The massive security breach at TJX Companies Inc. that exposed more than 45 million customers to identity fraud is hitting the bottom line big-time, if the company's second-quarter earnings report is any indication.
The Framingham, Mass.-based retail giant acknowledged it has spent $256 million dealing with the breach, which was first disclosed in January. That's more than 10 times the $25 million figure TJX cited in May.
TJX said the expenses went into battening down its computer system and responding to a growing list of investigations and lawsuits against it.
According to TJX's latest earnings report, costs related to the data theft in the second quarter bit into TJX's profit by $118 million. Still, TJX said, strong sales continued during the same period, which it cited as proof that customers aren't walking away.
TJX has acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The company gave a tally of the damage in a regulatory filing with the Securities and Exchange Commission (SEC) in March, and also acknowledged that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information.
The attackers reportedly began their assault on TJX by exploiting Wi-Fi weaknesses at a Marshalls clothing store near St. Paul, Minn. Investigators believe the thieves aimed a telescope-shaped antenna at the store and used a laptop to snatch data transmitted between hand-held price-checking devices, cash registers and the store's computers. The exploit eventually led them into the central database of TJX, where they would repeatedly rob the system of sensitive customer data.
Friday, August 31, 2007
Latest Microsoft flaws affect Windows, IE, Excel
Microsoft released nine security updates Tuesday for flaws in Internet Explorer, Excel and other programs within the Windows OS. Attackers could exploit the most serious flaws to hijack targeted machines and launch malicious code, the software giant warned.
Six updates address critical flaws, which Microsoft typically describes as those an attacker could exploit to take complete control of an affected system to install programs; view, change, or delete data; or create new accounts. The rest of this month's updates are rated important.
Amol Sarwate, manager of vulnerability research for Redwood Shores, Calif.-based security firm Qualys, said IT administrators should put the most urgency on deploying MS07-046, which fixes a flaw in how Windows' Graphics Rendering Engine handles specially crafted images.
Microsoft said an attacker could exploit the flaw by constructing a specially crafted image that could potentially allow remote code execution if a user opened a specially crafted attachment in email, and that a successful attacker could take complete control of an affected system. All supported editions of Windows are affected except for Windows 2003 Server Service Pack 2 and Windows Vista.
"This is a flaw that affects the core of the Windows Graphics Library, so it should really be on the top of the list," he said, adding that IT shops should also patch the latest Internet Explorer and Excel flaws as soon as possible, since those programs are so widely used.
Sarwate said this month's security updates reflect a continuing trend toward more Web-centric vulnerabilities, with more cracks being discovered in image files, media players and browsers. Agreeing with him is Dave Marcus, security research and communications manager for McAfee Avert Labs.
"Many of the vulnerabilities addressed by Microsoft's fixes could be exploited if a Windows user simply visits a malicious Web site," he said in an emailed statement. "Microsoft's patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need for safe browsing habits."
In addition to MS07-046, the "critical" security updates are:
MS07-042, which fixes a flaw attackers could exploit by luring Internet Explorer users to a specially crafted Web page. Specifically, the vulnerability could be exploited by attacking Microsoft XML Core Services. The flaw affects all supported editions of Windows 2000, Windows XP, Windows Vista, Microsoft Office 2003, and the 2007 Microsoft Office System.
MS07-043, which fixes a flaw in Object Linking and Embedding (OLE) attackers could exploit to run malicious code on targeted machines. This flaw affects all supported editions of Windows 2000, Windows XP, Microsoft Office 2004 for Mac, and Visual Basic 6. "This security update addresses the vulnerability by adding a check on memory requests within OLE automation," Microsoft said in its advisory.
MS07-044, which fixes flaws in Microsoft Excel. Attackers could exploit the flaw to launch malicious code if a user opens a specially crafted Excel file, Microsoft said. The update is critical for supported editions of Microsoft Office 2000, and important for supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, and Excel Viewer 2003. Microsoft addressed the problem by modifying the way that the program handles specially crafted Excel files.
MS07-045, a cumulative update for Internet Explorer that fixes flaws attackers could exploit to launch malicious code when a user views a specially crafted Web page with the browser. "The security update addresses two vulnerabilities by setting the kill bit for ActiveX controls, and addresses a third vulnerability by modifying the way Internet Explorer handles certain strings in CSS files," Microsoft said.
MS07-050, which fixes a flaw in the Vector Markup Language (VML) implementation in Windows. "The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer," Microsoft said. The update affects supported releases of Internet Explorer 5.01, Internet Explorer 6, and Internet Explorer 7.
The "important" security updates are:
MS07-047, which fixes two flaws in Windows Media Player. "These vulnerabilities could allow code execution if a user viewed a specially crafted file in Windows Media Player," Microsoft said.
MS07-048, which fixes several Windows Gadgets flaws. "If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget, added a malicious contacts file in the Contacts Gadget or clicked on a malicious link in the Weather Gadget, an attacker could potentially run code on the system," Microsoft said.
MS07-049, which fixes a flaw in Microsoft Virtual PC and Microsoft Virtual Server that could allow a guest operating system user to run code on the host or on another guest operating system. Microsoft noted that only guest operating system users who are granted administrative permissions to the guest operating system would be able to exploit this vulnerability. The update affects all supported releases of Microsoft Virtual PC 2004, Microsoft Virtual Server 2005, Microsoft Virtual Server 2005 R2, Microsoft Virtual PC for Mac Version 6.1, and Microsoft Virtual PC for Mac Version 7.
Inside MSRC: Microsoft releases searchable update database
Microsoft's Christopher Budd explains the software vendor's new Update Catalog, a searchable database of all Microsoft security updates, drivers, and service packs. Also a look at this month's updates.
For August 2007, we are releasing nine new security bulletins as part of our standard monthly bulletin release. In addition, we are re-releasing one security update from July 2007. Finally, we are releasing a security advisory to make you aware of a new update that can help improve your overall security.
To help you assess this month's release, I'll cover the re-release and the security advisory. I'll also cover the changes in functionality in two of this month's Critical new security updates as well.
First, I want to mention our detection and deployment tools so you are aware of the latest deadlines and new offerings.
SUS 1.0 Expiration
I want to explain the expiration of support for Software Update Services (SUS) 1.0 that I mentioned in last month's column.
Last month's bulletin release marked the end of support for SUS 1.0. This means that starting with this month's release, new updates, including security updates, will NOT be available through SUS 1.0. We hope that everyone has migrated to a supported version of Windows Server Update Services (WSUS): either WSUS 2.0 or the new WSUS 3.0. If you have not migrated, we encourage you to do so right away because your SUS 1.0 clients will not receive this month's security updates or any future security updates.
Microsoft Update Catalog
This new tool can help you deploy updates including security updates. The Microsoft Update Catalog is a searchable catalog of all security updates, drivers and service packs that are available through Windows Update (WU) and Microsoft Update (MU). You can also use the Microsoft Update Catalog to obtain and deploy hotfixes. You can use the Microsoft Update Catalog to distribute these updates through a corporate network using tools such as WSUS 3.0, System Center Essentials (SCE) or System Center Configuration Manager (SCCM).
The Microsoft Update Catalog expands the capabilities of your update deployment infrastructure and provides the capability to deploy hotfixes to address known issues in security updates when they occur. We encourage all who are using WSUS 3.0, SCE or SCCM to evaluate the Microsoft Update Catalog for their environment.
Expiration of Support for MBSA 1.2.1
I also want to remind you again of the upcoming expiration of support for Microsoft Baseline Security Analyzer (MBSA) 1.2.1 on Oct. 9, 2007. Once again, we encourage all customers to upgrade to MBSA 2.0.1, the latest version of MBSA.
Microsoft Security Advisory (932596)
We are releasing one security advisory today: Microsoft Security Advisory (932596). This is to make customers who run x64-based Windows operating systems aware of an update for Kernel Patch Protection.
This update adds additional checks to Kernel Patch Protection for increased reliability, performance and security. We periodically make updates to improve the security of Kernel Patch Protection. While this update does not address security vulnerabilities in Kernel Patch Protection, it contains changes that help improve security. So, we are releasing Microsoft Security Advisory (932596) to help customers who run x64-based Windows operating systems so they are aware of this update, and to encourage them to test and deploy it.
Re-Release of MS07-038
We are re-releasing MS07-038, the security update for the Windows Vista Firewall from July 2007. There are no changes to the update itself; the update as originally released protects against the vulnerability discussed in the bulletin. We've made changes to the installer for this update to address installation issues that a very small number of customers were experiencing. These are outlined in Microsoft Knowledge Base Article 935807. If you've already applied this update then you do not need to take any action. However, if you were experiencing the issues outlined in the article, you should go ahead and apply the updated version.
Severity ratings and killbits for Microsoft Internet Explorer Bulletin MS07-045
For the new security updates this month, I call your attention to information about this month's Microsoft Internet Explorer security update for your risk assessment and your testing and deployment.
Specifically, while this bulletin is rated as "Critical" for Internet Explorer 5.01 and Internet Explorer 6 on Windows XP Service Pack (SP) 2, it is rated as "Important" for Internet Explorer 7 on Windows XP SP2 and Windows Vista. Further, because of the Enhanced Security Configuration (ESC) on Windows Server 2003 SP1 and SP2, this is rated as "Moderate" for these platforms when running Internet Explorer 6 and "Low" when running Internet Explorer 7.
Next, in addition to addressing the security updates discussed in the bulletin, this month's IE update sets the killbit for a number of ActiveX controls:
ouactrl.ocx: a control that is out of support
The CAPICOM control addressed in Microsoft Security Bulletin MS07-028
The Download Manager ActiveX control, available from Akamai Technologies
An ActiveX control available from Lenovo
An ActiveX control available from Motive Incorporated.
Please see security bulletin MS07-045 for more information on these ActiveX controls.
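A killbit is a per-CLSID flag that stops Internet Explorer from instantiating a control, and a patched host can be audited for it directly in the registry. The following PowerShell check is an added example, not code from the column or from Microsoft; the CLSIDs in it are placeholders, and the real ones come from the MS07-045 bulletin.

```powershell
# Added example: audit whether the ActiveX killbit is set for a list of CLSIDs.
# A control is killbitted when bit 0x400 is set in the "Compatibility Flags"
# DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
$KillBitFlag = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Clsid
    )
    foreach ($id in $Clsid) {
        $keyPath = Join-Path $BasePath $id
        $flags = 0
        if (Test-Path $keyPath) {
            # A missing value means no compatibility flags, i.e. no killbit.
            $item = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($item) { $flags = [int]$item.'Compatibility Flags' }
        }
        [pscustomobject]@{
            CLSID      = $id
            Flags      = ('0x{0:X}' -f $flags)
            KillBitSet = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

# Placeholder CLSIDs (constructed for this example); replace them with the
# CLSIDs listed in security bulletin MS07-045 before running the audit.
$controlsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)
Test-ActiveXKillBit -Clsid $controlsToCheck | Format-Table -AutoSize
```

On x64 Windows the 32-bit browser reads the same key under HKLM\SOFTWARE\Wow6432Node\..., so point $BasePath there as well when auditing 32-bit Internet Explorer on a 64-bit host.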
Functionality changes for Windows Media Player Bulletin MS07-047
Next, for your testing and deployment, I wanted to make you aware of a change to functionality in this month's security update for Windows Media Player, MS07-047.
For more information about this change, please see Microsoft Knowledge Base Article 940893.
Conclusion
In closing, I want to encourage you to join me and Mike Reavey on Wednesday, Aug. 15, at 11 a.m. Pacific Time. Like we do each month, we'll review the bulletin in more depth and answer your questions with information from our subject matter experts. If you can't join us for the live webcast, don't forget that you can listen to it later on demand. You can register for the webcast here.
Be sure to mark your calendars for the September 2007 bulletin, which will release on Tuesday, Sept. 11th. I'll be joining you here again in September with information to help you plan and deploy the release for your environment.
Novell To Acquire Senforce For Endpoint Security
Novell today announced the acquisition of endpoint security vendor, Senforce Technologies Inc., in a deal that would integrate Senforce into an endpoint security suite.
Terms of the deal were not released. Novell and Senforce launched ZENworks Endpoint Security Management, during a recent partnership development. The endpoint software package was designed for corporate networks.
Draper, Utah-based Senforce was one of the early vendors developing network access control (NAC) technologies. Senforce, and a host of other smaller vendors, such as Elemental Security Inc., and Lockdown Networks Inc., have been competing with Microsoft, Juniper Networks Inc., McAfee Inc. and Cisco Systems Inc., to sell NAC systems. Each vendor configures NAC differently.
In recent years NAC has extended to securing the endpoint with removable device and wireless control features, application control, encryption, and personal firewalls.
Interest in deploying NAC is ultimately prompting vendors to make acquisitions to develop an endpoint security strategy, said Natalie Lambert, a senior analyst for Cambridge, Mass.-based Forrester Research Inc. Ultimately, NAC will fold into client management products to be the access control solution dictated by policies in the client management suite, Lambert said.
"A lot of endpoint security functionality and tools are being handled by the operations group," Lambert said. "Customers are demanding this because they now have one set of staffers managing this area and they want a single set of tools to be able to best manage their environments."
Prior to the acquisition, Novell shared a close partnership with Securewave for application device control. Securewave was acquired by Patchlink in June.
A lot of the major vendors have made acquisitions to bolster device security and data leakage protection when devices enter a corporate network. Symantec jumped in early, acquiring a number of point solutions including Sygate in 2005. McAfee acquired Onigma and several other point solutions in 2006.
"This is really a move for [Novell] to become one of the players that can compete against Altiris and others," Lambert said. "This is something they should have done early and hopefully they've done early enough to be a competitor."
Altiris is a provider of IT service-oriented management software with an emphasis on network security management.
Senforce's ZENworks Endpoint Security Management software conducts automated encryption policy enforcement at the desktop, regardless of whether a user is on or off-line. The software also includes tools for removable device security, personal firewalls, wireless security and application control to secure the network.
"Combining Senforce's technology with Novell's existing systems and resource management solutions creates a new level of control and protection for our customers," Joe Wagner, senior vice president and general manager at Novell, said in a statement.
Apple iPhone To Provoke Complex Mobile Attacks, Expert Warns
Though mobile malware has been circulating for more than three years, Mikko Hypponen has seen no evidence of phones being targeted for the type of profit-motivated attacks PC users have suffered at the hands of botnets, rootkits and self-spreading worms. But he believes more sophisticated mobile phone attacks are coming, with the bad guys emboldened by the current craze over Apple's iPhone.
As director of antivirus research for Helsinki-based F-Secure Corp., Hypponen has been a leading voice on the dangers of mobile malware, repeatedly warning IT professionals to prepare for attacks where phone infections could be passed to company networks. He repeated those warnings Thursday at the Usenix Security Symposium in Boston, predicting that attackers will be inspired by the iPhone's popularity.
"The iPhone has really put the concept of smart phones on the table, especially in the United States," he said in an interview with SearchSecurity.com. "The amount of hype around the iPhone is pretty unbelievable, so it's a given that people will continue to play around with it and find ways around the security features of the phone. It's quite likely that we'll see iPhone malware sooner or later."
The security of the iPhone has been the topic of much debate in the information security community, and late last month a group of security researchers unveiled a couple of simple ways to take complete control of the iPhone. The results were the first real success researchers have had in trying to find ways to exploit the new device, which lacks many of the common user interfaces and inputs that hackers rely on for successful attacks.
Hypponen is among the legions of experts picking the phone apart in search of weaknesses. One of his more encouraging observations is that it'll probably be very difficult, if not impossible, to create iPhone malware that could be spread to other smart phones.
"It's probably unlikely because iPhone is such a closed device that runs its own operating system," he said. "We've seen a little over 370 different examples of malware running on smart phone platforms. Almost all of them target Symbian-based phones, because Symbian is by far the market leader, with over half the smart phones in the world running that operating system. Bluetooth is the most common vector of how malware jumps from one device to the other."
But while iPhone has Bluetooth, he said, the Bluetooth chip can't be used on the device for file transmissions. If there were self-spreading malware on iPhones, it would probably be spread by email, Hypponen said.
Even if one takes the iPhone out of the equation, he said it's only a matter of time before attackers launch more sophisticated attacks against smart phones in general. While there are currently no signs of botnets using mobile phones, for example, he said the threat might grow in the future because mobile phone processing power and mobile network connection speeds are growing. "I could see mobile phone botnets being used to send email spam or text messaging spam to other phones," he said.
Hypponen noted that there are about 3 billion mobile phones in circulation around the world, with tens of thousands of mobile malware infections reported thus far. Cabir and Commwarrior are now afflicting phones in more than 30 countries.
"Cabir was the first, appearing in June 2004, and it's still spreading," he said.
In recent interviews, when asked how mobile malware could spread to desktops and corporate networks, he pointed to malware called SymbOS.Cardtrap as an example. It installs Windows malware on the infected phone's memory card and tries to fool users into investigating the phone problems with a PC and a memory card reader, making it possible for Windows malware to spread. Mobile devices provide a wider variety of communication methods than traditional PCs, and this could mean new ways to spread malware, he said.
To guard against mobile malware, he has recommended IT professionals use common sense and install security software on both their PCs and their smart phones. He also warns against accepting or installing software from untrusted sources, or swapping memory cards between phones.
Microsoft To Update Critical Windows, Office Flaws
Microsoft Corp. plans to hand customers nine security updates Tuesday, patching flaws in Windows, Office, IE, Virtual PC and XML Core Services. Six updates will address critical vulnerabilities attackers could exploit remotely to run malicious code on targeted machines.
Microsoft Windows, including Vista, will be among the software updated, according to the advance notification Microsoft posted on its TechNet site Thursday. Other fixes will target security holes in Microsoft Office, Internet Explorer, Visual Basic, Virtual PC and Virtual Server.
Microsoft typically describes critical flaws as those attackers could exploit to take complete control of an affected system to install programs; view, change, or delete data; or create new accounts.
Meanwhile, the software giant will release several non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS); and two non-security, high-priority updates for Windows on Windows Update (WU) and Software Update Services (SUS). And, as it does every month, the company will update its malicious software removal tool.
Last month, Microsoft released six security updates, three of which addressed critical flaws in Excel, Windows and the .NET Framework.
The exploits of August
While there's no indication this month will be more problematic for IT administrators than usual, there is a history of trouble following Microsoft's August patch releases.
Last year, the U.S. Department of Homeland Security, which rarely joins the post-Patch Tuesday stampede of warnings, issued a public advisory urging Windows users to install the MS06-040 security update as soon as possible because the Windows Server Services flaw addressed in the update was considered highly wormable. Within days of the patch release, attackers were targeting the flaw with malware in a bid to expand their IRC-controlled botnets.
Two years ago, security experts sounded the alarm following the Windows Plug and Play vulnerability, which Microsoft had patched in its MS05-039 security update. Attackers exploited the flaw a few days later with the Zotob worm.
And in July 2003, Microsoft released MS03-026 to patch the RPC-DCOM flaw. By early August, the Blaster worm was using the flaw to tear up cyberspace.
Some have theorized that August tends to be a bad month because attackers like to strike when a lot of IT professionals are on summer vacation. Others believe it's because hackers like to use Microsoft's August flaws to try out attack methods they picked up at the Black Hat and Defcon conferences, which are held each year at the beginning of August.
EMC's RSA To Acquire Tablus For Data Loss Prevention
RSA, EMC Corp.'s security division, on Thursday said it is acquiring privately held Tablus, a provider of data-loss prevention products and services. The financial terms of the deal were not disclosed.
Tablus, of San Mateo, Calif., is one of a number of small start-ups that have been angling for enterprise IT dollars in a small, but growing, niche of the security market.
EMC, of Hopkinton, Mass., said it plans to integrate Tablus' Content Sentinel and Content Alarm products with its RSA division's encryption and information management offerings. How exactly that integration will be handled remains to be seen, however.
The acquisition gives EMC a foothold in the emerging market for products that stop sensitive information from leaving corporate networks. The rash of stolen laptops, security breaches and lost backup tapes in the last few years has brought the task of securing such data to the forefront and made it a key issue for senior management as well as security professionals. (For more on the data storage implications of this announcement, please see "EMC buys Tablus for data classification and security" by Beth Pariseau on SearchStorage.com.)
High-profile incidents such as the theft of a hard drive belonging to the Veterans' Administration and this week's revelation that a laptop containing personal information on VeriSign Inc. employees was stolen from a car also have shown that the problem is not limited to small organizations or those without the budget to put proper controls in place.
Aside from the security aspects of the problem, one of the major stumbling blocks in putting a data-loss prevention product in place is classification of the company's data. Determining which data needs strict controls and which can be less closely watched is a time-consuming task and one that can be layered with inter-departmental battles. Tablus' products help with this classification and enable customers to identify sensitive intellectual property. The products also have the ability to monitor email and other network traffic and enforce policies relating to what content can go where.
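The classify-then-enforce pattern described above, reduced to its simplest form as an added illustration (this is not Tablus', RSA's or EMC's code; the classification rules, the policy table, the internal domain and the sample messages are all invented for the example). It labels an outbound message by what it contains, using a Luhn check so that an order number that merely looks like a card number is not flagged, and then decides whether the message may go to its destination:

```python
"""Toy DLP policy check: classify outbound text, then decide what may leave.

Added illustration only. Policy table, destinations and samples are invented.
"""
import re

# Candidate 13-19 digit card numbers, optionally separated by spaces or dashes.
_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Invented policy inputs: domains treated as inside the company.
INTERNAL_DOMAINS = {"example.com"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> str:
    """Crude content classification: restricted > confidential > public."""
    if find_card_numbers(text):
        return "restricted"
    if re.search(r"\bCONFIDENTIAL\b", text, re.IGNORECASE):
        return "confidential"
    return "public"


def decide(text: str, recipient: str) -> str:
    """Apply the (invented) policy: returns 'allow', 'alert' or 'block'."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    internal = domain in INTERNAL_DOMAINS
    label = classify(text)
    if label == "restricted":
        # Card data never leaves; internal transfers are logged for review.
        return "alert" if internal else "block"
    if label == "confidential":
        return "allow" if internal else "alert"
    return "allow"


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a standard test PAN.
    samples = [
        ("Invoice for order 1234567890123 attached", "bob@partner.net"),
        ("Customer card 4111 1111 1111 1111, exp 12/09", "bob@partner.net"),
        ("Customer card 4111-1111-1111-1111, exp 12/09", "alice@example.com"),
        ("CONFIDENTIAL: Q4 roadmap attached", "bob@partner.net"),
    ]
    for text, to in samples:
        print(f"{to:20} {classify(text):12} -> {decide(text, to)}")
```

The Luhn check is what keeps the false-positive rate tolerable: a bare 13-to-19-digit regex would block every long invoice or tracking number. A real product adds fingerprinting of known documents and dictionary matching for intellectual property, which is the classification work the article says Tablus' products help with.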
Data-loss prevention products have gained in popularity in recent years, but the vendor landscape is still populated mainly by start-ups such as Vericept, Vontu, Reconnex and a handful of others. EMC is the first major IT vendor to get into the market. That is one of the things that made the Tablus deal attractive to RSA, officials said.
Consolidation in the market is inevitable, said Paul Stamp, a principal analyst with Cambridge, Mass.-based Forrester Research Inc. In December, WebSense started the trend by acquiring PortAuthority Technologies. Tablus was probably acquired at a bargain price since it doesn't have the market footprint that Vericept and Vontu have, Stamp said.
"This is not a technology that can stand on its own," Stamp said. "Tablus has really good technology but they haven't really captured the imagination of the enterprise."
Stamp said to look for larger security vendors to acquire or develop similar technology as part of an overall information lifecycle management suite as enterprises struggle to lock down systems and protect sensitive data.
"Data leakage is a symptom of companies not knowing where their data is and where it is going," Stamp said.
The data-loss prevention market "is growing to critical mass and beginning to be tracked and identified by analysts…though no large company has addressed this space yet," said Dennis Hoffman, vice president and chief strategy officer at RSA.
If history is any guide, the Tablus acquisition may start a run on similar deals in the next few months as other large IT providers look for a way in.