Mark Ciampa's Blog (Security+ 3ed)

On Tuesday (Aug 2 2011) the security firm McAfee released a report on "Operation Shady Rat". McAfee describes an operation that has been ongoing since 2006, which has infected 72 U.S. and foreign government agencies, defense contractors and international organizations (such as the U.N., the U.S. International Trade Organization and the World Anti-Doping Agency, but most organizations were not named by McAfee). McAfee says that it was "surprised by the enormous diversity of the victim organizations". The general news media has seized on the event and claimed that it is an "unprecedented" attack of epic proportions. Yet as more information is gleaned it may be that Shady Rat was not all that uncommon. What's missing in the McAfee report is any hard data on what may have been stolen, which organizations were the victims of attacks, and how many computers were involved. Without that data the claims that it is one of the "most sophisticated attacks in history"...

Need some extra pocket money to finish out your summer plans? Well, here's your chance--and in the process you can help reduce worldwide spam. Ever since the Rustock botnet {Chapter 2 Security+ 3ed} was crippled by Microsoft and others using the courts instead of technology (see Mar 19 2011 blog) the amount of spam coming from its zombies has decreased significantly. Yet because there are still hundreds of thousands of Rustock zombies {Chapter 2 Security+ 3ed} still out there, Microsoft has decided to keep the pressure on. In June Microsoft published notices in two Russian newspapers to service as notice to the individuals behind Rustock of the civil lawsuit that has been filed against them. And on Monday (Jul 18 2011) Microsoft maee an even bolder move. They are now offering a quarter of a million dollars for new information that results in the identification, arrest and criminal conviction of the Rustock operators. Microsoft says that "residents of any country are eligible for...

On Tuesday (Jul 12 2011) Microsoft's July Patch Tuesday {Chapter 4 Security+ 3ed} addressed 22 Windows and Office vulnerabilities. One of these was a Bluetooth vulerability in Windows 7 and Vista devices (Windows XP is not affected because it uses an older Bluetooth implementation). Bluetooth {Chapter 4 Security+ 3ed}, although originally designed as a way to replace wires with radio-based technology, has become very popular for connecting wireless keyboards and mice to computers, particularly laptops. This latest vulnerability (based on a memory corruption) could allow an attacker to establish a Bluetooth connection with a computer and transmit malicious data, allowing the attacker to gain access to the system. And this could occur before the user was notified that another computer requested a Bluetooth connection. This means that an attacker in a coffee shop 30 feet (10 meters) away from your computer could launch an attack before you could react. To protect yourself install the Microsoft...

Anyone who has purchased a new computer in the last 20 years has faced the same annoyance: tons of preinstalled software that comes with the system. Most users find themselves spending the first few hours with their new computer deleting this software (or even reformatting the hard drive to install a clean version of the operating system). Now even more devices come preinstalled with something even worse: malware. At a hearing in the U.S. Congress last week, an official with the Department of Homeland Security (DHS) acknowledged that there is a persistent threat of pre-existent malware on computers and other electronic devices imported and sold in the U.S. The problem is that the supply chain for electronic equipment has many stops (product development, manufacturing, assembly, etc.) with numerous middlemen all touching the equipment in locations around the globe. Protecting the security of a device as it moves through the chain is extremely difficult. And it does not include just computer...

The most intriguing security event in 2011 (so far) has been the emergence of a coordinated series of attacks against major large enterprises and government agencies by LulzSec. This may herald a major change in the types of attackers to expect in the future. The backstory from what we know is this: Lulz (a play on LOL or laugh out loud) Security (aka LulzSec) appears to be a small (6 person) group that split off from the larger group Anonymous. Many security researchers believe that Lulz is comprised of highly skilled programmers and creative multimedia artists. Similar (but not identical) to cyberterrorists {Chapter 1 Security+ 3ed}, their claimed ideology is, "We do things just because we find it entertaining." Yet in reality it's not "entertainment". LulzSec's attacks ranged from successfully attacking Sony several times (in retaliation for Sony suing a person for reprogramming his PlayStation 3 gaming console), PBS (for airing a documentary they considered...

How long after software is retired should the developer continue to patch {Chapter 3 Security+ 3ed} it by fixing security vulnerabilities? Microsoft, for example, provides security support for at least 10 years after their software is retired or replaced with a newer version. Yet a decision by Mozilla this week to drop support for its just-retired Firefox 4 has many enterprise users upset. And Mozilla says that's just too bad. Mozilla is releasing new editions of Firefox about every six weeks. The latest version, Firefox 5, was released on Tuesday (Jun 21 2011). Yet Mozilla is dropping any security updates to the previous version Firefox 4 (which has only been out for 3 months) effective immediately. For home users it can be an inconvenience to update that often. Yet for enterprises it can result in much more serious problems. IBM, for example, adopted Firefox as its default browser one year ago and currently has half a million users on Firefox 3.6. They have just completed testing...

USB flash drives have long been a vector by which attackers spread their malware {Chapter 1 Security+ 3ed}. Panda Software has reported that 1 out of every 4 worms were designed to replicate through USB flash drives, and this is in line with other data regarding how attacks are spread through USB flash drives (see Dec 7 2010 blog). One of the means that made this so easy was Microsoft Window's AuoRun feature. When you inserted a USB flash drive into an older version of Microsoft Windows XP or Vista the "AutoPlay" dialog box appeared with a list of standard choices ("Open folder to view files", "Speed up my system", etc.) that you could launch with a click of the mouse. And if you had an application on that device you would see the AutoRun option "Install or run program". Attackers crafted malware that displayed an option on the AutoPlay menu that looked similar to the normal "Open folder to view files", with the same yellow icon of a...

You may recall that RSA, who sells SecureID tokens {Chapter 8 Security+ 3ed} that generate time-synchronized one-time passwords (OTP), revealed back in March that it was the victim of an attack (see Mar 30 2011 blog). Yet at the time RSA only said that that attack occurred "recently" and "certain information" was stolen. Now it appears that the damage resulting from the successful attack is very severe. Last month the government contractor Lockheed Martin was attacked as a result of the RSA security breach. It appears that attackers who broke into RSA stole the "seed" numbers that are used to generate values on RSA's SecurID tokens and then used them to successfully attack Lockheed Martin. Although this caused the company to pull the plug on its virtual private network {Chapter 8 Security+ 3ed} Lockheed says that no customer, employee, or program data was lost. Last week RSA announced that it will replace all SecurID tokens for any customer that makes a...