows Mobile device and try it now at http://experience.liveensure.com. In addition, we invite you to follow us on Twitter and Facebook for the latest updates and news from LiveEnsure®.

Jun 7, 2012

Were you "Flamed" ?

Flame Attackers Used Collision Attack to Forge Microsoft Certificate


The attackers behind the Flame malware used a collision attack against a cryptographic algorithm as part of the method for gaining a forged certificate to sign specific components of the attack tool. Microsoft officials said on Tuesday that it's imperative for customers to install the update issued for the problem on Sunday, as it's possible for other attackers to exploit the same vulnerability without using the collision attack.
Cryptographic hash algorithms are designed so that no two different inputs produce the same output. If an attacker can find two separate inputs that hash to the same value, he has found a collision. Two of the more widely used hash algorithms, MD5 and SHA-1, have both been shown to be vulnerable to collisions. SSL certificates, like the one the Flame attackers forged to sign the malware, carry digital signatures that are computed over a hash of the certificate contents rather than the contents themselves, which is why a collision in that hash can undermine the signature.
Microsoft officials said that there is still quite a bit of danger to customers, outside of the Flame malware itself.
"The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack," said Mike Reavey of the Microsoft Security Response Center.
The Flame attackers used the forged Microsoft digital certificate to perform a man-in-the-middle attack against victims, impersonating the Windows Update mechanism and installing malicious code instead. Reavey said Microsoft is preparing to change the way that Windows Update works in response to the attack.
"To increase protection for customers, the next action of our mitigation strategy is to further harden Windows Update as a defense-in-depth precaution. We will begin this update following broad adoption of Security Advisory 2718704 in order not to interfere with that update’s worldwide deployment. We will provide more information on the timing of the additional hardening to Windows Update in the near future," Reavey said.
The possibility of attacks against Windows Update has been a serious concern for Microsoft officials and customers for many years, but no real-world attack had surfaced until the details of the Flame mechanism emerged. The way the Flame attackers used their forged certificate was notable: they stood up a fake update server inside an organization that had already been compromised and then pushed the malicious code from it to other machines, spreading the malware.
The way that Flame spread among machines had been a mystery until researchers discovered the use of the forged certificate.
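The collision-to-forgery step described above, as an added example that is not part of the original article or of any Microsoft code: a hash-then-sign scheme in Python in which the "signature" is an HMAC under a secret key standing in for an issuer's private key, and a deliberately tiny 16-bit digest (`weak16`, truncated SHA-256) stands in for a broken hash such as MD5. A birthday-style search finds two distinct inputs with the same weak digest; a signature made over one of them then verifies for the other, which is the same property the Flame attackers exploited against MD5 at vastly greater computational cost. The `enforce_policy` path shows the defender's check: refuse any signature whose hash algorithm is not on an allow-list before looking at the signature at all. All keys, labels and function names here are constructed for the example.

```python
"""
Hash-then-sign, and why a hash collision transfers a signature.

Added example, not code from the original article. The "signature" is an
HMAC under a secret key standing in for a private-key signature (an
assumption made to keep the block self-contained); the 16-bit "weak16"
digest is a constructed stand-in for a broken hash such as MD5.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

# Hash functions known to the signer/verifier. weak16 is deliberately tiny
# so that a collision can be found in milliseconds.
HASHES: Dict[str, Callable[[bytes], bytes]] = {
    "sha256": lambda m: hashlib.sha256(m).digest(),
    "weak16": lambda m: hashlib.sha256(m).digest()[:2],
}

# Hardened policy: only hashes still considered collision-resistant.
ALLOWED_HASHES = {"sha256"}

SIGNING_KEY = b"demo-signing-key"  # constructed; stands in for an issuer's private key


def sign(message: bytes, hash_name: str, key: bytes = SIGNING_KEY) -> bytes:
    """Hash-then-sign: the signer commits only to H(message), never to message."""
    digest = HASHES[hash_name](message)
    return hmac.new(key, hash_name.encode() + b"|" + digest, hashlib.sha256).digest()


def verify(message: bytes, hash_name: str, signature: bytes,
           key: bytes = SIGNING_KEY, enforce_policy: bool = False) -> bool:
    """Recompute the signature over H(message) and compare in constant time.

    With enforce_policy=True the verifier rejects any hash not in
    ALLOWED_HASHES before examining the signature at all.
    """
    if enforce_policy and hash_name not in ALLOWED_HASHES:
        return False
    expected = sign(message, hash_name, key)
    return hmac.compare_digest(expected, signature)


def find_collision(hash_name: str, table_size: int = 4096,
                   max_tries: int = 200000) -> Optional[Tuple[bytes, bytes]]:
    """Birthday-style search: two distinct inputs with the same H() value.

    Inputs carry constructed labels so the pair reads as two different
    templates; any distinct byte strings would do.
    """
    h = HASHES[hash_name]
    seen: Dict[bytes, bytes] = {}
    for i in range(table_size):
        m = b"benign-template-%d" % i
        seen[h(m)] = m
    for j in range(max_tries):
        m = b"other-template-%d" % j
        d = h(m)
        if d in seen and seen[d] != m:
            return seen[d], m
    return None


def demo() -> Dict[str, bool]:
    """Sign one input, then check whether the signature transfers to the other."""
    pair = find_collision("weak16")
    assert pair is not None
    benign, other = pair
    sig = sign(benign, "weak16")
    return {
        "legit_verifies": verify(benign, "weak16", sig),
        "forgery_transfers": verify(other, "weak16", sig),
        "hardened_rejects_weak": not verify(other, "weak16", sig, enforce_policy=True),
        "hardened_rejects_legit_weak": not verify(benign, "weak16", sig, enforce_policy=True),
        "sha256_no_transfer": not verify(other, "sha256", sign(benign, "sha256")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the hardened verifier also rejects the legitimately signed input once it was signed with the weak hash: once an algorithm is known to be broken, a verifier cannot tell a genuine signature from a transferred one, so the policy has to be all-or-nothing at the algorithm level rather than per certificate.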

May 20, 2012

Resilient is the New Secure


"Resilient is the new secure - the evolution of business-relevant thinking
Every 10 years or so, technology undergoes a shift so fundamental that it changes the way we work, think, and behave. The last couple of shifts in technology brought us the personal computer, the Internet, the mobile revolution, and now the move to elastic (cloud) computing. The shifts in technology have caused shifts in the way organizations and individuals think about security as well, and I believe right now we are at an interesting inflection point which has opened (albeit for a short time) a tremendous opportunity. Security professionals have a limited opportunity to make sizeable changes in the way we behave and impact the businesses we serve ... the question is, can we recognize this opportunity and execute on it?

Essentially, can we get out of our own way long enough to become meaningful?

A few months ago, as I was writing slides for a conference I was speaking at and reviewing my deck, I realized that I was stuck. Everything was based around the idea that security was a goal ... when I really didn't believe it, and I got the feeling my audience wouldn't either. Then, like Newton's apple, it hit me. I went through my slides and did a simple search and replace for security -> resilience. Think about it for a second.

Security as a topic is very limiting with corporate audiences. Obviously you and I care about security ... but the same level of passion doesn't extend into the business world, where the goal is, not surprisingly, to grow the business. In the last 4 years here, I can count on one hand the number of organizations we've presented to where security was one of the organization's core goals. Rightly so - good security should be a component of what makes the organization successful, but you can't expect 'security' to be a core goal.

Resiliency, on the other hand, speaks to core business needs much better than security ever could. Resiliency speaks to availability, incident response, business continuity and disaster recovery, and security all rolled into one. Resiliency is a measure of preparedness against failure - a component of which is security. I'm starting to think I should have changed my vocabulary years ago.

What does my lightbulb moment about resiliency have to do with the shift in technology we're undergoing right now? I believe it's the key to engaging in the new technology landscape.

For example ... cloud computing presents new capabilities in resiliency - from failure, from attack, and from general disaster. What could have been a failed conversation about securing the cloud can be a successful conversation about making your business more resilient through the move to cloud computing. Maybe it's just a subtle change in terminology, but it's making a difference in the conversations I have and maybe it'll be effective for you.

In fact, I'm going to spend some time writing about Enterprise Resiliency and the components thereof over the next few weeks. I'm curious what you think, and whether you think the simple change in the word we use can make any difference in how 'security' is perceived, understood, and accepted."

Mar 17, 2012

The Rise of "Security as a Service"


The Virtualization of Security and the Rise of Security as a Service

In the same way that the cloud emerged from software virtualization, cloud security can only emerge from the process of virtualizing security itself. Just as virtualization separated software from hardware, allowing enterprise software to move freely first across servers and eventually to external cloud infrastructures, security must now be separated from enterprise applications so that the applications themselves can be replaced with new cloud applications and eventually move to specialized clouds. Enterprises worldwide are already embracing the cloud for email, CRM, file sharing, collaboration, HR and other functional business applications. To properly manage cloud risk and compliance, IT needs a consistent way to inject its own security policy across cloud applications. Since these applications are operated by different cloud providers with different security capabilities, distinct security frameworks and diverse APIs, the security needs to be implemented outside these cloud applications.
That separation or virtualization of application security is the raison d'être of Symantec O3: the creation of a security control point outside the application and under the governance of IT. The cloud security gateway integrates with the legacy security infrastructure, which it fully leverages to externalize application security. In doing so, the cloud security gateway separates the security infrastructure from the application infrastructure. The application software is then free to move to the cloud; the complex security infrastructure does not need to follow it, and all IT security controls remain in place. This approach of security virtualization can be applied to any type of application, internal or external, whether it is running on a private or a public infrastructure. This allows CIOs to morph their cloud strategy over time. An enterprise can start with SaaS and virtualized applications running on a private corporate cloud. These private clouds can then transform into semi-private clouds (virtual private clouds or hybrid clouds). Eventually the whole IT infrastructure for applications can be replaced with public clouds such as IaaS or PaaS. The security infrastructure, on the other hand, can persist, and the same security policies can be enforced. There lies the true benefit of cloud security virtualization: a single security infrastructure independent of the cloud providers.
What happens next? As CIOs become increasingly comfortable with not running the infrastructure, the complex security infrastructure must also go to the cloud. Security becomes its own cloud, and the cloud transformation is complete: first the cloud security gateway, then security infrastructure as a service. Just as virtualization was the catalyst for infrastructure as a service, the application security gateway becomes the catalyst for security as a service.
Could this mean that security companies must become specialized security infrastructure providers? Or is their fate instead to become exclusive arms dealers to enterprise cloud builders? Interestingly, security may well be the only viable answer to the infrastructure commoditization strategy embraced by the likes of Amazon and Google. This fact alone will make it worthwhile watching the enterprise security and infrastructure markets. So let us stay tuned. The security revolution is being televised. In fact, it appears that it will be streamed straight from the cloud.

Feb 10, 2012

From Premium to Chromium security, by Google


Google Paid Out Over $700K For Security Flaw Detections 
Google expanded its Chrome Security Rewards program, which has earned security researchers more than $300,000 in the past two years. The Web app security program is also alive and well, with Google paying out more than $400,000 for that program. 
Google (NASDAQ:GOOG) has paid more than $700,000 to researchers who have detected hundreds of bugs in its Chrome browser and is expanding its security rewards program, the company announced Feb. 9.
Since launching its Chromium Security Rewards Program in January 2010, Google has paid out more than $300,000 of rewards for the detection of hundreds of bugs that posed moderate to critical levels of security threats. 
While the flaw finds have ranged from Windows kernel to Chromium Webkit code, Google thinks the program can do better. 
The company is expanding its program to cover high-severity Chromium OS security bugs. These include renderer sandbox escapes via Linux kernel bugs, memory corruptions or cross-origin issues inside the Pepper Flash plug-in, violations of the verified boot path, and Web or network vulnerabilities in system libraries, daemons or drivers. 
Google is paying a base reward of $2,000 for well-reported, significant cross-origin bugs, such as a Universal XSS flaw. 
Google reserves the right to issue bonuses from $500 to $1,000 on top of base rewards if a bug reporter fixes a bug they find. Security researchers seeking bonuses might work with the Chromium community to produce a peer-reviewed patch. 
Finally, Google wants Chromium OS security reported in the Chromium OS bug tracker, but bugs affecting the desktop Chromium browser should be reported in the Chromium bug tracker. 
Google in 2010 followed its security rewards program with another vulnerability reward program that spurs researchers to detect bugs in Google's Web applications, such as YouTube and Gmail.  
Since this program was launched in November 2010, Google has shelled out more than $410,000 for researchers finding Web application vulnerabilities. Google also donated $19,000 to charities of their choice. 
Since that time, there have been 1,100 bugs hunted—ranging from low to high severity and 730 of which warranted a financial reward. 
In a sign that companies that acquire other companies can get more than they paid for, Google noted that half the bugs that received a reward were detected in software written by approximately 50 companies that Google acquired. The rest were detected in apps written by Google software engineers.   
Chrome has had a busy week. Google just launched Chrome 17 into the stable channel, which included the detection of 20 flaws, for which Google paid $10,500. 
Google also introduced Chrome for Android beta, a mobile version of the mobile app, and revealed its Chrome Screentest to gain more data on Chrome usage.
 Source 
By: Clint Boulton 
Our take: In my opinion, this approach of paying "researchers" to find vulnerabilities pays back highly in the form of improvement in the quality of the browser, and it also saves the company a lot of money. The usual approach of acquiring security companies to include their services as part of a product costs in the range of millions, while these awards combined did not pass 1 million USD. I'm not forgetting here the cost of the in-house engineering team, but still, even if I throw in 5 million in salaries and allowances per annum, it's still a smaller number compared to acquisitions.


Another point to be noted is that the researchers who find the vulnerabilities and report them are of different shades of hackers. This community will add different exploitation perspectives to the pot and stir, with the possibility of supplying the patch for a higher reward. This community does what they love with the possibility that they might get paid for it. It will build brand loyalty and take them away from the other open source browser communities. This approach is smart, cost effective, raises the quality bar higher and increases the competition. For security consultants like myself, it gives me another reason to trust Chrome over other browsers.




Jan 24, 2012

Rise of Printers

Print Me If You Dare - the Rise of Printer Malware


The recent 28th Chaos Communications Congress has produced a number of interesting ideas, but a presentation of two hacks that turned printers into rogue machines was an eye opener for both programmers and IT managers.


In his hour-long talk "Print Me If You Dare", Ang Cui demonstrated two printer hacks that are a clear sign that printers are no longer dumb enough to be ignored as part of the security problem. He showed that it was possible to load a program into the printer by embedding code into a document, or by direct connection to an infected PC. The first exploit downloaded as part of a document and then set the printer up to email any future print jobs to a specified IP address. The second used the printer to scan for vulnerable PCs connected to the same network.



The attacks were all on HP printers and were the fruit of reverse engineering the firmware update mechanism. No doubt other printers could be attacked in the same way. Cui gave HP a month to issue patches to the firmware before making the details public, and in theory the printers targeted should now be secure. However, users should check, because it is possible that a printer that was infected before the patch update will falsely report that it has been updated.

You can see the full presentation here: 


Previously the same exploits were misreported as being able to make a printer operate in such a way as to make it burst into flames or at least overheat. In practice, safety cutouts restrict the damage to singeing a piece of paper.

So it seems exploding printers aren't a real threat but printers that make copies of all of your printed documents and send them to a public website are.

Written by Mike James