Archive for February, 2013

New Mac malware opens secure reverse shell

February 23rd, 2013

A new backdoor Trojan for OS X is making the rounds, attempting to set up a secure connection for a remote hacker to connect through and grab private information.

The malware, dubbed “Pintsized” by Intego, is suspected of using a modified implementation of OpenSSH to set up a reverse shell that creates a secure connection to a remote server.

The use of an encrypted connection makes it more difficult to detect and trace, especially since it uses the common SSH protocol. In addition, the malware attempts to hide itself by disguising its files to look like components of the OS X printing system, specifically the following:

com.apple.cocoa.plist
cupsd (Mach-O binary)
com.apple.cupsd.plist
com.apple.cups.plist
com.apple.env.plist

Intego does not state where these files are placed in the OS, but as with prior malware in OS X this requires an option to automatically launch the malware whenever the system is started or when a user logs in, which in OS X is the various launch agent directories in the system. Launch agents use a property list (plist) structure, and can be used to target a binary executable (such as the mentioned “cupsd” one above) to keep it always running on the system.

Therefore, to check for this malware, open the following directories in the system to check for the presence of any of the above files:

/System/Library/LaunchDaemons
/System/Library/LaunchAgents
/Library/LaunchDaemons
/Library/LaunchAgents
~/Library/LaunchAgents

NOTE: You can highlight each folder path above individually, right-click the selection, and choose “Open” from the Services contextual submenu to open it in the Finder.

Because malware developers use these folders as a means of running their malware in OS X, one easy way to detect any misuse of them is to set up an alert that will notify you whenever files are added to them. I outlined how to do this with tools and services that are included in OS X, and the Luxembourg CIRCL subsequently developed a standalone installer that sets up a similar monitoring routine.

In addition to monitoring these folders, you can also install a reverse firewall like Little Snitch, which will notify you whenever a program attempts to make a connection to a remote server.

Currently it is unknown how the malware initiates its attack, whether it uses a previously documented vulnerability or one that is yet to be disclosed; however, the malware is not known to be widespread and is primarily being discussed on various security mailing lists. Nevertheless, by checking for the presence of the above files in the system’s Launch Agent and Launch Daemon folders you should be able to determine if your system is free of it.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Apple, Facebook, Twitter hacks said to hail from Eastern Europe

February 21st, 2013

While many security experts have been pointing the blame at China for the recent wave of cyberattacks on U.S. companies and newspapers,Bloomberg reports that some of the malware attacks actually may be coming from Eastern Europe.

Investigators familiar with the matter told Bloomberg they believe a cybercriminal group based in either Russia or Eastern Europe is carrying out the high-level attacks to steal company secrets, research, and intellectual property, which could then be sold on the black market.

Evidence that the attacks may be coming from Eastern Europe is the type of malware being used by the hackers, which is more commonly used by cybercriminals than by government spying. Also, investigators have tracked at least one server being used by the hackers to a Ukrainian hosting company.

Roughly 40 companies have been victims of cyberattacks over the past several months. These companies included tech businesses, such as Apple, Facebook, and Twitter, and newspapers, such as The New York Times, the Wall Street Journal, and the Associated Press.

Apple announced today that hackers targeted computers used by its employees, but that “there was no evidence that any data left Apple.” In a statement, the company said it discovered malware that made use of a vulnerability in the Java plug-in, and that it was sourced from a site for software developers. Apple blocked Java from some of its Macs late last month using its XProtect antimalware tool and citing security vulnerabilities.

A report by The New York Times yesterday claimed that an “overwhelming percentage” of the cyberattacks on U.S. corporations, government agencies, and organizations came from an office building in Shanghai with ties to the People’s Liberation Army. These allegations remain unconfirmed and flatly denied by Chinese authorities.

The hack on The New York Times itself was months long and included the theft of corporate passwords of Times employees, as well as spying on personal computers. The attacks on Facebook, Twitter, and Apple were a bit different in that reportedly only a small number of systems were infected and the hackers got in via the Java vulnerability.

This isn’t the first allegation of cybercriminals operating out of Eastern Europe. Security firm McAfee Labs published a report in December that warned of increasing attacks on U.S. financial institutions from Eastern European hackers. Dubbed Project Blitzkrieg, McAfee said the possible attacks would be done with a highly developed Trojan that could infect victims’ computers, plant software, and allow cybercriminals to steal information and money.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

China slams cyberattack accusations over lack of proof

February 19th, 2013

China is refuting a report that names its military as the source of recent cyberattacks against the U.S.

A report released this week by U.S. security firm Mandiant linked the People’s Liberation Army to a large number of cyberattacksagainst U.S. corporations, government agencies, and other organizations. The report specifically pointed the finger at Chinese military Unit 61398, noting that digital forensic evidence led investigators to the building housing that unit.

China’s response?

As expected, the government has criticized the report, citing a lack of hard evidence. In a press conference held by China’s Department of Defense News Affairs, Defense Ministry representative Geng Yansheng challenged Mandiant’s findings.

Yansheng claimed the report relied on the use of IP addresses to trace the attacks to China. But such addresses are commonly stolen and used by hackers, he noted. Therefore, it’s difficult to know the exact source of a hacking attempt.

“Everyone knows that the use of usurped IP addresses to carry out hacking attacks happens on an almost daily basis,” he said, according to Reuters.

Yansheng also asserted that there is no standard international definition of what constitutes a cyberattack.

“There is no legal evidence behind the report subjectively inducing that the everyday gathering of online (information) is online spying,” he said, Reuters added.

Finally, Yansheng called it irresponsible for Mandiant to publish such a report since cyberattacks are conducted anonymously, leaving uncertainty as to their source.

Turning the tables to portray China as the victim, Yansheng also said his country is one of the main targets of cyberattacks.

A Google translated version of the press release has Yansheng saying, “According to statistics, the Chinese armed forces access to the Internet user terminal suffered a large number of foreign attacks[. A]ccording to the IP address of the display…a considerable number of attack sources [were] from the United States, but we did not…accuse the U.S. side.”

Yansheng also reiterated the claim that China forbids hacker attacks and that the government has always cracked down on such criminal activities.

Despite China’s protestations, the United States remains concerned over the reported cyberattacks. The U.S. government is “eyeing fines, penalties, and other trade restrictions” against the country, according to the Associated Press, even as it pursues more diplomatic channels.

“We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so,” Caitlin Hayden, spokeswoman for the White House’s National Security Council, said in a statement. “The United States and China are among the world’s largest cyberactors, and it is vital that we continue a sustained, meaningful dialogue and work together to develop an understanding of acceptable behavior in cyberspace.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Twitter aiming to slash phishing e-mails sent from ‘Twitter.com’

February 17th, 2013

If you get an e-mail saying it’s from Twitter, the social-networking company wants to assure you that it’s really from Twitter and that there’s no need to worry that someone’s out to steal your password.

At least, it’s almost certain that the e-mail you just got from a Twitter.com address is not a phishing attack, the company said in a blog post today.

Twitter said it has adopted a new security protocol known as DMARC that was designed by a consortium in order to cut way down on phishing attempts.

DMARC solves a couple of long-standing operational, deployment, and reporting issues related to e-mail authentication protocols. It builds on established authentication protocols (DKIM and SPF) to give e-mail providers a way to block e-mail from forged domains popping up in in-boxes. And that in turn lessens the risk users face of mistakenly giving away personal information.

Twitter did not immediately respond to a request for comment about how big a problem these kinds of phishing attacks have been in the past.

In its blog post, Twitter said that all four major e-mail providers — Gmail, AOL, Yahoo Mail, and Hotmail/Outlook — have signed on to the DMARC protocol in an industrywide attempt to make e-mail just a bit safer by preventing messages that seek to pilfer users’ personal information from ever making it into their in-boxes.

Then again, in its blog post, Twitter said only that it’s “extremely unlikely that most of our users” will get phishing attacks purporting to be sent by Twitter. That leaves the company a little wiggle room in case the practice continues, or if the phishing community figures out a way to bypass the DMARC protocol and resume its nefarious work. After all, if there’s one thing that’s guaranteed to get hackers and bad actors looking for a way to keep doing their thing, it’s a public announcement that they’ve been neutered.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Add Microsoft to list of hacked companies

February 15th, 2013

Updated to include Microsoft comment Security software companies must be smiling ear to ear as they read the news briefs coming off the transom. Microsoft said today that an undetermined number of computers in its Mac software business unit got infected with malware. The company said the number of infected PCs was small but that there was no indication customer data had been compromised.

In a blog post late Friday, Matt Thomlinson, who directs the company’s Trustworthy Computing Security program at Microsoft, wrote:

Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing. This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries (see our prior analysis of emerging threat trends). We continually re-evaluate our security posture and deploy additional people, processes, and technologies as necessary to help prevent future unauthorized access to our networks.


Welcome to the new normal. The escalating number of reported attacks was underscored by a recent report on malware put together by McAfee which reported that the number of trojans created to steal passwords rose about 72 percent in the last quarter.

Last week Apple said that an unknown number of Macs had been compromised, but that “there was no evidence any data left Apple.” The malware was tied back to a site targeting iPhone developers. Employee computers for Facebook and most likely dozens of other companies were also breached.

The incidents occurred roughly around the same time that The New York Times, The Wall Street Journal, and The Washington Post disclosed that outsiders had also targeted their employees’ computers.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Facebook, Yahoo Fix Valuable security Holes

February 13th, 2013

Both Facebook and Yahoo! recently fixed security holes that let hackers hijack user accounts. Interestingly, access to methods for exploiting both of the flaws appears to have been sold by the same miscreant in the cybercrime underground.

According to Softpedia, Facebook has addressed a serious vulnerability after being notified by independent security researcher Sow Ching Shiong.

“The security hole allowed hackers to change the passwords of accounts they had compromised without knowing the old passwords. Whenever users change the password that protects their Facebook account, they’re required to enter the current password before they can set the new one. However, the expert found that cybercriminals could change a user’s password without knowing the old one by accessing the “https://www.facebook.com/hacked” URL, which automatically redirected to the compromised account recovery page.”

Information obtained by KrebsOnSecurity indicates that this “exploit” was being sold to a handful of members of an elite underground forum for $4,000 per buyer. The individual selling the exploit is the same hacker that I reported last year as selling access to a vulnerability in Yahoo!  that let attackers hijack email accounts.

In late November 2012, I wrote about a cross-site scripting (XSS) vulnerability in Yahoo! thatwas being sold for $700 in the underground by an Egyptian hacker named TheHell. Shortly after that story, the hacker changed his nickname, but continued selling the exploit. Earlier this week, The Wall Street Journal‘s AllThingsD blog reported that Yahoo! had fixed the flaw I pictured in the video from that blog post.

“Web giant Yahoo just confirmed that it has been dealing with a vulnerability to its email service that may be connected to a surge in breaches of email accounts that are being used to send spam and other annoying content,” wrote Arik Hesseldahl. “I just got a statement from a Yahoo spokeswoman saying that the vulnerability seen in a video has been fixed.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

What You Need to Know About the Java Exploit

February 11th, 2013
Image representing Oracle Corporation as depic...

Image via CrunchBase

On Thursday, the world learned that attackers were breaking into computers using a previously undocumented security hole in Java, a program that is installed on hundreds of millions of computers worldwide. This post aims to answer some of the most frequently asked questions about the vulnerability, and to outline simple steps that users can take to protect themselves.

Q: What is Java, anyway?
A: Java is a programming language and computing platform that powers programs including utilities, games, and business applications. According to Java makerOracle Corp., Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices. It is required by some Web sites that use it to run interactive games and applications.

Q: So what is all the fuss about?
A: Researchers have discovered that cybercrooks are attacking a previously unknown security hole in Java 7 that can be used to seize control over a computer if a user visits a compromised or malicious Web site.

Q: Yikes. How do I protect my computer?
A: The version of Java that runs on most consumer PCs includes a browser plug-in. According to researchers at Carnegie Mellon University‘s CERT, unplugging the Java plugin from the browser essentially prevents exploitation of the vulnerability. Not long ago, disconnecting Java from the browser was not straightforward, but with the release of the latest version ofJava 7 — Update 10 — Oracle included a very simple method for removing Java from the browser. You can find their instructions for doing this here.

Q: How do I know if I have Java installed, and if so, which version?
A: The simplest way is to visit this link and click the “Do I have Java” link, just below the big red “Download Java” button.

Q: I’m using Java 6. Does that mean I don’t have to worry about this?
A: There have been conflicting findings on this front. The description of this bug at theNational Vulnerability Database (NVD), for example, states that the vulnerability is present in Java versions going back several years, including version 4 and 5. Analysts at vulnerability research firm Immunity say the bug could impact Java 6 and possibly earlier versions. ButWill Dormann, a security expert who’s been examining this flaw closely for CERT, said the NVD’s advisory is incorrect: CERT maintains that this vulnerability stems from a component that Oracle introduced  with Java 7. Dormann points to a detailed technical analysis of the Java flaw by Adam Gowdiak of Security Explorations, a security research team that has alerted Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle tried to fix this particular flaw in a previous update but failed to address it completely.

Either way, it’s important not to get too hung up on which versions are affected, as this could become a moving target. Also, a new zero-day flaw is discovered in Java several times a year. That’s why I’ve urged readers to either uninstall Java completely or unplug it from the browser no matter what version you’re using.

Q: A site I use often requires the Java plugin to be enabled. What should I do?
A: You could downgrade to Java 6, but that is not a very good solution. Oracle will stop supporting Java 6 at the end of February 2013, and will soon be transitioning Java 6 users to Java 7 anyway. If you need Java for specific Web sites, a better solution is to adopt a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

Q: I am using a Mac, so I should be okay, right?
A: Not exactly. Experts have found that this flaw in Java 7 can be exploited to foist malware on Mac and Linux systems, in addition to Microsoft Windows machines. Java is made to run programs across multiple platforms, which makes it especially dangerous when new flaws in it are discovered. For instance, the Flashback worm that infected more than 600,000 Macs wiggled into OS X systems via a Java flaw. Oracle’s instructions include advice on how to unplug Java from Safari. I should note that Apple has not provided a version of Java for OS X beyond 6, but users can still download and install Java 7 on Mac systems. However, it appears that in response to this threat, Apple has taken steps to block Java from running on OS X systems.

Q: I don’t browse random sites or visit dodgy porn sites, so I shouldn’t have to worry about this, correct?
A: Wrong. This vulnerability is mainly being exploited by exploit packs, which are crimeware tools made to be stitched into Web sites so that when visitors come to the site with vulnerable/outdated browser plugins (like this Java bug), the site can silently install malware on the visitor’s PC. Exploit packs can be just as easily stitched into porn sites as they can be inserted into legitimate, hacked Web sites. All it takes is for the attackers to be able to insert one line of code into a compromised Web site.

Q: I’ve read in several places that this is the first time that the U.S. government has urged computer users to remove or wholesale avoid using a particular piece of software because of a widespread threat. Is this true?
A: Not really. During previous high-alert situations, CERT has advised Windows users to avoid using Internet Explorer. In this case, CERT is not really recommending that users uninstall Java: just that users unplug Java from their Web browser.

Q: I’m pretty sure that my Windows PC has Java installed, but I can’t seem to locate the Java Control Panel from the Windows Start Menu or Windows Control Panel. What gives?
A: According to CERT’s Dormann, due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or  C:\Program Files (x86)\Java\jre7\bin.

Q: I can’t remember the last time I used Java, and it doesn’t look like I even need this program anymore. Should I keep it?
A: Java is not as widely used as it once was, and most users probably can get by without having the program installed at all. I have long recommended that users remove Java unless they have a specific use for it. If you discover later that you really do need Java, it is trivial and free to reinstall it.

Q: This is all well and good advice for consumers, but I manage many PCs in a business environment. Is there a way to deploy Java but keep the plugin disconnected from the browser?
A: CERT advises that system administrators wishing to deploy Java 7 Update 10 or later with the “Enable Java content in the browser” feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.

Q: Okay, I think I’m covered on Java. But what about Javascript?
A: Because of the unfortunate similarity of their names, many people confuse Java withJavascript. But these are two completely different things. Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

Chrome also includes similar script- and Flash blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. If you click that and select “Always allow JavaScript on [site name]” it will permanently enable JavaScript for that site, but it doesn’t give you the option to block third-party JavaScript content on the site as Noscript does. In my testing, I had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted. In addition, there is a very handy add-on for Chrome called NotScripts that works very much like Noscript.

Selectively script blocking can take some getting used to. Most script-blocking add-ons will disable scripting by default on Web sites that you have not added to your trusted list. In some cases, it may take multiple tries to get a site that makes heavy use of Javascript to load properly.

Internet Explorer allows users to block scripts, but even the latest version of IE still doesn’t give the user much choice in handling JavaScript. In IE9, you can select among JavaScript on, off, or prompting you to load JavaScript. Turning JavaScript off isn’t much of an option, but leaving it completely open is unsafe. Choosing the “Prompt” option does nothing but serve incessant pop-up prompts to allow or disallow scripts (see the video below). The lack of a simpler approach to script blocking in IE is one of the main reasons I continue to steer readers toward Firefox and Chrome.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Backdoors Found in Barracuda Networks Gear

February 9th, 2013

A variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif. basedBarracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact accessible to potentially hundreds of other companies and network owners.

Barracuda’s hardware devices are broadly deployed in corporate environments, including the Barracuda Web Filter, Message Archiver, Web Application Firewall, Link Balancer, and SSL VPN. Stefan Viehböck, a security researcher at Vienna, Austria-based SEC Consult Vulnerability Lab.,discovered in November 2012 that these devices all included undocumented operating system accounts that could be used to access the appliances remotely over the Internet via secure shell (SSH).

Viehböck found that the username “product” could be used to login and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort.

Viehböck said he soon found that these devices all were configured out-of-the-box to listen for incoming SSH connections on those undocumented accounts, but that the devices were set to accept connection attempts only from Internet address ranges occupied by Barracuda Networks. Unfortunately, Barracuda is not the only occupant of these ranges. Indeed, acursory lookup of the address ranges at network mapping site Robtex.com shows there are potentially hundreds of other companies running Web sites and other online operations in the same space.

Barracuda Networks has not yet responded to requests for comment. However, this morning the company released a series of advisories acknowledging these and other vulnerabilities, flagging the backdoor flaws as “medium” threats. The company’s fix includes restricting remote SSH configuration to two accounts — and requiring those accounts to use a public/private encryption key pair. But according to SEC Consult, Barracuda’s fix still allows remote SSH logins via the “root” account without requiring an encryption key exchange, and the fix does nothing to further restrict the range of Internet addresses that can be used to access the backdoor accounts. SEC Consult said Barracuda replied that the remaining accounts were vital for customer support.

“In secure environments it is highly undesirable to use appliances with backdoors built into them,” Viehböck wrote in SEC Consult’s advisory. ”Even if only the manufacturer can access them.”

Barracuda also released updates to fix a serious vulnerability in the company’s SSL VPN product that SEC Consult found could let an unauthenticated attacker to download configuration files and database dumps, and allow the system to be shutdown and new administrative passwords set without prior authentication.

It’s not clear for how long the backdoor accounts have existed in Barracuda’s products, but the researchers found evidence that they have been in place since at least 2003. Also, this threadon the security mailing list Full Disclosure  includes some interesting discussion about how these backdoor accounts may have been used.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Critical Java Update Fixes 50 Security Holes

February 7th, 2013

Oracle Corp. has issued an update for its Java SE software that plugs at least 50 security holes in the software, including one the company said was actively being exploited in the wild.

The original Critical Patch Update for Java SE – February 2013 had been scheduled to be released on February 19th, but Oracle said it decided to accelerate the release of this update because of active exploitation in the wild of one of the vulnerabilities.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply…fixes as soon as possible,” the company wrote in an advisory.

I couldn’t find a definitive account of which zero-day vulnerability in Java had caused Oracle to move up its patch schedule, but recently researchers have uncovered flaws in a mechanism that the company shipped with the previous version of Java that was designed to thwart attacks on the program. With Java 7 Update 10, Oracle introduced a mechanism that would require users to manually allow the execution of Java code not digitally signed by a trusted authority. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java, but researchershave shown that the new feature can be easily bypassed.

The latest versions — Java 7 Update 13 and Java 6 to Update 39 – are available either through the updater built into Java (accessible from the Windows control panel), or by visiting Java.com. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the Java.comhomepage.

Most end users who have Java on their systems probably don’t need it and can safely remove it (this advice does not scale for users of corporate systems, which may have specific applications that rely on Java). This is a buggy program that seems to produce a reliable stream of zero-day exploit opportunities for malware writers. So, if you don’t need it, junk it.

If you do need it, unplug it from the browser unless and until you need it. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Apple has been taking steps to block Java on OS X systems when new unpatched vulnerabilities have been detected. According to MacRumors, for the second time in a month, Apple blacklisted the current version of the Java Web plugin on OS X, using the “Xprotect” anti-malware system built into OS X to enforce a minimum version number that had yet to be released. However, 9to5Mac.com now writes that Java 7 Update 13 for Mac OS X brings Java on the Mac to the correct version number enforced by Xprotect, meaning Mac users who need Java can use it again without having to monkey with Terminal command-line workarounds.

This is the final set of updates for Java 6 — Oracle is phasing it out and has already taken steps to begin migrating Java 6 users to

Java 7. Overall, this probably a good thing. Lawrence Garvin, the self-described “head geek” at Austin, Texas based network management and monitoring firm SolarWinds, said that while media attention to Java 7′s security issues may be influencing the decision by some organizations to delay upgrading their Java 6 installations, only 18 of the security issues identified since Java 7′s release are unique to Java 7.

“Of the 84 vulnerabilities identified since Java 7’s release, we found that 66 of these existed in Java 6, while 40 existed in Java 5,” Garvin said. “Press coverage around Java 7’s security issues may be influencing some organizations to fail to upgrade their Java 6 installations to Java 7, thinking that Java 7 is flawed, when in fact the entire core of theJava platform has vulnerabilities. Oracle has announced that no new updates will be forthcoming for Java 6 after February 2013, so that any additional vulnerability discovered in Java 7 – and also existing in Java 6 – will never be patched.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Yahoo! Pushing Java Version Released in 2008

February 5th, 2013

At a time when AppleMozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of JavaYahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old.

Yahoo! users who decide to build a Web site within the Internet firm’s hosting environment are steered toward using a free tool called SiteBuilder, which is designed to make building simple Web sites a point-and-click exercise. Yahoo! has offered SiteBuilder to its millions of users for years, but unfortunately the tool introduces a myriad of security vulnerabilities on host PCs.

SiteBuilder requires Java, but the version of Java that Yahoo!  bundles with it is Java 6 Update 7. It’s not clear if this is just a gross oversight or if their tool really doesn’t work with more recent versions of Java. The company has yet to respond to requests for comment.

But this version of Java was first introduced in the summer of 2008 and is woefully insecure and out-of-date. Oracle just released Java 6, Update 39, meaning that SiteBuilder installs a version of Java that includes hundreds of known, critical security vulnerabilities that can be used to remotely compromise host PCs.

There are two reasons why this is a big deal: Java is the biggest source of malware infections across an entire industry of exploit packs — crimeware toolkits that are stitched into hacked and malicious Web sites and designed to exploit known browser flaws. Also, Yahoo! is a major Internet company that ought to know better. Sadly, this Yahoo! offering is aimed at small businesses, who are least likely to understand the importance of updating apps like Java and who are most frequently the targets of extremely costly cyberheists.

One final note about SiteBuilder: Building your site with this tool may not only be hazardous to the security of your PC, it may also make it harder for your site to get the recognition it deserves. A bit of searching on this tool turned up some less than flattering results suggestingthat sites built with SiteBuilder do not support an important type of Web site search optimization called “canonicalization.” I’ll leave it to Matt Cutts, a search guru and head of the anti-spam team at Google, to explain why this is such a fundamental pillar of search engine optimization (SEO).

Update, Feb. 13, 4:47 p.m. ET: Yahoo! finally got back to me, issuing the following spin-tastic statement: ““Yahoo! Web Hosting websites can be built and maintained using a variety of tools that give businesses the flexibility to develop sites according to their needs and technical comfort. We will continue to work on delivering the best experiences for our customers.” When asked what readers should take from the above statement, a spokesperson for the company said Yahoo! had tweaked SiteBuilder so that it is now bundled with Java 6 Update 39, and that it will be updated to Java 7 by the end of the month. Hopefully, it won’t be Java 7 Update 1.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta