STE WILLIAMS

Happy 10th b-day, Patch Tuesday: TWO critical IE 0-day bugs, did you say?


Microsoft delivered no fewer than eight bulletins to mark the tenth anniversary of Patch Tuesday, including a fix covering two zero-day vulnerabilities in Internet Explorer.

A critical patch for all supported versions of IE covers a well-anticipated fix for the CVE-2013-3893 vulnerability, which has been associated with cyber espionage-style attacks against targets in Japan, Taiwan and elsewhere in Asia since late August.


Microsoft also released a bonus extra fix for another in-the-wild browser bug. The same MS13-080 bulletin also covers the CVE-2013-3897 vulnerability that has become the target of attacks over the last two weeks or so. FireEye was the first to discover a malware campaign (dubbed Operation DeputyDog) linked to the CVE-2013-3893 security bug, while Trustwave SpiderLabs is claiming the credit for fingering the CVE-2013-3897 flaw.

“MS13-080 also addresses CVE-2013-3897 in an interesting case that illustrates the concurrent discoveries of vulnerabilities,” explains Wolfgang Kandek, CTO of cloud security firm Qualys, in a blog post.

“The vulnerability underlying CVE-2013-3897 was found internally at Microsoft and would have been fixed in MS13-080 as part of the normal security engineering and hardening that the product undergoes constantly. However, in the last two weeks, attacks against the same vulnerability became public – again, limited and targeted in scope – but since the fix was in the code already, it enabled Microsoft to address the vulnerability, CVE ID CVE-2013-3897, in record time.”

Microsoft explains that the MS13-080 bulletin “fixes multiple security issues, including two critical vulnerabilities that haven’t been actively exploited in limited targeted attacks.”

All versions of IE, from 6 to 11, need patching with updates that tackle 10 vulnerabilities in total.

The MS13-080 bulletin is by far the most important of the October batch but Redmond is also releasing three other critical fixes and four “important” security bulletins. The batch, which marks the tenth anniversary of Patch Tuesday, collectively grapples with 26 vulnerabilities.

The critical MS13-081 update addresses seven vulnerabilities in the Windows kernel, including problems in font handling, and can be triggered remotely through malicious web pages and maliciously formatted Office documents. Bugs in Microsoft’s .NET Framework and finally a vulnerability in Windows Common Control Library (64 bit only) occupy the remaining two berths on the critical list.

The upshot is that everything from Windows XP up to and including Windows 8 and Windows RT will need patching to defend against security bugs that are more problematic for desktop systems.

The noteworthy “important” bulletins MS13-085 and MS13-086 cover remote code execution vulnerabilities in Microsoft Excel and Microsoft Word respectively. Security watchers are more worried about the potential for mischief from these bugs than Microsoft itself is.

The two other “important” updates cover lesser security bugs in Microsoft Silverlight 5 and Redmond’s Sharepoint portal server software.

Microsoft’s advisory and an easier to understand graphical overview from the SANS Institute’s Internet Storm Centre provide more information.

Adobe – fresh from warning about a compromise on its website that might have exposed the IDs, password hashes, and encrypted credit card information of nearly three million customers – separately delivered a patch for its Acrobat and Reader software. Adobe also patched its RoboHelp software. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/09/patch_tuesday_double_ie_trouble/

Embrace Your Inner Risk Adviser

If you’re a security professional who’s regularly telling IT and the business side what they’re doing wrong with security, you’re doing it wrong.


That’s what John Pironti, president of IP Architects LLC, told attendees at Interop New York last week. “They have no incentive to spend time with you if you [only] tell them what they are doing wrong,” he says. Security pros should serve as risk advisers to the company, he says.

“As security people, we are better at talking about threats and vulnerabilities than we are about risk,” Pironti said. But it’s time to shift that mindset, he says, and to embrace the security risk profile approach.

“We need to differentiate between risk and security: risk is part of enterprise risk management, and security is the enabler,” he says. That will help remove the “friction” that often comes between security and IT, he says, where the security pro is all about protection and the IT pro is all about availability and efficiency.

First, you must discern the organization’s risk “appetite,” he says. Drill down on what they care most about and why. “Security is the output, and risk defines” where you are going, and security determines how, he says.

If you don’t know what the organization’s key business processes are, he says, take a look at the business continuity disaster recovery plan.

A risk profile entails deciding and agreeing on what’s acceptable risk, and classifying data (public or confidential, for example). “What’s the material business impact? That’s different for every organization — some do it by revenue or reputation or regulatory. When does [a security incident] become material?”

A security incident may not be “material” to a business if it only resulted in a few lost data records, for example. “The cost to protect the data should not exceed the value of the data,” Pironti says.

When security helps facilitate a risk profile, it then fits with “the enterprise conversation,” he says.

Ensure the business side physically signs off on the risk profile, too, Pironti says. “If you want this thing to work, leadership has to buy in … They have to understand we are not making decisions for them any longer. We are empowering them.”

“No longer are we the people they don’t want to see … now they’re asking us questions,” he says.


Article source: http://www.darkreading.com/vulnerability/embrace-your-inner-risk-adviser/240162419

Russia revs up "PRISM on steroids" to monitor all Winter Olympics communications

All communications coming from visitors and athletes at the 2014 Winter Olympics in Russia will be monitored by newly strengthened telephone and internet spying technologies.

Investigative work to document Russia’s massive surveillance ramp-up was undertaken by a team of Russian journalists looking into preparations for the Games, The Guardian reports.

According to a dossier compiled by the journalists, their country’s powerful security service – the Federal Security Service of the Russian Federation (FSB) – has been taking the steps to install near-ubiquitous monitoring.

Documents compiled by the journalists – Russian security services experts Andrei Soldatov and Irina Borogan – track government procurement and tenders from Russian communication companies showing that newly installed telephone and internet spying capabilities will give the FSB “free rein to intercept any telephony or data traffic and even track the use of sensitive words or phrases mentioned in emails, webchats and on social media”, The Guardian’s Shaun Walker writes.

Walker reports that the Russian journalists have collated dozens of open source technical documents published on Zakupki, the Russian government’s procurement website, as well as public records of government oversight agencies.

The duo’s investigations show that while surveillance technology is being modernized throughout the country, particular attention has been paid to overhauling telephone and Wi-Fi networks in the Black Sea resort of Sochi, where the Games will be hosted.

Walker describes how “major amendments” to the infrastructure have focused on SORM – the nation’s interception system for phone and internet communications.

At this point, SORM is so tied into Russian communications architecture that, Edward Snowden revelations aside, it makes the US National Security Agency’s (NSA’s) level of surveillance seem almost like an afterthought.

The Guardian quoted Ron Deibert, a professor at the University of Toronto and director of Citizen Lab, which co-operated with the Sochi research, as calling the Winter Games SORM upgrades “PRISM on steroids”.

The difference in the two countries’ surveillance infrastructures can be found where the communications providers’ rights intersect with the government’s pre-emptive power to force its will upon them, he said:

The scope and scale of Russian surveillance are similar to the disclosures about the US programme but there are subtle differences to the regulations… We know from Snowden’s disclosures that many of the checks were weak or sidestepped in the US, but in the Russian system permanent access for Sorm is a requirement of building the infrastructure.

In fact, Russia has been beefing up SORM for some time, as Soldatov and Borogan, writing for Wired in December 2012, described.

In the article, the journalists delve into the difference between where the US and Russian governments insert surveillance into their countries’ respective communications infrastructures:

In the U.S. and Western Europe, a law enforcement agency seeks a warrant from a court and then issues an order for LI [the Western term LI, short for lawful interception, as used in press releases from SORM equipment providers] to a network operator or internet service provider, which is obliged to intercept and then to deliver the requested information.

In Russia, an FSB operative is also required to get an eavesdropping warrant, but he is not obliged to show it to anyone. Telecom providers have no right to demand that the FSB show them the warrant. The providers are required to pay for the SORM equipment and its installation, but they are denied access to the surveillance boxes.

Thus, the FSB does not need to contact the ISP’s staff; instead the security service calls on the special controller at the FSB HQ that is connected by a protected cable directly to the SORM device installed on the ISP network. This system is copied all over the country: in every Russian town there are protected underground cables, which connect the HQ of the local FSB department with all ISPs and telecom providers in the region.

The FSB since 2010 has been upgrading SORM to ensure it can cope with extra traffic during the Games, the journalists have discovered.

The work has included laws that require all telephone and ISP providers to install SORM boxes in their technology.

Technically, the FSB requires a warrant to intercept a communication, but it’s not obliged to actually show it to anyone.

Once a SORM box is in place, the FSB can get at any and all phone calls or internet communications, without any of it being logged and without the provider ever knowing, Walker writes.

This will enable Russia to not only track suspected foreign spies, but also possibly to immediately break up any type of rally for gay rights amidst the controversy over Russia’s crackdown on such rights, Walker comments.

The US State Department’s Bureau of Diplomatic Security earlier this year warned those traveling to the Games to take precautions with communications and devices, The Guardian notes.

It sent out a brochure that read, in part:

“Business travellers should be particularly aware that trade secrets, negotiating positions, and other sensitive information may be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities.”

Or as Naked Security’s Mark Stockley puts it, “Sochi is a surveillance trap set by one of the globe’s experts in surveillance. So the only sensible advice is don’t do, say or bring anything you aren’t prepared to share with the Russian Federation.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9kE0Zx5awCA/

US head of intelligence: NSA wants to break Tor to get at the bad guys

The US National Security Agency (NSA) really, really hates Tor, the anonymising service.

If we had any doubts on that point, the issue was clarified by a top-secret NSA presentation leaked by Edward Snowden and titled, plainly enough, “Tor Stinks”, published by The Guardian on Friday.

Also on Friday, the US Director of National Intelligence, James Clapper, posted a statement explaining just why, exactly, the NSA loathes Tor so much.

It’s simply because that’s where the bad guys are, Clapper wrote:

The Intelligence Community’s interest in online anonymity services and other online communication and networking tools is based on the undeniable fact that these are the tools our adversaries use to communicate and coordinate attacks against the United States and our allies.

The Guardian also reported on Friday that the NSA has for at least the past two years teamed up with the United Kingdom’s electronic eavesdropping and security agency, Government Communications Headquarters (GCHQ), to analyse Tor, figure out where they can crack its anonymity, and even attack, with some degree of success, users’ computers.

At the time of the presentation, dated June 2012, the agencies apparently were fairly frustrated at how difficult the job of peeling apart Tor’s layers had proved.

Here’s how the presentation put it:

We will never be able to de-anonymize all Tor users all of the time.

The presentation outlines a gamut of attack methods, including using what it called “manual analysis” to “de-anonymise” a small fraction of Tor users, operating a network of Tor-enabled relay servers in order to get access to other relay servers, and poisoning the Tor network itself by degrading the network’s stability.

In spite of such revelations, Clapper insists in his statement that the intelligence community has pure motives and that they’re all working strictly within a legal framework:

The Intelligence Community is only interested in communication related to valid foreign intelligence and counterintelligence purposes and that we operate within a strict legal framework that prohibits accessing information related to the innocent online activities of US citizens.

As AllThingsD’s Arik Hesseldahl pointed out, Tor is like any anonymising technology: it can be used for both good and bad, by both terrorists and political activists struggling against repressive regimes.

Any Tor user will likely feel a sense of relief that the NSA hasn’t cracked the network – at least, not yet, as far as we can tell from the documents that have been released thus far.

It would be wonderful if we could take solace in Mr. Clapper’s reassurances that all this surveillance is happening in a “strict legal framework” that protects the online activities of innocent US citizens (it would be better still, of course, if that strict legal framework protected all innocent citizens of all countries).

But news like that of last week, when NSA inspector general Dr. George Ellard detailed 12 investigations into “intentional and willful misuse” of spying tools by civilian and military NSA employees, undercuts such claims.

If the NSA can’t stop one employee from, for example, serial snoopery on the telephones of nine foreign women over the course of five years, then it’s difficult to swallow Clapper’s claims that this supposedly strict legal framework within which the NSA operates isn’t actually mottled with flab.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ngStalWerss/

Japan needs 80,000 EXTRA info-security bods to stay safe


Japan has an 80,000 shortfall in infosec professionals, and needs to provide extra training for more than half of those currently in the industry, if it’s to protect key IT systems from attack, according to the government.

A government panel of information security experts met back in June to draw up a long term plan to address Japan’s chronic shortage of trained infosec pros, according to Kyodo news agency.


The panel apparently concluded that aside from the 80,000 new recruits, some 160,000 of the 265,000 currently in the industry need additional training to bring them up to speed on the latest threats.

The strategy calls for a review of the current qualification system for info-security professionals as well as an update to university and other courses in the field.

The aim is apparently not only to boost numbers but to find “manpower with outstanding abilities” – which is easier said than done, especially when budgets are tight and graduates continue to favour other careers.

One way Japan is trying to overcome the shortage is through hacking competitions and training camps, according to Kyodo.

The Information-Technology Promotion Agency, overseen by the Ministry of Economy, Trade and Industry, is responsible for these and has also apparently been given budget to hire a dozen info-security grads every year.

It’s unclear how the government plans to encourage the tens of thousands more needed into the industry.

Cyber security skills shortages and gaps are endemic pretty much all over the developed world.

Certifications body ISC2 interviewed over 12,000 members to compile its sixth annual Global Workforce study, published in February. Some 56 per cent said there is a workforce shortage, compared to 2 per cent that believe there is a surplus, with “security analysts” (47 per cent) most in demand.

In the UK, the National Audit Office said in its Landscape Review report earlier this year that “it could take up to 20 years to address the skills gap at all levels of education”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/09/japan_infosecurity_skills_shortage/

Nothing to sniff at: Cisco finishes $2.8bn gobble of Snort’ing guy’s Sourcefire


Intrusion prevention’s a hot topic in the world of security, as reflected in the $2.8bn price tag Cisco has paid to complete the acquisition of network security specialists Sourcefire.

The purchase – which was announced in July – is the largest security firm purchase since Intel’s $7.7bn acquisition of McAfee in 2010. And it’s a huge personal payday for Marty Roesch, creator of the open-source intrusion protection system Snort. He took Snort’s basic technology and built commercial code under the Sourcefire brand since 2001.


“I’d be lying if I said I wasn’t sentimental. When I think back when I was in my spare bedroom writing Snort, I never imagined it would be foundational to building a great company followed by an acquisition by one of the largest technology companies in the world,” Roesch said in a blog post.

It’s the second time the company has tried to get bought out. Israeli firm Check Point tried to purchase the company in 2005 for $225m, but the deal was dropped after it looked as though the US government was going to block the deal on national security grounds. There have been no such problems for homegrown firm Cisco however.

“To truly protect against all possible attack vectors, our focus is to examine the nature of modern networked environments and devices and to defend them by deeply understanding and analyzing the mindset of the attackers,” said Christopher Young, senior vice president of Cisco Security Group.

There are no changes planned at Sourcefire at the moment – the firm’s headcount and headquarters will remain the same and it’s business as usual, Roesch promised. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/09/cisco_completes_sourcefire_buy_to_beef_up_network_security_skills/


‘Blackhole’ Activity Dips Amid Reports Of Bust

The silence has been deafening out of Russia since the reported arrest of the author of the infamous Blackhole exploit kit — no official announcement came of a bust akin to how botnet takedowns or indictments are typically trumpeted here in the U.S. Meanwhile, security researchers have noticed gaps in Blackhole activity during the past couple of days that appear to corroborate a disruption in the crimeware kit’s operations.

Word got out yesterday via social media that “Paunch,” the Russian malware writer behind the popular and user-friendly Blackhole exploit kit, had been apprehended in Russia. TechWeek Europe today reported that Troels Oerting, head of the European Cybercrime Centre, confirmed there had been an arrest, but he wouldn’t elaborate.

Some security researchers say they’ve witnessed chatter about Paunch’s arrest in underground forums, and one source who requested anonymity confirmed the arrest. Arrests of cybercriminals are still relatively rare, especially in Russia, where cybercrime organizations are known to operate relatively freely as long as they don’t target their own citizens. So the prospect of the bust of a major player in cybercrime is big news: “This speaks volumes that this is now viewed as an international problem,” says Will Gragido, senior manager of RSA First Watch. “I don’t know where the arrest originated, but what I read within the forums was that it was orchestrated out of the Russian Federation. So that’s pretty significant” if it proves to be true, he says.

Tom Kellermann, vice president of cybersecurity at Trend Micro, says the reported arrest bodes well for improved cooperation among global law enforcement agencies. “This indictment speaks volumes to the organization of the shadow economy,” Kellermann says. “This unprecedented collaboration has been years in the making. Interpol and Europol have stepped up their game.”

Among the signs that something’s up: The service that encrypts the Blackhole exploit kit, crypt.am, had gone offline and remains so as of this post, and Sophos noticed a rare decline in Blackhole infection detections in its lab during the past 24 hours or so since word of an arrest broke. “We did see a decline in detections, which is abnormal,” says Chester Wisniewski, senior security adviser at Sophos.

RSA’s Gragido says the fact crypt.am is down is significant. “[Crypt.am] allows you to encrypt the Blackhole exploit kit,” he says. “That it’s not been updated in two or four days is pretty telling. It had been updated on a daily basis since the arrival of Blackhole on the open market.”

Blackhole has been a mainstay in malware since it first emerged on the scene nearly two years ago. The crimeware kit serves up browser-based exploits via infected websites, with the ultimate goal of planting ransomware, financial data-stealing Trojans, or other malware on machines that visit the sites. “Blackhole gave virtually anyone the ability to become a botnet master. When you stop to think about it, it’s pretty powerful and probably more ubiquitous than its competitors because it was easy to manipulate,” Gragido says.


So what does a bust mean for Blackhole? Customers who rent the kit won’t get updates, so their exploits eventually will become “stale,” says Jerome Segura, a senior security researcher at Malwarebytes, who today also confirmed that crypt.am was down.

The dip in threats may provide only a very temporary respite in kit-driven cybercrime attacks as Blackhole cybercriminal customers move their businesses to other crimeware kits. Like a botnet takedown, the decline will be short-lived; the bad guys will just retrench and re-emerge elsewhere. According to a French security researcher known as Kafeine, the Reveton ransomware gang was seen migrating away from another of Paunch’s malware kits, Cool EK, to a Whitehole exploit kit.

“The interesting thing about this is if, in fact, [Paunch] was arrested, we are going to see a surge in the use of other kits in lieu” of Blackhole, Gragido says. Cool, Stix, and Poison Ivy are prime candidates, he says. And older tools like Liberty and Eleonore could re-emerge, he says.

Even so, Blackhole had lost some “market share” during the past few months to other kits. Sophos’ Wisniewski says last year Blackhole made up about 70 percent of infections in websites — No. 1 — but today it’s somewhere around the fourth or fifth most common infection of websites.

As of August, Blackhole and sister Cool made up only 4 percent of website infections, according to new data released today by Sophos, and had dropped to just 2 percent during the past seven days. Glazunov/Sibhost (48 percent) is now leading the pack by far, followed by Neutrino (35 percent), Stix (3 percent), Sweet Orange (3 percent), and Cool (2 percent). Whitehole is responsible for 1 percent of website infections.

Wisniewski says Blackhole has basically been a victim of its own success. “Any time we see successful criminal techniques, you see other criminals come in and improve on it,” he says. “Blackhole was the first exploit-as-a-service … people buying it loved it, and it was always up to date with the latest exploit. But you saw a lot of copycats.”

Curt Wilson, ASERT research analyst with Arbor, says exploit kits are a key component in the cybercrime economy. Even with new crimeware kits taking center stage, there are ways to defend against them, including “robust” patching of applications – especially major targets like Java and Adobe Acrobat and Reader – and Microsoft’s EMET tool, as well as network monitoring.


Article source: http://www.darkreading.com/vulnerability/blackhole-activity-dips-amid-reports-of/240162409

Too Much Security Data Or Not Enough?

As security gurus and professional surveys try to examine the stumbling blocks that lay ahead for organizations seeking to mature their security analytics programs, the complaints by enterprises seem to be at odds with one another. On one hand, organizations complain that they have too much security data and too many types of data to sift through and analyze in a timely fashion. At the same time, they also say they don’t have enough data on hand to make analytics-based security decisions.

So, what gives? According to some experts, the seeming contradiction may well be the cracks showing in the old model of collecting security information and aggregate analysis through traditional tools like log management and security information and event management (SIEM).

“I remember the days where as security professionals we would have to go out and specifically ask for more and more data. Well, now we have it,” says Dave Shackleford, principal consultant for Voodoo Security and a SANS analyst. “We have a lot of types of data. You have all these various formats, not all of which are natively compatible with your SIEM platform.”


Just recently SANS released the results of its security analytics survey, an iteration of what was once its annual log management survey. As in the results of those surveys of years past, it found organizations rely heavily on log management and SIEM platforms that can’t handle the deluge of data now fed into them, Shackleford says. At the same time, the survey asked participants what their biggest challenges were in discovering and following up on attacks.

“Hands down, it was not getting some of the right data. So we still feel like we’re missing some of the key data sets in our environments, even with the deluge of the data that we have,” Shackleford says, explaining that organizations also said they lacked system or vulnerability awareness and context around the data to observe normal data. “Without those it is very difficult to tell that bigger better story around what’s happening in your infrastructure and that’s exactly the type of problem that analytics platforms are looking at and trying to solve.”

Part of the reason why organizations are finding they’re contending with too much data and not enough data at the same time is because they’re collecting in an upside-down process, says Ryan Stolte, CTO of Bay Dynamics.

“The bad assumption is that we should start with the data and focus on aggregating it and bring in it all into the same repository. When you start just by grabbing whatever data you can find and then hoping to get insight out of it later, it’s a long, expensive process and an upside-down approach,” he says.

Instead, organizations should be asking business and security questions first and looking for the data that will help answer them.

“You have to know what questions you’re trying to ask before you start going out and fetching data for it,” he says. “People have spent a tremendous amount of money consolidating data and never had a plan for what they were going to do it.”

In the same vein, Stolte says that organizations have a hard time acting on data, even if it is the right information, when they rely too heavily on SIEM.

“It’s a common mistake trying to aggregate everything through SIEM. But it is only giving you one perspective and very commonly ends up being a black hole of information that is not actionable,” he says.

According to Shackleford, SANS has seen organizations seek to move beyond just SIEM to analyze data and shift into more robust analytics techniques and platforms.

“We definitely see trends and the market is ready for this—people have this need for analytics and intelligence wrapped together in these larger data sets,” he says, explaining that at the same time only about 10 percent of organizations are confident in their intelligence and analytics capabilities. “Most people are still using traditional techniques, still using log management and SIEM platforms to pull all this together. So I say today analytics is still pretty much in its infancy. There’s a lot of room for growth.”


Article source: http://www.darkreading.com/too-much-security-data-or-not-enough/240162415

Microsoft’s Patch Tuesday is out

Microsoft’s Tenth Anniversary Patch Tuesday is out, and, yes, Redmond’s security gurus did patch against the recent Internet Explorer zero-day that is being exploited in the wild.

More precisely, the vulnerability CVE-2013-3893 has been fixed, so even if you aren’t using (or couldn’t use) Microsoft’s temporary Fix it, you can now close off that avenue of attack altogether.

Notably, the Fix it was for 32-bit platforms only, so servers and recent laptop installs running 64-bit Windows versions were out of luck.

That’s a creditably quick response from Microsoft, and a great Tenth Birthday result.

By the way, there’s a reliable and easy-to-modify proof of concept exploit floating around on the web, as well as an exploit module for the DIY break-and-enter toolkit Metasploit, so CVE-2013-3893 must be considered a clear and present danger.

The proof of concept I’ve seen is packaged as a single chunk of JavaScript inside a single HTML file, and targets IE 8 and IE 9 on Windows XP, Vista and Seven.

If you view a web page that contains the JavaScript from the proof of concept, then your browser will connect to an external site, download an executable file in the background, and run it.

If you don’t have a decent anti-virus installed (or you have one that hasn’t been updated since the free trial ran out a year ago) then you won’t see anything – not a warning, a dialog box, a progress bar or even a logfile entry – to tell you what happened.

Your browser will eventually crash, but only after the download has finished and the secretly installed malware has launched.

→ A decent anti-virus is likely to control this exploit. Sophos Anti-Virus, for example, blocks booby-trapped web pages as Exp/20133892-B. But immunising your browser altogether, by neutralising the vulnerability that makes the exploits possible in the first place, is by far the best solution.

But don’t concentrate only on the Internet Explorer “biggie.”

There are six other remote code execution holes fixed this month, and even though three of them are rated only Important by Microsoft, rather than Critical, I’d still treat “important” as meaning “important enough to patch right away.”

All the Important remote code execution vulnerabilities are in various components of the Office family, and can be triggered by booby-trapped documents that carry shellcode (executable code buried invisibly amongst the data) in file types you are entitled to assume Office should open without risk.

In theory, if you put executable code in a data file, it ought to be harmless: whether you give your name as text that spells out Paul Ducklin or machine code that corresponds to PUSH-PUSH-CALL-POP should make no difference.

The machine code version of your name should be treated as data, and never get a chance to run.

Programming mistakes do happen, however, sometimes allowing deliberately mangled files to confuse Word or Excel (or other software of that sort) into executing data as if it were code.
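The data-versus-code distinction above is easiest to see in a parser. What follows is an added example written for this page, not code from the Naked Security article and not Microsoft Office’s code: a toy record parser in its vulnerable form next to a hardened one. The record format (a length byte followed by an “author name”), the struct and every function name are assumptions invented for the illustration. The vulnerable parser trusts the length byte in the file, so a record claiming 200 bytes of name copies 200 bytes into a 16-byte field and the remainder lands in whatever memory follows. The hardened parser differs only in two length checks.

```c
/* Added example for this page, not code from the Naked Security article and
 * not Microsoft Office's code. A toy "document" parser shows how an unchecked
 * length field lets bytes that were pure data in a file overwrite memory next
 * to the buffer they were meant for. The record format, the struct and every
 * function name here are assumptions invented for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed size of the "author name" field */

/* Assumed record layout: one length byte, then that many bytes of name. */
struct author_record {
    char name[NAME_MAX];
};

/* Vulnerable form: trusts the length byte from the file. A record claiming
 * 200 bytes copies 200 bytes into a 16-byte field, so the excess lands in
 * whatever the compiler placed after it (other locals, saved registers, the
 * return address). Those bytes were "data" in the file; if they are machine
 * code and control flow is diverted into them, they run. Kept for comparison
 * only: never call this on untrusted input. */
int parse_author_unchecked(const uint8_t *buf, size_t buflen, struct author_record *out)
{
    if (buflen < 1) return -1;
    uint8_t len = buf[0];
    memcpy(out->name, buf + 1, len);   /* no bounds check: overflows when len > 15 */
    out->name[len] = '\0';             /* and may write the NUL past the end too */
    return (int)len;
}

/* Hardened form: the only change is that the length is checked against both
 * the destination field and the amount of file actually present. */
int parse_author_checked(const uint8_t *buf, size_t buflen, struct author_record *out)
{
    if (buflen < 1) return -1;
    uint8_t len = buf[0];
    if (len >= NAME_MAX) return -1;            /* will not fit with its NUL */
    if ((size_t)len + 1 > buflen) return -1;   /* claims more bytes than the file has */
    memcpy(out->name, buf + 1, len);
    out->name[len] = '\0';
    return (int)len;
}

/* Builds a constructed record: a chosen length byte followed by a filler byte.
 * 0x90 is the x86 NOP opcode, harmless as data and only meaningful if it is
 * ever executed. Returns the record size, or 0 if it does not fit in dst. */
size_t make_record(uint8_t *dst, size_t cap, uint8_t claimed_len, uint8_t fill)
{
    if (cap < 1u + claimed_len) return 0;
    dst[0] = claimed_len;
    memset(dst + 1, fill, claimed_len);
    return 1u + claimed_len;
}

/* The name as text: both parsers accept it; the unchecked one is safe here
 * only because the input happens to be well-formed. Returns 1 on success. */
int check_benign_record(void)
{
    const char *who = "Paul Ducklin";
    uint8_t file[64];
    struct author_record rec;
    size_t n = make_record(file, sizeof file, (uint8_t)strlen(who), 0);
    memcpy(file + 1, who, strlen(who));
    return n == 13
        && parse_author_checked(file, n, &rec) == 12
        && strcmp(rec.name, who) == 0
        && parse_author_unchecked(file, n, &rec) == 12;
}

/* A "name" that is machine code and far too long: the hardened parser rejects
 * it, rejects a 16-byte name (no room for the NUL), and still accepts the
 * 15-byte maximum. Returns 1 on success. */
int check_oversized_record(void)
{
    uint8_t file[256];
    struct author_record rec;
    size_t n = make_record(file, sizeof file, 200, 0x90);
    if (n != 201 || parse_author_checked(file, n, &rec) != -1) return 0;
    n = make_record(file, sizeof file, NAME_MAX, 0x90);      /* one byte too many */
    if (parse_author_checked(file, n, &rec) != -1) return 0;
    n = make_record(file, sizeof file, NAME_MAX - 1, 0x90);  /* exactly fits */
    return parse_author_checked(file, n, &rec) == 15;
}

/* A truncated file: the length byte promises more than the file contains. */
int check_truncated_file(void)
{
    uint8_t file[6] = { 10, 'a', 'b', 'c', 'd', 'e' };
    struct author_record rec;
    return parse_author_checked(file, sizeof file, &rec) == -1;
}

int main(void)
{
    printf("benign record accepted:   %s\n", check_benign_record() ? "yes" : "NO");
    printf("oversized record refused: %s\n", check_oversized_record() ? "yes" : "NO");
    printf("truncated file refused:   %s\n", check_truncated_file() ? "yes" : "NO");
    return 0;
}
```

Build it with any C compiler (for example `cc -Wall -o parser parser.c`). The oversized record is deliberately never fed to the unchecked parser, because that is the undefined behaviour the bug class is built on; the point is that a single unchecked length field is all it takes for a file that “should open without risk” to write attacker-chosen bytes outside the buffer, and that the fix is a boundary check on every length the file supplies.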

The eighth patch this month is for an information disclosure bug in Silverlight.

Microsoft isn’t saying what might be disclosed if this bug is triggered.

But since “information disclosure” is another way of saying “potential data breach,” you probably want to patch the eighth one, too.

For the opinion of SophosLabs on the likelihood of each of the eight vulnerabilities being exploited, and for advice on alternative mitigations (if you are unwilling to patch) or additional mitigations (if you are patching anyway), please visit our Vulnerabilities page.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AFl18CXunU0/