Security Protection – Harry Waldron (WP)

September 30th, 2011:

Mozilla Firefox 7 now available

The Mozilla Foundation has released the latest version of Firefox.

http://isc.sans.org/diary/Firefox+v+7+0+1+Is+Live/11698

http://www.mozilla.org/en-US/firefox/new/

New TLS/SSL Security Vulnerabilities – Best Practices for Protection

Trend Micro shares some excellent user safety tips and administrative design standards to help mitigate attacks.  One key practice is to close secure websites by logging out to keep sessions as short as possible.

BEAST and TLS/SSL Security: What It Means For Users and Web Admins http://blog.trendmicro.com/beast-and-tlsssl-security-what-it-means-for-users-and-web-admins/

What can users do?

• Keep time spent on sensitive SSL sessions as short as possible. The attacker needs time to decode the encrypted message. If the session cookie is invalid before the attacker has finished, this attack fails.

• When leaving an SSL protected site, be sure to actually log out, not just move to a new site. In many cases, actively logging out will invalidate any cookie/session data that the attacker may have successfully decoded.

• Standard security best practices still work. For this attack to be successful, the attacker must have access to either your network or your computer. At the very least, up-to-date security software will make life harder for an attacker.
What can website administrators do?

• Make sure your logout button performs the expected action. You are leaving users at risk if your site does not actually invalidate session cookies when they click “log out”.

• Ensure that session cookies are tied to an IP address where the session was established. If that IP address changes, consider validating that the source of the requests is still your user. This will not prevent this attack, but it will make it harder to exploit your users.

• Resist the temptation to change SSL ciphers without carefully considering the risks first. While it is true that RC4 is not subject to this attack, it presents more risk than AES. Also, it isn’t a bad idea to keep an eye on the IETF TLS working group. New versions of the TLS standard exist that eliminate the weaknesses used in this attack. Unfortunately HTTP server and browser coverage of these new standards is spotty at the moment. So you have to carefully consider both your environment and your user base before such a change.

TLS (Transport Layer Security) Working Group http://datatracker.ietf.org/wg/tls/charter/
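The three server-side recommendations above (short sessions, a logout that really invalidates the session, and a session bound to the IP address that established it) are straightforward to implement in a server-side session store. The following is an added example written for this post, not code from Trend Micro or from the blog; it assumes an in-memory store and a 15-minute absolute session lifetime, both chosen for illustration.

```python
import secrets
import time

# Constructed example of a server-side session store that applies the
# recommendations above: a short absolute lifetime, a logout that removes
# the session on the server (so a copied cookie is worthless afterwards),
# and a session bound to the client IP that established it.
SESSION_LIFETIME_SECONDS = 15 * 60  # assumption: 15-minute absolute cap


class SessionStore:
    def __init__(self, lifetime=SESSION_LIFETIME_SECONDS, clock=time.time):
        self._sessions = {}   # session id -> {"user", "ip", "created"}
        self._lifetime = lifetime
        self._clock = clock   # injectable clock makes expiry testable

    def create(self, user, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "created": self._clock()}
        return sid

    def validate(self, sid, client_ip):
        """Return (user, status); status is 'ok', 'invalid', 'expired' or
        'ip_changed'. Unknown or expired ids are rejected outright; an IP
        change is reported so the caller can re-verify the user, as the
        post suggests, rather than silently trusting the request."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None, "invalid"
        if self._clock() - rec["created"] > self._lifetime:
            # Short sessions: a cookie decoded after expiry is useless.
            del self._sessions[sid]
            return None, "expired"
        if rec["ip"] != client_ip:
            return rec["user"], "ip_changed"
        return rec["user"], "ok"

    def logout(self, sid):
        """Invalidate server-side; returns True if a session was removed."""
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "192.0.2.10")   # constructed sample values
    print(store.validate(sid, "192.0.2.10"))     # ('alice', 'ok')
    print(store.validate(sid, "198.51.100.7"))   # ('alice', 'ip_changed')
    store.logout(sid)
    print(store.validate(sid, "192.0.2.10"))     # (None, 'invalid')
```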

TDL4 Rootkit – New Variant of MBR version emerges

TDL4 is one of the most advanced Windows malware agents circulating. It is highly stealthy and hides in the master boot record of the Windows O/S. Trend Micro shares developments related to a new version:

TDL4 Worm Component Employs Bitcoin Mining http://blog.trendmicro.com/the-worm-tdl4-and-botcoin-miners/

QUOTE: TDL4 is a well known variant of the TDSS malware family known for evading detection by antivirus products by infecting affected systems’ boot sector. We’ve been monitoring developments related to TDSS, and earlier this year we saw TDL4 exhibit propagation routines through a worm component that Trend Micro detects as WORM_OTORUN.ASH.

Amazon Kindle Fire – High Tech and Low Cost e-Book reader

This is an interesting development as a low-cost, high-technology tablet:

Amazon Unveils $199 Kindle Fire Tablet http://www.bloomberg.com/news/2011-09-28/amazon-unveils-199-kindle-fire-tablet.html

QUOTE: The Kindle Fire will have a 7-inch display and sell for $199, compared with $499 for Apple’s cheapest iPad, Amazon executives said in interviews with Bloomberg Businessweek. The device, a souped-up version of the Kindle electronic-book reader, will run on Google Inc.’s Android software, the Seattle-based company said. Amazon also introduced a touch-screen version of its e-reader, to be called Kindle Touch.

F-Secure ShareSafe Beta – Security Application for Facebook

F-Secure has developed a security product designed to integrate with Facebook and check for malicious links.

F-Secure ShareSafe Beta – Security Application for Facebook http://www.f-secure.com/weblog/archives/00002243.html

QUOTE: Security applications and Facebook tend to mix together like oil and water.  Therefore, when attempting to develop a security application for Facebook… it had better not be boring. And that brings us to our new beta: F-Secure ShareSafe. The development team behind ShareSafe aims to build an entertaining Facebook app, with security benefits tagging along for the ride.