STE WILLIAMS

US secret court publishes rationale for why spying on everybody is OK

Finally we know, legally speaking, why the US thinks it’s just fine and dandy to collect metadata relating to whom we call, who calls us, how long we talk, and maybe even where we’re talking from.

The rationale will likely sound familiar to those who’ve been following ongoing news concerning National Security Agency (NSA) surveillance.

It boils down to a landmark case from 1976 – Smith v. Maryland – in which the Supreme Court ruled that calling a telephone number necessarily involves disclosing the number to a third party – i.e., the phone company.

Because the number was disclosed during the phone call, the number’s not private, the Supreme Court held, and the government can have easy access to the call records.

This is the origin of the “third-party doctrine”. The logic has, in the case of the NSA arranging metadata downloads from Verizon et al., been ported over to the idea of demanding massive amounts of phone metadata.

The rationale has been secret until now.

It was unveiled for the first time on Tuesday and published on the website for the nation’s most secret court, the Foreign Intelligence Surveillance Court (FISC), as reported by Ars Technica’s Cyrus Farivar.

As Farivar writes, the 46-page opinion [PDF], authored by Judge Claire Eagan, was written on 29 August but not published until this week.

The unveiling of the legal rationale comes after FISC Judge Reggie Walton ordered the Government to conduct a declassification review of such decisions and related orders in the wake of Edward Snowden having leaked documents and thereby set in motion a firestorm over the National Security Agency’s (NSA’s) extensive surveillance program.

In her opinion, Justice Eagan explains why the Fourth Amendment to the US Constitution, which prohibits unreasonable searches, doesn’t pertain in the case of the metadata sharing program:

The telephone user, having conveyed this information to a telephone company that retains the information in the ordinary course of business, assumes the risk that the company will provide that information to the government. Thus, the Supreme Court concluded that a person does not have a legitimate expectation of privacy in telephone numbers dialed, and therefore, when the government obtained that dialing information, it “was not a ‘search’”, and no warrant was required.

. . .

Put another way, where one individual does not have a Fourth Amendment interest, grouping together a large number of similarly situated individuals cannot result in a Fourth Amendment interest springing into existence ex nihilo. [Ed. a Latin phrase meaning “out of nothing”.]

In sum, because the Application at issue here concerns only the production of call detail records, or “telephony metadata” belonging to a telephone company, and not the contents of communications, Smith v. Maryland compels the conclusion that there is no Fourth Amendment impediment to the collection. Furthermore, for the reasons stated in [REDACTED] and discussed above, this Court finds that the volume of records being acquired does not alter this conclusion. Indeed, there is no legal basis for this Court to find otherwise.

Farivar’s article is well worth the read, particularly given his analysis of whether the third-party doctrine on which Eagan bases her opinion might actually be starting to wobble.

As he explains, no telecoms company has to date challenged the legality of a FISC order.

Were Verizon, for one, to actually do so, it could well be bolstered by a January 2012 Supreme Court decision in the US v. Jones case, wherein the court ruled that law enforcement lacked the right to warrantlessly place a GPS tracking device on a suspect’s vehicle.

Justice Sonia Sotomayor wrote in that case that it well might be time to review the third-party doctrine:

…It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.

Is change in the air? Is the climate ripe for a shift in legal thinking on issues of the legality of NSA surveillance?

Let us know your thoughts in the comments below.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PsDKSK57tps/

UK to trial national emergency alerts via mobile phones

If you live in the UK and listened to the radio earlier this week, you might have heard Chester Wisniewski and me talking to a number of local radio stations about the UK government’s proposal to introduce an emergency alerting service based on mobile phone text messages.

The plan, which will enter a trial stage later this month, is aimed at tapping into the ubiquity of mobile phones and the simplicity of Short Message Service (SMS) text messages to provide an effective method of giving clear and concise advice in the event of an emergency.

Radio and TV are highly effective tools that already get the news out rapidly in the event of local or national crises, but if you aren’t watching or listening at the moment that the alert goes out, you miss it.

Augmenting this with text messages may not be the most cutting-edge approach – texts are so 1999, after all – but it will work with just about every mobile phone in the UK, and just about everyone has a mobile phone.

It all sounds uncontroversial, doesn’t it?

You can probably imagine any number of local incidents that, were they to happen in your town, you wouldn’t mind hearing about without needing to be watching a TV or listening to a radio at the time.

At the risk of sounding a bit gruesome, examples might be: factory on fire, poisonous smoke billowing out; flood waters burst banks, CBD inundated; train accident, blood donations needed urgently; and so on.

But many, if not most, of the radio interviewers were at best cautiously optimistic, and with good reason: they wanted to speak to computer security experts because they wanted to consider the potential security risks before endorsing the proposal.

Thinking through the privacy implications before implementing a plan that is “obviously” the right thing to do?

That’s a good sign, if you ask me!

Quantifying the risks

So, how might this work, and what are the risks?

• Knowing whom to tell

You can build a giant list of users, and send them each an SMS in turn when you have something to say. This makes the service opt-in (unless you compel the mobile operators to hand over their subscriber databases), so the people who will receive the alerts are those who genuinely want them.

But it’s inefficient, since you have to send thousands or millions of messages, one by one, and for local emergencies, it doesn’t automatically target people on the spot (they might be out of town for the day, or have their phone turned off).

And there’s the problem of maintaining and disseminating the list so it can be used in real time: that list would be a prized possession for cybercriminals.

Or you can use SMS-CB, or “cell broadcasts,” where the mobile operator simultaneously sends a message to all the phones currently in a particular cellular area, thus promptly and efficiently reaching phones that are in range, and appropriately located.

But there’s no opt-in, and although many phones can opt out of CBs with a configuration setting, that’s usually an all-or-nothing approach.

• Authenticating the messages

Cybercriminals are adept at hijacking news stories, especially those involving tragedy and disaster, to peddle their own fraudulent information, or to spread misinformation and fear.

And they’re adept at copying the look and feel of genuine security warnings to give themselves an aura of legitimacy that misleads people, especially when they are in a hurry.

For web pages, there’s room in the browser’s interface for visual alerts that can’t easily be forged or disguised by the crooks (the HTTPS padlock in the address bar, for example), and those can help well-informed users to distinguish fake from real.

We don’t have similar protections for SMSes, and while the brevity of text messages is handy for clarity and simplicity in an emergency, it makes them easy to clone, or copy, or spoof, in a believable way.

• Tolerance for unexpected messages

Several of the interviewers noted that they suffer a similar problem to me: SMS fatigue.

We already receive so much SMS spam (what Naked Security jocularly calls SPASMS), urging us to consolidate our debts, or trying to sell us insurance we don’t need, that our tolerance for text messages is very low.

We’re probably the sort of people who wouldn’t opt in to any service, even a well-meant one, that required us to hand over our mobile phone details.

Unless we were expecting a message from a specific source (such as a two-factor authentication code we know is on the way), we wouldn’t pay much attention to it on the grounds that we never opted in to start with.

• Safeguarding the system

Similar emergency alerting systems, though admittedly not SMS-based ones, in other countries, have had terrible trouble with hackers.

Not because they were hacked frequently, but because they were hacked and abused at all – it only takes one fake emergency to cause panic, or to destroy trust for ever in the alerting system.

Indonesia’s disaster management adviser’s Twitter account was hacked; someone sent a bogus message claiming “Jakarta: tsunami arrives tomorrow.”

And in Montana, US, a TV-based alerting system was abused to send out warnings of a zombie apocalypse. (It might sound funny in hindsight, but it is a dire reminder of why security matters fourfold in alerting systems of this sort.)

Should it go ahead?

As one interviewer, despite his own sceptical concern, pointed out, “The fact that there are lots of potential problems is no reason not to do it.”

He’s right.

What I applaud in this case is that the trials, which will involve up to 50,000 people, are to see if the system might work well enough in the UK to be adopted there.

In the post-9/11 security era, it seems that the trials of many security systems are more about seeing how to implement them, not to decide whether to do so.

And security systems put in place “because it’s obvious they’ll do good,” may end up having quite the opposite result.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/aw2a87H4RJE/

Sophos Techknow

Welcome to another episode of Techknow, the podcast in which Sophos experts debate, explore and explain the often baffling world of computer security.

In this episode, entitled Understanding Vulnerabilities, Paul Ducklin and Chester Wisniewski demystify vulnerability jargon in a way that’s useful to IT administrators.

After all, we’ve become so used to abbreviations like RCE, EoP and DoS that they have begun to lose their significance.

They stand for Remote Code Execution, Elevation of Privilege and Denial of Service respectively – problems that sound serious when written out in full, but somehow become “just one of those things” when reduced to acronym form.

But is an RCE worse than an EoP? Is a DoS less serious than an EoP? Where do Information Disclosure bugs fit in?

Chet and Duck help you answer these questions, and more, not only for the sake of interest, but also so that you can prioritise your patches in a way that fits your organisation best.

In the past week or so we’ve had biggish updates from Microsoft, Adobe, Oracle, and Apple; then we had updates to Microsoft’s updates; then an emergency “Fix it” for Internet Explorer; and we’ve just this minute finished writing up the latest Firefox fixes.

So the timing of this Techknow could scarcely be better!

Listen now: (18 September 2013, duration 15’08”, size 9.1MB)

Listen later: Download Sophos Techknow – Understanding Vulnerabilities [MP3]

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/o4NUOA-E4nI/

Telstra to DNS-block botnet C&Cs with unknown blacklist


Telstra is preparing to get proactive with malware, announcing that it will be implementing a DNS-based blocker to prevent customer systems from contacting known command-and-control servers.

The “malware suppression” tool will be introduced at no cost for fixed, mobile and NBN customers using domestic broadband and Telstra Business Broadband services.


The service is using a command-and-control address list sourced from an unnamed Californian partner, and the carrier maintains that it won’t be recording users’ browsing history.

However, there seems to be a little confusion between different arms of the carrier as to how the malware suppression service works. Here’s how the promotional blog post discusses the technology:

“Because the malware suppression technology only observes DNS queries and not internet traffic, no internet search history, browsing data or any other customer data is recorded, retained or sent to a third party.”

(Vulture South notes that the last time we looked, DNS queries travelled over the Internet. We therefore conclude that Telstra is trying to reassure customers that the content of their browsing is not examined.)

In its support QA, the carrier states:

“We do not retain a record of legitimate DNS queries made by your computer and those legitimate queries will be unaffected by the new malware suppression” (emphasis added).

As the same page notes, if the carrier has reason to query (sorry) a DNS query, it will fire off a query to California:

“At times, the DNS server may notice a pattern of queries from a number of different users which looks suspicious (for example, why would a real user try to go to a domain like qwe54fggty.dyndns.biz?). In this case, information about the suspicious target domain might be sent to our partner in California to examine whether the domain is a botnet or command control server.”

However, it states that when requesting that a domain be examined by its blacklist supplier, it will not pass on any information that identifies the user or users trying to contact that domain.

In response to The Register’s questions, a Telstra spokesperson provided this statement:

“We are introducing malware suppression technology to the Telstra BigPond Network to help improve safety and security of the internet for our customers. We have developed the upgrade to our network with a technology partner, a firm based in the United States. The malware suppression technology does not look at any content our customers are sending or receiving, rather it prevents our customer’s computers from being controlled by Command and Control servers. The malware suppression service being deployed on the Telstra BigPond Network works on DNS queries only going to verified Command and Control servers.”

Which is likely to be all very well and good, until some poor sap finds their IP address lives on a server also occupied by a C&C server. Such a scenario is not beyond the realms of possibility: in May 2013 Australia’s de facto internet filter blocked access to hundreds of sites when the intention was to block just one. Telstra must be hoping its un-named source of C&C systems doesn’t make the same mistake. ®
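To make the mechanism concrete, here is an added example (not Telstra’s or its partner’s code) of a resolver-side “malware suppression” filter of the kind the article describes: it sees only query names, refuses lookups of known C&C domains, forwards everything else without keeping a record, and queues machine-looking names such as qwe54fggty.dyndns.biz for review while retaining the domain only, never the querying client. The blocklist, the entropy heuristic and the thresholds are all constructed assumptions for illustration; the real partner’s triage is not described on the page.

```python
"""Added example: a DNS resolver filter that blocks known C&C names and
escalates suspicious ones without logging legitimate queries or clients.
Not Telstra's code; every domain and threshold here is constructed."""

import math
from collections import Counter
from dataclasses import dataclass, field

# Constructed blocklist standing in for the unnamed partner's C&C feed.
CC_BLOCKLIST = {"evil-c2.example", "cc.bad-updates.example"}


def shannon_entropy(label):
    """Bits of entropy per character in a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_machine_generated(qname):
    """Cheap heuristic (an assumption, not the partner's logic): a long leftmost
    label that mixes letters and digits with high entropy, like qwe54fggty."""
    label = qname.split(".")[0]
    if len(label) < 8:
        return False
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    return has_digit and has_alpha and shannon_entropy(label) > 2.5


@dataclass
class SuppressionResolver:
    blocklist: set
    # Only the suspicious *domain* is retained for escalation, never who asked.
    escalations: list = field(default_factory=list)
    blocked_count: int = 0

    def resolve(self, client_ip, qname):
        """Return the action for one query: NXDOMAIN (blocked) or FORWARD.
        client_ip is deliberately never stored anywhere."""
        qname = qname.lower().rstrip(".")
        if qname in self.blocklist or any(qname.endswith("." + d) for d in self.blocklist):
            self.blocked_count += 1
            return "NXDOMAIN"  # the infected client never learns the C&C address
        if looks_machine_generated(qname) and qname not in self.escalations:
            self.escalations.append(qname)  # sent to the partner for examination
        # Legitimate queries are forwarded upstream (stubbed) and not recorded.
        return "FORWARD"


if __name__ == "__main__":
    resolver = SuppressionResolver(blocklist=set(CC_BLOCKLIST))
    for ip, name in [("10.0.0.1", "www.example.com"),
                     ("10.0.0.1", "evil-c2.example"),
                     ("10.0.0.2", "qwe54fggty.dyndns.biz")]:
        print(name, "->", resolver.resolve(ip, name))
    print("escalated for review:", resolver.escalations)
```

Note that a suspicious-looking name is still forwarded, matching the support page’s description: the resolver only blocks names already verified as C&C, and the escalation list carries no client address, which is the privacy property Telstra’s statement claims.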


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/18/telstra_to_dnsblock_botnet_ccs/

Centrify Backs BYOD Initiatives With Day One Support And Interoperability Of Apple iOS 7 Operating System

SUNNYVALE, Calif. — Sept. 18, 2013 — Centrify Corporation, the leader in Unified Identity Services across data center, cloud and mobile, today announced that its Centrify User Suite offering supports the just-released Apple iOS 7 operating system for iPhones and iPads, enabling organizations to leverage Centrify’s proven Active Directory-based security service to manage users and devices and address enterprise mobility and BYOD challenges. The Centrify User Suite solution maximizes security and visibility through centralized access management and reporting of enrolled devices and installed applications, allowing IT staff to quickly and securely bring large populations of Apple iOS, Android and Mac devices under management by leveraging existing Active Directory identity infrastructure and skill sets.

With Centrify User Suite, both mobile devices and Macs are seamlessly integrated into Microsoft Active Directory, leveraging organizations’ existing Active Directory infrastructures, processes and skill sets to deliver enhanced security and centralized management for IT; and secure Single Sign-On (SSO) access for users in the workplace. This unparalleled integration with an organization’s on-premise Active Directory infrastructure and Group Policy-based management tools makes it easy to enforce and update Mac and mobile security settings. From locking or remotely wiping devices to securing access to email networks and enforcing use of passcodes, the Centrify solution enables administrators to easily assign devices to users and manage the associated properties and settings for each user’s device without the hassle of deploying complex new infrastructure or a separate management console.

“With the wave of mobile devices operating alongside Macs in organizations today, it is imperative that solutions securing these devices support the latest available operating systems versions,” said David McNeely, Centrify senior director of product management. “As an Apple partner, we’ve always endeavored to provide ‘day one’ support of every new operating system release to allow end users to embrace the latest and greatest innovations while enabling the organization to ensure safe and productive use of Apple devices in the workplace.”

Availability

Centrify support for iOS 7 release is available today in all Centrify User Suite Editions. To obtain more information, see http://www.centrify.com/products/centrify-user-suite.asp For the free Centrify Express for Mobile, see http://www.centrify.com/mobile/free-mobile-device-security-management.asp

About Centrify

Centrify provides Unified Identity Services across the data center, cloud and mobile that results in one single login for users and one unified identity infrastructure for IT. Centrify’s solutions reduce costs and increase agility and security by leveraging an organization’s existing identity infrastructure to enable centralized authentication, access control, privilege management, policy enforcement and compliance. Centrify customers typically reduce their costs associated with identity lifecycle management and compliance by more than 50%. With more than 5,000 customers worldwide, including 40% of the Fortune 50 and more than 60 Federal agencies, Centrify is deployed on more than one million server, application and mobile device resources on-premise and in the cloud. For more information about Centrify and its solutions, call (408) 542-7500, or visit http://www.centrify.com/.

Article source: http://www.darkreading.com/end-user/centrify-backs-byod-initiates-with-day-o/240161497

3 Steps To Secure Your Business In A Post-Signature World

While phishing, reconnaissance scans, social engineering and other opportunistic attacks still comprise the lion’s share of malicious activity seen by most companies, a growing proportion of attacks are able to evade signature-based defenses. Cybercriminals using fully undetectable (FUD) services can create variants that are unrecognizable to antivirus programs and targeted attacks increasingly use custom-built malware designed to tiptoe past the target’s defenses.


To find advanced malware, companies have to look for indicators of compromise that might not initially appear to be connected to a malware infection or to each other, says CP Morey, vice president of product marketing at security firm Sourcefire. For example, callbacks to unknown servers along with the installation of an unknown application and high utilization on a machine might not individually pass the threshold that requires investigation, but together they should set off an alert, he says.

“Traditional security technologies, or a signature-based approach, is like looking for a smoking gun — it’s pretty obvious when you find that at the scene of a crime,” says Morey. “Advanced malware, and its indicators of compromise, are more like the Golden Gun from the Bond films: it was made up of a cigarette case, a lighter, a cuff link, a fountain pen and some other stuff. By themselves, all seemed like no big deal, but when Bond assembled them, they became a gun.”

At the Interop conference at the end of September, Morey will discuss approaches to detecting increasingly sophisticated malware as well as the more run-of-the-mill malicious programs that are still able to escape detection. He and other security experts offered some first steps for firms.

1. Look for bad behavior
Companies should make sure that they are looking for suspicious behaviors, both on employees’ desktops and in how employees’ systems are accessing network resources. Sandboxing, where new files and programs are first opened in a virtual environment, essentially looks for bad behavior that could signal maliciousness.

“Behavioral analysis is a really critical piece in detecting that last ‘X’ percent,” says Michael Sutton, vice president of security research for Zscaler, which provides security for endpoints through a cloud service. “There will always be a chunk of stuff that cannot be detected through signature-based approaches.”

[Why some industries are staring down the barrel, but still don’t know it, putting others at risk. See Advanced Threats, Imagination, And Perception.]

Yet, signature-based security is necessary as well. There are many threats — such as purely social-engineering or phishing attacks — that likely cannot be detected by behavioral software, he says. In addition, behavioral analysis can detect new threats, but unless it is tied to other information about what is happening across the network, companies may not know whether the attack was successful nor how deeply it penetrated the network.

“It is not able to tell me what happened thereafter,” Sutton says. “So it is important that behavioral analysis is not done in isolation.”
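Morey’s point that individually sub-threshold indicators should alert in combination is easy to encode. The following is an added example, not Sourcefire’s or Zscaler’s product logic: it scores constructed telemetry lines per host, where a callback to an unknown destination, an unsigned install and high CPU each score below the investigation threshold, but a host showing all three crosses it. The event format, the weights, the known-destination list and the threshold are assumptions chosen for illustration.

```python
"""Added example: per-host correlation of weak indicators of compromise.
Not from the article or any vendor; log lines and weights are constructed."""

from collections import defaultdict

# Constructed telemetry: "timestamp host event_type key=value ..."
SAMPLE_EVENTS = """\
2013-09-18T09:01:00 ws-17 dns_callback dst=update-svc.unknown.example
2013-09-18T09:01:30 ws-17 app_install name=svchost_helper.exe signer=none
2013-09-18T09:03:00 ws-17 cpu_high pct=97
2013-09-18T09:05:00 ws-22 dns_callback dst=updates.vendor.example
2013-09-18T09:05:30 ws-22 cpu_high pct=95
2013-09-18T09:06:00 ws-31 app_install name=7zip.exe signer=trusted
""".splitlines()

# Assumed allow-list of destinations that hosts are expected to call back to.
KNOWN_DESTINATIONS = {"updates.vendor.example", "mail.corp.example"}

# Each indicator alone stays below the threshold; any two together cross it.
WEIGHTS = {"callback_unknown_dst": 40, "app_install_unsigned": 35, "cpu_high": 30}
ALERT_THRESHOLD = 70


def parse_event(line):
    """Split one telemetry line into a dict of fixed and key=value fields."""
    ts, host, etype, detail = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": ts, "host": host, "type": etype, **fields}


def indicator_for(event):
    """Map a raw event to a weighted indicator name, or None if benign."""
    if event["type"] == "dns_callback" and event.get("dst") not in KNOWN_DESTINATIONS:
        return "callback_unknown_dst"
    if event["type"] == "app_install" and event.get("signer") == "none":
        return "app_install_unsigned"
    if event["type"] == "cpu_high" and int(event.get("pct", 0)) >= 90:
        return "cpu_high"
    return None


def correlate(lines):
    """Return {host: (score, [indicators])}; each indicator counts once per host."""
    scores = defaultdict(lambda: [0, []])
    for line in lines:
        ev = parse_event(line)
        ind = indicator_for(ev)
        if ind is None or ind in scores[ev["host"]][1]:
            continue  # benign event, or a repeat of an indicator already counted
        scores[ev["host"]][0] += WEIGHTS[ind]
        scores[ev["host"]][1].append(ind)
    return {h: (s, inds) for h, (s, inds) in scores.items()}


def hosts_to_investigate(lines, threshold=ALERT_THRESHOLD):
    """Hosts whose combined indicator score reaches the alert threshold."""
    return sorted(h for h, (score, _) in correlate(lines).items() if score >= threshold)


if __name__ == "__main__":
    for host, (score, inds) in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} indicators={inds}")
    print("investigate:", hosts_to_investigate(SAMPLE_EVENTS))
```

The design choice worth noting is that correlation is keyed on the host and each indicator counts once, so a single noisy signal (ws-22’s CPU spike next to a legitimate update check) cannot accumulate into an alert on its own.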

2. Get fuzzy, but not cute
Companies can also make use of machine learning and techniques that take a page from the attacker’s playbook: fuzzing.

With fuzzing, an attacker varies an input in random ways to see whether it impacts a specific system: putting random files into Microsoft Word, for example, can produce crashes and illuminate exploitable vulnerabilities. Using a complementary technique, Sourcefire essentially fuzzes signatures to detect the offspring of known malware.

“We take a known fingerprint for a malware sample and vary it using mathematical algorithms,” Sourcefire’s Morey says.
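The article does not say which algorithms Sourcefire uses, so the following is an added illustration of the general idea rather than their method: a signature built from content-defined chunks of a sample, compared by set similarity, still matches a variant that has had bytes inserted, whereas a fixed-offset chunk signature loses everything after the insertion. The samples are constructed pseudo-random byte strings, and the window, modulus and chunk sizes are assumptions picked to keep the example small.

```python
"""Added example: a fuzzy (piecewise, content-defined) signature that keeps
matching a byte-inserted variant. Not Sourcefire's algorithm; samples are
constructed pseudo-random bytes standing in for malware files."""

import hashlib
import random

_rng = random.Random(20130918)  # fixed seed so the constructed samples are stable
BASE_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(600))
# "Variant": the same sample with a 6-byte insertion near the middle, which
# shifts every later byte offset, as repacking or padding by a FUD service might.
VARIANT_SAMPLE = BASE_SAMPLE[:300] + b"\x90" * 6 + BASE_SAMPLE[300:]
UNRELATED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(600))


def content_defined_chunks(data, window=4, modulus=8, min_size=4):
    """Cut data where a rolling property of the last `window` bytes holds, so
    boundaries depend on content, not position, and resynchronise after edits."""
    chunks, start = [], 0
    for i in range(window, len(data) + 1):
        if i - start >= min_size and sum(data[i - window:i]) % modulus == 0:
            chunks.append(data[start:i])
            start = i
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def fixed_chunks(data, size=16):
    """Naive alternative: cut at fixed offsets (breaks on any insertion)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def signature(chunks):
    """Set of truncated chunk hashes; order and offsets are deliberately dropped."""
    return {hashlib.sha256(c).hexdigest()[:16] for c in chunks}


def fuzzy_signature(data):
    return signature(content_defined_chunks(data))


def fixed_signature(data):
    return signature(fixed_chunks(data))


def similarity(sig_a, sig_b):
    """Jaccard similarity of two signatures, in [0, 1]."""
    if not sig_a and not sig_b:
        return 1.0
    return len(sig_a & sig_b) / len(sig_a | sig_b)


def demo_scores():
    """Compare the base sample against itself, its variant and an unrelated file."""
    base_fuzzy = fuzzy_signature(BASE_SAMPLE)
    return {
        "identical": similarity(base_fuzzy, fuzzy_signature(BASE_SAMPLE)),
        "variant_fuzzy": similarity(base_fuzzy, fuzzy_signature(VARIANT_SAMPLE)),
        "variant_fixed": similarity(fixed_signature(BASE_SAMPLE), fixed_signature(VARIANT_SAMPLE)),
        "unrelated": similarity(base_fuzzy, fuzzy_signature(UNRELATED_SAMPLE)),
    }


if __name__ == "__main__":
    for name, score in demo_scores().items():
        print(f"{name:>14}: {score:.2f}")
```

The fixed-offset score for the variant is 18 shared chunks out of 58 distinct ones (about 0.31), because every chunk after the insertion is shifted; the content-defined signature loses only the handful of chunks around the edit and resynchronises within a few bytes, which is the property a “fuzzed” signature needs to catch offspring of a known sample.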

3. Prepare for compromise
Finally, companies need to prepare for the inevitable compromise. While having good defenses can make attackers’ jobs more difficult, it is nearly impossible to keep every attacker out.

Yet, companies with a good defense-in-depth approach focus on detecting and responding to successful attacks as well, says Michael Lloyd, chief technology officer for RedSeal Networks, a network management and security firm. Saudi Aramco is a good example of a company that — through planning or luck — succeeded against its attackers, he says.

“They were attacked with a very well designed payload which did some damage, but it did not disrupt their ability to deliver oil,” Lloyd says. “In those terms, Saudi Aramco really succeeded in defending their business; they kept operating as a business, even after someone threw a very malicious attack at them.”

Companies should practice moving from the detection of suspicious activity to responding to the possible malicious attack, agrees Morey.

“What you do during and after an attack nowadays, is just as important as what you do before,” he says.


Article source: http://www.darkreading.com/advanced-threats/3-steps-to-secure-your-business-in-a-pos/240161501

Elite Chinese Cyberspy Group Behind Bit9 Hack

A more elite and sophisticated cyberespionage group out of China was behind the breach and ultimate theft of security firm Bit9’s digital code-signing certificates that later were used to target some Bit9 customers, according to new research from Symantec.

The so-called “Hidden Lynx” cyberspy gang has since at least 2009 waged targeted attacks, including water-holing campaigns in which it injected malware into legitimate websites likely frequented by its targeted industries and then sifted out its true targets, mainly from financial services firms in the U.S. Symantec says the gang was behind the VOHO water-holing attacks in June of 2012, when the attackers also broke into an internal Bit9 server to gain access to the firm’s file-signing infrastructure in order to sign malware. The gang is also tied to Operation Aurora, which targeted Google, Intel, Adobe, and other major U.S. firms and which was revealed in 2010.

Bit9 this spring revealed details on the breach, which resulted in attacks against three of its customers. The security firm confessed that an “operational oversight” led to the breach, with a virtual system on its network running without the company’s own whitelisting software. Harry Sverdlove, chief technology officer at Bit9, revealed that the initial compromise dated back to July 2012 via a SQL injection attack on one of its Internet-facing Web servers, and the breach was discovered in January of this year.

Symantec says three defense industrial base organizations were attacked by Hidden Lynx, but they were Symantec customers, not Bit9 customers.

“On our side, we got samples from three different organizations all in the defense supply sector … these were customers of ours who were at the targeted end of this attack. We don’t know if they got breached or infected” by the malware, but the customers provided the samples to Symantec, says Vikram Thakur, a researcher with Symantec Security Response.

Says a Bit9 spokesperson on its customers that were attacked in the wake of its breach: “The customers were not government or military entities nor were they defense contractors or otherwise part of the DIB.”

Bit9 has stopped short of providing any details on its customers who were targeted. Sverdlove in an interview with Dark Reading earlier this year said Bit9 had to hold back some intelligence because it would have inadvertently helped identify one of its customers as a target. “Certainly, the attack was a larger campaign. There was evidence of the actual purpose and long-term purpose, but we were careful not to share information that would [expose] customers,” Sverdlove said.

[RSA, Microsoft, and Bit9 executives share insights on how the high-profile targeted breaches they suffered have shaped things. See Security Vendors In The Aftermath Of Targeted Attacks.]

Hidden Lynx differs from other Chinese APTs like APT1/Comment Crew: they appear to operate on a for-hire basis, hacking specific targets for their clients who commission them, according to Symantec, which published a whitepaper on the group and their attack methods yesterday.

The group also employs “cutting edge” attack techniques, according to Symantec, including zero-day exploits and custom Trojans created for specific jobs. One Hidden Lynx team uses the Backdoor.Moudoor Trojan for the first-phase attacks: large, widespread attacks via water-holing and other methods. A second team uses Trojan.Naid, a less prolific piece of malware, for infecting the actual targets that are sifted from the overall infected victims.

“We’ve seen them using waterholing like nobody else has. They use zero days to get people infected, and … then certain portions of the victims are siphoned off to a totally different Trojan [Naid] of a smaller magnitude,” Thakur says. “We’ve not seen that before” with APTs, he says.

It’s unclear whether the group is directly employed by the Chinese government, but its infrastructure is based in China, says Thakur, a principal security response manager with Symantec Security Response. “They do have an authority sitting above them. The reason we know this is because they don’t just go after one type of data. By itself, that is quite striking … They don’t seem to have a fixed mandate, so they are able to channel all sorts of stolen information to somebody else. Someone is telling them what needs to be done.”

Symantec estimates that the group comprises 50 to 100 individuals who have hit hundreds of different targets, 24.6 percent of which are in the financial industry; 17.41 percent in education; 15.08 percent in government; 12.39 percent in ICT/IT; 6.64 percent in engineering; as well as around 4 to 5 percent in industries such as defense, engineering, and media.

Nearly 53 percent of the targeted organizations with infections are in the U.S., followed by Taiwan (15.3 percent) and China (9 percent), so Symantec says U.S. firms are by far the main targets. Other nations with minuscule infection counts were likely collateral damage, such as a U.S. user traveling in that nation. “They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets,” according to a Symantec blog post.

Thakur says victims of the first Trojan are infected for at most about a week, when the attackers sift through the specific targets, likely at the behest of their contractors. “Moudoor is more popular, and most people are looking for it,” so it’s used in the initial attack, he says. That then masks the second-day infection from the lesser-known Naid Trojan, he says.

The Hidden Lynx gang is going after intelligence on government business deals and planned talking points in diplomacy engagements, he says. “They want real intelligence from the physical world,” he says.

The group was also behind the infamous VOHO water-holing attacks that focused on organizations in Boston, infecting 4,000 machines via ten legitimate websites the attackers had injected with malware, as well as other attack campaigns against the energy sector, and an attack that included a Trojan-laden Intel driver application that infected manufacturers and suppliers of military-grade computers.

Symantec’s full report on Hidden Lynx is available here (PDF) for download.


Article source: http://www.darkreading.com/attacks-breaches/elite-chinese-cyberspy-group-behind-bit9/240161491

Microsoft Issues Emergency ‘Fix It’ For IE Amid Attacks

Security experts are urging users to apply newly released mitigations as a stop-gap while waiting for Microsoft to patch a newly discovered critical vulnerability in Internet Explorer.

Microsoft rushed out a Fix It tool yesterday in lieu of a patch after reports surfaced attackers were using the vulnerability to target Internet Explorer 8 and 9. According to Microsoft, the vulnerability exists in the way that IE accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability could corrupt memory in a way that could permit an attacker to execute code in the context of the current user within IE.

An attacker could exploit this issue through drive-by downloads, either by compromising a legitimate site or tricking a victim into clicking a malicious link in an email or instant message.

“It’s not clear how many legitimate sites, if any, may have been found serving this malware, but Microsoft is definitely taking notice,” says Ross Barrett, senior manager of security engineering at Rapid7. “Considering the timing, I would personally expect to see an out-of-band patch from Microsoft.”

Noting that the issue is believed to be present in all supported versions of Internet Explorer, he adds that it is possible that the vulnerability has been targeted for some time.

“The fact that it is getting attention now is due to a noticeable volume or impact of active exploitation in the wild,” Barrett says. “It may have just been discovered last week, or it may have been in the private toolkit of the world’s best malware writers for more than a decade. Hard to say.”

Microsoft did not offer any further information about the kinds of websites being used as traps to target victims, and no word has surfaced on when a patch will be available. The company continues, however, to urge customers to apply the Fix It solution, “CVE-2013-3893 MSHTML Shim Workaround,” to prevent the vulnerability from being exploited.

According to Websense, an analysis of third-party telemetry feeds from “real-time global Internet requests” suggests as many as 70 percent of Windows business users are susceptible to attackers due to the fact that they are running IE 8 or IE 9 on Windows XP or Windows 7, the systems the attacks are currently focusing on.

“This [attack] is evidence that attackers continue to target low-hanging fruit,” says Patrick Thomas, security consultant at Neohapsis. “Address Space Layout Randomization (ASLR) is one of several defensive technologies baked into modern programs and libraries, which makes attacks like these significantly harder. It’s no coincidence that attackers are targeting a dynamic-link library (DLL) that did not get compiled with ASLR.”

Enterprise administrators, he adds, should be aware of which software on their networks uses, and which does not use, built-in protections like DEP, ASLR and stack protections, and should consider upgrade plans or establish patching priorities to mitigate the risks facing those more easily targeted programs.
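One way to make that inventory check concrete, as an added example that is not from the article or from any vendor tool: it reads the DllCharacteristics field of a PE header and reports whether the image opted into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) at link time. The flag values and header offsets come from the PE/COFF specification; the sample headers are constructed inline rather than taken from real binaries.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # image may be relocated at load time: ASLR opt-in
NX_COMPAT = 0x0100        # image is compatible with DEP (no-execute pages)
HIGH_ENTROPY_VA = 0x0020  # 64-bit images only: high-entropy ASLR

def pe_mitigations(data: bytes) -> dict:
    """Report which link-time mitigations a PE image opted into."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature, then the 20-byte COFF header, then the optional header.
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)          # 0x10B PE32, 0x20B PE32+
    dll_chars, = struct.unpack_from("<H", data, opt + 70)  # same offset in both
    return {
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": magic == 0x20B and bool(dll_chars & HIGH_ENTROPY_VA),
    }

def missing_aslr(images: dict) -> list:
    """Names of images that would load at a fixed address: a patching priority list."""
    return sorted(name for name, data in images.items()
                  if not pe_mitigations(data)["aslr"])

def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for the demo; not a loadable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, 0x2102)
    magic = 0x20B if pe32plus else 0x10B
    opt = (struct.pack("<H", magic) + b"\0" * 68
           + struct.pack("<H", dll_characteristics) + b"\0" * 24)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    # Constructed inventory: one DLL linked without /DYNAMICBASE, one with both flags.
    inventory = {
        "legacy_plugin.dll": build_sample_pe(NX_COMPAT),
        "modern_lib.dll": build_sample_pe(NX_COMPAT | DYNAMIC_BASE),
    }
    for name, data in inventory.items():
        print(name, pe_mitigations(data))
    print("no ASLR:", missing_aslr(inventory))
```

To audit a real file, pass the bytes of the DLL or EXE read from disk to `pe_mitigations`; a `False` under `aslr` marks an image that loads at a predictable address and belongs near the top of the upgrade list.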

Besides the Fix It tool, there are some mitigating factors related to the attack. For example, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 runs in a restricted mode that mitigates the vulnerability.

In addition, all supported versions of Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the ‘Restricted’ sites zone, which disables script and ActiveX controls.


Article source: http://www.darkreading.com/attacks-breaches/microsoft-issues-emergency-fix-it-for-ie/240161502

Firefox 24 available now! 17 fixes, 7 critical

Sometimes I wonder if the folks over at Mozilla Security are trying to embarrass me.

When I wrote about the new zero-day in Internet Explorer yesterday, I recommended IE users consider using Firefox as an alternative until a patch is available.

Today Mozilla has released Firefox 24.0 (as well as SeaMonkey and Thunderbird 24.0) fixing 17 vulnerabilities.

The bad news? Seven of these vulnerabilities are rated critical, four moderate and six low.

The good news? Mozilla has already released the fixes, so there is no reason to worry about mitigation techniques and “Fix its”.

Firefox 24.0 isn’t just a security roll-up. Mozilla has improved the performance, added more modern scrollbars on OS X and numerous other changes.

Reading through the security fixes it does not appear that any of these flaws are being actively exploited in the wild.

That could change at a moment’s notice.

Once the bugs are publicly known, malicious coders will often look to see which of them may be easily exploited against people who fall behind on their patching.

If you want to learn more about remote code execution, information disclosure, denial of service and elevation of privilege flaws, why not give the latest Sophos Techknow a listen?

In 15 minutes Paul Ducklin and I try to explain what all of this vulnerability jargon means in a useful manner to IT administrators.

Play now:

(18 September 2013, duration 15’08”, size 9.1MB)

Download for later:

Sophos Techknow – Understanding Vulnerabilities (MP3)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ILEPnDl4fZE/

Sophos Techknow – Understanding Vulnerabilities [PODCAST]

Welcome to another episode of Techknow, the podcast in which Sophos experts debate, explore and explain the often baffling world of computer security.

In this episode, entitled Understanding Vulnerabilities, Paul Ducklin and Chester Wisniewski demystify vulnerability jargon in a way that’s useful to IT administrators.

After all, we’ve become so used to abbreviations like RCE, EoP and DoS that they have begun to lose their significance.

They stand for Remote Code Execution, Elevation of Privilege and Denial of Service respectively – problems that sound serious when written out in full, but somehow become “just one of those things” when reduced to acronym form.

But is an RCE worse than an EoP? Is a DoS less serious than an EoP? Where do Information Disclosure bugs fit in?

Chet and Duck help you answer these questions, and more, not only for the sake of interest, but also so that you can prioritise your patches in a way that fits your organisation best.

In the past week or so we’ve had biggish updates from Microsoft, Adobe, Oracle, and Apple; then we had updates to Microsoft’s updates; then an emergency “Fix it” for Internet Explorer; and we’ve just this minute finished writing up the latest Firefox fixes.

So the timing of this Techknow could scarcely be better!

Listen now:

(18 September 2013, duration 15’08”, size 9.1MB)

Listen later:

Download Sophos Techknow – Understanding Vulnerabilities [MP3]:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zLbrjM9PzB8/