Advertisement
  • About the Author
  • About this Blog

    • Posts Tagged: secunia

    A Little Sunshine / Latest Warnings / The Coming Storm / Web Fraud 2.041 Comments
    2
    Jun 11

    Spotting Web-Based Email Attacks

    Google warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of Gmail account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in a post on the Official Google Blog, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of The Wall Street Journal today was, “Google: China Hacked Email.”

    The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn’t exactly news. I’m surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for them. A more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.

    Google said “the goal of this effort seems to have been to monitor the contents of targeted users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)”

    This statement freaked me out a little bit. When was the last time you checked whether your email forwarding settings had been modified? If you’re like me, probably never. This might be the most useful aspect of the Google disclosure, and it contains a few helpful pointers about how to check those settings in Gmail. Google also took this opportunity to remind users about the value of enabling 2-step verification, a security precaution I highlighted in a February blog post.

    To my mind, the most valuable content in the Google Blog entry is a footnote that points to the Contagio Malware Dump blog, an incredibly detailed and insightful (if slightly dangerous) resource for information on targeted attacks. It’s worth noting that Google relied on Contagio to reconstruct how the attacks took place, and the author –blogger Mila Parkour — first wrote about these attacks almost four months ago.

    Most of targeted email attacks chronicled on Parkour’s blog involve poisoned file attachments that exploit zero-day software flaws in programs like Adobe Flash or Microsoft Word.  This campaign also encouraged people to click a link to download a file, but the file was instead an HTML page that mimicked Gmail’s login page. The scam page also was custom-coded to fill in the target’s Gmail username. Contagiodump has a proof-of-concept page available at this link that shows the exact attack, except populated with “JDoe” in the username field.

    Parkour also published an informative graphic highlighting the differences between the fake Google login page and the legitimate page at https://mail.google.com.

    Continue reading →

    Security Tools12 Comments
    7
    Dec 10

    Rap Sheets on Top Software Vendors

    A new online resource aims to make it easier to gauge the relative security risk of using different types of popular software, such as Web browsers and media players.

    Last month, I railed against the perennial practice of merely counting vulnerabilities in a software product as a reliable measure of its security: Understanding the comparative danger of using different software titles, I argued, requires collecting much more information about each, such as how long known flaws existed without patches. Now, vulnerability management firm Secunia says its new software fact sheets try to address that information gap, going beyond mere vulnerability counts and addressing the dearth of standardized and scheduled reporting of important security parameters for top software titles.

    Secunia "fact sheet" on Adobe Reader security flaws.

    “In the finance industry, for example, key performance parameters are reported yearly or quarterly to consistently provide interested parties, and the public, with relevant information for decision-making and risk assessment,” the company said.

    In addition to listing the number of vulnerabilities reported and fixed by different software vendors, the fact sheets show the impact of a successful attack on the flaw; whether the security hole was patched or unpatched on the day it was disclosed; and information about the window of exploit opportunity between disclosure and the date a patch was issued.

    The fact sheets allow some useful comparisons — such as between Chrome, Firefox, Internet Explorer and Opera. But I’m concerned they will mainly serve to fan the flame wars over which browser is more secure. The reality, as shown by the focus of exploit kits like Eleonore, Crimepack and SEO Sploit Pack, is that computer crooks don’t care which browser you’re using: They rely on users browsing the Web with outdated software, especially browser plugins like Java, Adobe Flash and Reader (all links lead to PDF files).

    Security Tools80 Comments
    4
    Oct 10

    Comcast Pushes Bot Alert Program Nationwide

    Comcast, the nation’s largest residential Internet service provider, announced last week that it is expanding an initiative to contact customers whose PCs appear to be infected with a malicious bot program.

    The Philadelphia-based cable Internet company is expanding nationwide a pilot program that began in Denver last year, which automatically informs affected customers with an e-mail urging them to visit the company’s security page. The system also sends the customer’s browser a so-called “service notice,” a semi-transparent banner that overlays a portion of whatever page is being displayed in the user’s Web browser.

    Customers can then either move or close the alert, or click Go to Anti-Virus Center, for recommended next-steps, which for Windows customers includes:

    • Downloading any missing Microsoft security updates.
    • Making sure the customer has some kind of up-to-date anti-virus software running.
    • Downloading and running Microsoft’s malicious software removal tool.
    • Downloading and installing Secunia‘s free Personal Software Inspector tool, a program that periodically scans the user’s computer for missing security updates for commonly used third party applications, such as Adobe Reader, Flash, and Java, and QuickTime.

    Continue reading →

    Security Tools / Time to Patch60 Comments
    8
    Sep 10

    Revisiting Secunia’s Personal Software Inspector

    Security vulnerability research firm Secunia has released a public beta of its Personal Software Inspector tool, a program designed to help Microsoft Windows users keep their heads above water with the torrent of security updates for third-party applications. The new beta version includes the promised auto-update feature that can automatically apply the latest patches for a growing number of widely-used programs.

    Secunia first announced in March that it would soon make the auto-update feature available to consumers, noting that the average PC user needs to install a security update roughly every five days in order to safely use Microsoft Windows and all of the third-party programs that  typically run on top of it.  The new beta version doesn’t allow auto-updating for all applications, although Secunia says the list of applications that can be auto-updated through its tool will grow as the public beta progresses.

    Overall, PSI 2.0 Beta seems to work quite a bit faster and use fewer resources than earlier versions. But my main concern in allowing third-party programs to update through PSI has so far been — ironically — relinquishing control over the update process. That’s because many “free” applications — such as Java, Adobe and Foxit readers — are free because a number of users never bother to deselect the check mark in the box next to offers to install additional software that is often bundled with these products, including virus scanners and various browser toolbars.

    Continue reading →

    A Little Sunshine36 Comments
    1
    Jul 10

    Top Apps Largely Forgo Windows Security Protections

    Many of the most widely used third-party software applications for Microsoft Windows do not take advantage of two major lines of defense built into the operating system that can help block attacks from hackers and viruses, according to research released today.

    Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.

    These protections are available to any applications built to run on top of the operation system. But according to a new analysis by software vulnerability management firm Secunia, half of the third party apps they looked at fail to leverage either feature.

    As indicated by the chart to the right, Secunia found that at least 50 percent of the applications examined — including Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and AOL‘s Winamp — still do not invoke either DEP or ASLR. Secunia said DEP adoption has been slow and uneven between operating system versions, and that ASLR support is improperly implemented by nearly all vendors.

    “If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly,” wrote Alin Rad Pop, a senior security specialist at Secunia. “While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms. If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attackers choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.”

    Continue reading →

    Time to Patch61 Comments
    5
    Mar 10

    Yep, There’s a Patch for That

    The average Microsoft Windows user has software from 22 vendors on her PC, and needs to install a new security update roughly every five days in order to use these programs safely, according to an insightful new study released this week.

    The figures come from security research firm Secunia, which looked at data gathered from more than two million users of its free Personal Software Inspector tool. The PSI is designed to alert users about outdated and insecure software that may be running on their machines, and it is an excellent application that I have recommended on several occasions.

    Stefan Frei, Secunia’s research analyst director, said the company found that about 50 percent of PSI users have more than 66 programs of installed.

    “Those programs come from more than 22 vendors, so as a first order estimate the number of different vendors you have on your box is the number of different update mechanisms you have to master,” Frei said. “This is doomed to fail.”

    Continue reading →