STE WILLIAMS

4 free tools for Cyber Security Awareness Month

Regular readers of Naked Security will know that we aren’t terribly prone to commercialism.

We don’t think we need to be.

The brand we represent is pretty obvious, what with the domain name nakedsecurity.​sophos.​com and the corporate logo on every page, where we say, “Award-winning news, opinion, advice and research from SOPHOS.”

Nevertheless, we’d like to use this article to offer you some free Sophos stuff.

Here’s why we’ve decided to do this right now:

  1. It’s halfway through National Cyber Security Awareness Month.
  2. We’ve been urging you to DO THESE 3 things, including making sure you seek out and get rid of any malware lurking on your computer.
  3. As a result, numerous people, from readers to journalists, have been asking, “Where would you suggest that I start?”
  4. We’ve been encouraging techies who act as unofficial home IT support to help their friends and family with item (2).
  5. They’ve been asking, “Where would you suggest that I start?”

So here is a brief and, we trust, unpushy list of four free tools you can find on our website.

Sophos Virus Removal Tool

This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.

It does its job without requiring you to uninstall your incumbent product first. (Removing your main anti-virus just when you are concerned about infection is risky in its own right.)

Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.


Sophos Anti-Virus for Mac Home Edition

Yes, Macs get viruses too.

And even if you never see a virus that directly attacks your Mac, the chances are good that you’ll encounter malware from your Windows-using friends (or even from your own Windows partition, if you dual-boot your Mac).

Sophos for Mac stops threats for Windows and Mac alike, protecting you and those you share files with.

Choose from blocking viruses in real time (on-access protection), scanning at scheduled times, or running a check whenever you want.


Sophos Mobile Security for Android

Our Sophos Mobile Security app protects your Android device without reducing performance or battery life.

Using up-to-the-minute threat data from SophosLabs, we automatically scan apps as you install them.

As well as malware protection, you’ll also get: loss and theft protection with remote lock and wipe, a security advisor to alert you if you inadvertently activate risky configuration settings, and a privacy advisor to help you decide whether an app is asking for permission to do too much.


Sophos UTM Home Edition

You’ll need a spare computer to install it on, and you’ll probably want to get your unofficial home support techie to set it up for you, but if you do, you’ll have our award-winning network security device for businesses, 100% free for home use.

That includes all the Sophos UTM features: email scanning, web filtering, a VPN, web application security, and everything you need to keep up to 50 devices on your home network secure.

If you live in a shared house, or you have children to look out for online, this could be just the product you need.

Better yet, you get 12 free licences for Sophos Anti-Virus for Windows that you can install and manage throughout your household, right from the UTM web console.


You can get any or all of these tools free of charge from our website.

Only the UTM requires registration – we need an email address so we can send you a licence key. For the others, we don’t even ask who you are.

So, if you’ve been thinking, “I really ought to get more serious about cybersecurity,” just remember that there’s no time like the present.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/upChQmTD6T0/

Oracle releases 127 security fixes, 51 for Java alone

Patch Tuesday - now for 28 products in the Oracle stable

It is Critical Patch Update (CPU) time for Oracle customers, which in one way or another is nearly everyone.

This is the first time Oracle is patching Java on the same quarterly cycle as other products, and perhaps the first time I have had something positive to say about Oracle security.

The October 2013 CPU covers fixes for:

All of these updates are important, but arguably Java is the most important of all of them.

51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser. Worse yet, all but one are remotely exploitable without authentication.

Some versions of Java update themselves, some rely on the operating system vendor and others are too old to support an auto-update mechanism. This does not make things easy.

My advice?

  1. Determine whether you have Java installed and enabled in your web browser. Visit http://java.com/en/download/installed.jsp and click “Verify Java version”. If your browser prompts you to install Java, close the tab; you’re Java-free. If it loads the applet, check your version. Be sure you are running Java 7 update 45 (1.7.0_45), Java 6 update 65 (1.6.0_65) or Java 1.5.0_55.


    If you must have Java installed, you ought to be running Java 7 (1.7). No earlier version is officially supported, and all of them present a greater security risk.

  2. If Java is installed and out of date, be sure to update it. Windows users can open the Java Control Panel, select the Update tab and choose Update now. Mac users can check for updates using the integrated Apple updater. Linux users should follow normal procedures for system updates provided by their distribution.


  3. Most importantly, if you don’t need Java, get rid of it. Java can be useful for applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn’t belong in your browser. If you’re not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions.
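As an added example (not part of the original article), here is a small Python checker that applies the version rule from step 1 to the output of `java -version`: it parses legacy 1.X.Y_ZZ strings and reports whether an installation is at the patched level for its release line, and whether that line is still supported. The function names and the constructed sample output are my own; the patched version numbers are the ones the article lists.

```python
import re
from typing import Optional, Tuple

# Minimum update levels that carry the October 2013 Critical Patch Update,
# per Java release line, as listed in the article.
PATCHED_VERSIONS = {
    7: "1.7.0_45",
    6: "1.6.0_65",
    5: "1.5.0_55",
}

# Only the Java 7 line is officially supported at the time of the article.
SUPPORTED_MAJOR = 7

# Matches the quoted version on the first line of `java -version` output.
VERSION_LINE_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')

# Legacy Java version format: 1.<major>.<minor>[_<update>][-<suffix>]
LEGACY_VERSION_RE = re.compile(r"1\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?")

# Constructed sample of what `java -version` prints for an out-of-date Java 7.
SAMPLE_OUTPUT = (
    'java version "1.7.0_40"\n'
    "Java(TM) SE Runtime Environment (build 1.7.0_40-b43)\n"
    "Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)\n"
)


def parse_java_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Parse a legacy '1.X.Y_ZZ' Java version into (major, minor, update).

    Returns None for anything that does not use the legacy scheme (for
    example the newer '9' or '11.0.2' forms, which post-date this article).
    """
    m = LEGACY_VERSION_RE.fullmatch(version.strip())
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def extract_version(java_version_output: str) -> Optional[str]:
    """Pull the quoted version string out of `java -version` output.

    `java -version` writes to stderr, so capture that stream when running it.
    """
    m = VERSION_LINE_RE.search(java_version_output)
    return m.group(1) if m else None


def assess(version: str) -> Tuple[str, str]:
    """Classify a Java version string against the CPU's patched levels.

    Returns (status, explanation), where status is one of:
      'patched'        - Java 7 at or above 1.7.0_45
      'patched-legacy' - Java 6 or 5 at its patched level, but no longer supported
      'outdated'       - below the patched level for its release line
      'unsupported'    - a release line the CPU does not cover at all
      'unknown'        - version string not in the legacy 1.X.Y_ZZ format
    """
    parsed = parse_java_version(version)
    if parsed is None:
        return "unknown", f"unrecognised version format: {version!r}"
    major = parsed[0]
    if major not in PATCHED_VERSIONS:
        return "unsupported", f"Java 1.{major} is not covered by the October 2013 CPU; remove or upgrade it"
    required = PATCHED_VERSIONS[major]
    if parsed < parse_java_version(required):
        return "outdated", f"{version} is below the patched level {required}; update now"
    if major != SUPPORTED_MAJOR:
        return "patched-legacy", f"{version} has the CPU fixes, but Java 1.{major} is no longer officially supported"
    return "patched", f"{version} is at or above {required}"


def check_output(java_version_output: str) -> Tuple[str, str]:
    """Run assess() on raw `java -version` output; reports 'not-found' if there is none."""
    version = extract_version(java_version_output)
    if version is None:
        return "not-found", "no Java version line found (Java may not be installed)"
    return assess(version)


if __name__ == "__main__":
    import subprocess

    print("sample:", check_output(SAMPLE_OUTPUT))
    try:
        # `java -version` prints to stderr; merge both streams before parsing.
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
        print("this machine:", check_output(proc.stderr + proc.stdout))
    except FileNotFoundError:
        print("this machine: not-found (no java binary on PATH; you are Java-free)")
```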

I heard that Oracle won the America’s Cup recently, which leads me to give them some unsolicited advice.

Put the award on the shelf in your lobby, sell the ten million dollar boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash.

3+ billion devices will thank you.

I asked a colleague and my wife how many of the 51 vulnerabilities they thought were remotely exploitable in this quarter’s patch. Their responses? 50 and 48.

If your reputation is this poor and you expose more than a billion users to your flaws, you need to respond more quickly. Microsoft and Adobe both patch monthly and together have less than 50 vulnerabilities fixed per quarter on average.

Oracle, it’s time to step up your game.

Photo of Oracle’s America’s Cup boat creative commons licensed from Donan Raven.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9naNaO-uDmM/

Is that a failed Outlook security update in your pocket or are you pleased to phish me?


Web criminals have fired off Patch Tuesday-themed phishing emails to trick confused users into handing over their login details.

Their messages attempt to convince users into visiting a website masquerading as a Microsoft Exchange system, which tries to coax visitors into handing over their email accounts’ address and password. Marks are told they must provide the details to get an installer package supposedly needed after a failed Outlook security update.


The phishing text reads:

Windows Installer package update is required to automatically eliminate obsolete patches in your sequence of patches as a report on our server indicates an error code (0x700) as a result of a failed update Every installer sequence patch is being linked to an email account. Fill in the error code and other details to automatically fix this error.

The link is, of course, entirely bogus. It doesn’t even lead to an encrypted server. And Microsoft never delivers its security updates via email, precisely so that this sort of subterfuge stands out.

In the scam, victims are asked to submit an “error code” as well as their email account access credentials, a nice touch that elevates the whole con from entirely implausible to “WTF, you’d have to be daft to fall for this”.

Last month some Microsoft updates were reissued after there were problems installing the software, and as net security firm Sophos notes, crooks may be seeking to exploit any confusion this may have caused.

This week’s phishing email was captured by Sophos’ spam filters. A blog post by the security biz, featuring screenshots of these emails as well as the bogus Exchange web server, can be found here.

The ultimate aim of the crooks behind the scam is unclear. However, compromised email accounts can be used to put together more plausible phishing attacks against their friends and colleagues, breaking into social networks and other web accounts, or for malware distribution among other malign tricks.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/15/ms_failed_update_phish/

Adobe Source Code Theft Unlikely To Cause Spike In Exploits

The theft of Adobe’s source code from some of its most popular products will likely result in an increase in vulnerabilities found in those products, but security experts are currently debating whether the leaked code will also lead to a greater number of exploits in the coming months.

The answer likely depends on the product, says Dan Guido, chief technology officer for security consultancy Trail of Bits. Adobe Acrobat has a number of anti-exploitation technologies built into the software that will make any attempt to exploit known vulnerabilities much harder, he says. While Acrobat has more than 13 million lines of code — and likely a passel of undiscovered vulnerabilities — Adobe’s implementation of address space layout randomization (ASLR), a sandbox, and the broker process reduces the attack surface area significantly, he says.

“There is a security model and runtime security system that Acrobat has that are separate from the source code,” he says. “The effectiveness of ASLR, of the sandbox, and the other application-specific protections don’t get reduced by someone having access to the source code.”

On the other hand, the source code for ColdFusion, which lacks some of the same security features, could help attackers more easily produce attacks, he adds. ColdFusion “is a complicated Web application stack, and typically when we talk about Web applications, discovery of a vulnerability is nearly equivalent to exploitation,” Guido says.

On Oct. 3, Adobe announced that the source code for Adobe Acrobat, ColdFusion, and ColdFusion Builder had been stolen and found on the Internet. Security researcher and journalist Brian Krebs and security consultant Alex Holden had notified the company that the code had been found on servers connected with the group that breached information services firm Lexis Nexis and risk management firm Kroll.

[Financially motivated attackers could abuse stolen source code for broader attacks. See Hacking The Adobe Breach.]

Holden raised the possibility that the source code leak could lead to a surge in exploitation.

“While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data,” Alex Holden of consultancy Hold Security stated in a blog post. “Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.”

In many ways, the fact that a software development company loses its crown jewels should not make a difference to the security of the software, says Mike Armistead, vice president and general manager of enterprise security products at HP Fortify. While Armistead declined to comment on the theft of Adobe’s source code, he argues that developers should attempt to design their products in a way that disrupts attackers at each stage of their attempt to exploit vulnerabilities.

“What we are trying to do with our software security strategy is disrupt the adversary,” he says. “You need to think about your overall architecture when you are designing your software, and you have to have threat models.”

To a large extent, Adobe has done just that. The company, which declined to comment for this article, revamped its software architecture for its Reader software to include a protected mode that logically separates any PDF file in a sandbox, which can then only communicate with other operating system processes through a process known as the broker. The broker process acts as a firewall between the Adobe sandbox and the operating system, only allowing a very small subset of activities.

In its statement online, however, the company did say it was remaining vigilant. “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident,” Brad Arkin, chief security officer for the firm, stated in a post online.

Given those efforts, the breach may be more embarrassing than threatening for Adobe, but the company still needs to assess the threat to its hundreds of millions of customers, says Rahul Kashyap, chief security architect for software security firm Bromium, whose products run untrusted software and files in isolated virtual machines to prevent system exploitation.

“This is a very tough situation for Adobe,” Kashyap says. “They have to continue doing their software development life cycle (SDL) process, but they might want to get a group of third-party auditors to check the code and find vulnerabilities.”


Article source: http://www.darkreading.com/vulnerability/adobe-source-code-theft-unlikely-to-caus/240162665

Windows XP Holdouts Hold On

The clock is ticking on Windows XP: Next April, Microsoft will cease support and patching for the aging operating system. But plenty of XP systems are still alive and running out there as the clock runs down.

Case in point: Nearly half of the 1 million machines managed by enterprise mobility management firm Fiberlink for its clients are XP systems.

Chuck Brown, director of product management at Fiberlink, says it’s like the XP SP2 countdown back in 2010. “When XP SP2 went out of date, we went through this” with the move to XP SP3, Brown says. “We’re seeing this happen again” with XP, he says.

Some 45 percent of the 1 million laptops and desktops managed by Fiberlink for its enterprise customers are still running XP. “I think what they are really doing is trying to squeeze as much as they can from a financial perspective. I think this stems back to the financial crisis of 2008,” he says. “People are keeping what they had in place as long as they could until they were forced to make a move.”

The good news is that Brown says he’s seeing customers moving off of XP each day. But so far, most are going to Windows 7, not the newer Windows 8 or 8.1. “They are going to Windows 7 for different reasons, but from the enterprise perspective, there’s no retraining really needed” versus with Windows 8, he says, plus some legacy internal applications rely on versions of Internet Explorer prior to IE 11, which currently runs on Windows 8 and 8.1.

Users who stick with XP beyond Microsoft’s support deadline risk getting hit with new malware, without any patches.

But Brown says he expects most of the XP machines to be updated by the time the April deadline rolls around. Somewhere around 3 percent XP stragglers will remain among his company’s customers, he says. “It will then take them another three months, I’ll bet, to migrate. But we’ll keep telling them [to],” he says.

Despite initial pushback on Windows 8, the new OS features some attractive security functions, such as BitLocker encryption for locking down hard drives.

“What I like with [Windows 8 and 8.1] is that Microsoft is providing an API set, something they really never did before,” Brown says. “Now they actually provide an API set that will kick off VPNs, and you’ll be able to create WiFi profiles and start to do blacklisting and whitelisting.”


Article source: http://www.darkreading.com/vulnerability/windows-xp-holdouts-hold-on/240162684

Capturing The Flag, SQLi-Style

As a penetration tester and long-time security professional, Sumit ‘Sid’ Siddharth is a big believer in the importance of practicing exploitation to gain better insight about vulnerabilities.

“The only way you can understand the true impact of vulnerabilities is by practicing exploitation. Even vulnerability identification goes hand in hand with exploitation,” says Siddharth, founder of NotSoSecure and a frequent Black Hat speaker and trainer. “Sometimes identifying the vulnerability is really difficult and it’s only when you know advanced exploitation techniques that you can do so. In my experience pen testing for ten years now, the biggest takeaway is that these two things feed into each other.”

Working as a frequent instructor of workshops for Black Hat and classes around the world teaching the art of injection exploits (including next month’s Black Hat Seattle), Siddharth felt students only got so much hands-on training during the class and very little opportunity to practice the principles he teaches once they were done.

[Your organization’s been breached. Now what? See Establishing The New Normal After A Breach.]

“In a one-day class on SQL injection, there’s only so much you can cover,” he says. “We have some slides on advanced topics but we never have time to cover them through practical demonstration.”

It was something that bugged him enough that he set out to develop a real-world website and database environment simulator he calls SQL Injection Labs, a platform which gives anyone with a subscription access to wreak havoc via SQLi without worrying about legal trouble or client engagement issues. It’s like a virtual movie set where visitors are invited to smash up the storefront windows and pick the locks to learn the craft of breaking in.

Loaded up with the same types of vulnerabilities, software set-ups and situations that have been exploited in high-profile compromises of years past, the platform will be available for public use in a free capture the flag (CTF) event that Siddharth says he hopes will raise awareness about the platform and the danger of SQLi vulnerabilities among IT professionals and the businesses they work for.

A frequent participant in other CTF events held across the industry, Siddharth says this one is designed to be neither insanely difficult nor too easy: not everyone will capture a flag, but success won’t be limited to just one or two participants, either.

“Our intention is to put together a real-life simulation, something you would find in an actual pen test, up for capture the flag,” he says, explaining that especially when CTF events are made too difficult they eliminate the reality of the scenarios. “It’s all good practicing and training in a capture the flag, but if your hacking of the systems doesn’t really mimic all the applications or scenarios in real life, then that really doesn’t appeal so much.”

With more than 300 participants already signed up, the prizes will be hotly contested. Among them is one free ticket to AppSec USA, along with some subscriptions to SQL Injection Labs.

As for the platform upon which the event is built, Siddharth says it is already gaining momentum. After just about two weeks online, it has signed up approximately 50 users, many of whom have already spent hours working problems, he says.

With more than 20 challenges, many including multiple objectives, the platform is being run in conjunction with SecurityTube. Within the environments, Siddharth covered MS-SQL, MySQL, Oracle and Postgres, with plans to also add NoSQL databases like MongoDB in the works. Because the idea is to help users of all ability levels learn more, challenges are broken up into three difficulty levels and there’s a built-in ‘answer key’ of sorts, he says.

“If people are starting out in their career and haven’t mastered the art yet, we provide them with a solution they can follow, along with screenshots of what they should see on the screen,” he says. “We also provide a full video walk-through of how a particular challenge can be solved.”

On the other end of the spectrum, there are also some real head-scratchers.

“We’ve also put together some really nice examples where identifying the vulnerability is really difficult and we’ve asked people to find the needle in the haystack, because that’s how websites get compromised at the end of the day,” he says.


Article source: http://www.darkreading.com/database/capturing-the-flag-sqli-style/240162685

AVAST Releases avast! 2014

REDWOOD CITY, California, October 15, 2013 – AVAST Software, maker of the most trusted and recommended antivirus in the world, today launched avast! 2014 – the latest version of the antivirus solution used by a quarter of all protected PCs worldwide. With the only boot-time scan in the antivirus market, the 2014 version improves performance, download and install times, privacy, and protection.

“The new avast! 2014 delivers on our commitment to provide faster, better protection to the market,” said AVAST Chief Executive Officer Vincent Steckler. “It’s the culmination of 25 years of research and the experience of protecting nearly 200 million devices – far more than any other antivirus product.”

The avast! 2014 solution offers a new Do Not Track function in the avast! browser plugin. This technology lets users decide which companies they will allow to track their online behavior. For AVAST subscription products, SafeZone provides additional security for financial transactions.

Additionally, avast! 2014 offers even stronger protection with DeepScreen technology. This allows avast! to clear away false code, misdirections, and other techniques malware creators use to mask the true intentions of their malware. By peeling away layers of obscure code, avast! 2014 is able to observe the binary level commands within the malware to better understand the hidden instructions embedded in it. New in avast! 2014 is the Hardened Mode feature, which lets users switch on a whitelisting mode that blocks files from executing when it is unclear whether they are infected or not.

The latest version also empowers users to create a bootable antivirus USB, CD or DVD. That way if anything happens to their PC, the user has the disk ready so they can clean and restore their PC to normal function. The Rescue Disk is built on Windows PE (pre-installation environment) which allows users to boot a PC even when there is no functioning OS. The Rescue Disk function is available in all avast! products and is an integral part of the new remediation module introduced by this new version.

AVAST has also redesigned the entire user interface based on input from its customers. Users will find it simple and straightforward, making it easy to find everything they need. Additionally, the interface puts everything in the same place for both the Free and Paid product lines, making migration easier.

“The avast! 2014 solution is a big step forward,” said AVAST Chief Technology Officer Ondřej Vlček. “We now stream more than 250 micro-updates to active devices each day to improve zero-day detection and prevention. By protecting the most devices we have the best insight into the threat landscape, and that translates into better protection for our users.”

In addition to releasing avast! 2014, AVAST will be conducting a contest in anticipation of its 200 millionth installation. Details will be announced soon.

The 2014 version is available in four consumer variations – avast! Free Antivirus, avast! Pro Antivirus, avast! Internet Security, and avast! Premier – and in more than 40 languages. AVAST also provides world-class protection for businesses and mobile devices.

ABOUT AVAST:

AVAST Software (www.avast.com), maker of the most trusted antivirus in the world, protects nearly 200 million people, computers and mobile devices with its security applications. In business for 25 years, AVAST is one of the pioneers in the computer security business, with a portfolio covering everything from free antivirus for PC, Mac, and Android, to premium suites and services for both consumers and business. In addition to being top-ranked by consumers on popular download portals worldwide, AVAST is certified by, among others, VB100, AV-Comparatives, AV-Test, OPSWAT, ICSA Labs, and West Coast Labs.

Article source: http://www.darkreading.com/endpoint/avast-releases-avast-2014/240162668

New Wisegate Report Shares How CISOs Are Winning Executive Buy-In For Security Budgets

Austin, Texas, October 15, 2013 – Austin-based start-up Wisegate, a private, practitioner-based IT research service for senior technology professionals, released a new report today that shares how CISOs successfully gain executive buy-in on security budgets and strategically manage them.

Most CISOs face significant challenges communicating the value of security in business terms, winning budget approval and planning for unanticipated expenses, and they benefit from conferring with and learning from the experiences and successes of their peers. In this latest report, Wisegate makes available to the broader information security community veteran CISOs’ budget management tactics that are typically shared only between Wisegate members.

Read Business Wire Press Release Here: http://www.businesswire.com/news/home/20131015006189/en/Wisegate-Report-Shares-CISO%E2%80%99s-Winning-Executive-Buy-In

Wisegate’s new report “CISOs Discuss Best Ways to Gain Budget and Buy-in for Security” includes data from Wisegate’s 2013 IT Security Benchmark Survey and focuses on 3 key areas to help CISOs successfully navigate the budgeting process.

Determining How Much Should be Spent on InfoSec: New strategies CISOs use to allocate budget, along with critical factors to consider when using peer-based benchmarks and model-based approaches.

Budget Estimation and Spending Strategies: How company culture and CISO spending philosophies impact the budgeting process, from estimating and justifying expenses to resource planning and preparing for emergencies.

5 Tips for Winning Budget Approval: CISOs share how they use risk-based approaches, collaboration, leadership changes and soft skills to build buy-in for security programs and budgets.

To view a copy of the report titled “CISOs Discuss Best Ways to Gain Budget and Buy-in for Security”, please visit a media only direct link: http://www.wisegateit.com/resources/downloads/wisegate-strategic-budgeting-report.pdf. For stories, please use http://www.wisegateit.com/resources/downloads-strategic-budgeting-report.

Article source: http://www.darkreading.com/management/new-wisegate-report-shares-how-cisos-are/240162686


Web.com DNS hijack: How hacktivists went on a mass web joyride spree


Web.com has promised to beef up its security and hire more staff after hacktivists hijacked its DNS records and diverted visitors away from various websites.

The websites for freebie antivirus firms AVG and Avira, computer security toolkit Metasploit, and mobile messaging outfit WhatsApp were all successfully targeted by a pro-Palestine hacking gang on Tuesday. In effect, the wags were able to point web surfers at a server other than the one they were trying to access.


The KDMS Team successfully changed the DNS records of the aforementioned sites to redirect people to a website playing the Palestinian national anthem and displaying a political message under the title “You Got Pwned”.

The hacktivists’ web page is not thought to have been booby-trapped with malware to infect vulnerable computers stumbling by, all thanks to the restraint shown by the KDMS crew. Infiltrating the PCs of people looking for an antivirus product would have been particularly embarrassing for the software firms involved – even though they were let down by what turned out to be a basic security screw-up by their DNS services supplier.

Only a vigilant staffer was able to prevent antivirus firm Avast from suffering the same fate as its competitors. Other firms in the firing line included Alexa and hosting firm Leaseweb: netizens attempting to visit their sites were also sent to a wall of web graffiti instead of the legitimate sites – a surprise diversion that potentially dented any of the firms’ reputations. KDMS boasted that its tactics allowed it to get their political message to 850,000 surfers.

In a statement, Web.com – which owns Network Solutions that manages the DNS for AVG and others – promised to hire new staff and improve its security practices:

We have been in contact with the limited number of affected customers and have since resolved the issue. We value every customer, appreciate the trust they place in us for their online needs and continue to work hard to eradicate the attacks that harm our customers and the web ecosystem.

The company has taken measures to address the persistent threat of cybercrime, including increasing personnel, implementing best-of-breed front-line and mitigation solutions, regularly engaging third party experts and partners and reviewing and enhancing critical systems.

While no business is immune to cybercrime in today’s web environment, our goal is to create a safe, secure and reliable environment for all of our customers.

The owners of the joyridden websites blamed Network Solutions and Web.com for basic security blunders that led to their collective pratfall. Specifically, it’s claimed the hacktivists were able to exploit weak security procedures using social engineering tricks to pull off the hijack, rather than a sophisticated compromise of systems.

For example, HD Moore of the Rapid7 Metasploit project feared* metasploit.com was hijacked after the miscreants faxed a password-reset request to Web.com-owned Register.com, which manages the DNS for his website.

Having tricked Web.com’s subsidiaries into handing over control of the targeted accounts, the domain joyriders were easily able to change the websites’ DNS records to redirect anyone who attempted to visit these sites to a web server the hacktivists controlled instead.

Normality was restored in a matter of hours in all cases and no customer data was exposed, we’re told, but the multiple hijackings, which could easily have been prevented, were hugely inconvenient for all concerned.

A statement by WhatsApp is typical of those from the owners of the targeted websites:

Our website was hijacked for a small period of time, during which attackers redirected our website to another IP address. We can confirm that no user data was lost or compromised. We are committed to user security and are working with our domain hosting vendor Network Solutions on further investigation of this incident.

AVG issued a similar statement on its blog. Meanwhile a blog post by Avira provides the most detailed explanation of how hackers pulled off the attack and its impact on victims:

It appears that several websites of Avira as well as other companies have been compromised by a group called KDMS. The websites of Avira have not been hacked, the attack happened at our Internet Service Provider “Network Solutions”.

The DNS records of various websites, including those of Avira, were changed to point to other domains that do not belong to Avira.

It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers.

Our internal network has not been compromised in any way. As a measure of security we have shut down all exterior services until we have all DNS entries in our possession again.

Our products were not affected at any point, including the update servers for product and detection updates. These servers are not registered at Network Solutions.

We can assure all our partners and customers that no data of any kind (customer data, source code, etc.) has been stolen during this incident.

No malicious code was delivered to the visitors of the website either by direct download or by drive-by downloads.

Avast only evaded the same problem by the skin of its teeth, as an update on the antivirus firm’s website explains:

“We ourselves received a notification from Network Solutions saying our email had been changed. We knew we had not requested that so we immediately took action and changed our passwords, which protected us,” said Vincent Steckler, Avast’s chief exec.

DNS hijacks in general are rare but far from unprecedented. Security watchers and inconvenienced customers previously criticised Network Solutions for poor crisis management in the wake of a distributed denial-of-service attack in July.

The provider came in for even stronger criticism this week. We can only hope Web.com follows through on its commitment to bolster security before another similar domain joyriding spree. ®

Updated to add

* Security biz Rapid7, which develops Metasploit, has since clarified “we have heard from Register.com that the attacker did NOT use a spoofed change request fax”.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/12/dns_hijack_hack_analysis/