Archive for February 2008
It's the Little Credit Card Charges
The CA Security Adviser Research blog has an interesting entry today following the trail of a suspicious credit card charge.
Do you review your monthly statement for suspicious charges? Do you look over every charge or just the bigger ones? A fraudster may fly under your radar with a $5 charge. That can accrue to quite a bit of money if they hit enough people.
Review your bills. Whether it's fraud or the phone company tacking on a monthly fee for long distance, you want to know about it as soon as possible.
Shmoocon Commuting
If you’re heading down to Shmoocon in DC February 15th to 17th, allow extra time if you’re taking Metrorail. Metro is performing platform repair at the Metro Center stop. WMATA recommends allowing an extra 30 minutes. This should start late enough to not be a problem Friday, but it will be annoying Saturday and Sunday.
Parking at the Wardman Park Marriott is $13/hour ($28/day). I don't know of alternative parking down there.
Adobe Reader Exploit Drops Trojan.Zonebac
As I was driving into work this morning, my BlackBerry was flooded with Trojan.Zonebac alerts. When I got into work, I could see that a single computer at one of our sites was getting this detection on pretty much every major exe. When I read the technical writeup of Trojan.Zonebac at Symantec, I found out why. Zonebac searches for files referenced in the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
For all the files found referenced in the registry subkey values, the Trojan creates a copy of the referenced file in a folder named “bak” at the same path as the original file. Then the Trojan will replace the original file with a copy of itself.
Now that is a mess. Normally, I see it as a fun challenge to clean machines, but in this case with so many EXEs suspect, and with the computer being remote, it seemed to be a better bet to wipe the system.
This evening the SANS Handler Diary had an entry revealing that the Adobe Reader/Professional vulnerability is currently being exploited and Zonebac is being dropped. That explains what happened.
It looks like I may have to move up my implementation of Adobe Reader 8.2.1.
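A defender-side check for the Run-key replacement described above, as an added example that is not part of this post or Symantec's writeup. It assumes a current PowerShell (Get-FileHash) and that Run values hold either a quoted or a plain .exe path; it flags entries with a sibling “bak” folder holding the stashed original, and groups of Run entries whose executables have become byte-identical.

```powershell
# Added example: audit the two Run keys Zonebac targets for signs of replacement.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunEntryPath {
    # Pull the executable path out of a Run value such as
    #   "C:\Program Files\App\app.exe" /background   or   C:\Tools\tool.exe -min
    param([string]$Value)
    if ($Value -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Value -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $null
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the registry provider's own fields
        $exe = Get-RunEntryPath $prop.Value
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        # Zonebac stashes the original in <same folder>\bak\<same name> before overwriting it
        $bakCopy = Join-Path (Join-Path (Split-Path $exe -Parent) 'bak') (Split-Path $exe -Leaf)
        [pscustomobject]@{
            Key     = $key
            Name    = $prop.Name
            Path    = $exe
            Hash    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            BakCopy = Test-Path -LiteralPath $bakCopy
        }
    }
}

# Indicator 1: a "bak" sibling holding the pre-infection copy of the referenced file.
"Run entries with a bak\ copy of the original:"
$entries | Where-Object BakCopy | Format-Table Key, Name, Path -AutoSize

# Indicator 2: distinct Run entries whose executables are byte-identical. Zonebac writes
# the same body over every referenced file, so they collapse to a single hash.
"Run entries whose executables share one hash:"
$entries | Group-Object Hash | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group | Select-Object Hash, Path }
```

Run it from an elevated prompt so the HKLM key and Program Files paths are readable; a clean machine prints nothing under either heading.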
A Third of Current Security Practices Useless
Dark Reading has an article reporting on a presentation Peter Tippett gave at the Computer Forensics Show in Washington DC.
He said that IT Security departments are wasting their time and a third of current security practices are useless.
It's not necessarily a new thought.
It is really easy to get caught up in the patching hamster wheel.
It's easy to believe that products will solve your security problem.
A lot of security spending and effort is regulation based. Is your data more secure because users are required to have 12-character passwords that are changed every 60 days?
It's hard to get separation and look at security from new angles.
Quicktime 7.4.1 is Out
We pulled the trigger deploying Quicktime 7.4 to all users yesterday, so as we’ve grown to expect, Apple releases Quicktime 7.4.1 today. While we knew another update was coming, you just can’t wait forever for an update to post.
The Quicktime download is in the usual location. If you are running iTunes, just grab that update. Apple’s security bulletin is here.
Guardian Edge Support
At the beginning of the year, Guardian Edge transitioned support to an integrated voice response (IVR) system. Since then it seems impossible to call and speak to a live person.
I don’t generally like to call any support phone number. Most matters should be resolvable by checking the manual, reading the knowledge base, or opening a ticket via email or web form. When I do have to call support it's because I really need an answer now, and I don’t mind waiting on hold for a bit to get it.
The old Guardian Edge support fit that model perfectly. I could call, and normally get someone right away.
The new Guardian Edge support model is geared toward never speaking to anyone. If you call, a voice response system asks if the number you are calling from is the one associated with your account. Next even though they’ve already identified you by phone number the IVR asks for your support ID number. After that you can leave voice mail describing your case. In each case I’ve had since this change, the support technician replies by email in 4-6 hours. God help you if that answer doesn’t resolve the issue because the case will get lost after that.
We paid for phone support. This doesn’t seem like phone support to me. I have tried to address these concerns with Guardian Edge. The person heading the project corrected a routing problem with my support ticket. They did not address what I feel is a loss of service.
This sort of thing happens a lot with expanding companies. They have more callers and don’t have the trained bodies to handle the calls. I still find it very disappointing.
Adobe Reader 8.1.2 Released
Adobe Reader 8.1.2 is out, download here.
There are not any new security advisories for Adobe Reader at this time. Until I hear otherwise, this may just be a bugfix release.
Update: The 8.1.2 release notes are available. The summary states “The Adobe Reader 8.1.2 update addresses a number of customer workflow issues and security vulnerabilities while providing more stability.”
Update 2: Symantec Deepsight reports that a proof-of-concept exploit is available to members of the Immunity Partners Program.
Assessing Risk
Psychology Today has an article on people's ability to assess risk.
We substitute one risk for another.
Insurers in the United Kingdom used to offer discounts to drivers who purchased cars with safer brakes. “They don’t anymore,” says John Adams, a risk analyst and emeritus professor of geography at University College. “There weren’t fewer accidents, just different accidents.”
Why? For the same reason that the vehicles most likely to go out of control in snowy conditions are those with four-wheel drive. Buoyed by a false sense of safety that comes with the increased control, drivers of four-wheel-drive vehicles take more risks. “These vehicles are bigger and heavier, which should keep them on the road,” says Ropeik. “But police report that these drivers go faster, even when roads are slippery.”
Both are cases of risk compensation: People have a preferred level of risk, and they modulate their behavior to keep risk at that constant level. Features designed to increase safety, such as four-wheel drive, seat belts, or air bags, wind up making people drive faster. The safety features may reduce risks associated with weather, but they don’t cut overall risk. “If I drink a diet soda with dinner,” quips Slovic, “I have ice cream for dessert.”
It's not much of a leap to see how this affects computer security.
- I’m using a minority browser that brags about how secure it is. I guess I can browse wherever I want and click on anything.
- I have a new security suite; it will detect anything bad that happens.
- The SMTP scanner hasn’t let through a virus yet, therefore I can open any attachment that comes in without consequence.
The safety improvements in cars aren’t supposed to replace intelligent driving decisions. Security software provides layers of protection, it doesn’t replace informed choices.
Link originally seen at Schneier’s Blog
The High Cost of Handsfree
More and more wired peripherals are connected to the office computer, yet at the same time people want to be more wireless. They want a wireless keyboard, a wireless mouse and a wireless headset. It's a little bit ironic that people accept wires for their non-work related USB devices, but they “can’t stand the clutter” when it comes to using standard keyboards and mice.
This article from DarkReading reports on the ease of interception of wireless headset technologies and how they used information gathered through that means to socially engineer themselves into a badge and desk inside a company they were hired to pentest. Not only could they listen to phone conversations with an off-the-shelf scanner, in some cases the headset remained active after a call ceased; this effectively bugged the office!
A UPI version of the article spoke to Bob Hayes, managing director of the Security Executive Council who downplayed the issue.
“There are a lot of threats that are technically possible,” he said, pointing out that monitoring telephone conversations that way without permission was a federal crime. “Why would I do that,” he asked, “when I could get the same information a dozen different ways?” For instance by going through someone’s garbage, pretext phone calling, or eavesdropping on conversations at trade shows.
It's not as if this is a far-fetched Hollywood style plot. It's one thing to do a risk analysis and determine it's not worth taking action. It's another to just say “we’ve got bigger fish to fry”.
Jack Johnson, former chief security officer for the Department of Homeland Security and now a partner in the Washington federal practice at Price Waterhouse Coopers, had a more common response: “In general when it came to new technology, ease-of-use considerations tend to trump security.” It's only later that the vulnerabilities are discovered. The CxO has to have the cool toys today.
One would wish that after so many years we would stop making the same mistakes. Security needs to be baked in early on. It cannot be the dismissed factor in the triad of Security – Usability – Cost.
Wireless keyboards are also an issue. In November 2007 DreamLab Technologies announced that due to weak encryption in Microsoft wireless keyboards they were able to capture and decrypt keystrokes. Would you intentionally set yourself up for wireless keystroke logging?
Now maybe I’m just jealous that my Plantronics headset is from the last millennium and I’m using a standard Dell USB keyboard. But it seems to me that the inherent risks in going wireless need to be addressed in any product used in the enterprise. It would be for the best if standards were followed in a company and products analyzed rather than implementing a hodgepodge of whatever is personal preference.