Global Security Defence Agenda Report

McAfee and the Security and Defence Agenda (SDA) have revealed their findings in a report that attempts to paint a global view of the current cyber-threat (*sigh* Cyber? Really?), the defensive measures in place, and the road ahead.  The report was created to identify key areas for discussion, highlight trends, and help governments and organizations understand how their security defense posture compares to others.

The report draws on a survey of roughly 250 leading authorities worldwide and on interviews with over 80 security experts in government, international organizations and academia.  It is aimed at the “influential layperson”, and deliberately avoids technical jargon.

Some Key Findings:

  • 57% of global experts believe an arms race is taking place in cyber space.
  • 45% of respondents believe that online security is as important as border security.
  • 43% identified damage or disruption to critical infrastructure as the greatest single threat with wide economic consequences.
  • 36% believe information security is more important than missile defense.
  • US, Australia, UK, China and Germany all ranked behind smaller countries for their state of incident readiness.

Late Breaking Attack Vectors WebCast

Mike Kachmar sent me an email invitation to a monthly webcast that should be interesting, and offers an opportunity to grab a few of those elusive CISSP CPE credits.  I thought I’d extend the invitation along.  Previous webcasts have been both interesting and informative.

Don’t miss the “Late Breaking Computer Attack Vectors” webcast!  They are also giving away an Apple iPad 2 at the end of the webcast (already got one, but another one wouldn’t hurt…).  You do NOT need to be present to win.  Simply register with complete and accurate information and we will announce the winner at the end of the webcast.

The webcast is sponsored by Thawte and hosted by Larry Pesce of the PaulDotCom Team, on Wednesday, February 1, 2012, at 2:00 PM ET.


Join the PaulDotCom Team as they take a practical look at the most recently identified threats IT security professionals face on a daily basis.  Rather than narrating a lifeless monologue on the most recent global data correlation, they will take an “everyman’s” approach to the Who, What, When, Where and Why of the most recent attack vectors.

Nobody is asking them to do the impossible and announce the topics in advance (after all, how “Late Breaking” could that really be?).  They will be modifying and editing their presentation until a few moments before the webcast, based on the most recently identified attack vectors.

I should be back in the office from my morning interviews by then, so I’m ALL in…


WordPress Blogs Spreading the TDSS Rootkit

Hackers are compromising WordPress 3.2.1 blogs in order to infect visitors with the nasty “TDSS rootkit”, according to Websense.  Once access has been gained to a blog, malicious JavaScript code is injected into its pages to load a Java exploit from a third-party server.  Websense is quoted on InfoWorld as saying, “From our analysis the number of infections is growing steadily (100+).”
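If you run a WordPress site, the practical question is how to tell whether your own pages carry an injected loader of this kind.  The script below is an added example for this post, not Websense’s or WordPress’s code: it parses the HTML a page serves, reports script tags that pull JavaScript from hosts outside an allowlist, inline scripts that use the obfuscation tricks typical of injected stubs (eval/unescape, long escaped blobs, document.write), and zero-size or hidden iframes.  The allowlisted hosts, the indicator list and the sample page are all constructed for illustration; tune the allowlist to the hosts your site really loads from.

```python
"""Scan the HTML a WordPress site serves for injected script loaders.

Added example for this post, not Websense's or WordPress's code.  The
allowlisted hosts, the indicator list and the sample page are constructed
for illustration; tune the allowlist to the hosts your site really uses.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) blog legitimately loads scripts from.
TRUSTED_HOSTS = {"blog.example.com", "ajax.googleapis.com"}

# Constructs commonly seen in injected loader stubs (name, regex).
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("unescape", re.compile(r"\bunescape\s*\(")),
    ("fromCharCode", re.compile(r"String\.fromCharCode")),
    ("document.write", re.compile(r"document\.write\s*\(")),
    ("percent-escaped blob", re.compile(r"(?:%[0-9a-fA-F]{2}){8,}")),
    ("hex-escaped blob", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),
]


class ScriptCollector(HTMLParser):
    """Collect external script URLs, inline script bodies and hidden iframes."""

    def __init__(self):
        super().__init__()
        self.external_srcs = []
        self.inline_scripts = []
        self.hidden_iframes = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external_srcs.append(a["src"])
            else:
                self._in_script, self._buf = True, []
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if (a.get("width") == "0" or a.get("height") == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                self.hidden_iframes.append(a.get("src") or "")

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline_scripts.append("".join(self._buf))
            self._in_script = False


def find_injections(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of {"type", "detail"} findings for one page's HTML."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external_srcs:
        host = urlparse(src).hostname          # None for same-origin paths
        if host and host.lower() not in trusted_hosts:
            findings.append({"type": "external_script", "detail": src})
    for body in p.inline_scripts:
        hits = [name for name, rx in INDICATORS if rx.search(body)]
        if hits:
            findings.append({"type": "obfuscated_inline", "detail": hits})
    for src in p.hidden_iframes:
        findings.append({"type": "hidden_iframe", "detail": src})
    return findings


# Constructed sample: a normal page with three planted injections.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.min.js"></script>
<script src="http://cdn.evil-loader.example.net/count.js"></script>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D'));</script>
</head><body>
<p>Welcome to my blog</p>
<script>var hits = 1; console.log(hits);</script>
<iframe src="http://exploit-host.example.net/java.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_injections(SAMPLE_PAGE):
        print(f["type"], f["detail"])
```

Run it against the HTML your server actually emits (curl the page, don’t trust the files on disk alone, since injection can also happen in the database or in a theme’s PHP), and treat any hit as a starting point for a manual look rather than proof of compromise: legitimate plugins also use document.write, and the allowlist is what keeps the false positives down.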

The TDSS rootkit is one of the stealthiest rootkits in the wild, seeking total control of infected PCs for use as zombies in its botnet.  TDSS infects system drivers; once active, it also infects the hard drive’s master boot record (the boot sector), ensuring that its malicious payload is loaded into memory before the operating system.  This greatly complicates the detection and removal of TDSS.  Newer variants have matured the rootkit further: improved self-protection, bug fixes, a more developed payload, and prompt reaction to new detection technologies.

To ensure the rootkit stays firmly implanted in the system, the crooks have begun using a file-infecting virus that injects code into driver software.  This ensures the rootkit is loaded immediately after the operating system starts, re-installing it if it isn’t already present.

This malware agent is particularly popular with fake A/V scammers and “affiliate marketers” looking to make fast money on other people’s pain.  Learn more about this nasty malware at Kaspersky’s SecureList blog.

Beware “Official” Android Trojans!

Symantec has uncovered a Trojan, dubbed ‘Android.Counterclank’, that may have been downloaded by millions of Android users from the official Android Market; Symantec describes the resulting pool of infected devices as a massive botnet.  The Trojan was wrapped into at least 13 free apps on the official Market.  The following apps are known to be affected:

  • Counter Elite Force
  • Counter Strike Ground Force
  • CounterStrike Hit Enemy
  • Heart Live Wallpaper
  • Hit Counter Terrorist
  • Stripper Touch girl
  • Balloon Game
  • Deal & Be Millionaire
  • Wild Man
  • Pretty women lingerie puzzle
  • Sexy Girls Photo Game
  • Sexy Girls Puzzle
  • Sexy Women Puzzle

If you have downloaded one or more of these apps, you should take action to protect your information.  According to the description at Symantec’s site, the combined download figures for these malicious apps indicate Android.Counterclank has the highest distribution of any Android malware so far this year.

I don’t own any Android devices, so why am I writing about this malware rather than the hundreds of malware variants found each day?  I am concerned that the “official” download site is laden with malicious applications.  The Android Market is owned and operated by Google Inc.  Android configurations really need to be tightened up, and the practices used when vetting an app for distribution on an “official” site need to be scrutinized and corrected.

Google really ought to know better.  Their motto is “Don’t Be Evil”…

Cisco IronPort Vulnerability

Advisory ID: cisco-sa-20120126-ironport

Cisco IronPort Email Security and IronPort Security Management Appliances contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges.  Fixed software versions or patches are not yet available.  Configuration workarounds that mitigate this vulnerability are available.

Cisco IronPort Email Security Appliance (C-Series and X-Series) versions prior to 7.6.0 and IronPort Security Management Appliance (M-Series) versions prior to 7.8.0 are affected by the FreeBSD telnetd remote code execution vulnerability tracked as CVE-2011-4862.  Cisco’s CVSS scoring puts it near the maximum on both the base and temporal metrics (19 out of a combined 20), so until fixed software ships you will want to apply the workaround on this one; for a telnetd bug the natural mitigation is to disable the Telnet service on the appliance and administer it over SSH instead.
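The advisory does not spell out the mechanism, but CVE-2011-4862 is well documented: telnetd copies the key id from an ENCRYPT key-id suboption into a fixed 64-byte buffer without checking its length.  The following is an added example, not Cisco’s, FreeBSD’s or telnetd’s code, that walks a captured telnet byte stream, unescapes the suboptions and reports any key id longer than that buffer, which is the kind of check you would want in an IDS rule or when confirming that a Telnet port you thought you had closed is not still negotiating.  The option and sub-option codes are those of RFC 2946, the 64-byte bound is MAXKEYLEN from the public FreeBSD fix, and the sample negotiation is constructed.

```python
"""Flag TELNET ENCRYPT key-id suboptions longer than the 64-byte key buffer.

Added example for this post, not Cisco's, FreeBSD's or telnetd's code.  The
option and sub-option codes are those of RFC 2946; the 64-byte bound is
MAXKEYLEN from the public FreeBSD telnetd fix for CVE-2011-4862; the sample
negotiation below is constructed.
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0       # telnet command bytes
TELOPT_ENCRYPT = 38                  # RFC 2946 ENCRYPT option
ENC_KEYID, DEC_KEYID = 7, 8          # ENCRYPT sub-options carrying a key id
MAXKEYLEN = 64                       # size of the key-id buffer in telnetd


def iter_suboptions(stream):
    """Yield (option, payload) for every IAC SB <option> ... IAC SE in stream.

    IAC IAC inside a suboption is a literal 0xFF byte and is unescaped here.
    A suboption cut off by the end of the stream is yielded as-is.
    """
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == IAC:                # escaped data byte outside a suboption
            i += 2
            continue
        if cmd != SB or i + 2 >= n:   # some other command (DO/WILL/...)
            i += 2
            continue
        option, j, payload = stream[i + 2], i + 3, bytearray()
        while j < n:
            b = stream[j]
            if b != IAC:
                payload.append(b)
                j += 1
            elif j + 1 < n and stream[j + 1] == IAC:
                payload.append(IAC)
                j += 2
            else:                     # IAC SE (or a malformed IAC x) ends it
                j += 2
                break
        yield option, bytes(payload)
        i = j


def oversized_keyids(stream, limit=MAXKEYLEN):
    """Return [(sub_option, key_id_length)] for key ids longer than limit."""
    hits = []
    for option, payload in iter_suboptions(stream):
        if option == TELOPT_ENCRYPT and payload and payload[0] in (ENC_KEYID, DEC_KEYID):
            keylen = len(payload) - 1
            if keylen > limit:
                hits.append((payload[0], keylen))
    return hits


def keyid_suboption(sub, keyid):
    """Encode IAC SB ENCRYPT <sub> <keyid> IAC SE, doubling any 0xFF in keyid."""
    return (bytes([IAC, SB, TELOPT_ENCRYPT, sub])
            + bytes(keyid).replace(b"\xff", b"\xff\xff")
            + bytes([IAC, SE]))


# Constructed sample: DO ENCRYPT, a normal 16-byte key id, then a 200-byte one.
SAMPLE_STREAM = (bytes([IAC, 0xFD, TELOPT_ENCRYPT])
                 + keyid_suboption(ENC_KEYID, b"k" * 16)
                 + b"\xff\xff"                      # a literal 0xFF data byte
                 + keyid_suboption(ENC_KEYID, b"\xff" * 4 + b"A" * 196))

if __name__ == "__main__":
    print(oversized_keyids(SAMPLE_STREAM))
```

Note that the length is measured after IAC-unescaping, which is what the server sees; a rule that counts raw wire bytes would be fooled by key ids padded with doubled 0xFF bytes.  None of this replaces the workaround: the only robust fix is not to expose telnetd at all.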



Symantec Recommends Not Using PcAnywhere

Reuters reports that Symantec has taken the rare step of advising customers not to use one of its mainstay products, saying that its remote-control software pcAnywhere is at increased risk of being hacked after details and source code were stolen.  Symantec is asking customers to temporarily stop using the product until it releases an update that will mitigate the risk of an attack.  pcAnywhere is also bundled with other titles, such as Symantec’s Altiris line of software for managing corporate PCs.

This is a serious step, and I applaud Symantec for coming clean on the risks of this powerful and popular product.  Most vendors would simply warn users of increased risk and provide workaround and mitigation steps that may or may not be implementable or effective.  I hope that Symantec can release new code quickly, and overcome this unfortunate problem.

Fake App On Apple’s App Store

Naked Security is warning that just because Apple has put procedures in place to police its App Store and pre-approve each app doesn’t mean that fake or malicious apps never appear.  This weekend the iPhoneography blog spotted a bogus app posing as the popular Camera+ application.  It’s not just fake software you have to watch out for; malicious code has made it into the App Store in the past too.


Insecure Conference Rooms

The New York Times is reporting that Rapid7 researchers, led by HD Moore, have discovered that they could remotely infiltrate conference rooms at some of the top venture capital, law, pharmaceutical and oil companies across North America simply by calling in to unsecured videoconferencing systems found by scanning the internet.

Moore found he was able to listen in on meetings, remotely steer a camera, and zoom in on items in the room to read proprietary information on documents.  Most high-end videoconferencing systems offer encryption, password protection and camera lock-down capabilities, but the researchers found that administrators were placing the systems outside the firewall for convenience and not configuring the security features.  Some systems were set to automatically accept inbound calls, opening the way for anyone to call in and eavesdrop on a meeting.

“These are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”

Time to review your video and conference call setups, folks.  It would be terrible to find out that privileged client or financial information was so easily obtainable AFTER the fact!

Twitter Acquires Dasient

Twitter has just acquired anti-malware vendor Dasient, which will no longer develop products for the security industry.  “Effective immediately, we will be bringing our technology, tools, and team to the revenue engineering team at Twitter,” Dasient wrote on its blog.  “As part of this merger, Dasient is winding down its business and is no longer able to accept new customers.”

So, what does that indicate to you?

  • Does Twitter know that the Internet is a dangerous playground, and is investing in application security from the inside out?
  • Are they hedging their bets that they can re-enter the security market with a new Twit-Brand?
  • Was it just the right time and place to merge development resources?

Anonymous’ Latest Shenanigans

Over the weekend, Anonymous defaced CBS‘ website, and apparently deleted all of their online content.  Monday they were working on defacing a Brazilian city site.  Now they have taken to Twitter, asking their “followers” to select their next targets for them, The Register reports.

Still seething over the arrest of Megaupload mogul Kim Dotcom, Anonymous tweeted the following:

Just out of curiosity, what would you like to see #Anonymous hack next? Tweet and let us know…

They are vowing to keep up the pressure, launching attacks and causing disruptions until Dotcom is released.