Recently in Security, an afterthought Category

Home working alert


A couple of weeks ago I received a telephone call at home claiming to be from the Windows Support team. The lady on the phone asked me if my PC was running slow (which it was!) and put me through to a tech lead.

"How did you get my number," I asked.

The tech support man said he worked for a company that had been approved by Microsoft to provide customer support. He then asked me to open the Windows Event Viewer. "Your PC has been infected," he said, when I told him what the Event Log was showing.

I guessed his next question would be to ask me to grant him remote access to the PC... The penny dropped. Ah, this is a phishing scam. Had I agreed, the caller would probably have been able to install rogue software on my PC.

Okay so he very nearly got me. Lesson learnt.

But it is worrying how easily we can be tricked. And with more of us using our own computers for work, there is a very real risk that hackers will target us at home claiming they are tech support.

Java exploit questions Oracle's security


Oracle has said "no comment" to the question I posed on when it would release a patch for a serious security hole in its Java runtime environment that is currently being exploited. At the time of writing, there was absolutely no information or advice on the company's security blog.

Internet users are at the mercy of Oracle as reports have emerged of a zero-day vulnerability that is capable of infecting PCs that run Java within their web browsers.

The next patch scheduled for release by Oracle is 16 October. 

Java, the "write once, run anywhere" runtime environment, is used on websites to add sophisticated interactivity. It requires a downloadable runtime browser plug-in, and it is this plug-in that has been exploited.

Symantec said: "In our tests, we have confirmed that the zero-day vulnerability works on the latest version of Java (JRE 1.7), but it does not work on the older version JRE 1.6. A proof of concept for the exploit has been published and the vulnerability."

The FireEye site warned: "It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis."

F-Secure added: "There being no latest patch against this, the only solution is to totally disable Java. Since this is the most successful exploit kit + zero-day... qué horror. Please, for the love of your computer, disable Java on your browser."

Lessons from a lost Kindle

Two days ago I left my Kindle 3G somewhere - probably in the pub or on the train - and of course it is most likely now gone for good.

We hear a lot about IT consumerisation, and the biggest issue with the Kindle, apart from the loss of the actual device, is that it is connected to a credit card thanks to Amazon's One-Click purchase feature. So someone finding my Kindle would instantly be able to start buying ebooks on my credit card.

Fortunately, Amazon provides two ways to prevent this. First, through the Manage your Kindle portal, it is possible to deregister the device. Second, by calling Amazon (it's 08445456508 in the UK), Amazon can block the device completely, stopping it from being reregistered under a different account. Amazon customer service then sends a confirmation email:

Hello xxxx,

I'm sorry to hear that your Kindle was lost. I've deregistered this Kindle from your account and noted this in our systems so that it can't be registered by another person. 

Your Kindle's Serial Number is: xxxxxxxxxx. If you find your Kindle, please contact us again and we can reinstate your registration.


I have now downloaded the Kindle app from the Android Marketplace - and while the screen is rubbish compared to E.Ink on the Kindle, I have full access to my library of books - which is quite amazing really.

So here's the lesson: the Kindle is only valuable because of the books (ie content) that are installed. Once the Kindle is deregistered and blocked, the hardware is actually worthless (good luck to any hacker willing to take it apart and install a new OS). The Kindle is essentially a one-application thin client that connects wirelessly to the Amazon bookstore. People will inevitably ask why such devices exist when the new iPad can do everything. But it just goes to show how a simple operating environment can be locked down and secured, reducing data theft should the device be lost or stolen.

Trustworthy Computing has made MS a better company

On January 15 2002, Bill Gates announced to the world that Microsoft would completely change how it developed software, making quality the main priority. Because its Windows and Office software runs on the majority of the world's desktop and laptop computers, any quality issues affected millions of users, and because that software is so widely deployed, hackers could target those quality issues, exploiting poor quality code with simple buffer overflow attacks to gain access to millions of Windows computers. For instance, the Code Red attack in 2001 brought down Microsoft's IIS web server software, while SQL Slammer, in 2003, became the fastest spreading worm ever.

Trustworthy Computing (TwC), the term Gates coined to describe the company's strategy on IT security and software quality, would have a profound effect on Microsoft products. Windows XP had to be redeveloped as Windows XP SP2. It is fair to say that today Trustworthy Computing has made Microsoft a producer of high quality software. It has also led Adobe to tie its patch releases in with Microsoft's monthly Patch Tuesday updates.

Prior to Patch Tuesday, software companies were very secretive about security vulnerabilities. While it may have generated negative headlines about the risks and vulnerabilities in Microsoft software, Patch Tuesday has become an essential part of IT administration, allowing IT departments to plan and test updates to their Microsoft software.

Speaking to Computer Weekly, Steve Lipner, partner director of program management in the TwC group at Microsoft, said: "We have made progress and learned a lot of lessons, but we know we are not done. Computing is part of the fabric of society and trustworthy computing is still something we have to focus on."

What TwC has achieved is to raise the bar on software quality and, at the same time, make the general public more aware of keeping their computers "up to date". In this age of ever greater connectivity, such awareness will go some way to protecting people from hacking and phishing.

Video: code quality

Matt Peachey, vice president EMEA at Veracode, says eight out of 10 applications will be insecure. In this video he discusses why developers do not relate security to code quality. Peachey believes it is not just in-house code that may be insecure: do not trust suppliers. "You need to hold suppliers accountable," he adds. "Do not assume that the software you buy from third parties is secure. It probably is not secure."


He says, "Organisations do not insist an application is secure - they should push this responsibility down to their suppliers."

Companies are poor at measuring quality. "How do you know you are getting better over time?"


September 13th Microsoft Patch Tuesday Application Compatibility Report by ChangeBASE


Application Compatibility Update

By: Greg Lambert

Executive Summary

With this September Microsoft Patch Tuesday update, we again see a relatively small set of updates compared with those released by Microsoft in previous months. In total there are five Microsoft Security Updates, all rated Important. This is a minor update from Microsoft and the potential impact of the updates is likely to be moderate.

As part of the Patch Tuesday Security Update analysis performed by the ChangeBASE AOK team, we have seen very little cause for potential compatibility issues.

Given the nature of the changes included in each of these patches, most systems will require a reboot to successfully implement the patches and updates released in this September Patch Tuesday release cycle.

Sample Results 1: MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege

Sample Results 2: MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

Testing Summary

MS11-070

Vulnerability in WINS Could Allow Elevation of Privilege (2571621)

MS11-071

Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)

MS11-072

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)

MS11-073

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)

MS11-074

Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)

Sample Results 3: AOK Summary Report Sample from a small database

AOK Patch Summary Results

Security Update Detailed Summary

MS11-070

Vulnerability in WINS Could Allow Elevation of Privilege (2571621)

Description

This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS). The vulnerability could allow elevation of privilege if a user received a specially crafted WINS replication packet on an affected system running the WINS service. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Payload

W03a3409.dll, Wins.exe, Winsevnt.dll, Ww03a3409.dll, Wwins.exe, Wwinsevnt.dll

Impact

Important - Elevation of Privilege

MS11-071

Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)

Description

This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate rich text format file (.rtf), text file (.txt), or Word document (.doc) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Payload

Imjpapi.dll

Impact

Important - Remote Code Execution

MS11-072

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)

Description

This security update resolves five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-1986 and CVE-2011-1987.

Payload

Excel.exe

Impact

Important - Remote Code Execution

MS11-073

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)

Description

This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or if a user opens a legitimate Office file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited either of the vulnerabilities could gain the same user rights as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Payload

Ietag.dll, Mso.dll

Impact

Important - Remote Code Execution
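MS11-071 and MS11-073 above describe the same class of problem: a legitimate document opened from a network directory causes Windows to load a specially crafted DLL sitting beside it. As an added example, not part of the ChangeBASE report, this PowerShell script reports (and can set) the CWDIllegalInDllSearch registry value, Microsoft's system-wide control over loading DLLs from the current working directory; the Get-/Set-CwdDllSearchState function names are this example's own.

```powershell
# Added example, not from the ChangeBASE report. Reads (and optionally sets)
# the CWDIllegalInDllSearch DWORD, the Windows control over whether the DLL
# search order may load a library from the current working directory, e.g. the
# network share that holds an opened .rtf, .txt or .doc file. Documented values:
#   1           block CWD DLL loads when the CWD is a WebDAV folder
#   2           block CWD DLL loads when the CWD is WebDAV or a remote (UNC) share
#   0xFFFFFFFF  block all CWD DLL loads (PowerShell shows this DWORD as -1)
# Function names (Get-/Set-CwdDllSearchState) are this example's own.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Name = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchState {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value    = $null
            Hardened = $false
            Meaning  = 'Not set: DLLs may be loaded from any current working directory'
        }
    }
    # The registry provider hands back the DWORD as a signed Int32; reinterpret
    # it as unsigned so 0xFFFFFFFF is reported as 4294967295 rather than -1.
    $v = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$item.$Name), 0)
    if ($v -eq 1) {
        $meaning  = 'Blocks CWD DLL loads only when the CWD is a WebDAV folder'
        $hardened = $false   # an ordinary SMB share is still searched
    } elseif ($v -eq 2) {
        $meaning  = 'Blocks CWD DLL loads when the CWD is WebDAV or a remote (UNC) share'
        $hardened = $true
    } elseif ($v -eq [uint32]::MaxValue) {
        $meaning  = 'Blocks all CWD DLL loads'
        $hardened = $true
    } else {
        $meaning  = "Unrecognised value $v; treat as unprotected"
        $hardened = $false
    }
    [pscustomobject]@{ Value = $v; Hardened = $hardened; Meaning = $meaning }
}

function Set-CwdDllSearchState {
    # Requires an elevated shell. 2 addresses the network-directory scenario in
    # MS11-071/MS11-073 while leaving local CWD loads unchanged; pass -1 for
    # 0xFFFFFFFF. Test application compatibility before rolling this out.
    param([int]$Value = 2)
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    Get-CwdDllSearchState
}

Get-CwdDllSearchState | Format-List
```

Run the script as-is to audit a machine; call Set-CwdDllSearchState only from an administrative session after compatibility testing, since some applications legitimately load helper DLLs from their working directory.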

MS11-074

Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)

Description

This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft SharePoint and Windows SharePoint Services. The most severe vulnerabilities could allow elevation of privilege if a user clicked on a specially crafted URL or visited a specially crafted Web site. For the most severe vulnerabilities, Internet Explorer 8 and Internet Explorer 9 users browsing to a SharePoint site in the Internet Zone are at a reduced risk because, by default, the XSS Filter in Internet Explorer 8 and Internet Explorer 9 helps to block the attacks in the Internet Zone. The XSS Filter in Internet Explorer 8 and Internet Explorer 9, however, is not enabled by default in the Intranet Zone.

Payload

Groove.exe, Groovedocumentsharetool.dll, Grooveutil.dll, Groovewebplatformservices.dll, Groovewebservices.dll

Impact

Important - Elevation of Privilege

*All results are based on the AOK Application Compatibility Lab's test portfolio of over 1,000 applications.

Can you cut your IT security budget?


Among the sessions at this year's Infosecurity Europe conference was a panel discussion that explored how you would slash your IT security budget by 30%. It is nearly impossible to put a cost on IT security and weigh it against the benefits. An ROI can only be determined after an incident, when the CISO can put a cost on the effectiveness of IT security products and services at thwarting a threat.

In this video, I interviewed Paul Simmonds, a former CISO at ICL and a board member of the IT security group Jericho Forum, about the challenges in cutting an IT security budget.

Video booth: Ed Amoroso calls for software developers to raise their game

I recently asked Ed Amoroso, chief security officer at AT&T, what kept him awake at night. He says software produced by the best developers using the very best tools still produces vulnerabilities. Ed wants to see software development become more of an engineering profession. He says:

"Over the next 20 years, software engineers will become much more formal, so we can depend on developers to produce code that is resilient to cyber attack."

Microsoft Releases Emergency Update Today

Later today, Microsoft will issue an emergency patch to fix a critical flaw in Windows that enables hackers to run code and take over PCs. As outlined on the Trusted Reviews site, several things spring to mind.

This type of response from Microsoft is known as an OOB (Out Of Band) release and as such is an emergency release. Normal, non-high-risk patches are incorporated into the monthly Patch Tuesday report, which ChangeBASE analyses each month on this highly esteemed blog. But this one is getting specific and immediate attention from Microsoft, requiring a rapid response from them, hence a quick testing turnaround.

In light of the speed at which Microsoft is addressing the issue, our advice would be to test, and deploy as fast as possible. With this one, organisations can't afford to sit back and see what happens - they need to act fast. Waiting for next week's Patch Tuesday updates is not an option for this security issue.

And here is the link to the original site:
http://www.trustedreviews.com/software/news/2010/08/02/Microsoft-to-Release-Emergency-Security-Patch/p1?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TRVNews+%28TrustedReviews+News+only+Feed%29

To receive updates from Microsoft like these in the future, sign up for the Security Update Advance Notification service found here:
http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Apollo 11 and the forgotten art of software engineering


The Apollo lunar landing programme, which culminated in Neil Armstrong and Buzz Aldrin's moon walk on 20 July 1969, represents a technical achievement that has yet to be surpassed.

The computer systems that helped them get there were among the most advanced of the time. Certainly, no more complex public software project had been undertaken before the Apollo programme.

The Apollo Guidance Computer, developed at MIT for the lunar landings, was the first embedded system. It was also the first example of a fly-by-wire system. Such systems are used today on modern aircraft such as the Airbus A380.

The pilots relied on computers controlled by safety-critical software to keep them alive and enable them to navigate the 384,400km to the moon, control the descent and launch of the lunar lander, and return safely back to Earth.

Thousands of computer technicians and programmers were involved in the Apollo programme. The software development process Nasa used to co-ordinate these people is often cited as an example of software engineering, although the term was coined midway through the lunar project.

As the world celebrates the 40th anniversary of one of man's greatest achievements this week, the idea of software projects being engineering projects has somehow been forgotten.

Businesses are keen to gain a competitive edge by churning out software. Apart from in aerospace and some safety-critical applications, speed of application development has become more important than quality. End-users accept computer bugs as a way of life.

The British Computer Society is keen to raise the bar, with training, accreditation and certification, which it hopes will turn computer programming into a profession, with professional standards.

Microsoft's Trustworthy Computing initiative shows that commercial software can be made less buggy.

But will users accept the price of higher quality software, the longer development time and the potentially higher licence fee? They need to.

As computer technology becomes embedded in human society, the effects of buggy code will become more obvious and damaging. Software must be engineered to a high quality.
