Showing posts with label Security. Show all posts

Friday, 2 August 2013

SQL flaws remain an Achilles heel for IT security groups

Computerworld - Indictments filed against five persons charged in a massive international hacking scheme indicate that SQL injection vulnerabilities continue to be a huge security Achilles heel for large IT operations.

The residents of Russia and Ukraine were indicted Thursday in connection with the theft of more than 160 million credit card numbers and other financial data from a virtual Who's Who of big business, including NASDAQ, JCP, Carrefour, Discover Bank, Hannaford, Heartland and Dow Jones.

The indictments allege that the victims lost some $300 million over a seven-year period between 2005 and 2012.

In a statement, Paul Fishman, U.S. Attorney for the District of New Jersey, described the attacks as "cutting edge" and called the work a threat to the U.S. economy and national security.

The indictments also suggest that the hackers, in most cases, did not employ particularly sophisticated methods to gain initial entry into the corporate networks. The papers show that in most cases, the breach was made via SQL injection flaws -- a threat that has been thoroughly documented and understood for well over a decade.

The NASDAQ network, for instance, was initially attacked via a SQL injection vulnerability on an online password reminder page. The flaw let hackers access the network without authorization to get a foothold that eventually let them gain full administrative control.

Similarly, initial unauthorized access to corporate networks at Heartland, JC Penney, Wet Seal, Visa Jordan and Diners Singapore came as a result of SQL coding errors. In each instance, the attackers rapidly escalated their privileges on the network to install malware and backdoors for stealing credit card and other data.

Via SQL injection attacks, hackers take advantage of poorly coded Web application software to install malicious code in a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate data entered by a user -- such as when ordering something online or when resetting a password.

An attacker can take advantage of input validation errors to send malformed SQL queries to the underlying database, letting them break into it, plant malicious code and/or access other systems on the network.

SQL injection flaws are relatively simple to fix, once found. The challenge for IT personnel is knowing where to look for them. There are hundreds of places in large Web applications where users can input data, each of which can provide a SQL injection opportunity.
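To make the flaw and its fix concrete, here is an added example (not from the article or from any of the companies it names) of a password-reminder lookup written two ways. The table, the sample rows and the function names are all constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, hint TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice@example.test", "first pet"),
            ("bob@example.test", "home town"),
        ],
    )
    return db


def reminder_vulnerable(db, email):
    """Flawed lookup: the user's input is pasted into the SQL text.

    Any quote character in `email` ends the string literal early, so the
    rest of the input is parsed as SQL instead of being compared as data.
    """
    sql = "SELECT email, hint FROM users WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def reminder_parameterized(db, email):
    """Fixed lookup: the statement text is constant and the input is bound
    to a placeholder, so the driver always treats it as a value."""
    sql = "SELECT email, hint FROM users WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


def compare(db, value):
    """Return (vulnerable outcome, parameterized row count) for one input.

    The vulnerable outcome is a row count, or "error" when the input broke
    the statement. A SQL syntax error caused by a lone quote in a form
    field is a common sign that a query is built by concatenation.
    """
    try:
        vulnerable = len(reminder_vulnerable(db, value))
    except sqlite3.Error:
        vulnerable = "error"
    return vulnerable, len(reminder_parameterized(db, value))


if __name__ == "__main__":
    db = make_db()
    samples = [
        "alice@example.test",    # ordinary input: both versions agree
        "o'brien@example.test",  # legitimate apostrophe breaks the flawed query
        "x' OR '1'='1",          # quote turns the filter into an always-true test
    ]
    for value in samples:
        print(repr(value), compare(db, value))
```

With the placeholder version, the third input matches no row because it is compared literally against the `email` column; with the concatenated version it returns every row in the table.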

Hackers have taken advantage of SQL injection flaws for years because they can be exploited with relative ease. In recent years, SQL injection attacks have consistently ranked as one of the most popular methods for hackers to break into networks.


View the original article here

360 Internet Security 2013

Pros Quick installation, even on malware-infested systems. Attractive interface. Good scores in antivirus tests, both from PCMag and independent labs. Built-in feedback form for reporting any problems.

Cons Identified two legitimate PCMag utilities as Trojans. Proactive Defense behavior monitor displays many popup queries requiring a user decision, for both good and bad programs. Bottom Line With an uncluttered user interface decorated in cheery pastels, 360 Internet Security 2013 is one of the better-looking free antivirus products. It performs its essential antivirus functions well, but an over-enthusiastic behavior-based detection system flags good and bad programs alike.

By Neil J. Rubenking

Qihoo 360 Software is big in China, with nearly a half-billion users, but it's not nearly as well-known in the U.S. That's a bit of a shame, because the company's 360 Internet Security 2013 is an attractive, easy-to-use, free antivirus. Yes, despite the suite-sounding name, it's a standalone antivirus product.

The installer cuts out unnecessary clicks and screens. A single click accepts the license agreement and starts the product installing. It's a quick process. However, the necessary initial antivirus signature update can take quite a while—over 15 minutes on some of my test systems.

360 Internet Security's main window has a modern, flat look and uses cheery pastel colors. The main focus is on three buttons that perform a quick, full, or custom scan. Although the interface is spacious and uncluttered, it actually conveys a lot of information. Small banners in one corner offer statistics on performance and quarantined files. Three icons animate to let you know when each of the three antivirus engines is updating. And you can pull down a high-level set of controls that turn security components on and off.

Minor Installation Bumps
On eight of my twelve malware-infested virtual machines, the antivirus installed with no more than a minor hitch. However, malware on three of the test systems actively terminated the installer every time I tried to launch it. I successfully installed the product in Safe Mode (kudos to Qihoo for allowing Safe Mode installation!). The installation succeeded, but in each case it would not fully update. The final solution involved running a full scan, performing a full uninstall/reinstall, updating malware definitions, and running another full scan.

The remaining system causes problems for every antivirus I test, because ransomware totally covers up the desktop, even in Safe Mode. Qihoo has a bootable rescue CD, but it's strictly Chinese. Given that this rescue CD could have solved the problem, I helped out a bit, working around the ransomware to get the product installed.

A product that breezes through the install process with next to no problems earns five stars for ease of installation. 360 Internet Security did pretty well, enough to earn four stars.

Quite Good Cleanup
This antivirus divides a full scan into five stages: correcting system security settings, checking applications for malware, looking for active threats in memory, evaluating files that launch at startup, and finally scanning all files for malware. It clearly displays which steps have finished, and offers a choice between highest speed and least impact on performance.

On completing a scan it displays a simple list of all malware traces. It doesn't rank them by threat level the way Ad-Aware Free Antivirus+ 10.5 and avast! Free Antivirus 8 do, nor does it aggregate the traces belonging to the same malware the way Comodo Cleaning Essentials 6 and Spybot - Search & Destroy 2.0 do. However, you can get a view of related traces by sorting on the malware type column.

The scanner components in AVG Anti-Virus FREE 2013 and Bitdefender Antivirus Free Edition (2014) remove malware traces upon finding them, as much as possible. 360 Internet Security waits for your permission to clean up the found traces. On almost all of the test systems, the antivirus requested a quick scan after cleanup finished, to catch any "hidden dangers," and then requested a reboot to remove a "stubborn virus."

360 Internet Security detected 75 percent of the malware samples, the same as avast!, Norman Malware Cleaner 2.08, and several others. Its 5.8 point score also matched avast!'s. Bitdefender Free detected 81 percent and scored 6.2 points. The top score among products tested using my current malware collection, 6.6 points, went to Bitdefender Antivirus Plus (2014).

Tested using my previous malware collection, Malwarebytes Anti-Malware 1.70 earned 7.1 points, the top score among all current products. For details about how I run the malware removal test, please see How We Test Malware Removal.

360 Internet Security 2013 malware removal chart



Monday, 29 July 2013

Researcher claims responsibility for security breach at Apple developer website

An independent security researcher claimed responsibility for the security breach incident that forced Apple to close down its Developer Center website last week.

Ibrahim Balic claims that he reported the vulnerability to Apple and didn't act with any malicious intentions, but he confirmed extracting user IDs, names, and email addresses from the website.

On Sunday, Apple announced that an intruder broke into its developer website and attempted to download the personal information of users registered on the site. The site had been offline since Thursday.

"Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed," the company said in a message posted on the site's home page.

Balic, a security researcher who is based in London, tried to clarify his involvement in the incident via Twitter and in a video posted on YouTube.

"This is definitely not a hack attack; I have reported all the bugs," Balic said Monday on Twitter. "I am not an hacker, I do security research," he said in a separate message.

Balic's name is listed on Facebook's acknowledgement page for security researchers who responsibly reported security issues to the company.

"I reported security bugs to Facebook and Opera before over numerous times," Balic said Tuesday via email.

He posted a video on YouTube in order to demonstrate how the exploit works, but he has since removed it because it exposed the information of some users. The title of the video suggested that he had gained access to the details of over 100,000 Apple Developer Center accounts.

"The video is now removed from YouTube," Balic said on Twitter. "I apologize for sharing some of the confidential information."

He confirmed via email that he obtained the names, email addresses and user IDs associated with over 100,000 Apple Developer Center users.

The vulnerability exploited to extract the information was reported to Apple via the company's "Bug Reporter" system along with other issues, Balic said. Apple shut down the Developer Center website four hours after the last report was sent, he said.

Balic claims that the company did not respond to his reports until today, when he received an email saying that the issues are being investigated.

Apple did not respond to a request for comment filed Monday.

Some people on Twitter and in comments on other websites criticized Balic's decision to download over 100,000 user details and the subsequent exposure of the now-removed YouTube video.



Security researcher claims good intentions in hacking Apple Dev Center

Apple has finally explained why its Dev Center has been mysteriously shut down since last Thursday: An intruder broke into the company's developer site in an attempt to steal registered developers' personal information. While Apple says it's in the process of "completely overhauling" its developer systems, updating its server software, and rebuilding its entire database, a Turkish security researcher named Ibrahim Balic has emerged claiming credit for the successful hack -- and claiming he had only the best white-hat intentions.

Balic's tale is reminiscent of other security researchers who claim to have breached a third party's systems or software for the greater good. Whether Apple or affected developers will share his view that he was acting in their best interests (as well as Apple's) remains to be seen; for the time being, it's not crystal clear what went down.

Apple's take on the breach goes like this:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed.... In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database.

Apple has since told TechCrunch that only developer accounts and not iTunes accounts were compromised and no credit card data was stolen. Developers, however, have reported receiving unsolicited password reset requests.

Since Apple revealed the breach, Balic has come forward to claim credit for discovering the vulnerability in the Dev Center site as well as 12 other bugs. He has also posted a video on YouTube (which at time of writing has been set to private), showing he had in his possession developer credentials extracted from Apple's developer database. However, he claims that his intention all along has been to light a fire under Apple's bottom to fix the bugs before a malicious hacker exploited them.

Balic posted his confession to the Comments section of TechCrunch. Following are some excerpts (with spelling and grammar corrected for clarity):

My name is Ibrahim Balic, I am a security researcher. You can also search my name [on] Facebook's Whitehat List. I do private consulting for particular firms. Recently I have started doing research on Apple....

In total I have found 13 bugs and have reported through http://bugreport.apple.com. I gave details to Apple as much as I [could], and I've also added screenshots. One of those bugs has provided me access to users details. I immediately reported this to Apple. I have taken 73 users details (all Apple workers only) and [provided] them as an example. Four hours [after] my final report, [the] Apple developer portal [was] closed down.

Balic claimed that Apple never responded to his reports but has since learned that the company has contacted law enforcement to investigate: "I'm not feeling very happy with what I read and [I am] a bit irritated, as I did not [do] this research to harm or damage," he said. "I didn't attempt to publish or have not shared this situation with anybody else. My aim was to report bugs and collect the data for the [purpose] of seeing how deep I can go within this scope.

"I do not want my name to be in blacklist," he concluded. "I'm keeping all the evidences, emails, and images; also I have the records of bugs that I made through Apple bug report."

Balic appears to have lost sympathy from some observers for two reasons: First, he posted the aforementioned video to the public -- and neglected to redact the names and email addresses he'd collected. (I had a chance to view the video before Balic changed the privacy setting on YouTube.)

Second, Balic claimed in the same admission that he took only 73 users' details and has "100,000-plus user details." That's an obvious contradiction, though whether Balic took 73 users' details or 100,000, Apple developers should be rightly concerned. The Dev Center clearly has been breached by at least one third party, and Apple is worried enough to have shut down the Dev Center for days to pour time and resources into rebuilding the database and overhauling the site.

Developers also may not find much comfort in Apple's assurances that "sensitive personal information was encrypted and cannot be accessed." If cyber criminals have gotten their hands on developers' contact info, they're a step away from getting their hands on associated password information, either via cracking or spear-phishing. The last thing a developer wants is to have a bad guy take control of his or her developer account and attempt to propagate malware in his or her name.

For the time being, we don't know Balic's true intentions. We don't know whether someone other than Balic knew about the vulnerability that enabled him to make off with either 73 or 100,000-plus developers' data. What's clear, though, is that if you're an Apple Developer, you need to be mindful that your account may have been breached and to take necessary precautions to change your password as soon as possible.

This story, "Security researcher claims good intentions in hacking Apple Dev Center," was originally published at InfoWorld.com.



Friday, 26 July 2013

Update: Cisco to acquire security vendor Sourcefire for $2.7 billion

Cisco is set to expand its security software portfolio with the acquisition of Sourcefire in a deal worth $2.7 billion.

The combined company will offer a product set that provides "advanced threat protection across the entire attack continuum -- before, during and after an attack -- and from any device to any cloud," Cisco said Tuesday.

Both companies' boards have approved the acquisition, which is expected to close later this year, according to Cisco's announcement.

Sourcefire has about 650 employees and reported $223.1 million in revenue during 2012. It sells products for network security and malware protection and also offers IPS (intrusion prevention systems) appliances.

The pending acquisition follows Cisco's purchase earlier this year of Cognitive Security, maker of software that employs artificial intelligence to spot threats.

Cisco has made many other security-related acquisitions in recent years. Overall, the company is looking to build out a security services platform architecture that provides a common, aggregated set of tools, said Christopher Young, senior vice president, security group, during a conference call Tuesday.

In the past, "you had a point [security] product for everything you could think about," he said. "This is no longer a market where point product leadership is going to win out."

Today, "the [security] perimeter is vanishing to encompass the mobile network and the cloud," as well as other endpoints that "in many cases, the IT department no longer controls," Young said. "When this is described as a war, it's not an over-exaggeration."

Cisco was also attracted by the "vibrant open-source community" that has sprung up around Snort, the intrusion detection and prevention engine created by Sourcefire's founder and CTO, Martin Roesch, as well as Sourcefire's highly skilled team of vulnerability experts, Young said.

While there are some overlaps between Cisco and Sourcefire's products, the combined company "will offer customers a value proposition far beyond what they've got today," Young said. Further details on how the companies' respective products are to be combined will be released after the deal closes, he added.

Roesch will play a role at Cisco that covers the company's overall security portfolio, and the rest of the leadership team will also join Cisco, according to Young.

While Sourcefire has built up a commercial business around Snort, the software "will remain free" following the deal's close, Roesch said on the call.



Friday, 19 July 2013

Bitdefender Total Security (2014)

Pros Good results in PCMag antivirus tests; great results in independent tests. Accurate spam and phishing protection. Tough, no-hassle firewall. Full-scale parental control. Facebook monitoring. Private data protection. Password management. Secure browser. Vulnerability scan. File backup and sync. File encryption. Secure deletion. System tune-up. Anti-theft.

Cons Some difficulty installing on malware-infested systems. Default firewall configuration omits some protections. Password management limited. Some impact on performance. No drag/drop to encrypt or shred files. Bottom Line With Bitdefender Total Security (2014) you get all the standard security suite features plus file backup and sync, file and folder encryption, system tune-up, and even anti-theft protection. All of the components work well; it's a winner.

By Neil J. Rubenking

The phrase "security suite" covers a lot of ground. Antivirus and firewall are essential components, and some suites don't go much beyond those basics. Others add just about every security feature you might want, and then some. Bitdefender Total Security (2014) ($79.95 per year for three licenses) falls into the latter category, the kind of product I call a "mega-suite," and its many components all do their jobs well.

At first glance, this product hardly looks different from the less feature-rich Bitdefender Internet Security, or even from the standalone Bitdefender Antivirus Plus. All three reflect current security status with a green, yellow, or red banner, and all three display four panels at a time, representing four security components; a slider lets you bring the other components into view. The antivirus has a total of six component panels, the basic suite brings that number up to nine, and Total Security maxes out with a dozen panels. You can rearrange the order of the panels so that your four favorites are the ones that appear at startup.

Like Norton, Kaspersky, and others, Bitdefender has stopped using a version number or year in the product title. To help distinguish this review from later no-number reviews, I've appended "(2014)" to the name.

Shared Antivirus Protection
Bitdefender Total Security's antivirus protection is exactly the same as what you get from Bitdefender Antivirus Plus (2014). For full details on the shared features, please read that review. Here, I'll just summarize.

Getting Bitdefender installed on twelve systems crawling with malware required some help from tech support, especially for one system that was temporarily disabled by the install-time scan. A product that installs hassle-free gets five stars for ease of installation; Bitdefender earned three stars.

In my malware removal test, Bitdefender scored 6.6 points, the best of any product tested using my current collection of malware samples. Tested using my previous collection, Norton 360 (2013) and Webroot SecureAnywhere Complete 2013 also scored 6.6, as did Comodo Internet Security Complete 2013.

For a full explanation of my malware blocking test, see How We Test Malware Removal.

Bitdefender Total Security (2014) malware removal chart

Bitdefender's Web-based scanner detected 91 percent of the malicious URLs I tried to visit, which is very good. In my full malware-blocking test it earned 9.0 points. Of products tested with the same malware samples, only Ad-Aware Pro Security 10.5 did better, with 9.4 of 10 possible points. Webroot beat all products tested with the previous malware collection, scoring an impressive 9.9 points. The article How We Test Malware Blocking explains my testing methodology.

Bitdefender Total Security (2014) malware blocking chart

In tests by the independent antivirus labs, Bitdefender outscores all other vendors. The chart below summarizes recent lab test results. For more information about the labs and their tests, see How We Interpret Antivirus Lab Tests.

Bitdefender Total Security (2014) lab tests chart

