Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, September 30, 2009

Security Pros Are Focused on the Wrong Threats

The New York Times reported last week that corporate information technology departments are prioritizing the wrong threats to their computer systems, focusing on old problems and leaving their companies open to a raft of new cyberattacks aimed at private customer and corporate information.

That finding comes from a new biannual report from the SANS Institute, whose senior staff weighed two sets of data that have not been rigorously compared to date: data on the most common attacks hitting corporate networks and data on which vulnerabilities are most prevalent on company networks.

From the article:

Looking at the two sets of data together revealed immense shifts in what is getting the attention of today’s hackers. “The bottom line: Two cyber-risks dwarf all others, and users are not effectively mitigating them — preferring to invest in mitigating less critical risks,” said Alan Paller, director of research at SANS.

The less critical risks are flaws in the Windows operating system. While these bugs were the No. 1 problem for everyone on the Internet not long ago, times have changed. Thanks to significant security improvements by Microsoft, automated tools for applying its patches and generally good habits within organizations, the operating system is now much harder to hit. As such, hacker interest has waned. Only one major worm, Conficker, circulated in the first half of the year. Attacks on the operating system accounted for only about 30 percent of the total volume of attack activity on the Internet, and, thanks to patching, probably weren’t very successful, says Rohit Dhamankar, director of TippingPoint’s DVLabs.

But on the rise are quiet attacks on desktop programs, such as Microsoft’s Office, Adobe’s Flash Player and Acrobat programs, Java applications, and Apple’s QuickTime program. Attacks on these programs currently account for about 10 percent of attack volume, up from zero three or four years ago. And they are likely to be far more successful, since more than 90 percent of corporate computers are using old, unsecure versions of these programs, according to Qualys. Unaware of the importance of updating them or overwhelmed with the scope of the job, IT security staffers on average take twice as long to patch this software compared with the operating system.

“Attackers are very opportunistic. They will work with the easiest-to-use vulnerability that will give them the biggest return,” said Wolfgang Kandek, Qualys’s chief technology officer.

Which is also why attacks on company Web sites have skyrocketed. Mr. Dhamankar said a “staggering” 60 percent of attack activity was now directed at trying to hack Web sites, often by targeting “SQL injection” and “Cross-Site Scripting” flaws in open-source and custom-built Web applications, which currently account for more than 80 percent of the new vulnerabilities being discovered.


That last paragraph is a good reminder that proxies matter not only for end-users' web access, but also for protecting corporate websites when deployed as a reverse proxy in front of them. With attacks arriving from the web and attacks on outward-facing websites on the increase, proxies are more important than ever in the security framework of any organization.

Tuesday, September 29, 2009

What's government's role in making the Web secure?

Newsday published an article last week about the government's role in helping to make the web more secure. A Senate committee was exploring ways to secure computer networks, and a provision to give the president the power to shut down Internet traffic to compromised Web sites in an emergency immediately set off alarms. Corporate leaders and privacy advocates quickly objected, saying the government should not seize control of the Internet.

The lawmakers dropped the issue, but the discussion on the topic continues.

From Newsday:

How much control should federal authorities have over the Web in a crisis? How much should be left to the private sector? It does own and operate at least 80 percent of the Internet and argues it can do a better job.

"We need to prepare for that digital disaster," said Melissa Hathaway, the former White House cybersecurity adviser. "We need a system to identify, isolate and respond to cyberattacks at the speed of light."

So far at least 18 bills have been introduced as Congress works carefully to give federal authorities the power to protect the country in the event of a massive cyberattack. Lawmakers do not want to violate personal and corporate privacy or squelch innovation. All involved acknowledge it isn't going to be easy.

For most people, the Internet is a public haven for free thought and enterprise. Over time it has become the electronic control panel for much of the world's critical infrastructure. Computer networks today hold government secrets, military weapons specifications, sensitive corporate data, and vast amounts of personal information.


Included in the backlash against the proposal were responses like these:

"The government needs to get its own cybersecurity house in order first before it tries to tell the private sector what to do," said Gregory T. Nojeim, senior counsel for the Center for Democracy and Technology.

Nojeim said the Senate Commerce Committee bill appears to leave "tough questions to the president, and that isn't comforting because some presidents will answer those questions in troubling ways."


While these issues are pondered, there remains one major practical problem with government control of the Internet:

Shutting down a compromised system may sound like a good idea, but "it's not like the Internet has an on-off switch somewhere you can press," said Franck Journoud, manager of information security policy for the Business Software Alliance.


While the government may not have an on-off switch, each organization that has access to the Internet should. If there truly were a network emergency, could you shut down your web users' access to the Internet? A proxy infrastructure gives you a single point at which to turn that access off, and that is one more good reason to have web proxies if you don't already.

Monday, September 28, 2009

Internet companies face up to 'malvertising' threat

The Guardian reported this week on the phenomenon called "malvertising", a type of attack we've talked about quite often on this blog: fake ads containing malware are placed on well-known websites as a way to reach millions of people through names they trust. Sites hit by a series of recent attacks include the New York Times and Horoscope.com.

Unlike traditional spam or virus attacks, which rely on victims clicking on a link in an email or mistakenly downloading an infected program, malvertising attacks hide on popular websites and can sometimes push malicious code onto a computer as soon as the browser renders the compromised ad (a drive-by download).

From the article:

"This is a growing problem," said Graham Cluley, a consultant with online security firm Sophos. "Hackers are making more and more use of ad networks to distribute their attacks to users visiting legitimate well-known sites."

"These are not random attacks. When they infect third party ad networks they may not know precisely which website will end up displaying their ads - but, frankly, they don't care about that. The important thing for them is that they get eyeballs."

Malvertising was first identified by security experts several years ago, but the growing breadth of online advertising has made it more attractive to criminals as a way to reach millions of web users quickly and easily.

A string of incidents in recent weeks have stepped up concerns, including attacks last weekend where popular sites including rightwing news service the Drudge Report were hijacked by criminals. The attackers succeeded in placing malicious ads through Google's DoubleClick service, which were then syndicated around a range of different sites.

The previous weekend, readers of the New York Times - the world's biggest newspaper website - were subjected to a malvertising attack after hackers posed as a legitimate company in order to buy advertising space.

While the incidents are embarrassing for those companies which get caught out, they pose a very serious threat to the readers of those sites - many of whom are not running up-to-date virus protection.

"Attackers use online ads for the same reasons a legitimate company would do so," said Mary Landesman of web security firm ScanSafe.

"When an attacker can infiltrate an advertising network, it enables them to reach a broad number of websites within a chosen category. This provides the attacker with the same return on investment that it would a legitimate advertiser – broad exposure to the audience of their choosing."


Malvertising is a good reason to put a proxy between your end-users and the Internet. A proxy with URL database filtering, anti-malware scanning and embedded-URL blocking can stop a drive-by download before it reaches the workstations on your organization's network: the ad's redirect target gets blocked by category, and whatever content does come back gets scanned.

Friday, September 25, 2009

7 Ways Security Pros DON'T Practice What They Preach

Computer World reminds us this week that IT admins rarely practice what they preach. In a world where we force our end-users to go through proxies and firewalls, it's common for the IT admin to create workarounds or special policies that let them through the proxy or firewall without the same level of security as the rest of the end-users.

While I applaud them for pointing this out, my own personal philosophy is that the admin should be forced to obey the same restrictions as the end-users, but also have the ability to bypass them when the needs of the job arise. It's the admins that routinely bypass security restrictions that are the most likely to shoot themselves in the foot, by inadvertently getting a malware infection or causing some other problem on the network.

There are also simple rules that we often forget, or think don't apply to us because we're above the rest of the world, and that includes things like weak admin passwords, USB sticks holding sensitive data, and using open, insecure wifi networks. Think twice the next time you do something you know your end-user can't.

Thursday, September 24, 2009

How SSL-encrypted Web connections are intercepted

I've written plenty of articles in the past about SSL and proxies. SSL is an important piece you shouldn't forget when securing web access from your organization. Searchsecurity.com published an article this week on how SSL-encrypted web connections can be intercepted, from the legitimate use (proxying and filtering) to illicit interception. It's a good, long article explaining the different technologies involved. The title above links to the full article.

Wednesday, September 23, 2009

Security Thought for Thursday: The Proxy Purists Were Right

Neil MacDonald, a blogger for Gartner, recently published an article titled: Security Thought for Thursday: The Proxy Purists Were Right. Of course the title immediately caught my eye, since I write about proxies and am one of the staunch evangelists for proxy technologies.

What's interesting about MacDonald's article is that he's not only talking about web proxies but any proxy. His take is that:

A proxy-based model for externalizing and enforcing security policy is the right approach and becoming more, not less, relevant.

...

All of these technologies allow us to inject our policy as traffic goes back and forth.


The last sentence shows the true power of the proxy. It's that control through policy, applied to traffic in both directions, that makes the proxy such a valuable piece of the network infrastructure.

MacDonald makes another good point in the following:

Increasingly we don’t own or control all of the pieces of IT (the users, the devices, the components, the services, etc) that composite together to build a system. Are proxy-based models the best way to ensure the application of security policy moving forward? I believe in most cases they will be.


So do we.

Tuesday, September 22, 2009

Klingon going out of fashion?

I'm not quite sure what the attraction of the Klingon language is, but a few security vendors have followed this trend among IT professionals and offered versions of their software that supported the Klingon language. Both Sophos Anti-Virus and Blue Coat Web Filter offered support for the Klingon language in their products.

Sophos announced this week, though, that they were discontinuing support for the Klingon version of their anti-virus software. Blue Coat, on the other hand, hasn't made any such announcement regarding support in their product, so at least Klingon lives on in their web filtering product.

Friday, September 18, 2009

Curious George's latest mischief: malware

As if you didn't already know, even your kids aren't safe on the Internet. According to Network World this week, the Public Broadcasting System's Web site was compromised in a section related to the Curious George children's TV show: visitors are shown a fake log-in page, and when that page fails, the error page tries to drop malware on them.

From the article:

When the log-in page fails, the end user is served an error page with malicious JavaScript that drags the user to a malicious domain where an attempt to exploit vulnerabilities on the user’s desktop applications is made, says Paul Royal, principal researcher at security firm Purewire.

The attack includes attempts against known vulnerabilities in Acrobat Reader, an AOL ActiveX control, Apple QuickTime and others. There are patches to correct these application vulnerabilities but if the user hasn’t applied the patches, the exploit observed by Purewire at the PBS.org Web site could be successful in installing malicious code on the victim’s desktop computer.

The malicious domain -- qxfcuc.info -- was registered through registrar eNom, Royal says. The registrant’s identity is not public, perhaps because the registrant paid a $10 a year fee that is typically charged to keep identity private, he adds.


This latest attack is a good reminder that we need protection not only at work (by going through a fully protected corporate proxy with embedded-URL and anti-malware protection), but also at home. For those of you wondering how you get enterprise-class URL protection at home, a quick reminder that Blue Coat Systems offers a free client for home use at http://www.getk9.com

Websense to Revise OEM Royalty Revenue Recognition Policy

Apparently Websense found it needed to revise its revenue recognition policy this week for some OEM agreements it acquired when it purchased SurfControl. The revised policy forces it to go back to 2007 and reduce the amount of revenue it had recognized.

From the press release:

As a result of this change, the company's financial statements for the fiscal years ended December 31, 2007 and 2008 and for the fiscal quarters ended March 31, 2008, June 30, 2008, September 30, 2008, March 31, 2009 and June 30, 2009 should no longer be relied upon.


Obviously this doesn't affect users of Websense or SurfControl software, but does change numbers for those of you interested in the company from an investment point of view. It also shows they have lower market share numbers (based on revenue) than previously thought, if that makes a difference in your purchasing plans.

Thursday, September 17, 2009

Choosing the Right Anti-Malware/Anti-Virus for Your Proxy

I've talked a lot about having a scanning engine on your enterprise proxy implementation. You need this to make sure you're scanning any webpages your end-users visit for malware or viruses.

This of course raises the question of which anti-malware or anti-virus software you should be using with your proxy. It's a tough question if the proxy is new to your network, or if you haven't run an anti-malware package with your proxy before.

Almost every organization out there is already running anti-virus and anti-malware for email and desktops. Deciding which package to run for web, depends on what you're trying to accomplish. If you need an extra layer of protection, and the desktop package already scans web pages, you probably want to run a different vendor on the proxy so that you get an added layer of defense.

The other thing you should look into is how much CPU each vendor's engine uses, and how easy it is to write policy that determines what gets scanned, so that not everything is scanned (radio and video streams, for example, should probably not be scanned). In addition, cost, reputation and actual catch rates will be factors in your decision. There's one site out there, avtest.org, that rates the catch rates of the various anti-virus and anti-malware vendors and may be a good starting point for research. Of course not all vendors will agree with the results from this site, and it's also important to research false positive rates. The right answer for anti-malware and anti-virus packages will be different for each organization, so be sure to do your research when you select the package to work with your proxy.

Wednesday, September 16, 2009

Facebook Population Rivaling US Population

CNN reported today that Facebook's user population is nearly as large as the U.S. population, having hit the 300 million mark. In addition, Facebook turned a profit last quarter for the first time. About 70 percent of Facebook's users are outside the U.S.

These two announcements reiterate that social networking is here to stay. This of course presents a challenge for IT administrators who need to decide what to do about traffic from their networks to social networking sites. In the past this was an easy decision, as social networking sites were easily categorized as outside the realm of the work world. Proxies easily allowed administrators to set up policy to block social networking sites (and some of the inherent risks associated with them, like the Koobface worm that has been spreading on Facebook).

As we move towards the end of 2009, more and more companies are finding a place for social networking in their marketing campaigns, employee communications, and other aspects of the work world. It's safe to say social networking will be more integrated into what we do in the workplace as time goes on. Rather than blocking social networking outright, IT admins are going to have to find ways to allow access to these sites while still blocking the associated malware and embedded malware URLs.

An up-to-date proxy running the latest URL database filtering software, with the capability of blocking embedded URLs, along with anti-malware and anti-virus scanning of web pages, is an absolute must if social networking is going to be allowed in the workplace.
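Here is how those pieces fit together in policy terms: category lookup on the requested URL, category lookup on every URL the returned page would make the browser fetch or jump to (the Curious George error page above redirected visitors with inline JavaScript; malvertising does the same through an ad's redirect), and a scan decision by content type so that radio and video streams are not fed to the anti-malware engine. This is an added example in Python, not code from this blog or from any proxy vendor. The URL category table, the sample page and the list of scannable content types are constructed assumptions; a real proxy takes categories from its vendor database and hands the body to its scanning engine.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for a vendor URL category database, keyed by host.
# Lookups walk up the domain, so "cdn.badads.example" matches "badads.example".
URL_CATEGORIES = {
    "news.example": "news",
    "ads.example": "advertising",
    "badads.example": "malware",
    "dropper.example": "malware",
    "social.example": "social networking",
}
BLOCKED_CATEGORIES = {"malware", "phishing"}

# Content types worth handing to the anti-malware engine.  Audio and video
# streams are skipped: they are large, long-lived and mostly burn CPU.
SCAN_CONTENT_TYPES = {
    "text/html", "application/javascript", "application/pdf",
    "application/x-shockwave-flash", "application/octet-stream",
    "application/x-msdownload", "application/zip",
}
NO_SCAN_PREFIXES = ("audio/", "video/")


def categorize(url):
    """Category for a URL, matching the host or any of its parent domains."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    for i in range(len(labels)):
        category = URL_CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


class _EmbeddedURLParser(HTMLParser):
    """Collects URLs a browser would fetch, or be sent to, while rendering."""
    FETCH_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                   "embed": "src", "object": "data"}
    ABS_URL = re.compile(r"""https?://[^\s'"<>)]+""")

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.FETCH_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.urls.add(urljoin(self.base_url, attrs[attr]))
        # <meta http-equiv="refresh" content="0;url=..."> is a redirect too.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", attrs.get("content") or "", re.I)
            if m:
                self.urls.add(urljoin(self.base_url, m.group(1).strip("'\"")))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script such as window.location = "http://..." is the usual
        # drive-by redirect; pull any absolute URL out of it.
        if self._in_script:
            self.urls.update(self.ABS_URL.findall(data))


def extract_embedded_urls(html, base_url):
    """Absolute URLs embedded in an HTML body, resolved against base_url."""
    parser = _EmbeddedURLParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.urls


def needs_scan(content_type):
    """Whether a response of this type should go to the anti-malware engine."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type.startswith(NO_SCAN_PREFIXES):
        return False
    return media_type in SCAN_CONTENT_TYPES


def decide(url, content_type, body=""):
    """Policy verdict for one response: block on category, else flag for scan."""
    category = categorize(url)
    if category in BLOCKED_CATEGORIES:
        return {"action": "block", "reason": f"{url} is {category}", "scan": False}
    if content_type.split(";")[0].strip().lower() == "text/html":
        for embedded in sorted(extract_embedded_urls(body, url)):
            embedded_category = categorize(embedded)
            if embedded_category in BLOCKED_CATEGORIES:
                return {"action": "block",
                        "reason": f"embedded {embedded} is {embedded_category}",
                        "scan": False}
    return {"action": "allow", "reason": category, "scan": needs_scan(content_type)}


# Constructed sample: a legitimate site's failed-login page whose inline
# script bounces the visitor to a malware host, as in the PBS incident.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="30;url=/login">
<script src="http://ads.example/tag.js"></script>
</head><body><p>Login failed.</p>
<script>window.location = "http://dropper.example/x.php";</script>
</body></html>"""

if __name__ == "__main__":
    print(decide("http://news.example/login-error", "text/html; charset=utf-8", SAMPLE_PAGE))
    print(decide("http://news.example/radio.mp3", "audio/mpeg"))
```

The point of the embedded-URL pass is that the page the user asked for is in a perfectly good category; what gets it blocked is the dropper host it would have sent the browser to. The scan decision is deliberately separate from the block decision so the expensive step runs only on content that can actually carry an exploit.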

Tuesday, September 15, 2009

New York Times Malicious Ads Attack

Sophos reported this week on an attack on NYTimes.com, where readers of the New York Times website were exposed to danger as the popular media outlet served up malicious advertisements to some of its visitors.

According to a posting at the NYTimes.com website, some readers saw a pop-up messaging warning them that their computer had been infected, and urging them to install fake anti-virus software (also known as scareware).

As Sophos reported, this isn't a new malware attack, as other media outlets (such as the Daily Mail, ITV and RadioTimes) have also fallen prey to serving up malware inside malicious ads using fake anti-virus alerts.

It was later discovered that the hackers had purchased advertising space directly from the New York Times, posing as the internet telephone company Vonage.

Fake anti-virus alerts have become one of the biggest revenue-generators for cybercriminals, and as a result we're seeing more attacks all the time, whether planting malicious scareware on compromised websites, posing as legitimate security companies, or exploiting hot internet search topics.

This recent malware exploit reiterates the new paradigm of security in enterprise environments, where web security is just as important as, if not more important than, email security. Almost all organizations today run email anti-virus and anti-malware scanning. It's just as important to do it for web traffic, using a proxy as the security device for web browsing. Just make sure your web proxy has up-to-date anti-malware and anti-virus software along with up-to-date URL database filtering.

Thursday, September 10, 2009

7 Reasons Websites Are No Longer Safe

Network World ran an article yesterday on why websites are no longer safe. This news isn't surprising to most IT admins, and it's the reason there are forward proxies in many enterprise networks. Network World uses new data from Sophos to explain its observations and follows up with seven reasons websites are dangerous:

Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from Boston-based IT security and control firm Sophos, sites we take for granted are not as secure as they appear.

Among the findings in Sophos' threat report for the first six months of this year, 23,500 new infected Web pages -- one every 3.6 seconds -- were detected each day during that period. That's four times worse than the same period last year, said Richard Wang, who manages the Boston lab. Many such infections were found on legitimate websites.

In a recent interview with CSOonline, Wang outlined seven primary reasons legitimate sites are becoming more dangerous.


1. Polluted ads

Many legitimate sites rely on paid advertisements to pay the bills. But Wang said recent infection statistics gathered by his lab show that they are often hiding malware, without the knowledge of the website owner or the user.

"A lot of sites supported by advertisers, rather than contracting directly with the advertiser, work through ad agencies and network affiliates," Wang said. "Some of these affiliates are less than diligent in reviewing content for flaws and infections."

Ads that incorporate Flash animation and other rich media are often rife with security holes attackers can exploit. When the user clicks on the ad, the browser can be (and often is) redirected to sites that download malware in the background while the user is reading the legitimate site. Someone in the ad-providing supply chain can be the culprit, though tracing a compromise back to them can be exceedingly difficult, Wang said.

Whatever the case may be, a downloaded Trojan is then free to gather up usernames, passwords and other sensitive banking data.

2. SQL injection attacks

SQL injection attacks are among the most popular of tactics and have been used in several high-profile incidents in the last couple of years. For example, see "SQL Injection Attacks Led to Heartland, Hannaford Breaches."

SQL injection is a technique that exploits a flaw in the coding of a Web application or page that uses input forms. A hacker might, for example, input SQL code into a field that is intended to collect email addresses. If the application doesn't include a security requirement to validate that the input is of the correct form, the server may execute the SQL command, allowing the hacker to gain control of the server.

"The hacker essentially takes advantage of flaws related to shoddy site development," Wang said.

3. User-provided content

It doesn't take a genius to write a comment to a blog posting or something they see on a social networking site like Facebook or Twitter. The bad guys know this and are therefore taking the opportunity to pollute discussion threads and other sources of user-supplied content with spam-laden links. (See "Seven Deadly Sins of Social Networking Security".)

"You can get comment spam, completely irrelevant comments including links to sites trying to sell you stuff," Wang said. "They can also try posting full links to malicious sites or work in a little scripting, depending on the filter they are trying to work around."

4. Stolen site credentials

Using the types of malware and social networking tactics described above, as well as other means, attackers can steal the content provider's log-in credentials. From there it's no sweat logging into the site and making changes. It typically is a change so subtle and small that it escapes notice. The tiny bits of code added in can then steal the site visitor's credit card or other data.

5. Compromised hosting service

This one is similar to number 4, where the credentials of the content provider are stolen and hackers log in to make sinister changes. Through this vector, Wang said the bad guys could potentially poison thousands of sites the provider is hosting in one strike.

6. Local malware

The website you visit may be perfectly safe, but if there's malware hidden on your own machine you can unwittingly become part of the attack, Wang said. For example, the user can visit their online banking site, and when typing in a user name and password the Trojan is there to record that information and pass it back to the attacker, allowing him to go in later and empty out your account or that of others.

7. Hacker-engineered fakes

Finally, there's the problem of hackers trying to sell you fake merchandise that includes phony security software. If a box appears warning that your machine may have been infected and that you must immediately download a particular security tool to remove it--a common occurrence if you have visited a site that surreptitiously downloads malware onto your computer--it's a sure sign of trouble.

"You spend your $39.95 and you get a worthless piece of software, and at the same time you have given them your credit card data," Wang said.

What is one to do if their website relies on ads and open access? Wang suggested IT security administrators use security scanners against anything coming in by way of third-party hosts and, for in-house apps and other online property, that developers redouble efforts to write more ironclad code.

For those who heavily rely on third-party forums, a wise practice is to take a daily scan of vulnerability reports that may affect those providers and to keep up to date on security patches that will harden your own environment against these threats, he added.


All these are good reminders to make sure the forward proxy in your enterprise network is up to date with the latest anti-malware software and URL databases, and to make sure there's no easy way around the proxy in the network. This of course means blocking direct outbound web access (ports 80 and 443) at the router and firewall from any system other than the proxy itself.
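The SQL injection mechanism in item 2 is worth seeing in code, since it is the same flaw a reverse proxy in front of your own websites is there to screen for. The following is an added example in Python, not code from the Network World piece or from this blog. It uses an in-memory SQLite table with two constructed accounts and shows a login query assembled from user input being bypassed with a comment sequence, and the same query with bound parameters refusing the identical input.

```python
import sqlite3


def open_demo_db():
    """In-memory stand-in for a site's user table with constructed accounts.

    Passwords are stored in clear text only to keep the injection visible;
    a real application stores salted hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice@example.com", "correct horse", "admin"),
        ("bob@example.com", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, email, password):
    """Query text built from input: quotes and comments become SQL syntax.

    With email = "alice@example.com' --" the statement becomes
        ... WHERE email = 'alice@example.com' --' AND password = '...'
    and everything after -- is a comment, so the password check vanishes.
    """
    sql = ("SELECT email, role FROM users WHERE email = '%s' AND password = '%s'"
           % (email, password))
    return conn.execute(sql).fetchone()


def login_safe(conn, email, password):
    """Bound parameters: the driver sends values separately from the statement,
    so a quote or -- in the input is just characters to compare against."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()


def demo():
    """Run the same injection payload against both versions."""
    conn = open_demo_db()
    payload = "alice@example.com' --"
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),
        "safe": login_safe(conn, payload, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

A reverse proxy or web application firewall can refuse requests carrying obvious payloads like the one above, and that is a sensible layer when you do not control the application's code. It is not a substitute for the parameterized form, which closes the hole regardless of what the request contains.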

Wednesday, September 9, 2009

How a Phishing Attack Exposed an Energy Company to Hackers

eWeek ran an article this week on one energy company's experience with malware and how a single end-user opening a phishing e-mail exposed critical systems. Using a Microsoft zero-day vulnerability and a bit of social engineering, hackers compromised a workstation and threatened critical systems.

From the article:
It began with an e-mail sent to an employee at an energy company, and ended with a security breach that exposed critical systems to outside control.

This is an all-too-common scenario, and just one example of the types of threats targeting not only critical infrastructure but organizations generally. The attack referred to above happened at the site of an energy company that Intrepidus Group is keeping anonymous. In a discussion with eWEEK, however, the security vendor outlined just how a malware attack broke into a critical network.

The attack began to unravel April 3, 2007. That's when a fraudulent user account—complete with administrative privileges—was detected by the energy company. At that point, Intrepidus Group was called in to try to uncover what exactly had happened. Working backward, the company traced everything back to a little bit of social engineering.

"What started off as a very strange attack where people couldn't understand why these random administrative accounts were being added in the internal network ended up being two and a half days later us realizing the primary domain controller in the system—which is the keys to the system, really, with all the passwords and user accounts—had been compromised with this zero-day attack," said Intrepidus Group CEO Rohyt Belani. "But the big thing that set off alarms … was that the attack had originated not from the outside big, bad world, but … from another machine inside their corporate network."

The machine sat on the same segment where the SCADA (Supervisory Control And Data Acquisition) controllers were. Soon, evidence appeared that the attackers had leapfrogged off this network and broken into the domain controller, Belani explained. After backtracking even further, the investigation determined the source of the breach—a relatively simple phishing attack.

The phishing e-mail contained a pitch for a new health care plan, something that caught an employee's eye. The e-mail claimed to be about benefits for a family with two or more children, and the employee had three. The message also contained a malicious .chm file attachment.

When the employee opened the attachment, it reached out to a server in the Asia-Pacific region and pulled out a malicious executable that gave the attackers a foothold on the employee's machine, Belani said.

The attack took advantage of MS07-029, a Windows DNS (Domain Name System) vulnerability that at the time was unpatched. Using the vulnerability as an entry point, the attackers ended up with control of the employee's account.

"The attacker had a problem; he got system-level access via an unpublished zero-day exploit," said Aaron Higbee, CTO of Intrepidus Group. "But attackers need to maintain access and are worried about their initial exploits either causing instability with the system or the system getting patched. This is why they created the [other] account … with domain admin access."

With the level of access they gained, the attackers could potentially control, view and modify everything related to the business, Higbee said.

In the aftermath of the attack, Intrepidus advised the company to make some changes to its security strategy. For starters, the company was advised to re-architect the outbound filtering of Internet access and put a proxy in place for Web browsing to ensure that employees aren't reaching out to seemingly random sites. More critical is the subject of segregation. No workstation sharing a critical network segment should be connected to the Internet, Belani said.

"It should be segmented away from the sensitive SCADA controllers," he said.


It's interesting to note that the change recommended after the attack was the implementation of a proxy gateway for web browsing, something we've been recommending on this blog for some time now.
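Intrepidus' two recommendations, outbound filtering through a proxy and keeping the SCADA segment off the Internet, are both things you can verify from the firewall's own logs rather than take on faith. The following is an added example in Python, not from the eWEEK article or from Intrepidus. It parses netfilter-style LOG lines (the field names are the kernel's; the sample lines, the proxy address, the internal range and the SCADA segment are constructed assumptions) and reports two kinds of finding: internal hosts other than the proxy opening direct connections to external web ports, and any host on the critical segment reaching the Internet at all. The same list answers the "on-off switch" question from the Newsday post above: if nothing but the proxy can get out, turning the proxy off turns web access off.

```python
import ipaddress
import re

# Assumed layout (not from the article): one proxy, one internal range,
# one SCADA segment that should never talk to the Internet directly.
PROXY_ADDRESSES = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CRITICAL_SEGMENTS = [ipaddress.ip_network("10.9.0.0/24")]
WEB_PORTS = {80, 443, 8080}

# netfilter LOG target fields; only the ones the check needs are captured.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def audit_egress(lines):
    """Findings for connections that should not exist if all web traffic
    leaves through the proxy and the critical segment is isolated.

    Each finding is (kind, src, dst, dport) with kind one of
    "proxy-bypass" or "critical-segment-egress".
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["proto"] != "TCP":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dpt"])
        # Only internal -> external flows matter here.
        if not _in_any(src, INTERNAL_NETS) or _in_any(dst, INTERNAL_NETS):
            continue
        if _in_any(src, CRITICAL_SEGMENTS):
            findings.append(("critical-segment-egress", str(src), str(dst), dport))
        elif dport in WEB_PORTS and src not in PROXY_ADDRESSES:
            findings.append(("proxy-bypass", str(src), str(dst), dport))
    return findings


# Constructed sample log: the proxy going out (fine), a workstation going
# direct to 443 (bypass), a workstation talking to the proxy (fine), a SCADA
# host reaching out (isolation failure), and a DNS query (not a web flow).
SAMPLE_LOG = """\
Sep 10 09:12:01 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=80 SYN
Sep 10 09:12:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40002 DPT=443 SYN
Sep 10 09:12:09 fw kernel: FW-OUT IN=eth1 OUT=eth1 SRC=10.1.2.3 DST=10.0.0.5 LEN=60 TTL=63 PROTO=TCP SPT=40003 DPT=8080 SYN
Sep 10 09:12:11 fw kernel: FW-OUT IN=eth2 OUT=eth0 SRC=10.9.0.17 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=40004 DPT=8443 SYN
Sep 10 09:12:15 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.1.2.4 DST=203.0.113.53 LEN=60 TTL=63 PROTO=UDP SPT=40005 DPT=53
"""


def audit_sample():
    """Run the audit over the constructed sample log."""
    return audit_egress(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in audit_sample():
        print(*finding)
```

Note that the critical-segment check fires on any destination port, not just web ports: a SCADA host talking to the Internet on 8443 is the finding, whatever the service. Running this against a day of ACCEPT logs before you tighten the egress rules tells you which hosts will break when only the proxy is allowed out.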

Tuesday, September 8, 2009

Recruiters Post Fake Jobs, Sell Your Resume

While this isn't really related to proxies, I thought it would be interesting to IT professionals. Larry Chaffin of Network World did a study in which he posted fake resumes to the most popular online job sites and found that they were sold many times over to other recruiters, and that many of the jobs he applied for (and was qualified for) turned him down, apparently having been posted only to harvest resumes for resale.

From the Network World article:

I was given a tip about the problem of recruiters posting fake jobs; this was just to get a 1000 or more resumes to sell. I guess I did not know this but there is a nice business going on now in this area. So to see what would happen we made up three resumes of fake people. The first was a CIO with 20 years of experience in big companies and a whole list of published articles. The next was a three time CCIE who has been doing networking for 15 years and had project management experience. The last was our entry level with a few certifications and administrations jobs.

So with that we posted for jobs that our resumes would fit and then some we were overqualified for, but that was OK. We looked at the positions that said remote position/work from home office with a national telecommunication company or Fortune 100 companies. Also we applied for architect, engineer and executive jobs as well. We applied for around 70 jobs, and on some of them we made sure we had the experience they wanted. Being just right or overqualified, you would think we would get a call, but no, we got emails saying sorry, but you did not meet the qualifications of the position.

Within three days we started to get emails and calls to our temp cell phone; these were from people we did not know or jobs we had not applied for while doing this project. They said they were forwarded our resume and had a low-level position for a three-time CCIE. We turned it down, but after the first call we started to get a lot of calls and emails from India, China, Canada and other countries. Our resume was sold to these recruiters all over the world as an applicant who was looking for a job, was fully vetted and had a background check done. We were told this by one recruiter in Canada.

So we found out that it was true: people are selling resumes off job boards, and I mean the top five that are out there. If you are just looking and have a job, be careful, as you could get caught looking for a job. On the other hand you might get more than you asked for; the one job we applied for in the CIO roles was with a national recruiter and company and very well known. It is funny how the resume made it to Asia with our fake man.

Friday, September 4, 2009

Man-in-the-Middle HTTPS Attack Weak Point in Major Browsers

Softpedia reported this week on a research project carried out at Microsoft, where developers broke numerous secure HTTPS connections using a man-in-the-middle attack with the aid of a specially configured proxy. Based on the results of this research, security experts from SecurityFocus revealed several vulnerabilities found in all major modern browsers.

From the article:

The SecurityFocus advisory initially targeted Mozilla (which subsequently released a security update), but it was recently updated to reflect all major browsers, including Opera, Internet Explorer, Safari and Chrome.

Using Pretty-Bad-Proxy (PBP), three developers from Microsoft and a teaching assistant from Purdue's Computer Science department revealed several loopholes in browser behavior regarding HTTPS connections. They were able to inject HTML and scripting language inside a secure page, which led to a breach inside the HTTPS connection without ever breaking the cryptographic scheme.

This way, they were able to steal secure data from the connection, fake a secure server, fake a secure page and impersonate an authenticated user in a server-client conversation. Regarding this issue, the developers said in their statement that “These vulnerabilities reflect the neglects in the design of modern browsers. […] Thus further (and more rigorous) evaluations of the HTTPS deployments in browsers appear to be necessary.”

According to the researchers, all major web browser companies were informed about this issue and have planned to patch their browsers. So far, only Firefox has been updated, in June. Meanwhile, the rest of the browsers remain vulnerable to man-in-the-middle attacks on HTTPS connections.

In principle, the major flaw that cripples all browsers is that they are executing all error messages inside the secure environment of the page being called, so all requests and data can be sniffed and modified by PBP. If cookies are enabled and involved in the authentication process, credentials and account info can be intercepted and stolen.

Wednesday, September 2, 2009

Malware adds IM to speed up its theft of your identity

Network World reported yesterday that one of the more sophisticated pieces of malware in circulation has been given an upgrade that lets cybercriminals act even faster after they've stolen data from a PC. The Zeus Trojan uses an instant messaging component that alerts hackers immediately when they've captured someone's authentication credentials. That enables the fast use of time-sensitive information, such as one-time passwords now often employed in online banking.

Apparently, Zeus isn't the first piece of malware to employ instant messaging, since another password-stealing program called Sinowal was found to be using it as well in 2008. Once on a PC, Zeus sends log-ins and passwords to a remote server, which the hacker must then access and sort through. Several variants of Zeus have a Jabber instant messaging module. The hackers set up two Jabber accounts, one to send information and one to receive it. When Zeus obtains log-ins, it sends them to a remote server. The Jabber module then looks for credentials for specific financial institutions and transmits that information to the hacker by instant message.

It's estimated that around 3.6 million computers in the U.S. alone are infected with Zeus, making it one of the most prevalent malicious software programs and a very large botnet.

Users can be infected if they haven't installed the latest security patches on their computer and visit a Web site that serves a drive-by download (one that happens without the end user clicking on or doing anything on the website). Zeus may also be inadvertently installed on a computer if a person is tricked into opening an e-mail attachment containing Zeus.

It's estimated from Zeus Tracker that there are now 802 malicious hosts serving Zeus. All this is a good reminder to make sure you browse safely (with a proxy) and that your proxy has up-to-date anti-malware and URL lists.

Tuesday, September 1, 2009

Sophos adds some new security blogs

If you were familiar already with the two blogs that Sophos provides on security (including Graham Cluley's blog), you'll be happy to know they've added two additional ones from some of their security experts.

First up, Paul "Duck" Ducklin has been working at Sophos for almost 15 years. During that time he's headed up a variety of departments including software engineering, global technical support and even (as he puts it) "for a few admittedly temporary weeks of vertiginously enormous budgetary power" the IT department.

Since 2001 Duck has been based in Sydney, Australia, where he acts as Head of Technology for activities in Asia Pacific. Never short of an opinion - or a desire to express it - you can expect his blog to be quite lively.

Paul Ducklin's blog: www.sophos.com/blogs/duck

The other new blog belongs to Chester "Chet" Wisniewski, a senior security advisor working out of Sophos's Vancouver offices. Chet is responsible for working with the security community and communicating that information in an actionable way to security and IT professionals.

Chet's experience working with Fortune 500 organizations as a security consultant and network architect places him in an excellent position to share advice with customers about how to secure their networks and data against evolving threats.

Chet Wisniewski's blog: www.sophos.com/blogs/chetw