August, 2011:

Numerous links and information are available at ISACA’s home page for Corporate users

Sarbanes-Oxley – COBIT version 5 standards emerge for IT controls
http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-5-Initiative-Status-Update.aspx

Mozilla Firefox and other products have been revised to remove the hacked DigiNotar Certificate Authority,

Mozilla Firefox 6 – Security release for hacked Certificate Authority
http://securitywatch.pcmag.com/apple/287116-firefox-and-other-mozilla-apps-rev-to-blacklist-hacked-ca

QUOTE: Mozilla has released several new versions of programs in order to remove support for a root certificate from a hacked certificate authority.   We reported yesterday about how this root certificate had been used to create a fake google.com certificate, but it turns out that the hack occurred weeks ago and had been used many times. DigiNotar, the hacked certificate authority, is in a desperate struggle to retain their credibility.  The newly-updated programs are:

• Firefox 6.0.1
• Firefox Mobile 6.0.1
• Firefox 3.6.21
• Thunderbird 6.0.1
• Thunderbird 3.1.13
• SeaMonkey 2.3.2

Trend Labs shares good awareness for a variety of threats affecting Facebook and other social networking environments.

Social Networking Threats – Trend Labs report
http://blog.trendmicro.com/the-geography-of-social-media-threats-infographic/

QUOTE: KOOBFACE is not the only threat that hounds social media. These social networking sites also have features that can become threat vectors. A seemingly harmless wall post from a friend, a video shared by an online contact, or an instant message from a colleague can potentially lead to an attack.  These features are meant to make socializing effective and meaningful. However, they have also been used by cybercriminals in their attacks. In Facebook, the wall is the riskiest region of the user interface. Cybercriminals have concocted several threats leveraging popular news items

For tips on how to arm yourself against social media threats, check out our e-book, “.

e-Book – A Guide to Threats on Social Media
http://about-threats.trendmicro.com/ebooks/socialmedia-101

Symantec documents an advanced and highly stealth File Infector that can setup a botnet client on an infected PC

Xpaj Botnet Intercepts up to 87 Million Searches per Year
http://www.symantec.com/connect/blogs/xpaj-botnet-intercepts-87-million-searches-year
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_xpaj_b.pdf
http://www.symantec.com/security_response/writeup.jsp?docid=2009-091613-1844-99

QUOTE: W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered. In an older blog post, Piotr Krysiuk calls it an “upper crust file infector.” He describes several different approaches that the infector uses to increase the difficulty in detecting infected samples. The techniques W32.Xpaj.B uses to conceal itself within an executable are far beyond the norm.

The analysis revealed IP addresses for the command & control (C&C) servers. Infected W32.Xpaj.B executables send a download request to these C&C servers. Analysis of the threat’s backend control infrastructure revealed more than just the data sent from the server to infected clients. The servers contained encrypted binary data, encryption keys, databases, and Web applications. These were all elements of what transpired to be a fraud operation spread over multiple computers hosted in several countries.

As Adobe has improved their automated security updates, please promptly apply changes when prompted to ensure the best levels of protection.

Adobe – Flash and other products patched during August 2011
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://securitywatch.pcmag.com/apple/286074-massive-adobe-patch-release-fixes-flash-player-media-server-shockwave-photoshop-and-robohelp

QUOTE: Adobe released updates to 5 products today fixing a total of 23 vulnerabilities, mostly in Flash Player.  At least some of the 13 vulnerabilities fixed in Flash Player affect all versions of it: Windows, Mac, Linux, Solaris and Android. All are critical vulnerabilities which can result in remote code execution. None of the vulnerabilities are being exploited in the wild, according to Adobe. These changes also affect Adobe AIR for Windows, Mac and Android.

As always, you can get the most current version of Flash Player (10.3.181.36) at http://get.adobe.com/flashplayer. Don’t go anywhere else for it, as fake Flash installers are a common method of malware distribution

Webmasters should ensure they apply the forthcoming security patch to protect their web server environments:

Apache Web Server – New DoS Attack Vulnerability
http://blog.eset.com/2011/08/26/dos-apache-killer
http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/thread

QUOTE: Amidst a lack of fanfare this past weekend on a mailing list, a memory exhaustion hack popped up for the Apache webserver that may result in a Denial-of-Service (DoS) style attack. Since the Apache application serves up north of 65% of the websites on the internet, a plausible attack becomes quite an issue, especially if it gets much traction before a patch can be released.

Still, some Apache web servers have been humming along untouched for years without much oversight, and may not receive patches as quickly as the hack spreads, representing a potentially widespread attack surface in the meantime. The posting says “An attack tool is circulating in the wild. Active use of this tools has been observed.” The nice thing is how proactive the Apache Foundation has been since it was brought to their attention.

The FBI warns users to be careful with charitable donations, news reports, and web searches

FBI – Electronic Scam warnings updated for Hurricane Irene
http://www.fbi.gov/scams-safety/e-scams

QUOTE: 08/26/11—In light of Hurricane Irene, the public is reminded to beware of fraudulent e-mails and websites claiming to conduct charitable relief efforts.

Tips on Avoiding Fraudulent Charitable Contribution Schemes
http://www.ic3.gov/media/2011/110311.aspx.

Reports can be made to:
http://www.ic3.gov/complaint/default.aspx

F-Secure documents a recent attack for one of the most secure authentication products, which was quickly corrected to resolve security issues

RSA – How SecurID was compromised
http://www.f-secure.com/weblog/archives/00002226.html
http://t2.fi/schedule/2011/#speech7

QUOTE: RSA was hacked in March. This was one of the biggest hacks in history. The current theory is that a nation-state wanted to break in to Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn’t do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and succesfully break into there. In the aftermath of the attack, RSA was forced to replace SecurID tokens for their customers around the world.

A new scam is circulating on Facebook:

Facebook – Hurricane Irene Scam circulating
http://blog.trendmicro.com/hurricane-irene-scam-hits-facebook/

QUOTE: Hurricane Irene surely turned New York City to “city that never sleeps” as it brought flood waters, knocked out power to more than 4 million people and was even responsible for at least 15 deaths in six states. What’s worse is that cybercriminals are taking advantage of the incident by spamming a fake video on Facebook. The page, which contains the alarming title “VIDEO SHOCK – Hurricane Irene New York” displays a clickable image of a fake video player on the page.

Please be careful when accepting certificate updates as noted in the following security warning

http://securitywatch.pcmag.com/google/287010-fraudulent-google-com-certificate-in-wild

QUOTE: In early July, Dutch certificate authority DigiNotar issued a fraudulent SSL certificate for ‘*.google.com’. This certificate could allow a malicious web site, in conjunction with certain other techniques, to spoof any domain on google.com including mail.google.com.