Weekly Summary of the "DHS Daily Open Source Infrastructure Report"
The DHS Daily Open Source Infrastructure Report (DHS) covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.
Many significant incidents were reported this week relative to our focus, but only one was reported as a “Top Story” -- that was on Monday regarding a worm that is targeting Windows Vista. Of great interest to me is the report regarding Sears installing spyware on customers' computers which gathered everything but the kitchen sink that appeared on Tuesday. I cannot help but wonder who else is doing the same thing and has not yet been discovered. There is room for research here! Could it be possible that some of us are incorrectly emphasizing which threats should receive the greatest amount of effort/attention? A recent report says so. Read more in the Thursday selected item. Interestingly, a Microsoft tool which addresses this is included in Friday's report.

Week Ending: Friday, September 18, 2009

Windows Vista computers may be under attack. Are yours protected?

35. September 10, USA Today – (International) Security experts warn of possible worm hitting Vista. A group of top security analysts and researchers say the latest Windows security hole, for which there is no patch, leaves hundreds of millions of Windows Vista PCs wide open for infection by a Conficker-like Internet worm. Security experts did not express much concern about Conficker when it first began to spread sporadically last fall, taking advantage of a similar unpatched vulnerability in Windows XP computers. At its peak, Conficker searched out and infected some 10 million Windows XP machines worldwide. Conficker continues to spread on its own and currently infects about 5 million Windows XP computers. This time around, the debate in security circles about how damaging this Vista flaw could turn out to be is heating up much quicker. “The likelihood of hackers launching a worm is great,” says a Shavlik researcher. “Any flaw that can be spread without user interaction is a gold mine.” Conficker turned out to be so pervasive partly because it targeted a fresh flaw in Windows XP, which runs 65 percent of the Microsoft PCs in use. By contrast, Vista, introduced two years ago, runs on just 30 percent of PCs, according to this InfoWorld report. From a security perspective, that is a good thing. “Overall, fewer users are vulnerable,” says a Purewire researcher. Still, the Shavlik researcher estimates that there are one billion personal computers in use. That means there is something north of 200 million Vista PCs connected to the Internet and available as targets. That is plenty of incentive for today’s top-tier botnet controllers, who get rich amassing hundreds of thousands of infected PCs and using them to spread spam, steal data and perform other lucrative criminal activities.
Source: http://blogs.usatoday.com/technology...ing-vista.html

Has Sears spyware been installed on your computer or on computers in your firm?

30. September 13, Ars Technica – (International) FTC forces Sears, Kmart out of the spyware business. The Federal Trade Commission (FTC) has busted a strange set of spyware purveyors — U.S. retailing giants Sears and Kmart. The FTC recently approved its final consent order against the companies (which share the same owner) over an episode that can only be chalked up to incompetence of a truly epic scope. Sears Holding Management Company decided that it could really use a lot more marketing data to fuel its decision-making process, so it began offering visitors to sears.com and kmart.com a special invite — sign up for “My SHC Community,” download a piece of “research” software, and earn 10 American dollars. All one had to do was turn over to the company every single bit of information about one’s Web browsing. This was not just about the websites visited, or even about specific URLs; the “research” software transmitted the complete contents of a browsing session, even secure sessions. This meant that Sears and its data collection partner would have access to the “contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails,” said the FTC. Among other things — the software also collected non-Web information about the user’s personal computer. Sears did tell people that it would track their “online browsing,” but when security researchers looked into the software in early 2008, they charged that the disclosure was mostly buried in legalese. Under the settlement with the FTC, Sears has now agreed to destroy all data gained from the experiment and stop collecting data from any software still running in the wild. In addition, if it wants to do any tracking in the future, the company has committed to “clearly and prominently disclose the types of data the software will monitor, record, or transmit. This disclosure must be made prior to installation and separate from any user license agreement. Sears must also disclose whether any of the data will be used by a third party.”
Source: http://arstechnica.com/tech-policy/n...e-business.ars

A key Microsoft patch for XP and Vista! Be sure it is installed on your computers!

30. September 14, eWeek – (International) Microsoft backports Windows 7 security change to XP, Vista. Microsoft has backported changes to its AutoRun and AutoPlay features to Windows Vista and Windows XP to help users fight malware that spreads via USB devices. Microsoft made the change in Windows 7 earlier in 2009 to stop the spread of the infamous Conficker worm, which was taking advantage of the functionality to silently jump from PC to PC. With the change, Windows will no longer display the AutoRun task in the AutoPlay dialog except for removable optical media such as CDs and DVDs. The functionality was made available for XP, Vista, and Windows Server 2003 and 2008 on August 25. The decision to make the change followed the well-publicized growth of malware spreading via USB devices during the past couple of years. In fact, a report by Symantec found that self-copying to removable media was among the most common means of malware propagation in the second half of 2007. “McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames and other consumer electronics,” the director of security research at McAfee Avert Labs blogged in January. “This trend will continue due to the almost unregulated use of flash storage [devices] across enterprise environments as well as their popularity among consumers.”
Source: http://securitywatch.eweek.com/micro..._xp_vista.html

It is believed that some of our peers are not focusing upon their most significant threats!

39. September 15, Tech Herald – (International) Study: IT focused on the wrong network threats. A new report that looks at data collected from March-August 2009, from the SANS Institute, TippingPoint, and Qualys, essentially says IT security teams are misdirected. Security operations within IT are focused on operating system issues, leaving the two largest security problems, client-side software and web applications, on the back burner. The attack data in the report comes from IPS appliances deployed by TippingPoint at some 6,000 companies and government agencies. Vulnerability data comes from Qualys, via various appliances and software that monitored more than 9,000,000 systems, running over 100,000,000 scans. The combined information from Qualys and TippingPoint was then vetted by the SANS Institute, and the Internet Storm Center. The report focuses on three things. The first is that IT operations for the most part are making great strides in patching and securing the infrastructure from operating system threats. Other than the issues with Conficker, there were no new worms based on operating system flaws during the time the data was collected. With that said, the other side of the operating system coin is that the number of buffer overflow attacks tripled from May-June to July-August, accounting for more than 90-percent of the attacks against Windows. The other two issues, mostly ignored by IT security, are the reason buffer overflow attacks worked so well during the testing period. The jump in the overflow based attacks correlated with the increase in the number of client-side software and web application vulnerabilities. “Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access,” the report says while discussing client-side software.
Source: http://www.thetechherald.com/article...etwork-threats

Is it possible the release of this tool by Microsoft is a direct result of the report above for Thursday, September 17, 2009?

45. September 16, InfoWorld – (International) Microsoft offers tools for secure application development. Microsoft is introducing on Wednesday two testing tools to help Windows programmers build better security into their C and C++ applications, but an industry analyst was dismissive of how useful the tools would be for enterprise developers. Offered at no cost, the tools enable implementation of Microsoft’s SDL (Security Development Lifecycle) process, for injecting security and privacy provisions into the development lifecycle as opposed to testing during pre- and post-deployment of an application. One of the tools, BinScope Binary Analyzer, analyzes binary code to validate adherence to SDL requirements for compilers and linkers. It also verifies use of strong-named assemblies and up-to-date build tools. “Essentially, what it does is it checks for a variety of SDL requirements like GS flag, which is used to prevent buffer overflows,” said the principal security program manager for the security development lifecycle team at Microsoft. Buffer overflows enable hackers to take control of an application, the manager said. “To the extent that you can prevent those at compile time, that’s a good thing from a security standpoint,” he said. The tool requires symbol files, providing security against hackers potentially using the tool to analyze software on the Web for weaknesses. The second tool, Microsoft MiniFuzz File Fuzzer, implements the fuzz testing technique. Testers check application behavior by parsing files that have been deliberately corrupted. Security tests are applied to take code through different flow patterns and identify whether resulting crashes should be investigated as potential application security risks. “If you find a file failure and it has security ramifications, you want to go out and fix that problem,” the manager said.
Source: http://www.computerworld.com/s/artic...?taxonomyId=63

Note: The DHS only maintains the last ten days of their reports online. To obtain copies of earlier reports or complete summaries, go to: More...