Archive | March, 2011

Rising Costs of Data Loss

One of the challenges that businesses regularly face is how to balance the known costs of network, application and data protection against the unknown costs of a data breach or series of breaches.  Often, business owners or IT staff are left to guess or worse, fail to acknowledge the costs and consequences of a significant breach of information.

Thanks to the Ponemon Institute, new research data is available to help provide guidance on the costs of a data breach.  Some key facts from their research show:

  • 7% – the increase of data breach costs in 2010
  • $214 – the average cost per individual record compromised
  • $7.2 million – the average organizational cost of a data breach

Additionally, this research shows that malicious acts were the root cause of 31 percent of the data breaches studied, which is significantly up over the last two years.  But, the leading cause of data breaches is negligence – a whopping 41 percent of breaches are due to negligence in protecting and safeguarding sensitive data.

What can a business glean from this?  Take this recent example from the University of South Carolina where 31,000 individuals’ private information, including social security numbers, was exposed online.  When applying the $214 cost per record, a quick calculation shows that the University is facing a potential cost of $6.6 million.

But, obviously not all data breaches cost the same.  Maybe a better example is the recent settlement made public in Massachusetts.  Here, the Massachusetts Attorney General reached a $110,000 settlement with a restaurant group that allegedly failed to protect patrons’ personal information.

The Briar Group LLC, the owner and operator of the Boston-based restaurants and bars, allegedly failed to take proper steps to keep payment card information safe.  In addition to civil penalties, the Briar Group must comply with state data security regulations, payment card security standards (PCI DSS), and it must establish and maintain an enhanced computer network security system going forward.

If one applies the Ponemon cost per record to the Briar Group, the $110,000 settlement would mean that the organization only lost 514 customer records.  Keep in mind, the period of the breach lasted eight months.  It seems unlikely that in eight months only 514 records were compromised.  The actual number of compromised records is certain to be much higher.

In the spectrum of data breach costs, the $110,000 settlement appears to be on the very low end of the scale.  What is not accounted for is the loss of public trust and the brand damage to the Briar Group and their restaurants and bars.  It’s hard to say what those damages will be.

Bottom line: data breach costs are going up. With an average cost of $7.2 million per data breach event, the expenditures to protect networks, applications and data suddenly appear to be minuscule.  As Benjamin Franklin said, “an ounce of prevention is worth a pound of cure.”  Too bad that the Briar Group didn’t take that advice.

Accidentally Issued Fraudulent Certificates Could Help Phishers

Today, Microsoft released a Security Advisory warning that Comodo — one of their Windows Trusted Root Certification Authority partners — had accidentally issued nine fraudulent digital certificates for some very popular domains.

When you visit sites, digital certificates help ensure that the site you visit really is the one you think it is. Phishers often try to spoof popular sites in order to steal your credentials. Digital signatures can help prevent this by informing you when a site has an improper certificate, which doesn’t match the domain.

Unfortunately, Comodo mistakenly issued legitimate digital certificates to an unknown third party, giving that third party valid (though fraudulent) digital certificates for some very popular domains.

The affected domains or web properties include:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (3 certificates)
  • login.skype.com
  • addons.mozilla.org
  • “Global Trustee”

This means an attacker in possession of these fraudulent certificates can leverage them to either create very convincing spoofed sites for those domains, or to help them carry out Man-in-the-Middle (MitM) attacks, even when valid certificates are required.

That said, Comodo has already revoked the fraudulent certificates. If your web browser supports Online Certificate Status Protocol (OCSP), and you’ve enabled it, then your browser should protect you from sites leveraging these false certificates.

Furthermore, Microsoft has also released a Windows update that revokes these signatures. If you have enabled automatic updates, you may have already received it. Otherwise, be sure to download and install it. Once you install Microsoft’s patch and/or enable OCSP, these fraudulent certificates should pose you no harm.

[UPDATE] Comodo has apparently messed up with certificates before.

Corey Nachreiner, CISSP (@SecAdept)

Firefox 4 Improves Speed and Security

For any Firefox fans out there, Mozilla has released version 4, which you can download now. Firefox 4 contains a number of improvements, but the most relevant to this blog are its security updates.

One of Firefox 4’s new features is called Content Security Policy (CSP). This feature helps to prevent Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks. In the past, extensions like NoScript could try to prevent XSS attacks by just preventing one site (or domain) from injecting script into another site (or domain). However, this basic XSS detection often results in false positives, as some developers actually design sites to work that way. Mozilla’s new CSP feature takes a more active approach. Web servers share special headers telling the browser what sort of content or scripts to expect. Firefox won’t process any content that the server didn’t specify, thus potentially avoiding injected scripts. That said, for all this to work the web sites we visit need to start supporting CSP headers.
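The allow-list behaviour described above, as an added example that is not Mozilla’s code or part of the original post: a simplified model of how a browser decides whether a script may run under a server-supplied policy. It assumes the standardized `Content-Security-Policy` header syntax and supports only a subset of source expressions; the policy, page URL and script URLs are constructed.

```javascript
// Simplified model of Content Security Policy enforcement for script loads.
// Added illustration: handles only 'self', 'none', *, origins and *.host sources.

// Constructed sample policy and page URL.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.net *.static.example.org";
const SAMPLE_PAGE = 'https://shop.example.com/cart';

// Parse "name src src; name src" into a Map of directive name -> source list.
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first occurrence wins
  }
  return policy;
}

// Sources that govern scripts: script-src, falling back to default-src.
function scriptSources(policy) {
  return policy.get('script-src') ?? policy.get('default-src');
}

// Does one source expression match the script URL being loaded?
function sourceMatches(source, target, page) {
  const lower = source.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return target.origin === page.origin;
  const webScheme = target.protocol === 'http:' || target.protocol === 'https:';
  if (source === '*') return webScheme;
  const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(lower);
  if (!m || !webScheme || target.port !== '') return false; // unsupported: fail closed
  const [, scheme, wildcard, host] = m;
  // A source without a scheme matches the page's scheme or an upgrade to HTTPS.
  const schemeOk = scheme
    ? target.protocol === scheme + ':'
    : target.protocol === page.protocol || target.protocol === 'https:';
  // "*.host" matches subdomains only, never the bare host itself.
  const hostOk = wildcard
    ? target.hostname.endsWith('.' + host)
    : target.hostname === host;
  return schemeOk && hostOk;
}

// Would the browser fetch and run <script src="scriptSrc"> on this page?
function allowsScript(policy, pageUrl, scriptSrc) {
  const sources = scriptSources(policy);
  if (sources === undefined) return true; // no directive restricts scripts
  const page = new URL(pageUrl);
  const target = new URL(scriptSrc, page); // resolves relative paths
  return sources.some((s) => sourceMatches(s, target, page));
}

// Inline <script> blocks run only if the policy explicitly opts in.
function allowsInlineScript(policy) {
  const sources = scriptSources(policy);
  if (sources === undefined) return true;
  return sources.map((s) => s.toLowerCase()).includes("'unsafe-inline'");
}
```

With the sample policy, a script injected as inline markup or loaded from an origin the server did not list is refused, while the site’s own scripts and its listed CDN still load.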

Another new feature is Firefox’s support of the Strict-Transport-Security header. When you go to sites like gmail.com, you really want to visit the HTTPS version of the site. However, if you don’t bother typing the full URL into your browser, you may accidentally visit the normal HTTP site first, before being redirected to the HTTPS version. This little transition could provide attackers with what they need to carry out a Man-in-the-Middle (MitM) attack. The Strict-Transport-Security header — which Firefox 4 supports — allows a web site to specify that it will only allow HTTPS connections, thus preventing the scenario mentioned above.
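How a browser applies that header, as an added example that is not Firefox’s code or part of the original post: a simplified model of the browser-side store that remembers which hosts demanded HTTPS and upgrades later `http://` URLs before any request is sent. The class and function names, host names and timestamps are constructed for illustration.

```javascript
// Simplified model of a browser's Strict-Transport-Security (HSTS) store.
// Added illustration; host names and timestamps are constructed.

class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record the policy carried by a response. A header seen over plain HTTP is
  // ignored, since anyone on the network path could have injected it.
  noteResponse(url, headerValue, nowMs) {
    const u = new URL(url);
    if (u.protocol !== 'https:' || !headerValue) return false;
    let maxAge = null;
    let includeSubDomains = false;
    for (const raw of headerValue.split(';')) {
      const [name, value = ''] = raw.trim().split('=');
      const key = name.trim().toLowerCase();
      if (key === 'max-age') {
        const digits = value.trim().replace(/^"|"$/g, '');
        if (/^\d+$/.test(digits)) maxAge = Number(digits);
      } else if (key === 'includesubdomains') {
        includeSubDomains = true;
      }
    }
    if (maxAge === null) return false; // max-age is mandatory
    if (maxAge === 0) {
      this.entries.delete(u.hostname); // max-age=0 tells the browser to forget
      return true;
    }
    this.entries.set(u.hostname, { expires: nowMs + maxAge * 1000, includeSubDomains });
    return true;
  }

  // True if the host, or a parent that set includeSubDomains, has a live entry.
  isHstsHost(hostname, nowMs) {
    const labels = hostname.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (entry && entry.expires > nowMs && (i === 0 || entry.includeSubDomains)) {
        return true;
      }
    }
    return false;
  }

  // The URL the browser actually requests for a typed or linked URL.
  rewrite(url, nowMs) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isHstsHost(u.hostname, nowMs)) {
      u.protocol = 'https:'; // upgraded locally, before any packet is sent
    }
    return u.href;
  }
}

// Constructed walk-through of the scenario in the paragraph above.
function hstsDemo() {
  const store = new HstsStore();
  const t0 = Date.UTC(2011, 2, 22);
  const year = 31536000; // seconds
  const firstVisit = store.rewrite('http://mail.example.com/inbox', t0);
  store.noteResponse('http://mail.example.com/', `max-age=${year}`, t0); // ignored
  const afterHttpHeader = store.rewrite('http://mail.example.com/inbox', t0);
  store.noteResponse('https://mail.example.com/', `max-age=${year}; includeSubDomains`, t0);
  return {
    firstVisit,
    afterHttpHeader,
    nextVisit: store.rewrite('http://mail.example.com/inbox', t0 + 1000),
    subdomain: store.rewrite('http://static.mail.example.com/a.js', t0 + 1000),
    parent: store.rewrite('http://example.com/', t0 + 1000),
    afterExpiry: store.rewrite('http://mail.example.com/inbox', t0 + year * 1000 + 1),
  };
}
```

The first visit is still sent over HTTP: the protection starts only once the browser has seen the header on an HTTPS response, and it lapses when `max-age` runs out.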

Firefox 4 contains many other old and new security features which you can read about on Mozilla’s site, or in this SANS ISC handlers diary post.

Besides the security improvements I mentioned above, Firefox 4 is also a lot faster. Browsers like Chrome and Safari have done a lot to make the browsing experience much faster, mostly by improving JavaScript rendering. Firefox 4 includes similar improvements, making it three times faster than Firefox 3.x, and on par with the fastest browsers on the market.

If you use Firefox, I highly recommend you download version 4 for its security and performance improvements. Don’t forget to also grab the latest version of NoScript, which I never browse without.

Corey Nachreiner, CISSP (@SecAdept)

Adobe Patches Zero Day in Flash Player, Reader, and Acrobat

Severity: High

21 March, 2011

Summary:

  • These vulnerabilities affect: Recent versions of Adobe Reader, Acrobat, and Flash Player
  • How an attacker exploits it: In various ways, but most commonly by enticing your users into visiting a website containing malicious Flash or Reader content
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you use these popular Adobe products, you should download and install their various updates as soon as possible.

Exposure:

Typically, Adobe’s quarterly Patch Day falls on the same Tuesday as Microsoft Patch Day (the second Tuesday of the month). However, a recent zero day Flash exploit circulating in the wild has encouraged Adobe to release a few out-of-cycle patches early. Today, Adobe released two security bulletins that fix a zero day Flash vulnerability in Reader, Acrobat, and Flash Player, running on all platforms (including Android).

Though the two bulletins affect different software, they both fix the same core Flash-related vulnerability that we described in our earlier WatchGuard Security Center post. As usual, Adobe doesn’t describe this zero day flaw in any technical detail. However, they do mention that the flaw lies within the authplay.dll component, which all three vulnerable products use. By enticing one of your users to visit a web site or download a PDF file containing malicious Flash content, an attacker could leverage this flaw to execute code with that user’s privileges. If your users have administrative or root privileges on the victim platform, the attacker would gain complete control.

As was the case during our first post, attackers have been exploiting this flaw in the wild (even before Adobe knew it existed). If you use the affected software (as most users do), we highly recommend you install Adobe’s updates immediately.

For more details about these updates, see Adobe’s bulletins below:

  • APSB11-05: March 2011 Flash Player Update
  • APSB11-06: March 2011 Reader and Acrobat Update

Solution Path:

Adobe has released Reader, Acrobat, and Flash Player updates to fix this flaw. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you. Note: Adobe has not yet released a Reader X update for this vulnerability, since Reader X’s default sandboxing technology should protect you from this flaw. That said, we do expect a Reader X update at a later date.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading certain types of files via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of some of these vulnerabilities by blocking various Adobe-related files using your Firebox’s proxy services. Such files include .PDF, .SWF, .DIR, .DCR, and .FLV. That said, many websites rely on these files to display interactive content. Blocking them could prevent some sites from working properly. Furthermore, many businesses rely on PDF files to share documents. Blocking them would affect legitimate files as well. For that reason, we recommend the updates above instead.

Nonetheless, if you choose to block some Adobe files, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by their file extensions:

Status:

Adobe has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)

2011’s First OS X Update Patches 57 Vulnerabilities

Summary:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various documents or images
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer
  • What to do: OS X administrators should download, test and install OS X 10.6.7 or Security Update 2011-001 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 57 (number based on CVE-IDs) security issues in 26 components that ship as part of OS X or OS X Server, including Apache, QuickTime, and ClamAV. Some of the fixed vulnerabilities include:

  • Multiple ImageIO Buffer Overflow Vulnerabilities. ImageIO is one of the components that helps OS X handle various image file types. Unfortunately, it also suffers from various security vulnerabilities involving the way it handles certain types of image files (such as buffer overflow vulnerabilities). Though these vulnerabilities differ technically, they generally share the same scope and impact. If an attacker can get a victim to view a specially crafted image file (perhaps hosted on a malicious website), he could exploit any of these flaws to either crash an application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges. The affected image types include JPEG, TIFF, and XBM.
  • Many ATS Vulnerabilities. The Apple Type Service (ATS) helps OS X machines handle fonts. ATS suffers from various memory-related vulnerabilities having to do with the way it handles certain types of embedded fonts. By tricking one of your users into downloading and viewing a malicious document containing a specially crafted font, an attacker can exploit this flaw to execute code on that user’s computer. By default, the attacker would only execute code with that user’s privileges.
  • Five QuickTime Vulnerabilities. QuickTime is the popular video and media player that ships with OS X (and iTunes). QuickTime suffers from five security issues (number based on CVE-IDs) involving how it handles certain image and video files. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted image or video in QuickTime, he could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, cross-site scripting (XSS) vulnerabilities, and information disclosure flaws. Components patched by this security update include:

  • AirPort
  • Apache
  • AppleScript
  • ATS
  • bzip2
  • CarbonCore
  • ClamAV
  • CoreText
  • File Quarantine
  • HFS
  • ImageIO
  • Image RAW
  • Installer
  • Kerberos
  • Kernel
  • Libinfo
  • libxml
  • Mailman
  • PHP
  • QuickLook
  • QuickTime
  • Ruby
  • Samba
  • Subversion
  • Terminal
  • X11

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

On a related note, Apple has released many security updates in the last few weeks. Besides the Java update we alerted about early this month, Apple has also posted the following security-related product updates:

If you use any of those products, we recommend you update them as well, or let Apple’s automatic Software Updater do it for you.

Solution Path:

Apple has released OS X Security Update 2011-001 and OS X 10.6.7 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)

RSA loses SecurID tokens due to APT attack

This year, I predicted we’d see an increase in Advanced Persistent Threats (APTs), both as a more common attack and an overused acronym. Unfortunately, a recently disclosed breach into RSA’s network seems to prove this prediction true.

Late last Thursday, RSA’s executive chairman, Art Coviello, Jr, posted an open letter warning their customers about a network breach that allowed attackers to gain access to servers related to their SecurID two-token authentication products. They don’t describe how the breach occurred in any detail, only that they’d discovered an “extremely sophisticated cyber attack” in their systems. They admit that attackers extracted some information related to their SecurID authentication products, but they don’t share exactly what that information is, or how attackers might leverage it.

So what does this mean to SecurID users? Well first, let’s start with the good news. By its very nature, SecurID provides a second token of authentication. It is that second token of authentication that is at risk, not the first token (which is your password). In other words, even if an attacker could totally hack your SecurID token, they’d still need to figure out your normal user name and password in order to log in as you.

That’s not to say this breach doesn’t pose some risk to SecurID users, though. As RSA warns, the information stolen “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation.” The whole point of implementing a two-token authentication system is because you want the security that second token provides, and it may be at risk after this breach. I recommend SecurID users check out RSA’s suggested best practice recommendations to help mitigate the risk this breach poses to SecurID solutions.

Without more details about what data got stolen, and how the breach happened, it’s hard to know the risk it really poses to an average SecurID user. However, I expect RSA to release more information as the situation develops. If I learn new details of interest, I’ll be sure to follow up here.

Corey Nachreiner, CISSP

Scummy attackers preying on Japanese disaster for a buck

Unfortunately, it almost goes without saying in this day and age; when some big event or unfortunate disaster happens, scummy malware pushers will jump all over it in hopes of enticing the news hungry masses to malicious sites and downloads. This unfortunate trend hasn’t failed to disgust me yet again with Japan’s recent earthquake and nuclear catastrophes.

Within hours of the first earthquake, scammers had already launched malicious campaigns to lure the worried global audience to phishing sites masquerading as aid sites, and had also started massive spamming campaigns targeting donors who want to help Japan.

One of the techniques attackers increasingly use in these situations is called Black Hat Search Engine Optimization (SEO). This is a technique where attackers leverage the same SEO methods marketers use to get their web sites to prominently display with certain search results; only the attacker falsely links popular search phrases to a malicious site. Attackers are aggressively leveraging these Black Hat SEO techniques to tie their malicious phishing sites to the Japanese earthquake disaster. So you should definitely be careful when searching for earthquake news on Google and other search engines.

I have a strong personal tie to Japan. I lived there for four years in the 80s, when I was younger. Many of my childhood memories are distinctly Japanese. So when I hear about these despicable criminals trying to make a buck off a country’s pain… well, I can’t really put to words how angry I feel. That’s why I want to make sure these crooks don’t succeed. As you receive email about the Japan disaster, or search for the latest information, please be wary of the links you click. While I encourage you to help out in some way, you should also be careful of who you are donating to. Finally, tell all your friends about these potential scams. If we all band together, maybe we can prevent these hoodlums from profiting from Japan’s pain.

Corey Nachreiner, CISSP

Companies targeted by zero day Adobe Flash vulnerability

[UPDATE]
As mentioned at the end of my original post, I expect Adobe to release Flash and Acrobat updates sometime this week. However, Google Chrome users will get this Flash update early. If you use Chrome, Google and Adobe have already included the Flash fix in the latest Chrome release.

In a recent security advisory and blog post, Adobe warned of a new zero day Flash vulnerability that attackers are leveraging in the wild. The new vulnerability affects Adobe Flash Player, Reader X, and Acrobat X running on all platforms. Adobe doesn’t describe the vulnerability in much detail, other than that it lies within the authplay.dll component of their applications. They do, however, describe how attackers are leveraging the flaw in the wild.

Specifically, Adobe warns that attackers are attaching malicious Excel (.xls) documents to targeted emails. The attacker embeds a specially crafted Flash (.swf) file within the Excel document. If you open the malicious Excel attachment, the embedded .swf file executes, and leverages the zero day flaw to install persistent malware on your system (likely a bot client that gives the attacker a stepping stone to install even more malware).

Unfortunately, Adobe has just learned of this flaw from reports of attackers exploiting it in the wild. They haven’t had time to patch it yet. They plan to release Adobe Flash Player and Acrobat X updates that will fix this issue sometime during the week of March 21. However, they do not intend to release a Reader X update till June, since Reader X’s default sandbox setting should prevent this exploit from working.

In the meantime, I recommend you warn your users about opening Excel documents attached to strange emails. If you like, you could use the proxies on our XTM appliances to block all Excel attachments. However, most organizations need to allow them for business. I will let you know when Adobe updates their products in Security Alerts posted here.

Corey Nachreiner, CISSP

Latest OS X Java Updates Prevent Code Execution

Summary:

  • This vulnerability affects: OS X 10.5.x (Leopard) and 10.6.x (Snow Leopard)
  • How an attacker exploits it: By enticing your users to a malicious website containing specially crafted Java applets
  • Impact: In the worst case, an attacker executes code on your user’s computer, with that user’s privileges
  • What to do: Install Java for OS X 10.5 Update 9 or Java for OS X 10.6 Update 4 as soon as possible, or let Apple’s updater do it for you.

Exposure:

Today, Apple issued two advisories [ 1 / 2 ] describing Java security updates for OS X 10.5.x and OS X 10.6.x. The advisories warn of 16 vulnerabilities in OS X’s Java components (number based on CVE-IDs).

Apple doesn’t describe these flaws in specific detail; rather, they only share the potential impact of the worst case flaw. By luring one of your users to a malicious website containing a specially crafted Java applet, an attacker can exploit some of these Java flaws to either execute code or elevate privileges on your users’ OS X computers. In most cases, the attacker would only gain the privileges of the currently logged in user, which doesn’t include root or administrator access in OS X. Nonetheless, we recommend you install Apple’s OS X Java update as soon as possible.

Solution Path:

Apple has issued Java for OS X 10.5 Update 9 [dmg file] and Java for OS X 10.6 Update 4 [dmg file] to correct these flaws. If you manage OS X 10.5.x or 10.6.x computers, we recommend you download and deploy these updates as soon as possible, or let OS X’s automatic Software Update utility install the proper update for you.

For All WatchGuard Users:

Some of these attacks rely on one of your users visiting a web page containing malicious Java bytecode. The HTTP-Proxy policy that ships with most Firebox models automatically blocks Java bytecode by default, which somewhat mitigates the risk posed by some of these vulnerabilities.

Status:

Apple has released Java updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Microsoft Groove 2007 Code Execution Vulnerability

Severity: Medium

8 March, 2011

Summary:

  • This vulnerability affects: The Microsoft Groove 2007 service (which ships with some versions of Office 2007)
  • How an attacker exploits it: By enticing your users into opening specially crafted Groove files
  • Impact: In the worst case, an attacker gains complete control of your user’s computer
  • What to do: Deploy the appropriate Groove update immediately, or let Windows Automatic Update do it for you

Exposure:

Microsoft Groove (now called Microsoft SharePoint Workspace) is a document collaboration program that allows you to share a workspace with a team of online and offline members. When you make changes to a document, those changes automatically synchronize over the shared workspace. Groove ships with the Enterprise and Ultimate versions of Microsoft Office 2007.

In a security bulletin released today as part of Patch Day, Microsoft describes a serious vulnerability that affects the Microsoft Groove 2007 service. The flaw involves an insecure Dynamic Link Library (DLL) loading technique that was originally described in this Security Advisory. By enticing one of your users into opening a malicious Groove-related file (.vcg or .gta) that is located in the same network directory as a specially crafted DLL, an attacker could leverage this vulnerability to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker could leverage this issue to gain complete control of their machine.

Solution Path:

Download, test, and deploy the Microsoft Groove 2007 Service update, or let Windows Update do it for you.

For All WatchGuard Users:

If the practice fits your business environment, you can use the HTTP, SMTP, and/or POP3 proxies to block the Groove-related files (.vcg and .gta) used to trigger these vulnerabilities. However, doing so will also prevent users from downloading legitimate Groove files. Instead, we recommend you install the updates listed above.

Nonetheless, if you would like to use our proxies to block these file types, follow the links below for instructions:

Firebox X Edge running 10.x

Firebox X Core and X Peak running Fireware 10.x

Status:

Microsoft has released patches to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

