July, 2011:

The ISC shares good advice on being careful with links posted in Facebook

Facebook – Be careful with potentially malicious links
http://isc.sans.org/diary/Links+on+your+Facebook+Wall/11287

QUOTE: We received an email from a reader today about a link on his wife’s Facebook wall.  The link indicated that a friend had tagged her.  When he tried to remove the post from her wall it would not allow removal.  He reported it as spam.   Apparently a friend of hers clicked on the link and got infected.  The link point to a malicious site with random file names.  Let this serve as a reminder to everyone not to click on links until you have checked out the source.

Symantec offers an excellent in-depth article on how malware attacks operate.  In some ways, it is similar to installing a malicious application in Facebook, where the user provides permission before an infection takes place.  Likewise, mobile users are often offered “free applications” they can install.  

Android Threat Trend Shows That Criminals are Thinking Outside the Box
http://www.symantec.com/connect/blogs/android-threat-trend-shows-criminals-are-thinking-outside-box

QUOTE:  But, if the criteria to qualify 2011 as the real “year of mobile malware” was to be challenged, then surely the events of the past few weeks alone should be enough to justify the fact that this year truly has seen considerable seismic activity that has shifted the tectonic plates of the mobile threat landscape

One such strategy is to separate the malicious package into staged payloads. The idea is simple: instead of having one payload that carries all of the malicious code for any given attack, break the threat into separate modules that can be delivered independently. There are several advantages to deploying the threat in this way.

As with its previous variant, Android.Lightdd still requires the user to accept the installation of any download—a major obstacle in this model of delivering a payload. However, another threat also discovered in the wild, Android.Jsmshider, has found a way to overcome this obstacle.

Protecting Mobile devices is not too different than protecting your PC from the constant stream of email and hostile website attacks. To ensure safety, below are ideas for mobile device users to improve safety:

TECHNOLOGY ORIENTED CONTROLS
— Anti-Virus and Security products are now offered and can be used to block many attacks
— Patch your Mobile Device as security updates become available
— Avoid Jailbreaking your mobile device, which takes down layers of security control provided by the operating system
— Keep Permissions locked down for your Mobile phone (and lock them down further than defaults if necessary)

USER BASED CONTROLS FOR SAFETY
— Research any application offered prior to installing it
— Only install popular applications from mainstream websites (after researching it’s legitimacy)
— Avoid email spam and invitations for cool free mobile software
— Avoid installing any application unless you absolutely need it
— Avoid visiting any suspicious website links
— Read any warning messages presented carefully

Users should exercise avoidance and good risk management principles to avoid malware infections while using mobile devices.

Is 2011 Finally the Actual Year of Mobile Malware?
http://blogs.pcmag.com/securitywatch/2011/07/is_2011_finally_the_actual_yea.php

QUOTE: “This year will be the year of mobile malware” has been such a staple of new years predictions that it has turned into a running joke. But thanks to the design of Android and its markets, and some innovative malware designers, we seem to be there. Android malware has moved well beyond the proof of concept stage. A Symantec blog describes how Android crimeware developers are getting clever in their design of installers. The main trick of the trade is to divide the installation up in to multiple stages.

THE REAL DANGER: But that payload may not be the end of the story. When you install a program in Android it asks the user to approve permissions on it. Most users probably quickly reach the point of ignoring these boring details, but for those who are more fastidious Symantec has identified malware which breaks the payload into further stages.

Safari users should install this new release, as several vulnerabilities have been patched

Apple Safari Browser – Security release
http://blogs.pcmag.com/securitywatch/2011/07/apple_patches_dozens_of_vulner.php

QUOTE: Apple has released new versions of the Safari web browser, fixing a total of 56 vulnerabilities in the Mac and Windows versions of the program. 12 of the vulnerabilities affect only the Windows version of Safari. The other 44 affect both Mac and Windows. One of those, CVE-2010-1823, dates back 10 months and was fixed by Google at the time in Chrome. (Both Safari and Chrome use the Webkit browser engine.)

Apple Safari – Details of Security release
http://lists.apple.com/archives/security-announce/2011/Jul/msg00002.html

ESET offers an excellent analysis of how websites are attacked by hackers.

WebSite Security – Approaches used by hackers
http://blog.eset.com/2011/07/26/50-ways-to-hack-a-website

QUOTE: Well, really there are far more, but the latest study from Imperva of 10 million attacks against 30 large organizations from January to May of 2011 cites a cocktail of techniques used by would-be hackers to spot the weaknesses and exploit them. For those of us who’ve tailed a log file spinning out of control during an attack attempt, those numbers seem plausible. Over time, attacks have become slick and automated, often progressive, and adaptive, targeting the next phase based on what was found in the last.

To understand a typical hack attempt, visualize a typical commercial office space break-in. There may first be a surveillance phase. Following that is a second phase that determines which doors are locked. Then, if an unlocked door is found near a machine shop, you may adapt your attack to include a truck to haul heavy equipment out during the theft. On the other hand, if you find a door open by an accounting office, you may adapt your attack to use a single backpack to steal an equivalent value. Attacks of the variety we’re talking about here follow progressive stages of discovery, adapting as they go to the “terrain” they find in a similar manner, and using different sets of tools for each.

Some of the more popular styles found in Imperva’s study against Web applications were directory traversal (37%), cross site scripting (36%), SQL injection (23%), and remote file include (4%), aka RFI. Often these were used in combination.

F-Secure warns of a spam attack desinged to capture sensitive personal information.  Please do not respond to these or when in doubt call customer service to verify, rather than filling out this form

Bell South – Beware of upgrade phishing scam
http://www.f-secure.com/weblog/archives/00002205.html

QUOTE: We were tipped by an alert user (thanks Walt) about this phishing scam targeting F-Secure and Bellsouth. Please disregard such obvious phishing emails and delete them. Similar attacks have been targeting other operators and other antivirus companies as well.

An interesting analysis by AVAST which illustrates statistics from their cleaning of system infections.  While XP is more widely installed, there is improved protection within WIndows 7 from these types of attacks.

Windows XP – Main target of Rootkit attacks
http://blogs.pcmag.com/securitywatch/2011/07/xp_remains_main_target_of_root.php

QUOTE: Research from AVAST Virus Lab shows that Windows XP remains the main target of rootkit infection. In a six month study analyzing over 630,000 rootkit samples, almost 3 quarters of them originated from Windows XP systems, 17% from Vista and 12% from Windows 7.

Version 7 is a new release of the full Java client version. Below are links related to security

Java 7 – Security Features in this new release
http://blogs.pcmag.com/securitywatch/2011/07/java_7_upgrades_security.php
http://www.oracle.com/us/corporate/press/444374

QUOTE: All of the new features and improvements to existing features are cryptography-related and generally related to support for SSL/TLS in the JSSE (Java Secure Socket Extension) APIs. Certification path processing, which is generally SSL/TLS-related anyway, has been strengthened. Finally, a native provider has been added with several Elliptic Curve Cryptography (ECC) algorithms has been added.

Java 7 – Detailed Security Features
http://download.oracle.com/javase/7/docs/technotes/guides/security/enhancements7.html

Below are some of the new improvements in the latest version of Apple’s Mac O/S:

Apple Lion O/S – New Security Features
http://isc.sans.org/diary.html?storyid=11245
http://www.apple.com/macosx/whats-new/features.html

QUOTE: Once you are over the online install experience, the upside down mouse gestures and all the other bling that comes as part of OS X Lion, it is time to look at what has changed from a security point of view. Apple doesn’t exactly advertise security features, but Lion provides some significant security improvements.

* Address Space Layout Randomization (ASLR) – will make exploiting vulnerabilities significantly harder

* Automatic Security Updates – to happen behind the scenes

* Sandboxing -limits how individual applications can affect each other, and the underlying system. I

* Encrypted Backups – Time machine backups can now be encrypted.

* Privacy – Lion uses refined privacy preferences in particular limiting the access to location information