[SecurityRatty] tag: download

Firefox update fixes Mac security issue

Fri, 18 Jul 2008 20:00:00 +0000

Mozilla has released an update to Firefox, its popular Web browser. The update is available for download either from the Firefox Web site or through Firefox itself, if you select "Check for Updates" from the Help menu.

Wormlike malware transcodes MP3s to try to infect PCs

Fri, 18 Jul 2008 09:00:00 +0000

A new variety of malicious software could pose a danger to those who download music files on peer-to-peer networks.

New worm transcodes MP3s to try to infect PCs

Thu, 17 Jul 2008 20:00:00 +0000

A new kind of malicious software could pose a danger to Windows users who download music files on peer-to-peer networks.

A backup tape is stolen from Greensboro Gynecology Associates

Wed, 16 Jul 2008 12:16:26 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Greensboro Gynecology Associates

Contractor/Consultant/Branch:
None

Victims:
Physicians, staff members, and patients

Number Affected:
Unknown

Types of Data:
"names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members"

Breach Description:
"GREENSBORO - Patients at a Greensboro doctors’ office have been notified that their personal information - including Social Security numbers and addresses - was stolen in May."

Reference URL:
News & Record

Report Credit:
Ryan Seals, News & Record

Response:
From the online source cited above:

In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen.
[Evan] Does "their computer database" include billing information and other confidential information other than personally identifiable information?

The letter was dated June 16, but some letters weren't postmarked until July 9.

The medical practice said a backup tape of patient information was stolen on May 29 from an employee who was taking the tape to an off-site storage facility for safekeeping.
[Evan] I wonder what type of off-site storage facility. Some of the small businesses that I have encountered consider an employee's home to be an "off-site" storage facility.

The stolen information included patients' name, address, Social Security number, employer, insurance company, policy numbers and family members.

The tape did not include treatment or specific medical data.

"We are very concerned about this theft, as we too are victims," Pat Higgins, the practice's administrator, wrote in an e-mail Tuesday. "We are notifying our present and former patients. ..."

The practice at 719 Green Valley Road Suite 305 said personal information for its physicians and other staff members also was on the stolen tape.

the case is under investigation

did not respond to inquiries about how many patients were affected, how the theft occurred and whether anything else was taken

The practice's letter said the theft had been reported to police. However, officials with the Greensboro Police Department and the Guilford County Sheriff's Office said they had no such report on file.
[Evan] This is interesting news.

The data was not encrypted, but Greensboro Gynecology Associates said the stolen data isn't likely to be accessed.

"We have consulted with several computer security experts, and they have advised it is highly unlikely the tapes can be accessed because of the program used and the language (the information) is written in," according to a recording on a hotline set up to address patients' concerns.
[Evan] Who are these several computer security "experts'? I hate to disagree, but... The assessment is based on "the program used and the language" that the archived information is written in. Really? How hard is it to obtain the necessary hardware and software to access the information? Someone interested in accessing the tape could conceivably flip the data protection tab on the tape (to prevent data corruption through inadvertent writes), download some of the more popular backup software programs, buy a compatible drive (stolen or on eBay), and go to town. Couldn't they? Backup Exec is a very popular backup program. Anyone can download a 60-day trial for free. More talented professionals have even more sophisticated methods of accessing data on tape.

Greensboro Gynecology Associates said they are consulting with computer security experts to prevent similar thefts in the future.
[Evan] I kind of hope that they are not consulting with the same computer security "experts" referenced above.

"We sincerely regret and apologize that this incident occurred," the letter said

Commentary:
Many backup software solutions include the option to encrypt the written data built-in. Why not use it?

Greensboro Gynecology Associates has established a hotline for concerned patients. The phone number is (336) 544-4590. The hotline asks patients to leave their name and telephone number for a staff member to return their call.

Past Breaches:
Unknown

Are you using the latest web browser?

Wed, 16 Jul 2008 09:24:00 +0000

Written by Thomas Duebendorfer

In view of mass defacements of hundreds of thousand of web pages - with the intent to misuse them to launch drive-by download attacks - security researchers from ETH Zurich, Google, and IBM Internet Security Systems were interested in looking at the other side of the attack: the web browser. By analyzing the web browser versions seen in visits to Google websites, they have shown that more than 600 million Internet users don't use the latest version of their browser.

Slow migration to latest browser version
The researchers' paper, entitled "Understanding the Web Browser Threat", shows that as of June 2008, only 59.1% percent of Internet users worldwide use the latest major version of their preferred web browser. Firefox users are the most attentive: 92.2% of them surfed with Firefox 2, the latest major version before the recently released 3.0. Only 52.5% of Microsoft Internet Explorer users have updated to version 7, which is the most secure according to multiple publicly-cited Microsoft experts (among them Sandi Hardmeier). The study revealed that 637 million Internet users worldwide who use web browsers are either not running the latest version of their preferred browser or have not installed the latest patches. These users are vulnerable to exploitation due to their web browser's "built-in" vulnerabilities and the lack of more recent security mechanisms such as improved phishing protection.

Neglected security patches
Over the past 18 months, the study also shows, a maximum of 83.3% of Firefox users were using the latest major version of the web browser and also had all current patches installed (i.e. latest minor version). Only 56.1% and 47.6% of Opera and Internet Explorer users, respectively, were similarly utilizing fully-patched web browsers. Apple users are no better: since the public release of Safari 3, only 65.3% of users operate the latest Safari version.

Maximum measured share of users surfing the web with the most secure versions of Firefox, Safari, Opera and Internet Explorer in June 2008 as seen on Google websites.

Obsolete browser warning
The study's most important finding is that technical measures now in place do not sufficiently guarantee browser security, and that users' security awareness must be further developed. The problem is that most users are unaware that they are not using their browser's latest version. It must be made clear to web browser users that outdated software is associated with significantly higher risk. The researchers therefore suggest that, as a critical component of web software, a visible warning be instituted that warns the user of missing security patches in a way analogous to the 'best before' date in the perishable food industry. Software updates must also be made easier to find. The resulting transparency would go far in contributing to end user awareness of software weaknesses, and allow users to better evaluate risks.

Example "best before" implementation on a Web browser

As a side effect, having users migrate faster to the latest browser version would not only increase security but also make the lives of webmasters easier, as they would need to test and optimize websites for fewer older versions of web browsers.

The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit

Tue, 15 Jul 2008 13:18:32 +0000

Raising Symantec's ThreatCon based on a newly introduced exploit within a (random) copy of a popular web malware exploitation kit? Now that's interesting given that there are other modified versions of the publicly available malware kit empowered with exploits as they get released, the single most logical move a administrator of such kit would do is diversity the exploits set as often as possible, keeping it up to date - like they do. ThreatCon is raised already :

"Symantec honeypots have captured further exploitation of the Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114). Before this event, this exploit was known to be used only in isolated attacks. Further analysis of these honeypot compromises has revealed that the exploit has been added to a variant of the neosploit exploit kit, it will very likely reach a larger number of victims. This version will compromise vulnerable English versions of Microsoft Windows by downloading a malicious application into the Windows Startup folder. Computers that have Microsoft Access installed are potentially affected by this vulnerability. Customers are advised to manually set the kill bit on the following CLSIDs until a vendor update is available: F0E42D50-368C-11D0-AD81-00A0C90DC8D9 F0E42D60-368C-11D0-AD81-00A0C90DC8D9 F2175210-368C-11D0-AD81-00A0C90DC8D9"

Why based on a random copy of the kit? Well, the Neosploit malware kit itself is a commodity despite it's publicly announced varying price in the thousands, it leaked for public use just like MPack and Icepack did originally, making statements on the exact type of the vulnerabilities included within a bit pointless, since it will only cover the the exploits included in a particular version only. Web malware exploitation kits are very modular, namely, anyone can introduce new exploits, and tweak them, which is what they've been doing for a while, mostly converging third party traffic management systems with the malware kits in order to improve both, the metrics, and the evasive practices used for making a particular campaign a bit more time consuming to analyze.

Just like the innovations introduced within open source malware, and their localizations to native languages, the open source nature of web malware exploitation kit can result in countless number of variants whose new features make it sometimes difficult to assess whether or not it's a modified kit or an entirely new one - depending on the sophistication of the features of course. The introduction of new exploits within a copy of a particular malware kit should be considered as something logical, and if it's that big a deal, there are many other web malware exploitation kits whose features turn Neosploit into the "outdated choice" for malicious attackers.

Related posts:
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action

Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Tue, 15 Jul 2008 12:22:35 +0000

Synopsis: Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on April 17, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!

MANY thanks for all the offers of audio production assistance – getting it organized now

Ingate SIP Trunking webinar now available (and a note about participating in things like this)

VOIPSA blog site hacked

Voice of VOIPSA: Quarterly VoIP Vulnerabilities Summary

VoIPshield list of vulnerabilities

Cisco Advisory

Cisco Advisory about Disaster Recovery Framework

Voice of VOIPSA: VoIPshield announces discovery of over 100 vulnerabilities along with a YouTube video

Washington Post: Reach Out And Hack Someone

Voice of VOIPSA: GNUcitizen research discovery: Default key algorithm in Thomson and BT Home Hub routers

VoIP News: The Essential Guide to VoIP Security

Information Week: Securing VoIP with SecureLogix – includes YouTube video with Mark Collier

Voice of VOIPSA: VoIP and the International Space Station

Voice of VOIPSA: Xplico Network Forensic Analysis Tool

Voice of VOIPSA: Australians falling victim to foreign phone hackers

VoIP News Australia: How ACMA Plans to Regulate VoIP

Network World: Government agencies rejecting VoIP?

Linux Professional Institute to develop enterprise-level security exam

Net neutrality and Bell Canada

ZDNet: Attacks escalate on critical U.S. government networks: Will a Manhattan Project work?

Google XSS Attack (interesting as it shows the complexity of such attacks)

The Economist: Special Report: The New Nomadism

VoiceBiometrics – May 14-15, New York

IP Telephony University – June 23-24, Alexandria, VA

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

44:22 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Speaking of Security Podcast #113

Sun, 13 Jul 2008 20:00:00 +0000

Click to Download/Listen (11:11)

With users wanting more real-time, self-service options, many organizations have migrated their services to remote channels including the Internet or Call Centers but these services and benefits come with added risks of fraud and identity theft. Knowledge-based authentication (KBA) offers customers the opportunity to benefit from remote interactions with stronger security as well as the added convenience of real-time authentication. Learn more in this week's podcast. In other news, we bid a fond farewell to co-host Matt Buckley.

Homer Simpson and the Kimya Botnet

Fri, 11 Jul 2008 13:46:17 +0000

Television often relies on fake codes, phone-numbers and addresses to make up part of their fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homers Email address. Of course, every Simpsons fan with net access immediately added Chunkylover53 to their AIM contact list. As this article points out....

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file about 150kb in size, and it looks like this:

Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

Click to Enlarge (if you really must!)

From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

....awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICAAN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

...and it currently advertises a link for a dating website:

We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control.

We detect this as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

iPhone 2.0 Software Adds 802.1X for Enterprises

Thu, 10 Jul 2008 11:51:30 +0000

Apple adds secure enterprise logins for iPhone: The iPhone 2.0 software, available through a download link for existing 2G iPhones today, adds promised support for the 802.1X port-based authentication required in any company that's even remotely serious about its network security. 802.1X isolates connecting to an access point from gaining access to the network to which the access point is connected. A special client, known as a supplicant, must provide the right credentials for a device to be approved for access. Cryptography binds the process. (Instructions for manually installing the software are over at Wired. The update will likely be pushed out via iTunes to current owners tomorrow, and is included on the iPhone 3G, which goes on sale starting today over the international dateline and tomorrow in the U.S., Europe, and elsewhere.)

Apple splits its 802.1X support into two pieces. There's basic support built into the iPhone 2.0 software, found in the Settings application's Wi-Fi section. Click Other. Click the None label next to Security, and the WPA Enterprise and WPA2Enterprise options appear. Select either, and the main login screen lets you enter the network's name (SSID), a user name, and a password. This basic method is limited to WPA Enterprise and WPA2 Enterprise, the two most common (and most secure) forms of 802.1X.

Most enterprises will want much more control over this process, and Apple provides the iPhone Configuration Utility, currently available in its most complete form only as a Mac OS X application, and in more limited forms as Web 2.0 applications for Windows and Mac OS X.

The utility serves two purposes: creating configuration profiles, including for multiple Wi-Fi networks and VPN connections; and allowing iPhones in an enterprise to run internally developed iPhone software. The Wi-Fi profiles allow you to create WEP or WPA/WPA2 802.1X configurations, and include support for choosing allowed EAP messaging types, configuring authentication elements associated with a given EAP type, and adding server certificates and names for better authentication control.

Once created, these profiles can be distributed throughout a company via email or as a direct download to the iPhone via an intranet Web server. Apple chose not to encrypt them, which means that certain information that's not secured--such as the shared secret for certain VPN connections--could be disclosed to someone who had access to the profile or could download it off the local network.