January, 2009:

Google glitch causes confusion

This morning, an apparent glitch at Google caused nearly every [Update 11:44 am] search listing to carry the "Warning! This site may harm your computer" message. Users who attempted to click through the results saw the "interstitial" warning page that mentions the possibility of badware and refers people to StopBadware.org for more information. This led to a denial of service of our website, as millions of Google users attempted to visit our site for more information. We are working now to bring the site back up. We are also awaiting word from Google about what happened to cause the false warnings.

[Update 12:31] Google has posted an update on their official blog that erroneously states that Google gets its list of URLs from us. This is not accurate. Google generates its own list of badware URLs, and no data that we generate is supposed to affect the warnings in Google’s search listings. We are attempting to work with Google to clarify their statement.

[Update 12:41] Google is working on an updated statement. Meanwhile, to clarify some false press reports, it does not appear to be the case that Google has taken down the warnings for legitimately bad sites. We have spot checked a couple of known bad sites, and Google is still flagging those sites as bad. I.e., the problem appears to be corrected on their end.

For more information about how the process works and the relative role that Google and StopBadware.org play, please see our Clearinghouse page or this question in our FAQ.

[Update 1:36] Google updated its statement to reflect that StopBadware does not provide Google’s badware data.

[Update 2:35] Hopefully this will be the last update, as Google has acknowledged the error, apologized to its customers, and fixed the problem. As many know, we have a strong relationship with Google, which is a sponsor and partner of StopBadware.org. The mistake in Google’s initial statement, indicating that we supply them with badware data, is a common misperception. We appreciate their follow up efforts in clarifying the relationship on their blog and with the media. Despite today’s glitch, we continue to support Google’s effort to proactively warn users of badware sites, and our experience is that they are committed to doing so as accurately and as fairly as possible.

URL: http://blog.stopbadware.org/2009/01/31/google-glitch-causes-confusion

Openness versus consumer protection? Android, iPhone, and transparency

If you follow news about the Android mobile phone platform, you may have seen recent allegations of malware against a third party application available on Google’s Android application market. It’s unclear whether or not the application in question, MemoryUp, was actually capable of any of the reported claims against it – Google’s own testing showed no malicious behavior – but the application disappeared from the Android Market anyway.

Elisabeth Oppenheimer, of StopBadware director Jonathan Zittrain’s "Future of the Internet" blog, writes:

[I]f Google is going to have the kind of open marketplace they want, they’re going to have to be more clear about what they’re doing. No one seems to know who pulled the app—the developer, Google itself, or perhaps some automatic system based on customer complaints. If Google is silently pulling disputed apps while the developers protest … they’ve replicated the iPhone’s App Store. There hasn’t been much protest about the Android kill switch, and people might well be okay with pulling apps that pose security problems from the Market (especially since there are alternative distribution methods). But Android users ought to know who pulled the app, and why.

Contrast the Apple iTunes App Store, which pre-screens applications. It’s unlikely for malware to get through, but the high level of gatekeeping also can keep legitimate applications out – including, controversially, competitors to some applications designed by Apple.

Elisabeth continues:

Professor Zittrain argues for solutions that engage the community of users and don’t assume a zero-sum game. Having users test and rate applications—as they do on Android—is certainly a step in that direction. (Google removing apps without explanation would be a step in the opposite direction, and would make developers nervous.)

Do we really need to choose between openness and security? Professor Zittrain argues that, with the help of the community of internet users at large, we should not need to. For companies in a position to act as gatekeepers seeking a balance they can live with, a high level of transparency and communication with users can help mitigate any restrictions on openness – and can help foster a more secure internet for us all. 

Disclosure: Google is one of StopBadware’s sponsors.

URL: http://blog.stopbadware.org/2009/01/30/openness-versus-consumer-protection-android-iphone-and-transparency

Is having a security policy in place nine-tenths of the law?

Recent studies have shown that most employees, including IT staff, are often unaware of corporate security directives or even tend to ignore them.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/WuCzrXxPiXo/

Threatscape Report – January 2009 Edition

The following statistics are compiled from Fortinet’s FortiGate network security appliances and intelligence systems for the period December 21st, 2008 – January 20th, 2009.

FortiGuard Global Threat Research

Exploits and Intrusion Prevention

Top 10 Exploitations

Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:

Rank  Vulnerability                                         Percentage  Severity
 1    Trojan.Storm.Worm.Krackin.Detection                   44.1        High
 2    Danmec.Asprox.SQL.Injection                            5.3        High
 3    MS.SQL.Server.Insert.Statements.Privilege.Elevation    3.8        High
 4    MS.Network.Share.Provider.Unchecked.Buffer.DoS         3.6        High
 5    MS.IIS.Web.Application.SourceCode.Disclosure           2.9        Medium
 6    TCP.PORT0                                              2.7        Low
 7    SSLv3.SessionID.Overflow                               2.4        High
 8    HTTP.Server.Localhost.Request.Source.Code.Disclosure   1.5        High
 9    MS.DCERPC.NETAPI32.Buffer.Overflow                     1.3        Critical
10    MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow         1.0        High

New Vulnerability Coverage

There were a total of 43 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 13 were reported to be actively exploited (30.2%).

Figure 1 breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:


Figure 1: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition’s Top 100 ranking, with “new” highlighting the malware’s debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank  Malware Variant            Percentage  Top 100 Shift
 1    Spy/OnLineGames             8.8        +2
 2    W32/Netsky!similar          8.2
 3    W32/Virut.A                 7.4        +3
 4    HTML/Iframe.DN!tr.dldr      7.1        +1
 5    HTML/Iframe_CID!exploit     6.9        -1
 6    W32/Dropper.VEM!tr          5.4        +94
 7    W32/MyTob.BH.fam@mm         3.7        +3
 8    W32/Small.AACQ!tr.dldr      2.6        -1
 9    W32/MyTob.AQ@mm             2.1        +6
10    W32/Basine.C!tr.dldr        1.9        -2

Figure 2: Activity curve for top five malware variants

Regions & Volume

Top 5 regions for this period, ranked by disti

URL: http://www.fortiguardcenter.com/reports/roundup_jan_2009.html

Addressing Red Flags compliance

The Federal Trade Commission has instituted new regulations known as “Identity Theft Red Flags” that promise to mitigate the havoc posed by identity theft to financial institutions and their customers. Effective May 1, 2009, these new regulations require financial institutions and creditors with covered accounts to implement programs that detect, prevent, and mitigate instances of identity theft.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/DXvc1Mac7Mk/

Second Call for Papers – DIMVA 2009

Posted by Sebastian Schmerl on Jan 28

President’s cyber security plan misses the (end)point

President Obama’s cyber security plan is revealed within the Homeland Security agenda posted on Whitehouse.gov. The plan echoes many of the recommendations made in a report (PDF) by the Commission on Cyber Security for the 44th Presidency.

The elements, all of which are sensible, include:

  • Appointing a national cyber advisor
  • Investing in R&D for infrastructure security
  • Working with the private sector to set standards for infrastructure security
  • Working with industry to develop safeguards against cyber-espionage
  • Shutting down untraceable payment schemes used to facilitate cybercrime
  • Providing law enforcement with money and training to improve their cybercrime enforcement efforts
  • Setting standards for securing personal data and disclosing data breaches

If the administration makes progress towards all of these goals and plays its part well, this would represent a significant step forward in the fight to secure our homeland security and to protect consumers.

I am, however, disappointed that the President’s plan does not include elements specifically focused on botnets and other malware that present a risk to individuals, business, and critical infrastructure. As demonstrated in the 2007 cyber attack against Estonia, infected PCs can be used to attack infrastructure. Just as a traditional military strives to not only defend its assets, but also to reduce its opponent’s armaments, we must work to get the malware off of users’ PCs. A sensible federal cyber security policy should include a focus on education, technology, and research to help keep users’ PCs safe. Ideally, this would incorporate working with the private sector to encourage data sharing, engaging the academic and malware research communities, increasing funding for non-profit initiatives such as the National Cyber Security Alliance (and, dare I say, StopBadware.org), and investing in the development of new technologies and new policies aimed at keeping computers secure.

URL: http://blog.stopbadware.org/2009/01/27/presidents-cyber-security-plan-misses-the-end-point

CASE STUDY: Support execs in their use of Apple iPhones

A growing Silicon Valley virtualization company needed to free up bandwidth and support its employees’ use of iPhones.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/ii0iroQm-jU/

CASE STUDY: phion airlock in use at Herba Chemosan

A pharmaceutical wholesaler in Austria modernized its distribution systems and found protection for its network.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/-c6oT3KBxD4/

Infoblox Achieves U.S. Federal Government Certification for IPv6

Infoblox announced today that the Infoblox appliances, with the unique Infoblox NIOS™ operating system and grid technology, have been successfully certified by the Defense Information Systems Agency for Internet Protocol (IP) Version 6 (IPv6) interoperability. 

URL: http://feedproxy.google.com/~r/InfobloxNewsFeed/~3/FPObKKtSZqE/release.cfm

Cisco IOS Cross-Site Scripting Vulnerabilities

Two separate Cisco IOS® Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities have been reported to Cisco by two independent researchers.

URL: http://www.cisco.com/en/US/products/products_security_response09186a0080a5c501.html

New bots, more badware sites?

In recent weeks, a new worm known as Conficker/Downadup has been making the rounds, turning many (reportedly millions) of PCs into bots. At the same time, the number of badware sites Google has reported to us has been steadily increasing, from around 145,000 a couple months ago to around 183,000 now.

Are these related or just a spurious correlation? It’s hard to be sure. Google has been known to tweak its systems, sometimes leading to a significant increase or decrease in the number of reported hosts without any change in external conditions. On the other hand, it seems very possible that there is a direct link. If you’re a malware author looking to quickly spread a worm, compromising a bunch of websites and turning them into unwitting distributors of the worm is an effective weapon in your arsenal. And, of course, the botnet itself, as it grows, can be used to help infect even more sites.

Do you have more information on this question? Let us know at BadwareBusters.org.

URL: http://blog.stopbadware.org/2009/01/20/new-bots-more-badware-sites

Microsoft Security Bulletin for January 2009

The table below lists the Microsoft vulnerabilities for January 2009.

MS Bulletin Number:       MS09-001
Microsoft Bulletin Title: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)
Severity:                 Critical
Impact of Vulnerability:  Remote Code Execution
Affected Software:        Microsoft Windows
CVE ID:                   CVE-2008-4114, CVE-2008-4834, CVE-2008-4835

Threat Remediation

Fortinet provides coverage on Microsoft vulnerabilities in January 2009.

CVE Number     Signature Name
CVE-2008-4114  SMB.Malformed.DataOffset
CVE-2008-4834  MS.SMB.Trans.Request.NT.Create.Memory.Corruption
CVE-2008-4835  MS.SMB.Trans2.Request.Memory.Corruption

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.

Document History

Revision Date              Version  Notes
Tuesday, January 13, 2009  1        Initial documentation.
Friday, January 16, 2009   2        Signatures released in IPS Definition 2.587 (previously in beta state).

Reference:

URL: http://www.fortiguardcenter.com/advisory/FGA-2009-03.html

MD5 Hashes May Allow for Certificate Spoofing

This is the Cisco response to research done by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger pertaining to MD5 collisions in certificates issued by vulnerable certificate authorities.
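The check a practitioner wants after reading the above is whether any certificate in a chain they trust was signed over an MD5 digest. The following is an added example, not code from Cisco's response or from the researchers: it walks the DER of a certificate with no external library, reads the outer signatureAlgorithm OID, and flags md5WithRSAEncryption. The two sample certificates are constructed stand-ins (a stub tbsCertificate and a dummy signature value), not real certificates, and the helper names (der_read, signature_algorithm, audit, fake_cert) are this example's own.

```python
"""Flag X.509 certificates whose signature algorithm is MD5-based.

Added example with a minimal DER walker; the sample "certificates"
built at the bottom are constructed stand-ins, not real certificates.
"""
import base64

# Dotted OIDs of signature algorithms commonly met in certificate chains.
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
MD5_RSA_OID = "1.2.840.113549.1.1.4"


def der_read(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Strip PEM armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def signature_algorithm(cert_der):
    """Return (dotted OID, name) of a certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = der_read(cert)          # tbsCertificate: skipped entirely
    tag, algid, _ = der_read(cert, pos)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = der_read(algid)          # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    dotted = decode_oid(oid)
    return dotted, OID_NAMES.get(dotted, "unknown")


def uses_md5(cert_der):
    """True when the certificate's signature was made over an MD5 digest."""
    return signature_algorithm(cert_der)[0] == MD5_RSA_OID


def audit(certs):
    """Return the indexes of the MD5-signed certificates in a list of DER blobs."""
    return [i for i, der in enumerate(certs) if uses_md5(der)]


# ---- constructed test data (stand-ins, not real certificates) ----
def _der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(sig_oid_hex):
    """Certificate{ stub tbs, AlgorithmIdentifier{oid, NULL}, dummy BIT STRING }."""
    # tbs is padded past 128 bytes so the long length form gets exercised
    tbs = _der(0x30, _der(0x02, b"\x02") + _der(0x04, b"\x00" * 140))
    algid = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)
    return _der(0x30, tbs + algid + sig)


MD5_CERT = fake_cert("2a864886f70d010104")      # md5WithRSAEncryption
SHA256_CERT = fake_cert("2a864886f70d01010b")   # sha256WithRSAEncryption


if __name__ == "__main__":
    for i, c in enumerate([MD5_CERT, SHA256_CERT]):
        print(i, signature_algorithm(c))
    print("MD5-signed:", audit([MD5_CERT, SHA256_CERT]))
```

Run it against a chain by feeding pem_to_der() the PEM blocks in order and passing the list to audit(). The collision research concerns signatures a CA places on certificates it issues, so the entries that matter are intermediates and end-entity certificates; a trust anchor's self-signature is never verified and an MD5 OID there is not by itself a finding.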

URL: http://www.cisco.com/en/US/products/products_security_response09186a0080a5d24a.html

Infoblox Introduces Resilient Core Network Services to Cisco Branch Office Solutions

Infoblox announced today in a live video web cast “Unleashing the Power of Dynamic Infrastructure” that its virtual software module is now available on the Cisco Application Extension Platform (AXP) for the Cisco Integrated Services Router (ISR).

URL: http://feedproxy.google.com/~r/InfobloxNewsFeed/~3/5B0ozMEIKPo/release.cfm