Thursday, February 21, 2013

Security Smorgasbord, vol 5 no 1

Microsoft asks Is everything we know about passwords wrong? Interesting:
Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions. First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Since password-enabled transfers can always be repudiated this explains the importance of mules, who accept bad transfers and initiate good ones. This suggests that it is the mule accounts rather than those of victims that are pillaged. We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cybercrime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.

When is it time to patch Adobe Reader and Java?  Any day that ends in "-day":
Adobe and Oracle each released updates to fix critical security holes in their software. Adobe’s patch plugs two zero-day holes that hackers have been using to break into computers via Adobe Reader and Acrobat. Separately, Oracle issued updates to correct at least five security issues with Java.

The Java update comes amid revelations by Apple, Facebook and Twitter that employees at these organizations were hacked using exploits that attacked Java vulnerabilities on Mac and Windows machines.
Related:
Removing Java from your browser

Apple finally patches Java for OS X

Adobe Reader: security is now 3% less sucky
Security infrastructure vendors under attack

We've seen attacks against security technology vendors over the last few years: RSA, McAfee, a number of certificate granting firms.  Add a new one to the list:
Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software.

Waltham, Massachusetts-based Bit9 is a leading provider of “application whitelisting” services, a security technology that turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous.
It's an interesting technology, because antivirus techniques are always closing the barn door after the horse gets out.  Bit9's whitelisting technology reverses this: anything new is unusual and suspicious.  They have some clever ways to make sure that new updates from iTunes are added to the "good" list, so they've done decently well with forward-thinking customers and have (so far) avoided the big problems with implementation and day-to-day operations that a lot of other technologies have encountered (*cough* IDS *cough*).

But their whitelist is only as good as the security of their list.  Bad Guys seem to have penetrated their network and added malware to the "good" list.  Several Bit9 customers seem to have been compromised this way.

I expect the trend of attacking security infrastructure to continue.  As Willie Sutton is said to have replied when asked why he robbed banks, "that's where the money is."  Penetrating technology infrastructure lets you get into the targets you really want much more easily.
