A few months ago C|Net published an article claiming current economic conditions have resulted in greater enterprise use of free and open source technologies.  This sparked an internal discussion about whether the supposed tendency would have an impact on risk to the enterprise.   As such discussions are wont to do, it descended into the quagmire of “how secure is open source”, and eventually died a quiet death after the RISK team grew weary with the topic. I had already half-heartedly begun a blog article framing the debate, but quickly filed it away under ‘do not resuscitate’.

However, three subsequent events brought additional insight to the matter, namely:  an XKCD cartoon, the build-out of a lab test bed, and a team-member’s ailing water heater. These unrelated events convinced me to go ahead and blow the dust off the blog entry and get it posted.

(more…)

by William Murray

Not so long ago, but in a different era, the rogue hackers were building tools to automate the creation of viruses and worms to exploit newly publicized vulnerabilities.  They boasted that these tools were enabling them to develop malicious code faster and faster and that soon they would be able to create an attack within twenty-four hours of the identification of a vulnerability. Thus was born the idea of the “zero-day” attack.  Note that “zero-day” is a term of art, that it modifies attack, and that it is relative to the identification of the vulnerability.  

While it is sometimes used to refer to a previously unknown vulnerability, the words have no meaning in that context. “Zero-day” relative to what?  To yesterday?  The term has lost its original meaning without gaining a new one.  It became an expression that, not only carried no meaning of its own, but confused the meaning of any terms with which it was used.  This aggravates the general problem in security that our terms of art, e.g. threat, attack, vulnerability, and risk are used without distinction, not to say interchangeably.  Multiple times a week I find myself parsing quotes about security in the media, in a sometimes vain attempt to figure out what the source intends.

(more…)

Today we published a notification to our security customers advising them that the latest Microsoft vulnerability, discovered only after in-the-wild criminal attacks, should be treated as “Hot.” Hot is our term for something which needs to be addressed within seven days.

In June we published a similar advisory regarding the DirectShow vulnerability, also discovered only after in-the-wild criminal attacks, wherein we advised the issue as “Important.” Important means to take action within thirty days.

Both issues were discovered only after in-the-wild criminal attacks, so why would we rate them different?

(more…)

Microsoft has announced that they have discovered a vulnerability in DirectShow. Exploitation of the vulnerability could allow a criminal to run code of their choice in the victim’s security context simply by the victim browsing to a website while allowing scripts to run. The browser being used doesn’t matter providing it allows scripting. Microsoft is aware of limited attacks in-the-wild. Patches are being developed.

All versions of Windows are vulnerable, except Vista and Server 2008. It is worth noting that DirectShow was patched for similar vulnerabilities in April 2009, and previously in December of 2007. Neither of those vulnerabilities was ever significantly exploited.

(more…)

Multiprotocol Label Switching (MPLS) security is not for the faint hearted. However, like most information technology, understanding basic principles and having a policy founded on sound principles allows an administrator to sleep at night knowing the networks are secure.  A policy for employing thoughtful and conservative essential practices and having quality assurance practices to ensure continuity of secure operations is one of those basic principles.  An antithetical principle is that when a criminal takes control of your systems, bad things are going to happen.

(more…)

I’ve been reading, with no small amount of interest, about the congressional hearings surrounding the Payment Card Industry Data Standards (PCI DSS) that took place on March 30th. Over the last six months, various incidents and data breaches have renewed discussion about the Payment Card Industry’s Security Standards Council and the value of PCI DSS. It all came to a head on Tuesday in various testimonies given to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology (or ‘SETCAST’ – see http://www.homeland.house.gov/hearings/index.asp?ID=185). I thought I’d take the opportunity to write my first blog post for Verizon Business to discuss why I think the PCI DSS is just fine.

(more…)

So rumors abound that a paper and exploit code will be published today that use a vulnerability in a processor’s caching mechanism to install code that is being called “undetectable.”

If it appears that we’re obviously not stating names and vendors, you’re right, we aren’t. At the time of writing all we’ve seen is speculation.

But let’s just take one aspect of the current hoopla: “Can something be installed on your computer and become undetectable?”

(more…)

In a recent blog post at ZDNet, Jason O’Grady mentioned the benefits of running an application that monitors outgoing (egress) traffic on your Mac. OS X malcode has been in the news lately, with Trojaned versions of iWork and Photoshop CS4 appearing on the BitTorrent network, and Jason offers Little Snitch (an egress firewall application) as “one way to keep tabs on software that likes to call home” (such as a Trojan).

As our recent series on Mac AV suggests, I don’t run antivirus software on my OS X client systems. However, I do run Little Snitch. We neglected to mention egress firewalls as a worthwhile addition to good OS X configurations in that series, and would like to take the opportunity to do so here.

(more…)

A number of organizations take the end of the year as an opportunity to publish predictions about what will happen in the security space during the subsequent year. The RISK Team engages in that exercise every Thursday as part of our weekly Risk call, during which we analyze emerging threats and vulnerabilities. So instead of generating a new list, we’ll share one that was refined over the course of 50 weekly meetings. In addition, we’ll share our predictions from the prior five years.

(more…)

by Peter Tippett and Kevin Long

This is Part III of a three-part series on OS X security. Please read Part I and Part II if you haven’t already.

If you ran Amtrak, would you install a missile defense system on your trains? Trains are certainly vulnerable to missile attack, and the cost of such an attack would be devastating. Luckily, trains are not commonly subjected to missile attack, so the cost of implementing such a defense is not justified.

Is the protection afforded by antivirus software (AV) worth the cost? First we’ll estimate the cost, then we’ll discuss the protection AV affords.

(more…)

by Peter Tippett and Kevin Long

This is Part II of a three-part series on OS X security. Please read Part I if you haven’t already.

Before we go further, a review of the Verizon Business RISK Team’s risk equation is in order. Risk is traditionally thought of as the product of Likelihood * Impact (Cost). In the world of computers, the Likelihood is itself the product of Threat, which is the frequency of attempts of an attack, and Vulnerability, which is the likelihood of success of an attempted attack considering all countermeasures that are already in place. Thus, Risk = Threat * Vulnerability * Impact.

For the purposes of this discussion, Impact is consistent across platforms, so Threat and Vulnerability are the factors that will be addressed.

The threat of attacks against OS X systems has traditionally been significantly lower than that against Windows systems. When OS X was introduced in 2001, reasons cited for that could have included the following: (more…)

by Peter Tippett and Kevin Long

What’s a Mac user to do? Depending on where (and when) you looked, during December you’ve been offered the following advice when it comes to having security software on your system:

• If you listened to Apple on December 1, you should be running multiple antivirus applications.
• If you listened to a maker of antivirus software, you should be running their respective antivirus application.
• If you listened to various bloggers and columnists, you’ve certainly not heard a consistent message.
• If you listen to Apple today, they’re suggesting that Leopard is protected against malicious code “right out of the box.”

Despite the existence of several notable posts already written about this topic, this month’s chatter provides an opportunity to share the reasons we recommend against running antivirus software on Macs (in most situations).

(more…)

by Dave Kennedy and Russ Cooper

I just checked, and so far not one member of the Verizon Business RISK Team has moved into their apocalyptic redoubts over the latest vulnerability in Internet Explorer (IE).  Our assessment is that this latest vulnerability isn’t very different than many of the IE vulnerabilities we’ve seen in the past.  IE has historically been a popular target for criminals, and we don’t doubt some are using/will use this latest vulnerability to take over users’ systems.  We assess the threat  volume as small, with locations isolated, and believe that several mitigations are available to reduce overall risk.

(more…)

There seems to be a lot of discussion regarding the 7 years it took for Microsoft to patch against SMBRelay (the name of a tool published in 2001.) There’s some speculation that Microsoft is only now addressing the issue because a Metasploit module was added in 2007 to exploit the vulnerability. Here’s our take.

Should Microsoft have patched SMB sooner? Why? Who has been adversely affected by the vulnerability? We’ve never had an Incident Response case that involved abuse of it. Given the fact that we now know there was a solution to the puzzle, chances are that solution was stumbled upon by accident in one of those “Eureka” moments. Once that idea was finally conceived, of course, it made sense for them to produce a patch, but do try to appreciate just what was at stake as they attempted to implement it and test it. Thousands, if not hundreds of thousands of 3rd party applications are based on SMB working just the way it does. Break it while patching the vulnerability and you’d have a lot of upset people.

(more…)

Today Microsoft released a patch for the “click-jacking” vulnerability announced by Robert Hanson in September. The issue, as you may remember, was that exploiting this vulnerability (in all versions of XMLHTTP but 3.0) allowed him to cause your click on a web page to be directed at anything he wanted. So you might have thought you were clicking a URL to http://securityblog.verizonbusiness.com, but you’d visit http://Ive_Got_You_Now_Sucker.com.

(more…)