General discussion

NEWS - August 31, 2010

Google disputes bug patching report

"IBM's X-Force admits mistake, now says Google patched all disclosed vulnerabilities in the first half of 2010"

Google on Monday said that a recent report claiming it failed to patch a third of the serious bugs in its software had the facts wrong.

IBM's X-Force security company, which released the report last week, acknowledged the error and issued a revised chart that shows Google patched all the vulnerabilities rated "critical" or "high" in its online services.

"We questioned a number of surprising findings concerning Google's vulnerability rate and response record, and after discussions with IBM, we discovered a number of errors that had important implications for the report's conclusions," said Adam Mein, a security program manager at Google, in an entry on a company blog .

Last week, X-Force's report claimed that 9% of all Google bugs disclosed in the first half of 2010 were unpatched, and 33% of the vulnerabilities ranked as critical or high had not been fixed.

According to IBM's revised tabulations, Google patched every vulnerability revealed in the first six months of this year.

"After we released our trend report ... we received feedback from two software vendors regarding the severity and remedy information for some of the vulnerabilities behind this chart," said Tom Cross, a researcher with X-Force, in a mea culpa blog posted on Saturday. "As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart."

Continued :

Also : Unpatched security holes: IBM re-evaluates
Discussion is locked
Reply to: NEWS - August 31, 2010
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - August 31, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Fake TweetDeck update preys on Twitter users

It was a Bank Holiday weekend here in the UK meaning that we had the pleasure of a longer break than normal, with Monday not being a normal working day.

But it appears that at least one bunch of criminals weren't resting on their laurels as they spread links pointing to what they claimed was an update to the popular Twitter client, TweetDeck.

? Hurry up for tweetdeck update!
? Update TweetDeck! Bank Holiday
? Critical tweetdeck update Bank Holiday
? Sorry for offtopic, but it is a critical TweetDeck update. It won't work tomorrow!


The tweets are being posted from hacked Twitter accounts, and do not link to a legitimate update for TweetDeck. Instead, unsuspecting users are putting themselves at risk of infection by a Trojan horse which Sophos detects as Troj/Agent-OOA.

TweetDeck has reminded its users that they should only download updates from its official website.

It's possible that the malicious hackers who spread the attack are taking advantage of Twitter ceasing support for basic authentication in their API today, meaning users have to be using a Twitter client which uses OAuth.

Regarding this particular attack, Twitter says it is resetting the passwords of accounts that it has seen distributing the dangerous link.

Continued @ Graham Cluely's Blog :

Also: Fake TweetDeck update lures prompt password resets

- Collapse -
TDSS Pretending To Be Tweetdeck Update

Timing is everything?especially if you?re trying to spread malware. Last week, the developers of the popular Twitter application Tweetdeck notified users that due to changes in the supported authentication protocols by Twitter, users of older versions would have to upgrade.

Naturally, cybercriminals latched onto this bit of news and sent out their own tweets saying the same thing. However, their malicious tweets contained a URL-shortened link to what was supposedly a Tweetdeck installer named tweetdeck-08302010-update.exe:
[Twitter Search Results]

This particular file, however, is not a legitimate installer but a TDSS variant detected as TROJ_TDSS.FAT. The TDSS malware family functions as rootkits that are able to take complete control of affected systems; in addition their complexity and sophistication makes these malware difficult to remove.

Tweetdeck has officially warned their users not to fall prey to this attack. In addition to detecting the malicious ?installer?, the website hosting it has been blocked as well.

As Posted @ TrendLabs Malware Blog:

- Collapse -
New Zero-Day Vulnerabilities Imminent

An independent group of security researchers has announced that they will be releasing zero-day vulnerabilities, web application vulnerabilities, and proof-of-concept exploits for patched vulnerabilities throughout the month of September. Many high-profile vendors such as Adobe, Apple, Microsoft, and Mozilla are among those whose products will apparently have vulnerabilities revealed in the month.

According to Trend Micro researcher Rajiv Motwani, the vulnerabilities that will be announced will be a collection of old and new ones, with Microsoft being a major target. The new vulnerabilities can be considered as zero-day flaws, and will leave users vulnerable until a vendor patch is offered and applied. However, this process may take some time, until then users should use any suggested workarounds.

It is also believed that detailed information for recently released advisories will also be published. The chances are that the released information mayinclude proof of concept code, making exploits more likely. Exploit packs on malicious and compromised websites will probably include these new exploits as well.

Continued @ TrendLabs Malware Blog:

- Collapse -
Researchers slate 'month of bugs' launch for Wednesday

"Claim to have unpatched vulnerabilities in Excel, IE and other Microsoft, Apple and Mozilla software"

Starting tomorrow, a little-known group of security researchers will kick off a month of bug disclosures that target unpatched vulnerabilities in software from Adobe, Microsoft, Mozilla, Apple and others.

But the researcher who came up with the idea of month-long bugfests four years ago isn't optimistic that reviving the practice will have much of an impact on the general state of computer security.

The "Month Of Abysssec Undisclosed Bugs" (MOAUB) will feature flaws in Microsoft's Excel and Internet Explorer, the Linux-based cPanel Web hosting control panel, and other software, said Abysssec Security Research in a post to the firm's blog earlier this month.

"They're threatening -- at least, the companies affected will see it as a threat -- to release vulnerabilities on all kinds of software, from desktop applications to browsers," said Jamz Yaneza, threat research manager at Trend Micro, today.

Microsoft, which figured prominently in the MOAUB announcement, said it's aware of the group's plan. "As always, if and when a vulnerability is publicly disclosed, Microsoft will take immediate action to determine the appropriate response for our customers," said Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC).

Continued :

- Collapse -
Major Disruption of Pushdo Botnet Wasn't The Original Goal

"Botnet's spam traffic cut by 80 percent "

The researchers who successfully shut down much of the Pushdo botnet's infrastructure last week didn't go in planning to take down a large chunk of the botnet -- that was a secondary but major byproduct of some related botnet research they were conducting.

Thorsten Holz, senior threat analyst at LastLine and assistant professor of computer science at Ruhr-University Bochum, Germany, says he and his colleagues were working on a research project involving various botnets, including Pushdo, MegaD, and Rustock, matching infected IP addresses with their respective botnets. They decided to they needed C&C servers to evaluate an algorithm they were developing for the project, which ultimately led them to decide to take down some Pushdo C&C servers to assist their research, he says. "Pushdo's command and control infrastructure turns out to be pretty vulnerable to takedown efforts, so we identified the C&C servers in eight different hosting providers," Holz says. "It was the ideal target to get the servers down and analyze the data."

"It was not our goal to completely take down the entire botnet. We were looking for insights into it to learn more about command and control servers," he says.

The Pushdo C&C servers provided just the data the researchers needed to test their new tool. "It was unclear to what extent we [could] disturb the Pushdo operation, and we were positively surprised that it worked that well," Holz says.


Related : Huge spamming botnet injured but still alive

- Collapse -
Google's New Priority Inbox Hits a Snag

The buzz this morning isn't Google's Buzz, but its new Priority Inbox feature for the company's Web based Gmail messaging service. The new feature allows heavy e-mail users to filter out and prioritize important messages. But the search giant has already hit a snag in releasing it to the public.

Users of the new feature found that a fun, instructional YouTube video used to explain the new feature was loading, invisibly, in their Chrome browser every time they logged into Gmail with the Priority Inbox feature enabled.

The video, which can be viewed here, is harmless but led to some head scratching and complaints from Gmail users, who struggled to figure out why rag time was playing every time they went to check their e-mail, as documented on a number of Google support threads.

"Whenever I sign into my Gmail using Chrome, music automatically starts playing. This is a new issue. It's like old time dance music. Occasionally there will be a sound effect like a click, a bubble, cards shuffling, a dog growling, " a support group user with the handle barnolde wrote.

Continued :

- Collapse -
Twitter API has new third party sign-on method

Users of obscure third-party Twitter applications may be surprised to find that their apps no longer work, if the app creators of those apps haven't been keeping up with changes in the Twitter API (application programming interface).

Microblogging service Twitter is in the final stages of migrating its sign-on service for third party applications to a different of authentication protocol, called OAuth.

Users logging through the Twitter Web site will not notice the difference, nor should users of third-party apps that have already made the switchover, including many popular ones such as TweetDeck, Twitterrific, Seesmic, and Twitter for Android. But if the app hasn't been updated in a while, and still requires a Twitter user name and password, then it will probably stop working correctly.

Over the past month, Twitter has periodically lowered the number of data requests that apps could make to Twitter each hour, as a way of weaning third-party application developers from the old authentication procedure, called Basic Auth. As of 8 AM Pacific time, Tuesday, Twitter will reject any requests from third-party applications that use Basic Auth.

"Basic Auth for Twitter is almost history. Rate limits are down to 15 requests/hour, and will be 0 by tomorrow," wrote Twitter creative director Doug Bowman in a short post on the Twitter site Monday. The rate limit for OAuth is 350 requests per hour.

Continued :

- Collapse -
Email still the top source of data loss

Email continues to be the number one source of data loss risks in large enterprises as more than a third (35 percent) investigated a leak of confidential or proprietary information via email in the past 12 months, according to Proofpoint. [Screenshot]

At the same time, the number of data loss events associated with social media channels continued to increase. Employee misuse of email, work-owned mobile devices, and popular social media tools including Facebook, LinkedIn, Twitter, video sharing sites, forums and blogs resulted in an increasing number of disciplinary actions?including termination?as enterprises demonstrate increasing concern about securing sensitive data.

Despite a growing awareness of data loss risks, large enterprises continue to be impacted by data loss at a surprising rate:

? Thirty-six percent of respondents said their organization was impacted by the exposure of sensitive or embarrassing information in the past 12 months.
? Thirty-one percent of respondents said their organization was impacted by the improper exposure or theft of customer information in the past 12 months.
? Twenty-nine percent of respondents said their organization was impacted by the improper exposure or theft of intellectual property in the past 12 months.

Continued :

- Collapse -
Hackers Focus on Misconfigured Networks, Survey Finds

"Misconfigured networks are the most popular target for hackers, according to a survey taken at the DEFCON security conference in July."

Ever wonder what IT resource is the easiest for hackers to exploit? According to a survey of attendees of the annual DEFCON security conference, the answer is misconfigured networks.

The survey was conducted by Tufin Technologies, and polled 101 attendees at DEFCON 18 in July. Seventy-six percent named misconfigured networks as the easiest IT resource to attack.

Fifty-seven percent of those surveyed said network misconfiguration was caused by IT staffers not knowing what to look for when assessing the security posture of the network. Another 18 percent believe misconfigured networks are the result of insufficient time or money for audits, while 14 percent felt compliance audits that fail to capture security best practices are a factor.

The rest do not think security can keep up with the threat landscape.

?The really big question coming out of the survey is how to manage the risk that organizations run dealing with the complexity that is part and parcel of any medium-to-large sized company?s security operations,? said Reuven Harrison, chief technology officer at Tufin, in a statement.

Outside of attacking Web sites, 43 percent agreed planting a malicious insider in a company is the latest and most successful form of commercial hacking.

Continued :

Also : Misconfigured networks main cause of breaches

- Collapse -
Computer problems last at DMV, other Va. agencies

A massive failure of the state's problem-plagued centralized computers continued to hit several state agencies Tuesday, making it difficult for Virginians to get a driver's license or file tax returns and make payments.

The Virginia Information Technologies Agency has been trying since Wednesday to fix the computer outage that affected nearly 30 state agencies. The outage also prompted Gov. Bob McDonnell to call for an independent third party to investigate the problems, including whether contractor Northrop Grumman should reimburse the state for lost business and productivity.

As of Tuesday, computer problems continued to affect the Department of Motor Vehicles, the Department of Taxation and the State Board of Elections. Other agencies also were experiencing minor issues relating to the failure at VITA's large suburban Richmond computing center, one of several data storage systems in different parts of Virginia.

Teams are trying to get all the agencies completely up and running and are making significant progress, Virginia's Secretary of Technology Jim Duffey said in a statement. He asked for "continued understanding and patience of state employees and citizens as this work continues."

The outage has left people unable to get or renew driver's licenses or identification cards at the DMV's 74 customer service centers. About 5,000 license or ID cards expired as of Monday without being able to be renewed, spokesman Melanie Stokes said.

Continued :

Also : Virginia IT woes drag on; Northrup Grumman grateful for the patience

CNET Forums