Many agree Adobe has never responded to security vulnerabilities in their popular products quickly. Known vulnerabilities would take weeks and in some cases months before being addressed. Most recently in February Adobe confirmed a known vulnerability in their Acrobat PDF software and admitted the vulnerability is actively being used by hackers. Brad Arkin, Adobe’s director for product security and privacy mentions this event is what prompted a new security practice.

Adobe has started reviewing the code in Adobe Reader and Adobe Acrobat products and is identifying “at-risk areas” that will be addressed and ultimately re-written. “We’re going to broadly look at the whole application, but focus on at-risk areas, where we’ll do threat modeling, static code analysis and look for potential vulnerabilities,” said Arkin. “We’re going to do a lot more pro-active work,” he promised. “We want to shake loose vulnerabilities.”

Arkin promises a regular patching cycle and in fact will deliver patches the same day as Microsoft. Although their patch cycle is quarterly, not monthly, the patches will be delivered the second Tuesday of the month. This schedule has not officially started.  Arkin also mentioned JavaScript will not be disabled by default in future builds of Adobe Acrobat products.

More information on Adobe Acrobat’s new security initiative can be found on Adobe’s Asset blog.

Author: Christopher

(1 votes, average: 5.00 out of 5)

 Loading ...

A laptop reported missing on July 26th containing personally identifiable information on some 33,000 airport travelers has been found.  The unencrypted laptop was found more than a week later in the Transportation Security Administration office from which it had disappeared.  The questions on everybody’s mind are, was the laptop ever really missing or was it simply mis-placed, and should we assume that the data on it has been compromised.  The data comprises information on applicants to the TSA’s fast-pass security pre-screening program, and includes names, addresses, birth dates, driver’s license, and passport or green card numbers.

A week is more than enough time for someone to copy the relevant data, then wait for an opportune time to return the laptop.  Maybe the thieves hope that by returning the laptop, the company would attempt to conceal the fact that the laptop was missing, thereby avoiding the embarrassing admission that it was left unencrypted and in an apparently insecure location.  This would mean that the potential victims would never know that their personal data was compromised, thus there would be no impetus to scrutinize their accounts and monitor their credit.

Fortunately, the company has disclosed the fact that the laptop was missing, and is notifying the applicants whose data may have been compromised.  This will help mitigate the damage if the data was indeed stolen.  This incident is one more in a chain of events over the last few years where unencrypted data on laptops and PDAs has potentially fallen into the hands of identity thieves when the devices were lost or stolen.

Author: Christopher

(No Ratings Yet)

 Loading ...

Lifeblood – Memphis, TN
Over 320,000 blood donor records missing and assumed stolen.

Tenet Healthcare Corporation – Dallas, TX
An ex-employee was confirmed to have stolen 37,000 records with patient names and personal information.

Long Island University – Brookville, NY
30,000 tax records are considered compromised because of defective mailers with missing adhesive on one side.

Source: Privacy Rights Clearinghouse

Author: Christopher

(No Ratings Yet)

 Loading ...

HP Australia has warned that optional USB keys shipped with some of its Proliant servers are infected with malware, bringing attention to the growing use of USB drives as a means to distribute viral infections.

The low risk worms, Fakerecy and SillyFDC, were found in a batch of 256MB and 1GB USB keys that shipped with the servers. It is undetermined how many infected keys, used for installing optional floppy-disc drives to servers, were distributed. An infected machine in the manufacturing factory is the likely cause of the incident.

The malware distributed is not considered an enormous threat, due in part to the low number of estimated users still utilizing floppy disk drives for data storage and that most hackers don’t find the virus valuable.

This is not the first incident of infection to come out of the factory; others have involved digital photo frames and similar products. Anti-virus software, if up to date, should detect both of the viruses involved in the Proliant USB attack as long the computer security software was installed after the floppy disk was added. Disabling autorun thwarts both Fakerecy and SillyFDC and may be the better option.

HP’s advisory, via local security clearing house AUSCert, can be found here. The SANS Institutes’s Internet Storm Centre has advice on avoiding USB malware-related peril here.

Author: Christopher

(No Ratings Yet)

 Loading ...

Late in December 2007, something Roger Thompson of Grisoft characterized as “a pretty good mass hack” compromised tens of thousands of websites, including edu and gov domains, with an automated SQL injection. The hack exploited a Microsoft SQL Server vulnerability that was over a year old, one that was patched in early 2006 by the MS06-014 security update. The hack injected into SQL databases an SQL iterative loop with a JavaScript tag that appends itself to every column of text. The script instructs browsers reaching the site to execute another script hosted on a malicious server. From what is known, those hacked appeared to share little in common except a common weak spot in their SQL server databases. Since those hacked are not bragging about it, the identities of the hackers as well as the actual purpose of the hackers was, and is, unclear.

Although the mass hack was cleaned up in record time, quickly relieving many fears of disastrous consequences, the possibilities from the hack may have been broader than what actually took place. One professional web developer responding on Thompson’s blog anxiously noted, “Looks like exploits for Y! Messenger, IE TIFF overflow and RealPlayer are also in there. Yikes.” Symantec and other experts analyzing the JavaScript itself agreed that the malicious script targeted a RealPlayer bug, one much more recent that the server vulnerability. The RealPlayer bug targeted had been found and fixed in October 2007, only a couple of months before the hack.

Those hacked were not simply at-home users or amateur server owners. According to Thompson, who reported the hack on January 5, 2008, “some victims were pretty sophisticated in terms of security smarts, including, apparently, some Computer Associates pages.” While it appears that no seriously harmful damage resulted from this particular hack, its massive size leaves many users troubled about other equally vulnerable bugs that may exist in their own server farms.

Author: Christopher

(No Ratings Yet)

 Loading ...

A recent article on Forbes talks about a Lieutenant Colonel of the Army purchasing Apple Macintosh computers to decrease their risk of exploitation. Primarily in response to the recent security breach of the Pentagon back in June as well as a few other incidents. It is widely discussed that Macintosh computers are more secure than Windows & Linux based computers because fewer vulnerabilities exist for the Mac platform.

What I never hear talked about in these discussions is the alarming fact that Macintosh had five and a half more vulnerabilities per month on average than Windows throughout the year 2007. You can see the details and the numbers in a recent ZDNet article. It is quite common to see Macintosh users without any active Malware (Anti-Virus, Worm, Trojan, Spyware) protection.

Back in April 3Com held a short lived contest that resulted in compromising a fully patched Macintosh laptop for a prize of $10,000 and the MacBook.

Author: Christopher

(No Ratings Yet)

 Loading ...